Azure AD App Registration

Register an app so Chordalia products can access files in your OneDrive.

Used in: Arion
About 10 minutes

What is an Azure AD app — and why do I need one?

Microsoft doesn't let arbitrary desktop applications read your OneDrive directly. Instead, apps identify themselves to Microsoft using a Client ID — a unique identifier created when you register an "app" in Azure Active Directory (now rebranded as Microsoft Entra ID, but everyone still says Azure AD).

When a Chordalia product needs OneDrive access, it opens a browser where you sign in to your Microsoft account and approve the request ("This app wants to read your OneDrive files — allow?"). Microsoft remembers your approval and sends the product a token it can use to fetch files.

The Client ID doesn't grant any access on its own. It just tells Microsoft which app is asking when you sign in. The actual permissions are granted (or denied) by you, one user at a time.

Do I have to do this myself? For now, yes — each Chordalia user registers their own Azure AD app. Eventually we'll publish a single Chordalia app you can use without going through this registration. Until then, the good news is: it's free, takes ten minutes, and everything happens in your own Microsoft account.

What will it cost?

Nothing. Azure AD app registrations are a free identity feature; they don't consume any of your Azure OpenAI, AI Search, or free-trial credit.

1 Prerequisites

You need a personal Microsoft account (an @outlook.com, @hotmail.com, or @live.com address, or any address you've attached to a Microsoft account) with OneDrive enabled.

You do not need an active Azure subscription for this — app registrations are a free Microsoft Identity service and don't touch Azure billing. (If you happened to create an Azure account following the Azure Account Setup guide, that works fine too.)

Work or school accounts are different. If your Microsoft account is managed by a company or school, your IT admin may have disabled personal app registrations or blocked public-client OAuth flows. Either use a personal Microsoft account, or ask your admin to register the app on your organisation's behalf.

2 Open the Microsoft Entra admin center

Go to entra.microsoft.com and sign in with your personal Microsoft account.

In the left sidebar, expand Applications and click App registrations.

"Entra" vs. "Azure Active Directory". Same thing. Microsoft renamed the service in 2023, but you'll see both names across their docs and UI. Wherever we say "Azure AD" or "Entra", treat them as identical.

3 Register a new application

At the top of the App registrations page, click + New registration.

Fill in the form

Click Register. Azure AD creates the app and drops you on its overview page.

4 Enable public-client flows

Chordalia desktop apps are "public" clients (they can't keep a secret since the app runs on your computer). Public-client flows are off by default, so you need to switch them on.

Steps

  1. In the app's left sidebar, click Authentication.
  2. Scroll down to Advanced settings.
  3. Find Allow public client flows and switch it to Yes.
  4. Click Save at the top.

Why "public"? In OAuth terms, "public" means the app can't protect a secret because it runs on end-user devices (a desktop app, mobile app, or single-page web app). "Confidential" clients run on servers you control. The device-code flow Chordalia apps use is specifically designed for public clients.

5 Add API permissions

An app that asks for no permissions can't read anything. Here you tell Microsoft what categories of data the app is allowed to request when a user signs in.

Steps

  1. In the app's sidebar, click API permissions.
  2. You'll see User.Read already listed under Microsoft Graph — that's added by default. Keep it.
  3. Click + Add a permission.
  4. Choose Microsoft Graph.
  5. Choose Delegated permissions (not Application permissions).
  6. In the search box, type Files.Read and tick the box next to it. This lets the app read files in the user's OneDrive.
  7. Without closing the dialog, clear the search and type offline_access. Tick that too. This lets the app get refresh tokens so you don't have to sign in every time.
  8. Click Add permissions.

Your permissions list should now contain three entries under Microsoft Graph, all of type Delegated:

  • User.Read
  • Files.Read
  • offline_access

You'll consent when you sign in, not here. Because you're using a personal Microsoft account, there's no "admin consent" step — the first time the Chordalia product connects, Microsoft will show you a consent screen asking if you allow this app to read your files. That's where the actual approval happens.

6 Copy the Client ID

Go back to the app's Overview page (top of the left sidebar). You'll see two IDs near the top of the page; the one you need is the Application (client) ID, which is the Client ID the steps below refer to:

The Client ID isn't secret. Unlike an API key, a Client ID isn't a credential — it's just an identifier. It's safe to paste in config files, share with support, or print on a billboard. What keeps your data private is the consent step that only you can approve with your Microsoft sign-in.

Using your Client ID in a Chordalia product

Arion — OneDrive connector

Open Settings → Cloud Sources → enable OneDrive. Paste:

  • Application (client) ID → Client ID
  • Folder path → / (whole OneDrive) or a specific folder like /Documents

Click Authorize with Microsoft… — a dialog shows a short code and URL. Open the URL in your browser, sign in, enter the code, and approve the access request. Arion stores the resulting refresh token in an encrypted file and uses it silently for future syncs.
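The device-code exchange this dialog drives, as an added example that is not Arion's or Chordalia's own code: the two Microsoft identity platform v2.0 requests a public client makes, using the delegated scopes from section 5 and the Client ID from section 6. The HTTP transport is a parameter so the same polling logic can be exercised offline against constructed replies; the `post` and `sleep` parameters are assumptions of this example.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Personal Microsoft accounts sign in through the "consumers" tenant of the v2.0 endpoints.
AUTHORITY = "https://login.microsoftonline.com/consumers/oauth2/v2.0"
# The delegated scopes added in section 5; offline_access is what makes AAD issue a refresh token.
SCOPES = ["User.Read", "Files.Read", "offline_access"]


def http_post(url, form):
    """Default transport: POST a form body, return the JSON reply. AAD sends
    'not yet' and real failures as HTTP 400 + JSON, so those are returned, not raised."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urlopen(req) as resp:
            return json.loads(resp.read())
    except HTTPError as err:
        return json.loads(err.read())


def start_device_flow(client_id, post=http_post):
    """Step 1: request a device code; the reply's user_code and verification_uri
    are the short code and URL the Arion dialog shows."""
    flow = post(f"{AUTHORITY}/devicecode", {"client_id": client_id, "scope": " ".join(SCOPES)})
    if "device_code" not in flow:
        raise RuntimeError(flow.get("error_description", str(flow)))
    return flow


def poll_for_token(client_id, flow, post=http_post, sleep=time.sleep):
    """Step 2: poll the token endpoint until the user approves, refuses, or the code expires."""
    interval = int(flow.get("interval", 5))
    deadline = time.monotonic() + int(flow.get("expires_in", 900))
    while time.monotonic() < deadline:
        tok = post(f"{AUTHORITY}/token", {
            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "client_id": client_id, "device_code": flow["device_code"]})
        if "access_token" in tok:
            return tok  # also carries refresh_token because offline_access was granted
        err = tok.get("error")
        if err == "slow_down":
            interval += 5  # RFC 8628: back off when told to
        elif err != "authorization_pending":
            # access_denied, expired_token, or a setup error such as AADSTS7000218
            # (public client flows not enabled); error_description says which
            raise RuntimeError(tok.get("error_description", err))
        sleep(interval)
    raise TimeoutError("device code expired before the sign-in was approved")
```

The returned refresh_token is the value a product like Arion keeps at rest (encrypted) and redeems silently on later syncs.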

Then Tools → Sync Cloud Sources to index your OneDrive files for the first time.

Troubleshooting

"AADSTS70011: The provided value for the input parameter 'scope' is not valid"

You added the wrong kind of permission. Go back to API permissions and check that Files.Read and offline_access are listed under Delegated permissions, not Application permissions.

"AADSTS7000218: The request body must contain the following parameter: 'client_secret'"

You didn't enable Allow public client flows. Go back to Authentication → Advanced settings and toggle it to Yes.

"AADSTS50194: Application '{id}' is not configured as a multi-tenant application"

You picked the wrong account type when registering. Open the app → Manifest, find "signInAudience", and change its value to "PersonalMicrosoftAccount". Save. (Alternatively, delete the registration and create a new one with the correct Supported account types.)

The sign-in dialog says "Need admin approval"

You're signing in with a work or school account where the admin has locked down personal app usage. You'll need to either get admin consent for this app in your organisation, or sign in with a personal Microsoft account instead.

I revoked access — how do I re-authorise?

In the Chordalia product, open Settings, clear the OneDrive section, and click Authorize with Microsoft… again. Microsoft will present a fresh consent prompt. On Microsoft's side you can see (and revoke) granted consents at account.microsoft.com/privacy/app-access

How do I delete the app registration entirely?

On the app's Overview page, click Delete at the top. The Client ID stops working immediately, which will also revoke any Chordalia product sessions that were using it.