Microsoft 365 Integration
Connect OneDrive and SharePoint so users can attach documents from Microsoft 365 to requirements and other entities. Configure once per tenant in Secure Hive and in Microsoft Entra ID (Azure).
- Connect Microsoft 365: OAuth flow; each user connects once per tenant. Tokens are stored per user per tenant.
- Add from OneDrive / SharePoint: Users can list their drive items, then Link (store URL) or Copy to Secure Hive (download and store in your tenant bucket).
- Per-tenant configuration: Each Secure Hive tenant uses its own Azure AD app (Client ID, Client Secret). Credentials are stored in Secure Hive and are not read from environment variables.
- App registration → Redirect URI (Web), API permissions (Microsoft Graph delegated), Client ID, Client secret. This is where you configure what the app is allowed to do.
- Enterprise application (created from the app registration) → User/group assignment, “User assignment required?”, visibility. Admin consent is granted from the app registration or from the Enterprise app’s Permissions.
- Admin consent requests (under Enterprise apps → Activity) → Where you approve or deny user-submitted “Request approval” requests so users can use the app.
Steps
- In Secure Hive, go to Settings → Integrations.
- Open the Microsoft 365 card (under Documents) and click Configure.
- Click Create integration (or Add Integration).
- Enter the values from your Azure AD app registration:
- Client ID — Application (client) ID from the app registration.
- Client Secret — A client secret you create in the app registration.
- Azure Tenant ID (optional) — Leave blank for multi-tenant (common), or set your tenant ID to restrict sign-in to your org.
- Redirect URI (optional) — Must match the redirect URI you add in Azure (e.g. https://your-api.example.com/auth/m365/callback or http://localhost:9000/auth/m365/callback for local dev). If omitted, the platform uses M365_REDIRECT_URI or BACKEND_URL + /auth/m365/callback.
- Save. One active integration per tenant is used for the Connect URL, callback, and token refresh.
- In Azure Portal → Microsoft Entra ID → App registrations → New registration. Name it (e.g. “SecureHive O365”), choose supported account types, then Register.
- Authentication → Add a platform → Web. Set Redirect URI to your backend callback URL, e.g. https://api.securehive.ai/auth/m365/callback or http://localhost:9000/auth/m365/callback. This must match the value in Secure Hive (integration Redirect URI or platform default).
- API permissions → Add permission → Microsoft Graph → Delegated. Add all of the following:
- openid — Sign users in.
- offline_access — Required for refresh tokens (see below).
- Files.Read, Files.ReadWrite, Files.Read.All — User files (OneDrive and Teams/SharePoint channel folders).
- Sites.Read.All — SharePoint sites.
- Team.ReadBasic.All — List teams the user is in (for Teams channel files). In Azure, search for Team (singular) to find it.
- Channel.ReadBasic.All — List all channels in a team (including private). Required to browse private channel files (e.g. iGRC). In Azure, search for Channel.
- User.Read.
- Certificates & secrets → New client secret. Copy the secret value and paste it into Secure Hive’s integration form (Client Secret). The client secret is encrypted at rest in Secure Hive.
- Copy the Application (client) ID and paste it into Secure Hive as Client ID.
Why offline_access is required
Microsoft only returns a refresh token when the app requests the offline_access scope. Secure Hive uses the refresh token to obtain new access tokens when the current one expires (typically after about one hour), so users do not have to sign in to Microsoft 365 again every time. Without offline_access, the token response will not include a refresh token and the Connect flow will fail with “Missing access_token or refresh_token in token response.”
In the Azure portal this permission may appear as “Access and manage user data any time” under Microsoft Graph delegated permissions. After adding it, grant admin consent so it is pre-approved for your tenant.
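As an added example (not Secure Hive's own code), the following builds the Microsoft identity platform authorize URL with the delegated scopes listed above and checks a token response the way the Connect flow must, so a missing refresh token is reported with the error message this page documents. The endpoint is the public v2.0 authorize endpoint; the `state` handling and the early-refresh skew are assumptions.

```python
"""Added example: authorize URL with offline_access, and token-response check."""
import time
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Delegated Microsoft Graph scopes from this page. offline_access is the one
# that makes Microsoft include a refresh_token in the token response.
REQUIRED_SCOPES = [
    "openid", "offline_access",
    "Files.Read", "Files.ReadWrite", "Files.Read.All",
    "Sites.Read.All", "Team.ReadBasic.All", "Channel.ReadBasic.All", "User.Read",
]


def build_authorize_url(client_id, redirect_uri, state, azure_tenant_id=None, scopes=REQUIRED_SCOPES):
    """Authorize URL for Connect Microsoft 365. Blank tenant ID -> 'common' (multi-tenant)."""
    if "offline_access" not in scopes:
        raise ValueError("offline_access scope missing: Microsoft will not return a refresh token")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,       # must match the Azure Web redirect URI exactly
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                     # assumed: anti-CSRF value bound to the user's session
    }
    return AUTHORIZE_ENDPOINT.format(tenant=azure_tenant_id or "common") + "?" + urlencode(params)


def parse_token_response(body, now=None):
    """Return (access_token, refresh_token, expires_at) or raise the error shown to users."""
    access = body.get("access_token")
    refresh = body.get("refresh_token")
    if not access or not refresh:
        # Exactly what happens when offline_access was not requested/consented.
        raise ValueError("Missing access_token or refresh_token in token response")
    now = time.time() if now is None else now
    return access, refresh, now + int(body.get("expires_in", 3600))


def needs_refresh(expires_at, now=None, skew=300):
    """Refresh a few minutes before the ~1 hour expiry so no Graph call uses a stale token."""
    now = time.time() if now is None else now
    return now >= expires_at - skew
```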
Go to Microsoft Entra ID → Enterprise applications → find your app (e.g. “SecureHive O365”).
- Users and groups: Assign the users (or groups) who are allowed to use the app. If “User assignment required?” is Yes, only assigned users can complete Connect Microsoft 365.
- Properties: Set User assignment required? to No if you want any signed-in user to use the app (once admin consent is granted). Set Visible to users? to Yes if you want the app to appear in My Apps.
- In Enterprise applications → open your app (e.g. “SecureHive O365”) → Permissions (under Security).
- Confirm the Microsoft Graph delegated permissions are listed, including openid, offline_access, Files.Read, Files.ReadWrite, and Sites.Read.All.
- Click Grant admin consent for [Your organization]. Confirm when prompted.
After this, the app is pre-approved for your tenant. Users may still see “Approval required” if your tenant requires user assignment and they are not assigned, or if your consent settings require reviewing admin consent requests (see below).
- Sign in to the Microsoft Entra admin center as a Cloud Application Administrator (or designated reviewer).
- Go to Identity → Applications → Enterprise apps.
- Under Activity, select Admin consent requests.
- Open the My Pending tab to view pending requests.
- Select the application that is being requested (e.g. “SecureHive O365”) from the list.
- Review the request:
- To see requested permissions: Review permissions and consent.
- To see app details: App details tab.
- To see who requested and why: Requested by tab.
- Take action:
- Approve — Grants admin consent; all requestors are notified and can use the app (unless restricted by user assignment).
- Deny — Provide a justification; requestors are notified. They can request again later.
- Block — Provide a justification; creates a disabled service principal so users cannot request consent for this app in the future.
Connect Microsoft 365
Users connect in one place: User Settings → Integrations tab (Profile, Avatar, Password, 2FA, Integrations). There they click Connect Microsoft 365 and are redirected to Microsoft to sign in and consent (if not already consented). After success, they are redirected back to User Settings → Integrations (same tenant host, e.g. tenant.securehive.ai or tenant.localhost).
Add from OneDrive / SharePoint
In attachment areas (e.g. project requirements), Add from OneDrive is always shown. If the user is not connected, the button is disabled and a tooltip directs them to User Settings → Integrations to connect. Once connected, the button is enabled. Users can:
- Link — Store the Microsoft 365 URL as an attachment; opening it goes to the source file.
- Copy to Secure Hive — Download the file and store it in your tenant’s document storage; the attachment is then owned by Secure Hive.
“Missing access_token or refresh_token in token response”
The app must request the offline_access scope so Microsoft returns a refresh token. In the Azure app registration, go to API permissions → Add permission → Microsoft Graph → Delegated → add offline_access (or “Access and manage user data any time”). Grant admin consent, then have the user try Connect Microsoft 365 again. See Entra: App registration for the full permission list and why offline_access is required.
“Redirect URI not configured”
Set the Redirect URI in the Microsoft 365 integration in Secure Hive (Settings → Integrations → Microsoft 365 → Edit), or set M365_REDIRECT_URI or BACKEND_URL in the backend environment. The value must exactly match the Web redirect URI in the Azure app registration.
“Approval required” / “Request approval” screen
The tenant requires admin consent and/or user assignment. Grant admin consent for the app (Enterprise application → Permissions → Grant admin consent). Assign users in Users and groups, or set User assignment required? to No. If users have already submitted requests, approve them under Enterprise apps → Activity → Admin consent requests → My Pending.
“Microsoft 365 connection was cancelled or not approved”
The user left the Microsoft consent screen (e.g. clicked “Back to app” or “Cancel”) before completing the flow. They should try again and complete sign-in/consent. If the app is not yet approved for the org, an admin must grant consent or approve the admin consent request as above.
Redirect goes to root domain instead of tenant
The callback redirect is built using the tenant’s subdomain (or tenant slug). Ensure FRONTEND_URL is set correctly (e.g. https://securehive.ai or http://localhost:3000). Tenant URLs are derived as https://<subdomain>.securehive.ai or http://<subdomain>.localhost:3000.
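As an added example (not Secure Hive's own code) for the redirect rules in the configuration steps and in the "Redirect URI not configured" and root-domain items above: resolve the backend callback URI in the documented precedence (integration value, then M365_REDIRECT_URI, then BACKEND_URL + /auth/m365/callback), compare it literally against the Azure Web redirect URI, and derive the tenant return URL from FRONTEND_URL plus the tenant subdomain. The `env` dict stands in for the process environment.

```python
"""Added example: redirect URI precedence, exact-match check, tenant URL derivation."""
from urllib.parse import urlsplit, urlunsplit

CALLBACK_PATH = "/auth/m365/callback"


def resolve_redirect_uri(integration_redirect_uri, env):
    """Precedence from the page; env is a dict standing in for os.environ."""
    if integration_redirect_uri:
        return integration_redirect_uri
    if env.get("M365_REDIRECT_URI"):
        return env["M365_REDIRECT_URI"]
    if env.get("BACKEND_URL"):
        return env["BACKEND_URL"].rstrip("/") + CALLBACK_PATH
    raise ValueError("Redirect URI not configured")


def redirect_uri_matches_azure(configured, azure_web_redirect_uris):
    """The page requires an exact match with the Azure Web redirect URI, so no
    normalisation: a trailing slash or a different port is a mismatch."""
    return configured in azure_web_redirect_uris


def tenant_frontend_url(frontend_url, subdomain):
    """https://securehive.ai + 'acme' -> https://acme.securehive.ai
    http://localhost:3000 + 'acme' -> http://acme.localhost:3000
    A missing subdomain is refused instead of silently redirecting to the root domain."""
    if not subdomain:
        raise ValueError("tenant subdomain missing: redirect would go to the root domain")
    parts = urlsplit(frontend_url)
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit((parts.scheme, f"{subdomain}.{parts.hostname}{port}", "", "", ""))
```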