How to connect Microsoft OneDrive to Dropbox Protect

Admins Updated May 28, 2026

 The information in this article applies to Dropbox Protect admins.

You can connect Microsoft OneDrive to Dropbox Protect to manage and monitor document security and access for your organization.

Important: If you also use Dropbox Dash, your connected apps are shared between Dash and Protect. Any changes you make will apply to both.

Authorization methods

There are two methods to authorize the connection between Microsoft 365 products (OneDrive, SharePoint) and Protect:

  1. Register app in Microsoft Azure: Exchange certificates between Protect and Microsoft Entra ID to register the app on Microsoft Azure.
    • Note: This method is recommended as it links the authorization to the Azure system rather than to an admin user account.
  2. Authenticate with a service account: Create an admin account for accessing Microsoft OneDrive content to allow authorization between Protect and Microsoft OneDrive.

Follow the instructions below for the method that best works for your organization.

How content syncing works

  • Content sync starts as soon as the connection is made, allowing you to quickly view your data. This may take a few hours to several days based on the amount of content in your account. You’ll receive an email when syncing is complete.
  • Protect performs a sync of your Microsoft OneDrive content and permissions every 60 minutes.

Method 1: How to register Dropbox Protect in Microsoft Entra

  1. Log in to dropbox.com using your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Protect under Products, then click Apps.
  4. If you’re connecting apps for the first time, click See all apps.
    • Note: If you’ve already connected apps, click More apps.
  5. Click Add next to Microsoft OneDrive.
  6. Select Register app in Microsoft Azure, then click Start.
  7. Review the steps in What to expect, then click Next.
  8. Click Azure portal and log in with your credentials.

At this point, you’ll need to create a new app registration in Microsoft Azure before you can continue with the prompts in Protect.

 

To create a new app registration in Microsoft Azure:

  1. In Microsoft Azure, click Microsoft Entra ID in the left sidebar.
  2. Click Manage in the left sidebar, then click App registrations in the expanded list.
  3. Click New registration.
  4. On the Register an application page, enter “Protect” in the Name field.
  5. Under Supported account types, select Accounts in this organizational directory only.
  6. Under Redirect URI (optional), click Select a platform, then select Web.
  7. Paste the following address into the empty field: https://www.dropbox.com/oauth_connectors/redirect
  8. Click Register.

Once you’ve registered Protect in Microsoft Azure, you’ll need to add the appropriate certificates and permissions.

To add a certificate:

  1. On the Protect overview page in Microsoft Azure, click Add a certificate or secret next to Client credentials.
  2. Create a private key for secure authentication between Microsoft OneDrive and Protect.
    • Consult your IT department on how certificates are managed within your own organization. Learn more about creating and managing certificates.
    • When generating the certificate, create an unencrypted private key.
    • When copying the private key into the Microsoft 365 company app setup carousel, make sure you include the full key with the header and footer lines exactly as shown:
-----BEGIN PRIVATE KEY-----
[Your private key content]
-----END PRIVATE KEY-----
  3. Click Upload certificate, choose your file, then click Add.
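
One way to produce a key and certificate that meet the requirements above, shown as an added example and not as Dropbox's or Microsoft's own procedure. It assumes OpenSSL is installed; the file names, subject name, key size and one-year validity are illustrative choices. It also prints the certificate's SHA-1 thumbprint so you can compare it with the Thumbprint value Azure shows after upload.

```shell
#!/bin/sh
# Added example. File names, subject name, key size and validity are assumptions.
set -eu

# Create an unencrypted PKCS#8 private key and a self-signed certificate.
make_cert() {  # $1 = output directory
    ( umask 077   # the key has no passphrase, so restrict it to its owner
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1/protect.key" 2>/dev/null
      openssl req -x509 -new -key "$1/protect.key" -sha256 -days 365 \
          -subj "/CN=protect-onedrive-connector" -out "$1/protect.crt" )
}

# True only for the header and footer lines the Protect prompt expects.
# An encrypted key starts with "BEGIN ENCRYPTED PRIVATE KEY" and fails here.
key_is_pasteable() {  # $1 = key file
    [ "$(head -n 1 "$1")" = "-----BEGIN PRIVATE KEY-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END PRIVATE KEY-----" ]
}

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# SHA-1 fingerprint as 40 hex digits without colons, for comparison with
# the Thumbprint value copied from Azure.
thumbprint() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

out=${1:-$(mktemp -d)}   # output directory: first argument or a temp dir
make_cert "$out"
key_is_pasteable "$out/protect.key" || { echo "unexpected key format" >&2; exit 1; }
key_matches_cert "$out/protect.key" "$out/protect.crt" || { echo "key/cert mismatch" >&2; exit 1; }
echo "Upload to Azure:    $out/protect.crt"
echo "Paste into Protect: $out/protect.key"
echo "Thumbprint:         $(thumbprint "$out/protect.crt")"
```

Because the key file carries no passphrase, move it into your secrets vault once setup is complete and remove the working copy.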

 

To add API permissions:

  1. On the Protect overview page in Microsoft Azure, click API permissions in the left sidebar.
  2. Click Add a permission.
  3. Click Microsoft Graph under Microsoft APIs.
  4. Click Application Permissions, then search for and add the following permissions:
    • Microsoft Graph
      • AuditLogsQuery-SharePoint
      • DelegatedPermissionGrant.Read.All
      • DelegatedPermissionGrant.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • Domain.Read.All
      • Files.Read.All
      • Files.ReadWrite.All
      • Group.Read.All
      • Group.ReadWrite.All
      • GroupMember.Read.All
      • GroupMember.ReadWrite.All
      • Reports.Read.All
      • Sites.FullControl.All
      • Sites.Manage.All
      • Sites.Read.All
      • Sites.ReadWrite.All
      • User.Read.All
      • User.ReadWrite.All
    • Office 365 Management API Permissions
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
    • SharePoint Permissions
      • Sites.FullControl.All
  5. Click Add permissions after you’ve made your selections.
  6. Click Grant admin consent for [tenant name].
  7. Click Yes after reviewing the Grant admin consent confirmation prompt.
  8. Return to the Protect overview page in Microsoft Azure.

Finally, you’ll need to enter the Protect IDs from Microsoft Azure to the Protect admin console.

To do this:

1. On the Protect overview page in Microsoft Azure, copy the Primary domain, then paste it into the Dropbox Protect prompt.

2. Click Next.

3. Copy the Application (client) ID and the Directory (tenant) ID from Microsoft Azure, then paste them in the prompt in Dropbox Protect.

4. Click Next.

5. Click Certificates and secrets in the left sidebar in Microsoft Azure.

6. Copy the Thumbprint, then paste it into the Certificate thumbprint field in Dropbox Protect.

7. Enter the private key associated with the certificate you uploaded to Azure. 

8. Click Next.

9. Review the requested permissions in the pop-up window, then click Allow.

10. Return to the admin console page on dropbox.com where you’ll find the Ready to sync prompt.

11. If you’d like to exclude specific drives from syncing to Dropbox Protect, click Select under Exclude content, then follow the steps in the section “How to exclude drives when connecting Microsoft OneDrive to Dropbox Protect” below. Otherwise, proceed to step 12.

12. Click Start syncing.

Your Microsoft OneDrive content will start syncing immediately. This can take anywhere from a few hours to a few days, depending on how much content is in your account. Protect admins will receive an email when all content has been synced.

Method 2: How to create and connect a service account

Service account requirements

To connect Microsoft OneDrive to Dropbox Protect, a Microsoft Global administrator must authenticate and authorize a company-level integration between OneDrive and Protect. For better security, and to prevent issues with the Microsoft OneDrive and Protect integration (for example, if an admin leaves), it's recommended to create a non-human admin service account in Microsoft Entra ID for this integration.


Note: For this article, “svc-dropboxprotect-microsoft-365” is referenced as the recommended account name for the service account.

Overview of setup:

Step 1: Create a new admin service account.

Step 2: Connect Microsoft OneDrive to Dropbox Protect using the service account.

How to create an admin service account for the Dropbox Protect integration

1. Log in to Microsoft Azure with your admin credentials.

2. Click Microsoft Entra ID.

3. Click Manage on the left sidebar.

4. Click Users in the dropdown menu.

5. Click New user.

6. Click Create new user in the dropdown menu.

7. Enter “svc-dropboxprotect-microsoft-365” in the user principal name (UPN) field.

8. Open the dropdown menu under User principal name to select the domain to which the user will be associated.

9. Leave Mail nickname as Derive from user principal name.

10. Enter “svc-dropboxprotect-microsoft-365” in the Display name field.

11. Enter a new password in the Password field.

  • You can either use the auto-generated password provided or set your own.
  • In either case, note the password somewhere safe, such as your password management vault.

12. Leave Account enabled as checked.

13. Click Next: Properties at the bottom of the page.

14. Enter “svc-dropboxprotect-microsoft-365” in the First name field.

15. Click Next: Assignments at the bottom of the page.

16. Click Add role to open the Directory roles pane on the right.

17. Enter “Global” in the search field.

18. Check the Global Administrator role for this service account user.

19. Click Select at the bottom of the page.

  • You should now see Global Administrator as a role for this user.

20. Click Next: Review + create at the bottom of the page.

  • You should now see an overview of the account to be created.

21. Verify that the User principal name is “svc-dropboxprotect-microsoft-365”.

22. Verify that the assigned role is Global Administrator.

23. Click Create to complete user creation.

  • You’ll be returned to the Users page and should see a Successfully created user pop-up message.

Refresh the page to see your new service account.

Once your service account is created, you can connect Microsoft OneDrive to Dropbox Protect.

 

How to connect Microsoft OneDrive to Dropbox Protect using the service account

To connect Microsoft OneDrive to Dropbox Protect using your service account:

  1. Log in to dropbox.com using your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Protect under Products, then click Apps.
  4. If you’re connecting apps for the first time, click See all apps.
    • Note: If you’ve already connected apps, click More apps.
  5. Click Add next to Microsoft OneDrive.
  6. Select Authenticate with a service account, then click Start.
  7. Review the What to expect prompt, then click Next.
  8. Click Next.
    • You’ll see a pop-up window asking you to allow Dropbox Protect to connect with Microsoft Azure.
  9. Click Allow.
  10. Enter the email address for the service account created in the previous steps.
  11. Click Next.
  12. Enter the password for your service account.
  13. Click Sign in.
    • Note: If you require multi-factor authentication (MFA) for accounts in your environment, you may be prompted for additional authentication associated with the service account.
  14. Review the permissions requested, then click Accept.
  15. Return to the admin console page on dropbox.com where you’ll find the Ready to sync prompt.
  16. If you’d like to exclude specific drives from syncing to Dropbox Protect, click Select under Exclude content, then follow the steps in the section “How to exclude drives when connecting Microsoft OneDrive to Dropbox Protect”. Otherwise, proceed to step 17.
  17. Click Start syncing.

Your Microsoft OneDrive content will start syncing immediately. This can take anywhere from a few hours to a few days, depending on how much content is in your account. Protect admins will receive an email when all content has been synced.

How to exclude drives when connecting Microsoft OneDrive to Dropbox Protect

To exclude specific drives from syncing during setup:

  1. After you’ve authorized Microsoft OneDrive in Protect, click Select under Exclude Content in the Ready to sync prompt.
  2. Enter the identifier for the drive you want to exclude.
    • For OneDrive, use the user's email address linked to their personal OneDrive.
    • For SharePoint, open the SharePoint site in a new window and copy the URL. SharePoint URLs should be in the format: https://[name].sharepoint.com/sites/[site-name], and must not end with “.aspx”
  3. Click Done.
  4. Click Start syncing in the Ready to sync prompt.

To manage excluded drives:

  1. Log in to dropbox.com using your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Protect under Products, then click Apps.
  4. Click Microsoft OneDrive in the Your apps tab.
  5. Click (edit) next to Excluded content.
  6. Connect or remove drives:
    • To connect a drive, enter the identifier for the drive you want to exclude.
      • For OneDrive, use the user's email address linked to their personal OneDrive.
      • For SharePoint, open the SharePoint site in a new window and copy the URL. SharePoint URLs should be in the format: https://[name].sharepoint.com/sites/[site-name], and must not end with “.aspx”
    • To remove and sync a drive, click (delete) next to the identifier.
  7. Click Done.

Notes:

  • If exclusion occurs after the initial sync, it may take a few hours to a few days to take effect in our systems, depending on the data size.
  • Protect only checks if the identifiers are structured correctly, not whether they’re correct or exist. Make sure they’re accurate before proceeding.
  • User exclusion in OneDrive only removes files from the user's My Drive. Shared documents or those where the user is a collaborator, but not the owner, can’t be excluded.
  • SharePoint exclusion removes all files from the entire SharePoint site.
  • You can exclude a user’s drive even if they aren’t a licensed Protect user.

FAQs about connecting Microsoft OneDrive to Dropbox Protect

Why do I need to allow Microsoft Graph, Office 365 Management API, and SharePoint permissions when registering Dropbox Protect in Microsoft Azure?

  • ActivityFeed.Read, ActivityFeed.ReadDlp, AuditLogsQuery-SharePoint: These permissions underpin Protect security and compliance guarantees. They’re used for the Protect page to review audit logs and verify access.
  • Files.Read.All: This permission is used to obtain metadata and content from files for Protect.
  • Files.ReadWrite.All: This permission is used to change file permissions for Protect.
  • Domain.Read.All: This permission is used by Protect to identify and catalog which links and users are internal or external.
  • Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, GroupMember.Read.All, User.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, User.ReadWrite.All: These permissions are used for details, such as user information and group memberships. For instance, one way access is granted in Microsoft is through groups. Protect also uses groups to manage access to files, folders, and sites.
  • Sites.Read.All, Sites.FullControl.All, Sites.Manage.All, Sites.ReadWrite.All: The read permissions are required for Protect to access files and folders on sites. Write is required by Protect to manage permissions.
  • DelegatedPermissionGrant.Read.All, DelegatedPermissionGrant.ReadWrite.All: These permissions are used to confirm that Protect has the necessary permissions.
  • Reports.Read.All: This permission is used to retrieve relevant analytics and usage data on your OneDrive and SharePoint data. 

Why do I need to create an unencrypted private key when generating a certificate in Microsoft Azure?

Private keys are used to establish trust between Dropbox Protect and Microsoft. When you upload a public key, Protect uses a private key to sign requests to Microsoft. This way, Microsoft can determine if the private key is paired with the public key you uploaded.

Encrypting a private key prevents it from being used for tasks like encryption or decryption. Therefore, we must use the unencrypted private key to sign requests.
