github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 11:28:35 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #13635] issue: Onedrive Sharepoint filepicker configured to support multi-tenant instead of single-tenant connections #16978

New Issue
Closed
opened 2026-04-19 22:46:46 -05:00 by GiteaMirror · 11 comments
GiteaMirror commented 2026-04-19 22:46:46 -05:00
Owner
Copy Link

Originally created by @erictmnz on GitHub (May 7, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/13635

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.7

Ollama Version (if applicable)

No response

Operating System

Linux

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have listed steps to reproduce the bug in detail.

Expected Behavior

The user configures the Onedrive / Sharepoint Client ID, Sharepoint URL and Tenant ID.
When using the Onedrive File Picker -> Sharepoint the user is allowed to pick files just from the current tenant. Users from other tenants are blocked from using the Onedrive filepicker.

Actual Behavior

When a user has configured the App Registration to allow Sharepoint Access it is highly recommended to limit the application to the single (current) tenant for security reasons.

Currently the implementation requires the application to grant multi-tenant access (see below).
This can be fixed by requiring a tenant id and using the organization endpoint (instead of the common endpoint).

This may have to be applied differently for onedrive vs sharepoint.

Image

Steps to Reproduce

  1. Register Single Tenant Microsoft Entra App and Assign access to selected Sharepoint sites (see: https://blog.dan-toft.dk/2022/12/sites-selected-permissions/)
  2. Add Onedrive Client ID and Sharepoint URL environment variables
  3. Attempt to use Onedrive File Picker -> Sharepoint (work)

Logs & Screenshots

See above

Additional Information

No response

Originally created by @erictmnz on GitHub (May 7, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/13635 ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.6.7 ### Ollama Version (if applicable) _No response_ ### Operating System Linux ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have listed steps to reproduce the bug in detail. ### Expected Behavior The user configures the Onedrive / Sharepoint Client ID, Sharepoint URL and Tenant ID. When using the Onedrive File Picker -> Sharepoint the user is allowed to pick files just from the current tenant. Users from other tenants are blocked from using the Onedrive filepicker. ### Actual Behavior When a user has configured the App Registration to allow Sharepoint Access it is highly recommended to limit the application to the single (current) tenant for security reasons. Currently the implementation requires the application to grant multi-tenant access (see below). This can be fixed by requiring a tenant id and using the organization endpoint (instead of the common endpoint). This may have to be applied differently for onedrive vs sharepoint. ![Image](https://github.com/user-attachments/assets/59865fff-5fb1-48d0-8071-d0f7cd2d65f4) ### Steps to Reproduce 1. Register Single Tenant Microsoft Entra App and Assign access to selected Sharepoint sites (see: https://blog.dan-toft.dk/2022/12/sites-selected-permissions/) 2. Add Onedrive Client ID and Sharepoint URL environment variables 3. Attempt to use Onedrive File Picker -> Sharepoint (work) ### Logs & Screenshots See above ### Additional Information _No response_
GiteaMirror added the bug label 2026-04-19 22:46:46 -05:00
GiteaMirror commented 2026-04-19 22:46:47 -05:00
Author
Owner
Copy Link

@McNickSistoPro commented on GitHub (May 7, 2025):

Did you use PnP to grant Sharepoint access to the app registration ?

<!-- gh-comment-id:2858676748 --> @McNickSistoPro commented on GitHub (May 7, 2025): Did you use PnP to grant Sharepoint access to the app registration ?
GiteaMirror commented 2026-04-19 22:46:47 -05:00
Author
Owner
Copy Link

@erictmnz commented on GitHub (May 7, 2025):

No I used the GraphQL API as described under the link that I posted. That worked fine.

<!-- gh-comment-id:2859845263 --> @erictmnz commented on GitHub (May 7, 2025): No I used the GraphQL API as described under the link that I posted. That worked fine.
GiteaMirror commented 2026-04-19 22:46:47 -05:00
Author
Owner
Copy Link

@McNickSistoPro commented on GitHub (May 8, 2025):

No I used the GraphQL API as described under the link that I posted. That worked fine.

Did you need admin privileges ?

<!-- gh-comment-id:2861886215 --> @McNickSistoPro commented on GitHub (May 8, 2025): > No I used the GraphQL API as described under the link that I posted. That worked fine. Did you need admin privileges ?
GiteaMirror commented 2026-04-19 22:46:48 -05:00
Author
Owner
Copy Link

@erictmnz commented on GitHub (May 8, 2025):

Yes to grant access to a specific site.

<!-- gh-comment-id:2861904830 --> @erictmnz commented on GitHub (May 8, 2025): Yes to grant access to a specific site.
GiteaMirror commented 2026-04-19 22:46:48 -05:00
Author
Owner
Copy Link

@hurxxxx commented on GitHub (May 8, 2025):

I'm looking into this for improvement

<!-- gh-comment-id:2863308275 --> @hurxxxx commented on GitHub (May 8, 2025): I'm looking into this for improvement
GiteaMirror commented 2026-04-19 22:46:49 -05:00
Author
Owner
Copy Link

@erictmnz commented on GitHub (May 8, 2025):

Much appreciated - will test today! 🚀

<!-- gh-comment-id:2863939169 --> @erictmnz commented on GitHub (May 8, 2025): Much appreciated - will test today! 🚀
GiteaMirror commented 2026-04-19 22:46:49 -05:00
Author
Owner
Copy Link

@erictmnz commented on GitHub (May 8, 2025):

@hurxxxx and @tjbck it is now working with a single tenant.
However, the application needs to be set up as a SPA and have the url root of Open WebUI defined as a redirect URL.
This should probably be added to the documentation. Would you like me to create a merge request for the doc repo?

<!-- gh-comment-id:2864345216 --> @erictmnz commented on GitHub (May 8, 2025): @hurxxxx and @tjbck it is now working with a single tenant. However, the application needs to be set up as a SPA and have the url root of Open WebUI defined as a redirect URL. This should probably be added to the documentation. Would you like me to create a merge request for the doc repo?
GiteaMirror commented 2026-04-19 22:46:49 -05:00
Author
Owner
Copy Link

@hurxxxx commented on GitHub (May 9, 2025):

@erictmnz That would be greatly appreciated if you could do that!

<!-- gh-comment-id:2864730036 --> @hurxxxx commented on GitHub (May 9, 2025): @erictmnz That would be greatly appreciated if you could do that!
GiteaMirror commented 2026-04-19 22:46:50 -05:00
Author
Owner
Copy Link

@almajo commented on GitHub (May 12, 2025):

Hey thanks for the integration! Can one of you maybe update the documentation for a tutorial how to setup the Sharepoint integration? Latest Env variables are missing and also a tutorial on the setup would be highly appreciated.

In addition, as I understand correctly, app registrations with secrets are not supported at the moment, right?

<!-- gh-comment-id:2871326574 --> @almajo commented on GitHub (May 12, 2025): Hey thanks for the integration! Can one of you maybe update the documentation for a tutorial how to setup the Sharepoint integration? Latest Env variables are missing and also a tutorial on the setup would be highly appreciated. In addition, as I understand correctly, app registrations with secrets are not supported at the moment, right?
GiteaMirror commented 2026-04-19 22:46:50 -05:00
Author
Owner
Copy Link

@erictmnz commented on GitHub (May 12, 2025):

Hi @almajo,

Sorry I haven’t had time to fully write this up yet.

This should get you there:

How to Enable OneDrive / SharePoint Integration in Open WebUI

This guide explains how to enable OneDrive and SharePoint integration in Open WebUI (≥ v0.6.8). The same Azure app registration can also be used for Microsoft OAuth login if needed.

1. Register a Microsoft Entra Application

  1. Go to Microsoft Entra Admin Center → App registrations → New registration.
  2. Choose tenant type:
    • Single-tenant: Only users from your Microsoft 365 tenant
    • Multi-tenant: Allow guests/external users to use their own OneDrive
  3. Under Platform, choose Single-page application (SPA).
  4. Enable Access tokens and ID tokens.
  5. Set Redirect URI: your Open WebUI root URL (e.g., https://ai.example.com)
  6. Save and note:
    • Application (client) ID
    • Directory (tenant) ID (only if using single-tenant)

2. Add Microsoft Graph & SharePoint API Permissions

Under API Permissions → + Add permission, add the following delegated scopes for both Microsoft Graph and Sharepoint (as applicable):

Scope Type Purpose
Files.Read Delegated Read user's OneDrive files
Files.Read.All Delegated Read all accessible files
Sites.Read.All Delegated Read site metadata & libraries
User.Read Delegated Access signed-in user info
AllSites.Read Delegated Legacy SharePoint access
MyFiles.Read Delegated Access personal drive
Sites.Search.All Delegated Enable file search

Important

: Click Grant admin consent to apply permissions tenant-wide.

3. Configure Environment Variables

In your .env file or env variables add:

# OneDrive / SharePoint integration
ENABLE_ONEDRIVE_INTEGRATION=true
ONEDRIVE_CLIENT_ID=your-client-id
ONEDRIVE_SHAREPOINT_TENANT_ID=your-tenant-id
<!-- gh-comment-id:2873667859 --> @erictmnz commented on GitHub (May 12, 2025): Hi @almajo, Sorry I haven’t had time to fully write this up yet. This should get you there: ## How to Enable OneDrive / SharePoint Integration in Open WebUI This guide explains how to enable OneDrive and SharePoint integration in **Open WebUI** (≥ v0.6.8). The same Azure app registration can also be used for Microsoft OAuth login if needed. --- ### 1. Register a Microsoft Entra Application 1. Go to **Microsoft Entra Admin Center → App registrations → New registration**. 2. Choose tenant type: - **Single-tenant**: Only users from your Microsoft 365 tenant - **Multi-tenant**: Allow guests/external users to use their own OneDrive 3. Under **Platform**, choose **Single-page application (SPA)**. 4. Enable **Access tokens** and **ID tokens**. 5. Set **Redirect URI**: your Open WebUI root URL (e.g., `https://ai.example.com`) 6. Save and note: - **Application (client) ID** - **Directory (tenant) ID** (only if using single-tenant) --- ### 2. Add Microsoft Graph & SharePoint API Permissions Under **API Permissions → + Add permission**, add the following **delegated** scopes for both Microsoft Graph and Sharepoint (as applicable): | Scope | Type | Purpose | |-------|------|---------| | `Files.Read` | Delegated | Read user's OneDrive files | | `Files.Read.All` | Delegated | Read all accessible files | | `Sites.Read.All` | Delegated | Read site metadata & libraries | | `User.Read` | Delegated | Access signed-in user info | | `AllSites.Read` | Delegated | Legacy SharePoint access | | `MyFiles.Read` | Delegated | Access personal drive | | `Sites.Search.All` | Delegated | Enable file search | > **Important**: Click **Grant admin consent** to apply permissions tenant-wide. --- ### 3. Configure Environment Variables In your `.env` file or env variables add: ```env # OneDrive / SharePoint integration ENABLE_ONEDRIVE_INTEGRATION=true ONEDRIVE_CLIENT_ID=your-client-id ONEDRIVE_SHAREPOINT_TENANT_ID=your-tenant-id
GiteaMirror commented 2026-04-19 22:46:51 -05:00
Author
Owner
Copy Link

@almajo commented on GitHub (May 19, 2025):

Hey @erictmnz thanks for the instructions, that really helped me out a lot!

However, when opening the file picker, the pop-up is blocked by the browser and because of this the auth flow is not working correctly. Only after allowing pop-ups and clicking on OneDrive (work/school) again makes it work.

Do you see this problem, too? I have tried with Chrome and Safari. Do you have an idea how we could circumvent this (running the auth flow not in a pop-up but maybe on the main page)?

<!-- gh-comment-id:2891631599 --> @almajo commented on GitHub (May 19, 2025): Hey @erictmnz thanks for the instructions, that really helped me out a lot! However, when opening the file picker, the pop-up is blocked by the browser and because of this the auth flow is not working correctly. Only after allowing pop-ups and clicking on OneDrive (work/school) again makes it work. Do you see this problem, too? I have tried with Chrome and Safari. Do you have an idea how we could circumvent this (running the auth flow not in a pop-up but maybe on the main page)?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#16978
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?