Connect Retool to OneDrive using a REST API Resource pointed at the Microsoft Graph API (https://graph.microsoft.com/v1.0). Authenticate via Azure AD OAuth 2.0 with the Files.ReadWrite.All scope. Build a document management panel that browses drives, lists files, generates shared links, and manages Microsoft 365 file storage for your organization.
| Fact | Value |
|---|---|
| Tool | OneDrive |
| Category | Storage |
| Method | REST API Resource |
| Difficulty | Intermediate |
| Time required | 35 minutes |
| Last updated | April 2026 |
Build a OneDrive File Management Panel in Retool
OneDrive for Business and personal OneDrive storage are central to Microsoft 365 organizations — teams store, share, and collaborate on files across OneDrive and SharePoint, with content synced to devices and accessible through Teams and Office apps. Operations teams often need a way to manage this file storage programmatically: auditing shared links, monitoring storage usage, organizing files in bulk, or building approval workflows around document creation. Retool provides a custom interface for these operations through the Microsoft Graph API.
Microsoft Graph is the unified API for all Microsoft 365 services — it handles not just OneDrive but also SharePoint, Teams, Calendar, Mail, and more. This means a single Retool resource configured with Graph API credentials can potentially query across your entire Microsoft 365 tenant, depending on the permissions granted. For OneDrive specifically, the /me/drive endpoints serve personal drives and the /drives endpoint accesses organizational SharePoint drives that appear as OneDrive for Business storage.
Practical use cases in Retool include a document management panel for content teams that need to organize files outside the OneDrive web UI's limitations, a shared link audit tool that reviews and cleans up overly permissive sharing across the organization, and a file request management dashboard for teams that receive external file submissions through OneDrive file request links. The server-side proxy in Retool ensures OAuth tokens never reach end users' browsers, making this pattern safe for handling organizational file data.
Integration method
OneDrive is accessed through the Microsoft Graph API — a unified REST API for all Microsoft 365 services. Retool connects via a REST API Resource using OAuth 2.0 authentication against Azure Active Directory. You register an app in Azure AD, configure the OAuth credentials in Retool, and all Graph API calls proxy through Retool's server-side layer. The Graph API base URL is https://graph.microsoft.com/v1.0, and OneDrive operations use the /me/drive and /drives endpoints.
Prerequisites
- An Azure Active Directory account with permission to register applications (or an existing Azure AD app registration with Graph API permissions)
- Microsoft 365 tenant admin access (required for granting admin consent to API permissions)
- A Retool account with permission to create Resources
- Your Azure AD tenant ID, client ID, and client secret from the app registration
- Understanding of OAuth 2.0 flow — Retool handles token refresh automatically once configured
Step-by-step guide
Register an Azure AD application with OneDrive permissions
To access the Microsoft Graph API (which powers OneDrive), you need to register an application in Azure Active Directory. Navigate to the Azure Portal (portal.azure.com) and sign in with your organizational admin account. In the left navigation, click Azure Active Directory, then App registrations, then New registration. Give the app a name like 'Retool Graph API' and set Supported account types to 'Accounts in this organizational directory only' for most corporate setups. In the Redirect URI section, set the type to Web and enter Retool's OAuth callback URL: https://oauth.retool.com/oauth/server if you are using Retool Cloud (check Retool's resource configuration screen for the exact OAuth callback URL — it is displayed there). Click Register. After registration, note your Application (client) ID and Directory (tenant) ID from the Overview page — you need both. Next, click Certificates & secrets in the left menu, then New client secret. Enter a description and set an expiration period. Copy the Secret Value immediately (it is only shown once). Finally, click API permissions → Add a permission → Microsoft Graph → Delegated permissions. Search for and add: Files.ReadWrite.All (for full file access), Sites.Read.All (for SharePoint/OneDrive for Business drives), and User.Read (for basic user profile). Click Grant admin consent for [your tenant] to approve these permissions for your organization.
Pro tip: For read-only dashboards like file browsers or audit tools, use Files.Read.All instead of Files.ReadWrite.All to follow the principle of least privilege. Only add write permissions (Files.ReadWrite.All) if your Retool app needs to create, update, or delete OneDrive files.
Expected result: An Azure AD app registration exists with the correct Graph API permissions, admin consent granted, and you have the Tenant ID, Client ID, and Client Secret.
Configure the Microsoft Graph REST API Resource with OAuth 2.0
In Retool, navigate to the Resources tab and click Add Resource. Select REST API. Name the resource 'Microsoft Graph API' or 'OneDrive API'. In the Base URL field, enter https://graph.microsoft.com/v1.0. Scroll to Authentication and select OAuth 2.0 from the dropdown. The OAuth configuration requires several fields: for Authorization URL, enter https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize (replace YOUR_TENANT_ID with your actual tenant ID). For Token URL, enter https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token. For Client ID, enter the Application (client) ID from Azure AD. For Client Secret, enter the secret value you copied. For Scope, enter: https://graph.microsoft.com/Files.ReadWrite.All https://graph.microsoft.com/Sites.Read.All https://graph.microsoft.com/User.Read offline_access (the offline_access scope is required for Retool to receive a refresh token and keep sessions alive). Select 'Share OAuth 2.0 credentials between users' if you want all Retool users to share a single service account connection, or leave it unchecked to require each user to authenticate individually. Click Save Changes. After saving, click the 'Connect OAuth' button that appears — this opens the Microsoft login flow where you authenticate once to establish the token.
Pro tip: For organizational deployments where all Retool users should see the same files, enable 'Share OAuth 2.0 credentials between users'. Use a dedicated service account (e.g., retool-service@yourcompany.com) for the OAuth connection to avoid dependency on a personal employee account.
Expected result: The Microsoft Graph API resource shows a connected OAuth status and test queries return Graph API data successfully.
Build OneDrive file browsing queries
With the resource configured, build queries to browse OneDrive content. Create a query named 'getDrives' — set Method to GET, Path to /me/drives. This lists all drives accessible to the authenticated user (personal OneDrive and any SharePoint drives). Create a second query named 'getDriveRoot' — GET /drives/{{ driveSelect.value }}/root/children. This fetches the top-level items in the selected drive. To navigate into folders, create a query named 'getFolderContents' — GET /drives/{{ driveSelect.value }}/items/{{ folderSelect.value || 'root' }}/children. Add URL parameters: $select=id,name,size,lastModifiedDateTime,folder,file,webUrl,@microsoft.graph.downloadUrl and $orderby=name asc. The $select parameter limits which fields Graph returns, dramatically reducing response size. Add a transformer to normalize the response and differentiate between folders and files. Display the results in a Retool Table, using a 'Type' column derived from whether the item has a 'folder' or 'file' property in the response. Add a breadcrumb navigation using Text components that track the current path by storing folder navigation in a Retool State variable.
1// Transformer: reshape Graph API drive items for Retool Table2const items = data.value || [];3return items.map(item => ({4 id: item.id,5 name: item.name,6 type: item.folder ? 'Folder' : (item.file?.mimeType || 'File'),7 size: item.size8 ? item.size > 10485769 ? `${(item.size / 1048576).toFixed(1)} MB`10 : `${Math.round(item.size / 1024)} KB`11 : '--',12 modified: new Date(item.lastModifiedDateTime).toLocaleString(),13 web_url: item.webUrl,14 is_folder: !!item.folder,15 child_count: item.folder?.childCount || 016}));Pro tip: Microsoft Graph supports $expand to include additional properties inline. For example, adding $expand=permissions to a file query returns sharing permissions in the same response, saving a second API call when building permission audit views.
Expected result: The file browser queries return normalized lists of drives and folder contents, differentiated by type (Folder vs File), visible in Retool Table components.
Build shared link generation and permission management
One of the most useful operational features is generating shared links programmatically. Create a query named 'createShareLink'. Set Method to POST. Path to /drives/{{ driveSelect.value }}/items/{{ filesTable.selectedRow.id }}/createLink. Set Body Type to JSON. In the Body, build a sharing link configuration: the 'type' field accepts 'view', 'edit', or 'embed'. The 'scope' field accepts 'anonymous', 'organization', or 'users'. The 'expirationDateTime' field takes an ISO 8601 date string for link expiry. Add a Form in a Retool Modal for creating share links: include a Select for link type (view/edit), Select for scope (organization/anonymous), Date Picker for expiration, and a Password field if you want to set a link password. After creating a link, the response contains a 'link.webUrl' that you can display to the user and offer a copy-to-clipboard button. For reviewing existing permissions, create a query named 'getPermissions' — GET /drives/{{ driveSelect.value }}/items/{{ filesTable.selectedRow.id }}/permissions — and display results in a secondary Table showing all grants for the selected item. Add a 'Revoke' button that triggers DELETE /drives/{{ driveSelect.value }}/items/{{ filesTable.selectedRow.id }}/permissions/{{ permissionsTable.selectedRow.id }}.
1// Create shared link body2{3 "type": "{{ shareLinkType.value }}",4 "scope": "{{ shareLinkScope.value }}",5 "expirationDateTime": "{{ shareLinkExpiry.value ? new Date(shareLinkExpiry.value).toISOString() : '' }}"6}Pro tip: Store the newly created share link URL in a Retool State variable and display it in a Text component with a 'Copy Link' button using the copyToClipboard() action. This saves users from needing to navigate back to OneDrive to find the link.
Expected result: The share link creation form generates OneDrive sharing URLs with configurable permissions and expiry, displayed immediately in the Retool interface for copying.
Build a storage usage monitoring dashboard
To monitor storage consumption across your organization, use the Graph API's quota endpoints. Create a query named 'getMyDriveQuota' — GET /me/drive — which returns a 'quota' object with total, used, remaining, and deleted values in bytes. For tenant-wide monitoring (Admin access required), use GET /users with a select to get all users, then for each user run GET /users/{{ userId }}/drive to get their quota. However, querying individual user drives for all users is slow for large organizations. A better approach is to use a Retool Workflow that runs on a daily schedule: the workflow queries all users, fetches each user's drive quota, and stores the results in Retool Database. Your Retool app then queries Retool Database for fast dashboard loads. Create a Chart component bound to the quota data showing a horizontal bar chart of storage used per user. Add a Table showing users sorted by storage consumed, with color-coded indicators for those over 80% of quota. Create a Configuration Variable for the storage warning threshold percentage and reference it in conditional Table row coloring.
1// Transformer: compute storage usage stats from Graph API quota response2const quota = data.quota || {};3const totalGB = (quota.total / 1073741824).toFixed(1);4const usedGB = (quota.used / 1073741824).toFixed(1);5const usedPercent = quota.total > 06 ? Math.round((quota.used / quota.total) * 100)7 : 0;89return [{10 total_gb: totalGB,11 used_gb: usedGB,12 remaining_gb: ((quota.remaining || 0) / 1073741824).toFixed(1),13 used_percent: usedPercent,14 status: usedPercent > 90 ? 'Critical'15 : usedPercent > 75 ? 'Warning'16 : 'OK'17}];Pro tip: For complex integrations involving multiple Microsoft Graph resources, custom transformers for user enumeration, and Workflow-based caching, RapidDev's team can help architect and build your Retool Microsoft 365 management solution.
Expected result: A storage monitoring dashboard shows current quota usage with visual indicators, alerting on users approaching their OneDrive storage limits.
Common use cases
Build an organizational file browser and document management panel
Create a Retool panel that lets authorized users browse OneDrive drives and SharePoint document libraries, navigate folder hierarchies, preview file metadata, generate shared links with expiry dates, and manage file permissions — all without needing OneDrive web UI access for bulk operations.
Build a Retool file browser connected to Microsoft Graph API. Show a Tree or Table of OneDrive folders and files with name, size, last-modified date, and sharing status. Include a button to generate a shared link with a configurable expiry date and permission level.
Copy this prompt to try it in Retool
Build a shared link audit and governance tool
Create a Retool audit dashboard that scans all files shared externally across your organization's OneDrive drives, shows who shared what with whom, identifies links with no expiry date, and allows admins to revoke or update permissions in bulk. This addresses a common Microsoft 365 security audit requirement.
Build a Retool governance panel that queries Microsoft Graph for all shared OneDrive items across the organization, displays them in a Table with sharer, recipient, permission level, and expiry date, and includes bulk-revoke buttons for admin remediation.
Copy this prompt to try it in Retool
Build a storage usage monitoring dashboard
Create a Retool monitoring panel that shows OneDrive storage usage per user across the Microsoft 365 tenant, identifies users approaching their storage quota, and provides drill-down views into the largest files and folders consuming storage. Combine with Charts to visualize storage trends over time.
Build a Retool dashboard that queries Microsoft Graph for OneDrive quota usage per user in the organization. Show a Table sorted by storage used, with Charts for quota usage distribution, and a detail panel showing largest files for a selected user.
Copy this prompt to try it in Retool
Troubleshooting
OAuth 2.0 authentication flow opens but returns an error after signing in
Cause: The redirect URI configured in Azure AD app registration does not exactly match Retool's OAuth callback URL. Azure AD requires an exact match including protocol and path.
Solution: In the Retool resource configuration screen, find the OAuth callback URL displayed by Retool (typically https://oauth.retool.com/oauth/server for Retool Cloud). Copy this URL exactly and add it to your Azure AD app registration under Authentication → Redirect URIs. Even a trailing slash difference will cause the OAuth flow to fail. For self-hosted Retool, the callback URL uses your Retool instance's BASE_DOMAIN.
Graph API returns 403 Forbidden for OneDrive endpoints despite successful OAuth connection
Cause: The Azure AD application does not have the required API permissions, or admin consent was not granted. Graph API permissions require both the permission to be added to the app registration AND admin consent to be granted by a tenant admin.
Solution: In Azure Portal → Azure Active Directory → App registrations → your app → API permissions, verify Files.ReadWrite.All (or Files.Read.All) is listed. Check that the Status column shows 'Granted for [your tenant]' with a green checkmark. If not, click 'Grant admin consent for [tenant]'. You must be a Global Administrator or have the Application Administrator role to grant consent.
OneDrive queries return results for personal drive but not organizational SharePoint drives
Cause: Personal OneDrive (/me/drive) and SharePoint document libraries (OneDrive for Business) use different endpoints. SharePoint drives appear under /sites or /drives with a drive ID, not under /me/drives.
Solution: To access SharePoint document libraries (which appear as OneDrive for Business), first query /sites to list SharePoint sites, then query /sites/{site-id}/drives to list drives in each site. Add Sites.Read.All permission to your Azure AD app. For searching across all organizational drives, use the search endpoint: GET /drives with $filter=driveType eq 'documentLibrary'.
Microsoft Graph returns 429 Too Many Requests throttling errors
Cause: Microsoft Graph enforces service-specific throttling limits. For OneDrive/Files, the limit is approximately 10,000 API requests per 10 minutes per user. Dashboards making many parallel queries (one per user for quota checks) quickly hit this limit.
Solution: Implement Retool Workflow-based caching: run a scheduled Workflow that fetches data from Graph once every few hours and stores it in Retool Database. Have your Retool app read from Retool Database instead of hitting Graph API directly. For real-time requirements, use Retool's query caching (30-second TTL) and avoid triggering the same query on every component render.
Best practices
- Use a dedicated Azure AD service account for the OAuth connection rather than a personal employee account — this prevents the integration from breaking when the employee leaves or changes passwords
- Request only the minimum required Graph API permission scopes — use Files.Read.All for read-only dashboards and only escalate to Files.ReadWrite.All when write operations are needed
- Store Azure AD Client ID, Tenant ID, and Client Secret in Retool Configuration Variables marked as secrets, not hard-coded in the resource configuration
- Use Microsoft Graph's $select parameter to limit fields returned in API responses — requesting only the columns you need significantly reduces response size and API quota consumption
- Implement Retool Workflow-based caching for expensive queries like organization-wide storage audits that enumerate all users' drives — cache results in Retool Database and refresh on a schedule rather than on every dashboard load
- Add the offline_access scope to OAuth configuration to ensure Retool can refresh tokens automatically — without this, users are logged out after the access token expires (typically 1 hour)
- For file upload operations, use Graph API's large file upload session API for files over 4MB — the simple PUT endpoint only supports files up to 4MB and silently fails for larger files
Alternatives
Dropbox uses its own OAuth 2.0 API rather than Microsoft Graph, making it a simpler alternative for teams not embedded in the Microsoft 365 ecosystem who need cloud file storage management.
Box is the enterprise alternative to OneDrive for organizations that require stronger access governance, compliance certifications, and enterprise content management outside the Microsoft ecosystem.
AWS S3 has a native Retool connector and is the better choice for teams storing application assets or data files in AWS rather than organizational documents in Microsoft 365.
Frequently asked questions
Can I access SharePoint files through the same Retool resource as OneDrive?
Yes. Microsoft Graph is a unified API for all Microsoft 365 services, including both OneDrive personal storage (/me/drive) and SharePoint document libraries (/sites/{site-id}/drives). The same Retool REST API Resource with Graph API credentials can access both, provided you've added Sites.Read.All permission to your Azure AD app. SharePoint drives appear as document libraries with a driveType of 'documentLibrary'.
Does Retool have a native OneDrive connector?
No, Retool does not have a native OneDrive connector. You connect through the Microsoft Graph REST API Resource, which provides access to OneDrive and all other Microsoft 365 services. The setup requires Azure AD app registration but provides comprehensive file management capabilities once configured.
How do I upload files to OneDrive from a Retool app?
For files under 4MB, use a PUT request to /me/drive/root:/{file-path}:/content with the file binary in the request body. Retool's File Picker component can capture files, and the contents can be sent via the query body. For larger files, use Microsoft Graph's upload session API: first create an upload session via POST, then upload the file in chunks using the returned upload URL. This pattern requires multiple sequential queries managed through Retool's query chaining.
How do I search for files across all OneDrive drives in my organization?
Use Microsoft Graph's search endpoint: POST /search/query with a query object targeting OneDrive entity types. The request body specifies the search term, entity types (['driveItem']), and fields to return. This searches across all drives the authenticated user has access to, returning files with their parent drive and folder path. Alternatively, for organization-wide admin search, use GET /drives with appropriate filters and the Sites.Read.All permission.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation