Configuring OneDrive Link for GCC-H


OneDrive Link requires a Microsoft Azure App registration that defines a client ID and secret used by Bluescape to create and refresh the Active Directory access tokens needed for users to view and edit their linked OneDrive documents.

Bluescape manages this Azure App registration for our non- Microsoft 365 Government Community Cloud High (GCC-H) customers. But for GCC-H customers, this App Registration must be created inside the customer’s GCC-H tenant.


  1. Create and configure the Azure App registration. This App registration is created inside the customer’s Azure GCC-H tenant.
  2. Configure the on-prem Bluescape instance with the new App registration’s client ID and secret.

Step 1: Creating the Azure App for Bluescape OneDrive Link

(Step 1 in the Overview section)

Where: This needs to be done inside the customer’s GCC-H tenant.
Who: Azure Admin for GCC-H tenant.

Navigate to Microsoft Azure Government and the New registration button at the top left.

We suggest using a “Name” like that shown below. Select the Multi-tenant option, so this App can access documents in multiple Azure GCC-H O365 tenants.

You can skip the Redirect URL section (we come back to that later) and press Register.

After pressing the Register button, you land on a page that shows the Overview for your new App registration. Nothing needs to be configured on this page. It simply displays the Application (client) ID and other helpful information. The client secret is not shown on this page.

The following sections explain the configuration needed for the sections shown in the left navigation pane.

Branding & properties page

This screen configures the contents in the “User Consent” dialog below. Each user must provide a one-time-per-user consent to allow their document to be used by Bluescape OneDrive Link.

Note: Users may not see this dialog depending on how the Azure Tenant is configured.

You can see the Bluescape Logo here, as well as links to the Bluescape home page, "Terms of Service,” and “Privacy Statement.”

These are configured on the Branding & properties page.

We suggest using the values shown in the screen capture below:

Home page URL:
Terms of service URL: Terms of Service | Bluescape
Privacy Statement URL: Privacy Policy | Bluescape

This is fine because these items are Bluescape-related and not related to GCC-H information.

Note: You can optionally use the Bluescape logo. Ask your customer support representative.

Authentication page

Platform Configurations Section:

This is where the Redirect URLs are set. Substitute < your-bluescape-instance-domain > with your own Bluescape instance domain. For example, for Bluescape’s public production instance, the redirect URL looks like this:

Here is the text for the two URLs shown, so you don’t need to type it:
https://idfed.< your-bluescape-instance-domain >/api/v2/oauthflow/codeForTokenExchange/o365 https://client.< your-bluescape-instance-domain >/onedrive_link.html

The remainder of the Authentication page:

Scrolling down, you see the following. Please use the settings shown here and select Save.

Certificates and Secrets page

You create a new client secret on the “Client secrets” tab. This, along with the client id, is used to configure your on-prem Bluescape instance in step 2 of this document.

You can wait to generate the secret (press the "New client secret) until you are ready to transfer it to the Bluescape instance configuration in step 2 below.

Note: You can copy the secret when it is created, but subsequent visits to the page do not display the secret. So be ready to transfer the secret to the Bluescape configuration when you create it.
Choose an expiration date when creating the secret. When the secret expires, generate a new one and re-configure (step 2) the Bluescape instance with the new value. You may want to set yourself a reminder for this expiration because Azure does not send you a notification about the pending expiry.

The expired secret stops working after it expires. Once you have seen that OneDrive works with the new secret, you can delete the old secret at any time.

Token configuration page

Nothing to configure here.

API permissions page

Configure the permissions to appear as follows:

To get there, click “Add a permission” and select “Microsoft Graph” at the top.

Then click “Delegated permissions” and scroll down to “Files.” Check each of the seven items. You should see the desired results above when you click the “Add permissions” button at the bottom.

The other pages…

That is all. No other pages need to be configured.

Step 2: Configuring your Bluescape instance with the App clientId and clientSecret

Prerequisites: Obtain your new App’s clientId (Application ID) from the “Overview” page. When you are ready to transfer a secret to the Bluescape config, you can create one on the “Certificates & secrets” page.

Also, you must identify your .jsonnet file for your on-prem instance configuration. (We refer to this file as “.jsonnet”)

Open the file idfed.jsonnet. You should see these references:

Verify that the sharedConfig values have the values from your new App.

To do that, open your “.jsonnet” file and search for “onedrive+.” If it is not there, then add the section. Otherwise, edit the section to look something like this:

    onedrive+: { 

        uploadClientId: "<This is a OneDrive Upload. Use existing id if present>" 

        uploadClientSecret: "", //Unused 

        idFedClientId: "<see prerequisites above>",     // This is a OneDrive Link 

        idFedClientSecret: "<see prerequisites above>", // This is a OneDrive Link 


You should use a vault or similar mechanism to make sure that the secret is secure.

Also, add the following so that the GCC-H OneDrive link is restricted to GCC-H O365 tenants:

    idfed+: { 
        msAuthHost: ',' 
        msGraphHost: ',' 

Where to Next?

Not what you were looking for? Reply below or Search the community and discover more Bluescape.