I was wondering about the feasibility of creating a OneDrive connection that does not grant full access to all the files on my OneDrive. There are some files that have sensitive content and I do not want n8n to access them. Is there a way to create a connection that does not give it full access to my OneDrive folders and only access to a selection of them?
If you are using a personal Microsoft account, OneDrive supports a special Files.ReadWrite.AppFolder permission scope. This creates a dedicated, isolated folder inside your OneDrive (usually located at OneDrive/Apps/n8n). n8n will only be able to see and interact with files inside that specific folder. Anything outside of it remains entirely invisible to the integration.
To set this up, you cannot use n8n’s default one-click authentication. You must create your own Custom App Registration:
Go to the Microsoft Entra admin center (or Azure Portal) and register a new application.
Under API Permissions → Microsoft Graph → Delegated Permissions, look for Files.ReadWrite.AppFolder and check it.
Ensure that broader permissions like Files.ReadWrite or Files.ReadWrite.All are not selected.
Copy your Client ID and Client Secret.
In n8n, create a new Microsoft OneDrive OAuth2 API credential, switch the Auth Type to own/custom, and input your Client ID and Secret.
When you authorize, Microsoft will only grant access to that singular sandboxed application folder.
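An added example, not part of the original posts and not n8n's own code: one way to confirm that the OAuth2 token response returned after authorization lists only the app-folder scope. The function names, the allowlist and the sample responses are assumptions constructed for illustration.

```python
import json

# Scopes this integration is expected to hold (assumed allowlist). The OpenID
# Connect scopes are accepted because they grant no access to files.
ALLOWED = {"files.readwrite.appfolder", "offline_access", "openid", "profile", "email"}
REQUIRED = "files.readwrite.appfolder"
GRAPH_PREFIX = "https://graph.microsoft.com/"


def normalize(scope):
    """Lower-case a scope and drop the Graph resource prefix if present."""
    s = scope.strip()
    if s.lower().startswith(GRAPH_PREFIX):
        s = s[len(GRAPH_PREFIX):]
    return s.lower()


def audit_token_response(raw_json):
    """Return (ok, unexpected_scopes) for an OAuth2 token response body."""
    body = json.loads(raw_json)
    scope_field = body.get("scope")
    if not isinstance(scope_field, str) or not scope_field.strip():
        # Without a scope list least privilege cannot be confirmed: fail closed.
        return False, ["<scope field missing>"]
    granted = {normalize(s) for s in scope_field.split()}
    unexpected = sorted(granted - ALLOWED)
    return (not unexpected and REQUIRED in granted), unexpected


# Constructed sample responses (token values are placeholders).
SAMPLE_SCOPED = json.dumps({
    "token_type": "Bearer",
    "scope": "Files.ReadWrite.AppFolder offline_access",
    "access_token": "<placeholder>",
})
SAMPLE_BROAD = json.dumps({
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/Files.ReadWrite.All "
             "https://graph.microsoft.com/Files.ReadWrite.AppFolder offline_access",
    "access_token": "<placeholder>",
})

if __name__ == "__main__":
    for name, sample in (("scoped", SAMPLE_SCOPED), ("broad", SAMPLE_BROAD)):
        print(name, audit_token_response(sample))
```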
@pnanos
Not directly with the standard OneDrive credential in n8n; it receives the permissions granted to the application in Microsoft Graph, so to restrict access to specific folders you would typically need to use a dedicated account, a separate shared drive, or register your own Azure application with more restrictive permissions.
The easiest way to fix this is to create a second, separate Microsoft account just for n8n. Instead of connecting n8n to your main account, you connect it to this new one. You then go into your main account and “share” only the specific folders you want n8n to use with that second account. This creates a digital wall that keeps your sensitive files completely invisible to n8n.
One thing worth noting: Files.ReadWrite.AppFolder only works with personal Microsoft accounts (Outlook.com/Hotmail). If you have a work or school Microsoft 365 account, that permission scope is not available. For business accounts your best option is the dedicated SharePoint site approach - create a separate site, scope the App Registration to that site’s resource only, and point n8n at that SharePoint URL instead of your main OneDrive. It gives you the same folder isolation effect.