Add or Edit a OneDrive for Business Source


OneDrive for Business sources are unavailable in organizations created after November, 2020. To index OneDrive items, you must create a SharePoint Online source, and select OneDrive in the source Content to Include section.

When you have the required privileges, you can add the content of managed users' OneDrive for Business to a Coveo organization.

Leading practice

The number of items that a source processes per hour (crawling speed) depends on various factors, such as network bandwidth and source configuration. See About Crawling Speed for information on what can impact crawling speed, as well as possible solutions.

Source Key Characteristics

Features Supported Additional information
OneDrive for Business within SharePoint SharePoint Online  
Searchable content types check List folders, list items, and list item attachments.
Content update operations Refresh check

Takes place every six hours by default.

Rescan check  
Rebuild check  
Content security options Same users and groups as in your content system check  
Specific users and groups check  
Everyone check  


Supported SharePoint Versions

The source supports OneDrive for Business within SharePoint Online.

SharePoint Account With Appropriate Permissions

When you want to include OneDrive for Business content, you must create a specific SharePoint account that will be only used for the source. If you use your own account, you must change the source Password value in the Edit a OneDrive for Business Source panel every time you change your password to prevent authentication errors.

Select or create a user that the source will use to retrieve your OneDrive for Business content. See the following table to identify the required type of user for your web application enabled authentication.

SharePoint authentication Type of user User format


Native Office 365 account

SSO with SAML identity provider (such as ADFS and Okta)

Identity provider user account

This SharePoint account must be:


OneDrive users can remove the Coveo crawling account from the list of site administrators allowed to access their OneDrive. If updates in a user’s OneDrive are suddenly not retrieved anymore, the user might have removed the crawling account from this list.

Add or Edit a OneDrive for Business Source

Before you start, ensure that your OneDrive for Business instance meets the source requirements.

Then, when adding or editing your OneDrive for Business source, follow the instructions below.

"Configuration" Tab

On the Add/Edit a OneDrive for Business Source subpage, the Configuration tab is selected by default. It contains your source’s general and content information, as well as other parameters.

General Information

Source Name

Enter a name for your source.

Leading practice

A source name can’t be modified once it’s saved, therefore be sure to use a short and descriptive name, using letters, numbers, hyphens (-), and underscores (_). Avoid spaces and other special characters.

Site URL

Enter your OneDrive for Business root site, including the protocol (https://).


Optical Character Recognition (OCR)

If you want Coveo to extract text from image files or PDF files containing images, check the appropriate box. OCR-extracted text is processed as item data, meaning that it’s fully searchable and will appear in the item Quick View. See Enable Optical Character Recognition for details on this feature.


Contact Coveo Sales to add this feature to your organization license.

"Authentication" Section

When you want to include a secured OneDrive for Business content or include permissions, you must set the appropriate authentication parameters.

  1. Enter the Username and Password of a dedicated OneDrive for Business administrator account that has access to the content you want to include (see SharePoint Online instructions in Granting SharePoint Permission to the Crawling Account). See Source Credentials Leading Practices.

  2. Depending on the provider used to log in to SharePoint, enter the applicable Identity provider URL:

    • When using SSO Office 365 authentication, enter the URL of the identity provider server used in SharePoint Online to authenticate users. This URL is required since OneDrive for Business is part of SharePoint Online.

    • When authenticating via ADFS, you can edit the identity provider URL in the ADFS settings (see Finding and Enabling the ADFS Service Endpoint URL Path).

    • When authenticating via Okta, the URL should be of the following format:{applicationId}/sso/wsfed/active

    • When using native authentication, leave this field blank.

  3. Depending on the provider used to log in to SharePoint, enter the applicable SharePoint trust identifier:

    • When using SSO Office 365 authentication, enter the Relying Party Trust identifier for the SharePoint Online identity provider server. The URL is required since OneDrive for Business is part of SharePoint Online.

    • Unless you use a different or modified SharePoint Online identity provider, use the default urn:federation:MicrosoftOnline value.

    • When using native authentication, you may leave the default value, as it will be ignored.

"Content to Include" Section

Select List folders if you need to index your OneDrive for Business list folders.

"Content Security" Tab

Select who will be able to access the source items through a Coveo-powered search interface. For details on this parameter, see Content Security.


When using the Everyone content security option, see Safely Apply Content Filtering for information on how to ensure that your source content is safely filtered and only accessible by intended users.

"Access" Tab

In the Access tab, set whether each group and API key can view or edit the source configuration (see Resource Access):

  1. If available, in the left pane, click Groups or API Keys to select the appropriate list.

  2. In the Access Level column for groups or API keys with access to source content, select View or Edit.


  1. Finish adding or editing your source:

    • When you want to save your source configuration changes without starting a build/rebuild, such as when you know you want to do other changes soon, click Add Source/Save.


      On the Sources (platform-eu | platform-au) page, you must click Launch build or Start required rebuild in the source Status column to add the source content or to make your changes effective, respectively.

    • When you’re done editing the source and want to make changes effective, click Add and Build Source/Save and Rebuild Source.

      Back on the Sources (platform-eu | platform-au) page, you can review the progress of your source addition or modification.

      Once the source is built or rebuilt, you can review its content in the Content Browser.

  2. Optionally, consider editing or adding mappings once your source is done building or rebuilding.

Safely Apply Content Filtering

The best way to ensure that your indexed content is seen only by the intended users is to enforce content security by selecting the Same users and groups as in your content system option. Should this option be unavailable, select Specific users and groups instead.

However, if you need to configure your source so that the indexed source content is accessible to Everyone, you should adhere to the following leading practices to ensure that your source content is safely filtered and only accessible by the appropriate users:

Following the above leading practices results in a workflow whereby the user query is authenticated server side via a search token that enforces the search hub from which the query originates, which can’t be modified by users or client-side code. The query then passes through a specific query pipeline based on a search hub condition, and the query results are filtered using the pipeline filter rules.

Configure Query Filters

Filter rules allow you to enter hidden query expressions to be added to all queries going through a given query pipeline. They’re typically used to add a field-based expression to the constant query expression (cq).


You apply the @objectType=="Solution" query filter to the pipeline to which the traffic of your public support portal is directed. As a result, the @objectType=="Solution" query expression is added to any query sent via this support portal.

Therefore, if a user types Speedbit watch wristband in the searchbox, the items returned are those that match these keywords and whose objectType has the Solution value. Items matching these keywords but having a different objectType value aren’t returned in the user’s search results.

To learn how to configure query pipeline filter rules, see Manage Filter Rules.


You can also enforce a filter expression directly in the search token.

Use Condition-Based Query Pipeline Routing

The most recommended and flexible query pipeline routing mechanism is condition-based routing.

When using this routing mechanism, you ensure that search requests are routed to a specific query pipeline according to the search interface from which they originate, and the authentication is done server-side.

To accomplish this:

  1. Apply a condition to a query pipeline based on a search hub value, such as Search Hub is Community Search or Search Hub is Agent Panel. This condition ensures that all queries that originate from a specific search hub go through that query pipeline.

  2. Authenticate user queries via a search token that’s generated server side and that contains the search hub parameter that you specified in the query pipeline.

Configure the Search Token

When using query filters to secure content, the safest way to enforce content security is to authenticate user queries using a search token that’s generated server side. For instance, when using this approach, you can enforce a search hub value in the search token. This makes every authenticated request that originates from a component use the specified search hub, and therefore be routed to the proper query pipeline. Because this configuration is stored server side and encrypted in the search token, it can’t be modified by users or client-side code.

Implementing search token authentication requires you to add server-side logic to your web site or application. Therefore, the actual implementation details will vary from one project to another.

The following procedure provides general guidelines:


If you’re using the Coveo In-Product Experience (IPX) feature, see Implementing Advanced Search Token Authentication.

  1. Authenticate the user.

  2. Call a service exposed through Coveo to request a search token for the authenticated user.

  3. Specify the userIDs for the search token, and enforce a searchHub parameter in the search token.


You can specify other parameters in the search token, such as a query filter.

For more information and examples, see Search Token Authentication.

What’s Next?