Bristol University is just about completing a migration of services from Google to Microsoft Office 365. After much wailing and gnashing of teeth in the early days most folks seem to have settled into the new environment and are making use of the new collaboration tools including Sharepoint. As someone who adminstered Sharepoint based intranets on Windows Server 2003 back in the day this would ordinarily have caused a cold shiver down my spine but it’s come a long way and good use of the shared calendaring, email, intranet, project/task management, and change-tracked document repository features has been made in the groups I am part of.
One of those groups, the BioSPI Laboratory has a shared server for number crunching jobs and other ad-hoc services where it would be useful to have access to our group’s Sharepoint document repository. My favourite cloud storage swiss army knife of recent years is the excellent rclone by Nick Craig-Wood. I’ve used it on several projects for accessing services such as Backblaze B2, Amazon S3, SFTP sites, Google Drive on a variety of operating systems and it has been flawless in my experience. It natively supports Microsoft OneDrive/Sharepoint but I found there were a couple of extra hoops to jump through to get it working with our institution’s particular configuration.
The friendliest way to do this is via the Microsoft Graph Explorer but it is possible to query these endpoints directly through whatever tool you prefer.
Once signed in, the first query is to https://graph.microsoft.com/v1.0/me/memberOf
which will give you a (possibly long) list of all the groups you are a member of, e.g.:
[…] { “@odata.type”:“#microsoft.graph.group”, “id”: Grab this ID here, “deletedDateTime”: null, “classification”: “Confidential”, “createdDateTime”: “2018-10-13T11:23:06Z”, “creationOptions”: [ “GROUPSONA:STANDARD” ], “description”: “BioSP👁 group @ The University of Bristol 🧠”, “displayName”: “grp-BioSP👁”, “groupTypes”: [ “Unified” ], […] }, […]
Next, query https://graph.microsoft.com/v1.0/groups/[group ID from the last step]/drives
and similarly grab the ID field. Confusingly, this ID is not a GUID like all of the other IDs in the microsoft graph. There’ll be a record for each drive in the Sharepoint site, in most cases there’ll just be a single document library as below:
{ “@odata.context”: “https://graph.microsoft.com/v1.0/$metadata#drives", “value”: [ { “createdDateTime”: “2018-10-06T08:10:49Z”, “description”: “”, “id”: Grab this ID here, “lastModifiedDateTime”: “2018-10-06T08:10:49Z”, “name”: “Documents”, “webUrl”: “redacted”, “driveType”: “documentLibrary”, “createdBy”: { “user”: { “displayName”: “System Account” } }, “owner”: { “group”: { “email”: “redacted”, “id”: “redacted”, “displayName”: “grp-BioSP👁” } }, “quota”: { “deleted”: 0, “remaining”: 0, “total”: 0, “used”: 0 } } ] }
When I initially set this up, I didn’t do this step and everything worked… for about 2 weeks and then I got errors saying my client was unauthorised. Whether the default rclone ClientID got banned, or the university tightened up some settings somewhere I don’t know but you may find you have to create your own ClientID to gain access to your institution. The rclone documentation section on this matter is very clear, but my instution has denied access to the part of the Azure AD Portal linked in those docs so an alternative method is required.
A previous version of the rclone docs, pointed at the old App Registration Portal which was deprecated earlier this year and was supposed to be turned off in September but as of writing (November 2019) is still working.
http://localhost:53682
and you’re done. Make a note of your AppID/ClientID and client secret (the password you created), you’ll need them later.
This way is hard, and complicated, and the process given in the Microsoft ITOps Blog is incomplete. Instead, the process described in a pair of blog posts by Octavie van Haaften is far more complete but still far from simple. Most notably, one must sift through the Service Principles, App Roles, and Oath2Permissions returned by the instructions in these posts to find the ones that correspond to the instructions from rclone.
If there’s enough demand, I might wrap these steps up into a powershell helper script to make the process less painful. If you find yourself also with no access to the Azure AD portal then once the old portal is turned off this will be the only way left, alas.
If you’re familiar with rclone then once you have your DriveID, (optional) ClientID & secret then you should be good to set up a new OneDrive remote with this information. If not, here’s my instructions for setting up on a remote server running Ubuntu Linux 18.04 (should apply to most installations)
Excellent instructions are provided on the rclone download page and I found the “script download and install” method worked great for me. If you like a little more control over the process, then just grab the latest .deb and sudo dpkg -i rclone-current-linux-amd64.deb
to install it.
If you’re setting up rclone on your local machine, or a machine where you have GUI access then this step isn’t required. In my case, I was connecting to a remote server over SSH so I had to install rclone on my local machine before I started configuring the remote machine so that I was able to issue the rclone authorize
command required in the next set of instructions
Running rclone config
will enter you into the configuration menu for rclone
And you’re done! This “remote” you have configured can now be used by name in any of the rclone commands, such as rclone mount which (in daemon mode) can provide persistent access to your document repository as if it were a local directory.
I hope this is useful to some people and if you’ve got any questions, hit me up on the socials at the top of the page.