Can OneDrive Personal access tokens be read-only?

What is the problem you are having with rclone?

Is there any way to set up & configure an access token with Microsoft OneDrive Personal to be read-only? I have tried to use the advanced configuration tool to generate a token with read-only scopes, and the config file specifies only read permissions, yet I am still able to touch and delete a file using rclone.

I want to run rclone against a OneDrive setup but need to ensure that there is no chance that the token can be compromised or used to make changes to the drive.

Given that it is a OneDrive personal account, I do not have the ability to create an app registration in Azure.

Run the command 'rclone version' and share the full output of the command.

rclone v1.69.1
- os/version: darwin 13.4 (64 bit)
- os/kernel: 22.5.0 (arm64)
- os/type: darwin
- os/arch: arm64 (ARMv8 compatible)
- go/version: go1.24.0
- go/linking: dynamic
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Microsoft OneDrive Personal

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone --config /tmp/rclone/rclone.config deletefile OneDrive:test.txt

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[OneDrive]
type = onedrive
access_scopes = Files.Read Files.Read.All Sites.Read.All offline_access
token = XXX
drive_id = XXX
drive_type = personal

A log from the command that you were trying to run with the -vv flag

rclone -vv --config /tmp/rclone/rclone.config deletefile OneDrive:test.txt

2025/04/05 15:03:40 DEBUG : rclone: Version "v1.69.1" starting with parameters ["rclone" "-vv" "--config" "/tmp/rclone/rclone.config" "deletefile" "OneDrive:test.txt"]
2025/04/05 15:03:40 DEBUG : Creating backend with remote "OneDrive:test.txt"
2025/04/05 15:03:40 DEBUG : Using config file from "/tmp/rclone/rclone.config"
2025/04/05 15:03:41 DEBUG : fs cache: renaming child cache item "OneDrive:test.txt" to be canonical for parent "OneDrive:"
2025/04/05 15:03:41 INFO  : test.txt: Deleted
2025/04/05 15:03:41 DEBUG : 6 go routines active

This should not be the case. I have not done it myself yet, but you will find multiple posts on this forum confirming that it works. Even more, it is the only way nowadays to get your own client_id.

This is the screen I get when I try to enable app registrations.

To be fair, I didn't try to sign up for Azure specifically for the personal account, but it seems like a complicated approach for what should be a simple task. Is that truly the only option? To have to set up Azure with a personal email address?

Thanks,

Eric

It is what Microsoft decided...