AODocs libraries can store their attached files in Microsoft SharePoint Embedded containers, located in your own Microsoft 365 tenant. SharePoint Embedded joins Google Drive, Google Cloud Storage, and Azure Blob Storage as a storage platform for AODocs libraries.
This article is for Microsoft 365 administrators and AODocs super administrators. It explains how SharePoint Embedded storage works with AODocs and how to set it up.
Note: To use SharePoint Embedded as your AODocs storage platform, the SHAREPOINT_EMBEDDED storage service must be activated on your AODocs domain. Contact your AODocs sales representative or send an email to sales@aodocs.com.
What is SharePoint Embedded storage?
With SharePoint Embedded storage, the attached files of your AODocs libraries are stored in dedicated SharePoint Embedded containers inside your own Microsoft 365 tenant – instead of Google Drive, Google Cloud Storage, or Azure Blob Storage. Everything else about AODocs is unchanged: the permission model, versioning, workflows, and the user experience are identical to any other AODocs library.
Key points:
- Your Microsoft 365 tenant – the files physically reside in your tenant, which can help meet data residency and compliance requirements, with full access to Microsoft 365 services on your content.
- One container per library – AODocs creates and manages a dedicated SharePoint Embedded container for each library. The container's display name is the AODocs library ID, which makes auditing from the Microsoft side easier.
- Storage isolated from SharePoint quotas – SharePoint Embedded containers are dedicated storage, separate from your SharePoint sites.
- No direct user access – only the AODocs backend accesses the containers, through Microsoft Graph with application permissions. Users always work through AODocs, where AODocs permissions are enforced as usual.
- Pass-through billing – SharePoint Embedded consumption is billed by Microsoft directly to your Microsoft 365 tenant, on a pay-as-you-go basis.
How the setup works
SharePoint Embedded uses an application model with two roles:
- the owning tenant – AODocs' Microsoft tenant, where the AODocs application and its container type are defined; this part is managed by AODocs
- the consuming tenant – your Microsoft 365 tenant, where the containers are created and the files are stored
On your side, the setup consists of two steps, described below:
1. Grant admin consent to the AODocs application in your Microsoft tenant.
2. Activate SharePoint Embedded pay-as-you-go billing in the Microsoft 365 admin center.
The registration of the AODocs container type in your tenant is then performed automatically the first time you create an AODocs library with SharePoint Embedded storage – there's no manual step.
Prerequisites
Before you begin, you need:
- a valid SharePoint Online subscription with SharePoint Embedded available
- access to the Microsoft 365 admin center
- an administrator able to grant consent to applications – one of the following Microsoft Entra roles: Global Administrator, Application Administrator, or Cloud Application Administrator
- the SHAREPOINT_EMBEDDED storage service activated on your AODocs domain (contact your AODocs sales representative)
Step 1: Grant admin consent to the AODocs application
1. As an administrator of your Microsoft tenant, open the following URL in your browser:
https://login.microsoftonline.com/[customer_tenant_id]/adminconsent?client_id=[aodocs_application_id]
after replacing:
- [customer_tenant_id] with your Microsoft tenant ID, found on the Tenant properties page of the Azure portal
- [aodocs_application_id] with the AODocs application ID provided by the AODocs Support team
2. Review and accept the requested permissions:
| Permission | Purpose |
| --- | --- |
| FileStorageContainer.Selected | Access and manage the storage containers created from the AODocs container type |
| FileStorageContainerTypeReg.Selected | Register the AODocs container type in your tenant |
After you accept, the AODocs application appears in your tenant under Microsoft Entra ID > Enterprise applications.
You can review the granted permissions on the application's Permissions page.
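To run the same review from the command line, the following added example (not AODocs code) uses the Microsoft Graph PowerShell module to list the application permissions granted to the AODocs enterprise application and compare them with the two permissions listed in step 1. `$AodocsAppId` is a placeholder for the application ID provided by the AODocs Support team; delegated grants aren't checked.

```powershell
# Added example, not AODocs code. Requires the Microsoft.Graph PowerShell module.
# Placeholder: replace with the application ID provided by the AODocs Support team.
$AodocsAppId = '[aodocs_application_id]'
$Expected    = @('FileStorageContainer.Selected', 'FileStorageContainerTypeReg.Selected')

Connect-MgGraph -Scopes 'Application.Read.All'

# The enterprise application is the service principal created in your tenant by the consent.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AodocsAppId'"
if (-not $sp) {
    throw "No enterprise application found for appId $AodocsAppId. Has admin consent been granted?"
}

# Application permissions are stored as app role assignments on the service principal.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    # Resolve the role GUID to its name on the resource that defines it.
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
        GrantedOn  = $a.CreatedDateTime
    }
}

# Compare what is granted with what step 1 says should be granted.
$missing    = $Expected | Where-Object { $_ -notin $granted.Permission }
$unexpected = $granted  | Where-Object { $_.Permission -notin $Expected }

$granted | Format-Table -AutoSize
if ($missing)    { Write-Warning "Missing permissions: $($missing -join ', ')" }
if ($unexpected) { Write-Warning "Permissions beyond the documented set: $($unexpected.Permission -join ', ')" }
if (-not $missing -and -not $unexpected) {
    'Granted application permissions match the two permissions listed in step 1.'
}
```

A warning about permissions beyond the documented set means the application holds more than this article describes and is worth raising with AODocs Support before creating libraries.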
Step 2: Activate SharePoint Embedded pay-as-you-go billing
SharePoint Embedded consumption is billed by Microsoft directly to your tenant. You must set up a billing profile before AODocs can create containers.
1. Open the Microsoft 365 admin center and select Setup.
2. Under Billing and licenses, select Activate pay-as-you-go services.
3. On the Pay-as-you-go services page, open the Settings tab.
4. Under Syntex services for, select Apps, then select SharePoint Embedded and activate it. You're asked to link an Azure subscription and resource group, which will receive the consumption charges.
Note: Learn more in the Microsoft documentation: Set up a billing profile in the consuming tenant.
Step 3: Create an AODocs library with SharePoint Embedded storage
Once the SHAREPOINT_EMBEDDED storage service is activated on your AODocs domain, you can create a Document Management library and select SharePoint Embedded as its storage platform. You're asked to enter your Microsoft tenant ID – the same ID as in step 1.
screen: The library creation dialog with SharePoint Embedded selected as the storage platform and the Microsoft tenant ID field filled in.
AODocs then automatically:
- registers the AODocs container type in your Microsoft tenant (first library only – the registration is reused afterwards)
- creates and activates a dedicated SharePoint Embedded container for the library
The library is ready: uploads, downloads, versions, annotations, and locks behave exactly as with any other storage platform, and the files reside in your Microsoft 365 tenant.
Important: The admin consent (step 1) and the billing profile (step 2) must be in place before you create the first library. If they're missing, the library creation fails with an explicit error – missing consent or missing billing setup.
Good to know and limitations
- The storage platform is chosen when the library is created. Existing libraries can't be migrated to or from SharePoint Embedded – the Library Switcher doesn't support SharePoint Embedded.
- Containers are created and fully managed by AODocs. You can't link an existing container that you created yourself.
- AODocs permissions aren't replicated at the storage level: access control is enforced by AODocs, like for the other storage platforms. Administrators of your Microsoft tenant with sufficient rights on the container type can technically access the raw files from the Microsoft side.
- Importing files from an external storage and downloading attachments as a ZIP archive aren't available on SharePoint Embedded libraries in this first release.
- Microsoft applies limits per container – currently 30 million documents and 25 TB per container, which means per AODocs library. Learn more: Microsoft SharePoint Embedded documentation.
For dedicated AODocs instances: owning tenant setup
This section describes the setup performed by AODocs in the owning Microsoft tenant. You don't need to do any of this on a standard AODocs domain – it's documented for reference, and for dedicated AODocs instances where your organization also acts as the owning tenant.
Create the application registration
1. In the Azure portal, open Microsoft Entra ID > App registrations and click New registration.
2. Enter a name for the application and, under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant), then click Register.
The application's overview page displays the Application (client) ID – this is the ID used in the admin consent URL.
Configure the API permissions
On the application's API permissions page, add the following Microsoft Graph permissions, then click Grant admin consent in the owning tenant:
| Permission | Type |
| --- | --- |
| FileStorageContainer.Selected | Delegated and Application |
| FileStorageContainerTypeReg.Selected | Delegated and Application |
| User.Read | Delegated |
Create the standard container type
Create a standard container type with pass-through billing, using the SharePoint Online Management Shell:
New-SPOContainerType -ContainerTypeName "aodocs_containerType" -OwningApplicationId "[application_client_id]" -IsPassThroughBilling
You can verify the result – standard container types have the classification DirectToCustomer:
Get-SPOContainerType | Where-Object { $_.Classification -eq "DirectToCustomer" } | Format-List
The resulting ContainerTypeId is carried in the AODocs storage service configuration (SPE_CONTAINER_TYPE_ID). With this model, AODocs maintains a single container type, registered into each consuming tenant at onboarding, and consumption charges go directly to each consuming tenant's Microsoft invoice.
Note: The AODocs application authenticates to Microsoft Graph with a federated credential (workload identity federation) – no client secret or certificate is stored.