Microsoft Connectors

Integrate with Entra ID for user mappings. Index SharePoint sites and Teams channels.

The Microsoft connectors support:

  • Entra ID - for resolving user mappings across apps as an Identity Provider
  • SharePoint - for indexing sites, docs, spreadsheets, slides, and other files
  • Teams - for indexing channels, chat, and messages
  • OneDrive - for indexing docs, spreadsheets, slides, and other files
  • Outlook - for indexing emails and calendar events

Security Best Practice: Separate App Registrations

We recommend creating separate App Registrations for each Microsoft source you plan to use. This follows the principle of least privilege and provides:

  • Reduced attack surface - Each connector only has the minimum permissions required
  • Better audit trails - Azure logs can isolate which application accessed which data
  • Independent lifecycle management - Rotate certificates, disable connectors, or modify permissions without affecting other sources
  • Granular admin consent - Security teams can approve smaller, focused permission requests
  • Independent rate limits - Each App Registration has separate Microsoft Graph API rate limits, preventing sources from competing for shared quotas in large environments

Architecture Options

Choose the approach that best fits your organization’s security and scale requirements:

Option 1: Separate App Registrations (Recommended)

Create individual App Registrations for:

  • Entra ID (if using as identity provider)
  • SharePoint
  • Teams
  • OneDrive
  • Outlook

Each registration gets only the permissions needed for that specific source.

Option 2: Single Shared App Registration (Evaluation Only)

Use one App Registration for all sources. This requires the superset of all permissions and is not recommended for production environments due to security and rate limiting concerns.

Prerequisites

Before configuring any Microsoft connector, ensure you have:

Azure Access Requirements

  • Azure tenant with appropriate licensing (Microsoft 365 E1+ for SharePoint/OneDrive, Teams Premium for meeting transcripts)
  • Global Administrator or Cloud Application Administrator role to:
    • Create App Registrations
    • Grant application permissions
    • Provide admin consent
  • Certificate for authentication - See Certificate Generation below

Atolio Environment

  • Active Atolio deployment - Contact your Atolio onboarding team if you need assistance
  • Configuration values - You’ll collect these from Azure and provide them to your Atolio support contact

Certificate Generation

Microsoft Graph API requires certificate-based authentication. Choose one option:

Option 1: Self-Signed Certificate (OpenSSL)

# Generate private key and certificate (OpenSSL prompts for the subject fields;
# add -subj "/CN=Atolio" to run non-interactively)
openssl req -x509 -newkey rsa:2048 -keyout atolio-key.pem -out atolio-cert.pem -days 365 -nodes

# Create PFX file (no password; leave ClientCertPassword empty in the Atolio configuration)
openssl pkcs12 -export -out atolio-cert.pfx -inkey atolio-key.pem -in atolio-cert.pem -passout pass:

# Create CER file for Azure upload (public certificate only; the private key stays in the PFX)
openssl x509 -outform der -in atolio-cert.pem -out atolio-cert.cer

# Get base64-encoded PFX for Atolio configuration (GNU base64 wraps lines at 76 columns;
# the value must be supplied as a single line, so join the output before pasting it)
base64 < atolio-cert.pfx

Option 2: Self-Signed Certificate (PowerShell/Windows)

# Generate certificate
$cert = New-SelfSignedCertificate -Subject "CN=Atolio" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature

# Export CER file for Azure
Export-Certificate -Cert $cert -FilePath "atolio-cert.cer"

# Export PFX file for Atolio (replace 'password' with your preferred password; this becomes the ClientCertPassword value)
Export-PfxCertificate -Cert $cert -FilePath "atolio-cert.pfx" -Password (ConvertTo-SecureString -String "password" -Force -AsPlainText)

# Get base64-encoded PFX
[Convert]::ToBase64String([IO.File]::ReadAllBytes("atolio-cert.pfx"))

Common Setup Steps

All Microsoft connectors require these foundational steps:

  1. Create App Registration - Follow Entra ID - Create New App Registration
  2. Upload Certificate - Add your .cer file to the App Registration
  3. Grant API Permissions - Add Application permissions (not Delegated) for each source; the permissions required are listed on the individual connector setup pages
  4. Admin Consent - Click “Grant admin consent” in the API permissions page

Configuration Values

Collect these values from Azure and provide them to your Atolio support contact:

  • ClientCert - Base64-encoded content of the .PFX file (from certificate generation step)
  • ClientCertPassword - Certificate’s private key password (if you set one)
  • TenantId - Directory (tenant) ID from the App Registration Overview page
  • ClientId - Application (client) ID from the App Registration Overview page
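A pre-flight check for these four values, written here as an added example rather than anything shipped by Atolio. It uses only the Python standard library: it confirms that ClientCert decodes to a PKCS#12 (PFX) blob rather than the .cer or a PEM file, that it survived the copy without truncation or wrapping, and that TenantId and ClientId are GUIDs. The sample configuration and the PFX-shaped byte string are constructed placeholders, not a real certificate.

```python
"""Sanity-check Atolio Microsoft connector configuration values before handing them over."""
import base64
import binascii
import uuid


def encode_for_config(pfx_bytes: bytes) -> str:
    """The 'base64-encoded PFX' step as a single-line value."""
    return base64.b64encode(pfx_bytes).decode()


def _der_header(data: bytes):
    """Return (tag, declared_length, header_size) of the first DER element, or None."""
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return None
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def check_client_cert(client_cert_b64: str) -> list[str]:
    """Problems found with a ClientCert value; an empty list means it looks right."""
    compact = "".join(client_cert_b64.split())   # drop line wrapping from `base64` output
    try:
        data = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return ["ClientCert is not valid base64"]
    if data.startswith(b"-----BEGIN"):
        return ["ClientCert is a base64-encoded PEM file; encode the binary .pfx instead"]
    hdr = _der_header(data)
    if hdr is None or hdr[0] != 0x30:
        return ["ClientCert does not decode to a DER SEQUENCE (not a PFX/PKCS#12 file)"]
    _, length, size = hdr
    problems = []
    if size + length != len(data):
        problems.append("PFX is truncated or has trailing bytes (check the copy/paste)")
    inner = data[size:size + 3]
    # PKCS#12 PFX = SEQUENCE { INTEGER version(3), ... }; an X.509 .cer = SEQUENCE { SEQUENCE ... }
    if inner[:1] == b"\x30":
        problems.append("this looks like the .cer (certificate only), not the .pfx with the private key")
    elif inner != b"\x02\x01\x03":
        problems.append("unexpected PKCS#12 version field; is this really the .pfx?")
    return problems


def check_config(cfg: dict) -> list[str]:
    """Validate ClientCert, TenantId and ClientId together; ClientCertPassword may be empty."""
    problems = check_client_cert(cfg.get("ClientCert", ""))
    for key in ("TenantId", "ClientId"):
        try:
            uuid.UUID(cfg.get(key, ""))
        except ValueError:
            problems.append(f"{key} is not a GUID (copy it from the App Registration Overview page)")
    if cfg.get("TenantId") and cfg.get("TenantId") == cfg.get("ClientId"):
        problems.append("TenantId and ClientId are identical; one of them was copied twice")
    return problems


# Constructed sample: a minimal PKCS#12-shaped DER blob, NOT a real certificate or key
_FAKE_PFX_BODY = b"\x02\x01\x03" + b"\x00" * 300
FAKE_PFX = b"\x30\x82" + len(_FAKE_PFX_BODY).to_bytes(2, "big") + _FAKE_PFX_BODY
SAMPLE_CONFIG = {
    "ClientCert": base64.encodebytes(FAKE_PFX).decode(),   # wrapped like GNU `base64` output
    "ClientCertPassword": "",                               # PFX exported with -passout pass:
    "TenantId": "00000000-0000-0000-0000-000000000001",     # placeholder GUID
    "ClientId": "00000000-0000-0000-0000-000000000002",     # placeholder GUID
}

if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["configuration values look consistent"]:
        print(line)
```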

Resource Filtering

All Microsoft connectors support filtering to limit indexing scope using YAML configuration in your connector settings:

resources:
  user:
    included:
      - arthur.dent@example.com
  group:
    excluded:
      - contractors@example.com

Common filter types include:

  • User filters - Index content for specific user accounts
  • Group filters - Index content accessible by specific Microsoft 365 groups
  • LDAP group filters - Index content for members of specific Entra ID security/distribution groups (Outlook only)
  • Site/Team filters - Index specific SharePoint sites or Teams

For detailed filtering options, see the individual connector documentation pages.

OneDrive Connector Setup

Provide necessary API permissions to index OneDrive files.

Outlook Connector Setup

Provide necessary API permissions to index Outlook emails and calendar events.

SharePoint Connector Setup

Provide necessary API permissions to index SharePoint sites.

Teams Connector Setup

Provide necessary API permissions to index Teams channels.