SharePoint Connector Setup

Provide necessary API permissions to index SharePoint sites.

Index SharePoint sites, pages, and files by creating a dedicated App Registration with the appropriate permissions.

Setup Checklist

Before starting, ensure you have:

  • Azure Global Administrator or Cloud Application Administrator role
  • Microsoft 365 E1+ licensing for SharePoint content
  • Certificate generated (see Certificate Generation Guide)
  • Active Atolio deployment

Required API Permissions

Step 1: Create App Registration

  1. Navigate to Azure Portal > App Registrations
  2. Click “New registration”
  3. Enter name: Atolio SharePoint
  4. Select “Accounts in this organizational directory only”
  5. Click “Register”

Step 2: Add API Permissions

⚠️ Important: Only add Application permissions, not Delegated permissions

  1. In your App Registration, click “API permissions” in the left menu
  2. Click “Add a permission”
  3. Select “Microsoft Graph”
  4. Click “Application permissions” (not Delegated permissions)

Add these Microsoft Graph permissions:

Identity & Directory Permissions (Required for ACL mapping)

  • Application.Read.All
  • Group.Read.All
  • GroupMember.Read.All
  • User.Read.All
  • Directory.Read.All (optional: can be omitted when disable_full_permissions: true is set in the configuration)

SharePoint Content Permissions

  • Files.Read.All
  • Sites.Read.All

Step 3: Grant Admin Consent

  1. After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
  2. Confirm by clicking “Yes”
  3. Verify that all permissions show “Granted for [your tenant name]” with green checkmarks

Step 4: Upload Certificate

  1. Click “Certificates & secrets” in the left menu
  2. Click “Upload certificate”
  3. Select your .cer file (not the .pfx file)
  4. Add description: Atolio SharePoint Authentication
  5. Click “Add”

Step 5: Collect Configuration Values

From the “Overview” page, copy:

  • Application (client) ID
  • Directory (tenant) ID

You’ll provide these along with your base64-encoded .pfx certificate to your Atolio support contact.

SharePoint Site Groups & Associated Permissions

Many SharePoint sites are deployed without being connected to a Microsoft Office 365 group. Microsoft treats certain SharePoint configurations as unsupported unless they are managed through Office 365 groups. To index the correct permissions on sites that are not O365-managed, Atolio requires the Sites.FullControl.All permission. Communication Sites commonly fall into this category. For more information on connecting sites to O365 groups, see Microsoft’s documentation.

Atolio can index these sites once the Sites.FullControl.All permission is granted to your App Registration. This is the least privileged permission available for read access to the SharePoint API. Atolio never writes back to the SharePoint API.

When configuring the connector for non-O365 group sites:

  • Grant the Sites.FullControl.All permission to the App Registration, specifically under the SharePoint API (see the screenshot below)
  • Set index_sharepoint_permissions: true in the connector configuration

[Screenshot: sharepoint permissions]

All other configuration and certificates remain the same.

Resource Filtering

Limit indexing scope using resource filters. SharePoint supports site-specific filtering:

Site Filtering

Include or exclude specific SharePoint sites by URL:

resources:
  site:
    included:
      - https://contoso.sharepoint.com/sites/Engineering
      - https://contoso.sharepoint.com/sites/Marketing
    excluded:
      - https://contoso.sharepoint.com/sites/Confidential
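The following is an added example, written for this page and not part of the Atolio connector, that applies a site filter like the one above to a list of site URLs before indexing. The page does not spell out the matching rules, so these are assumptions: an exclusion always wins over an inclusion; an empty included list means every site not excluded is in scope; an entry matches the site itself and anything beneath its path; and URLs are compared after normalisation (lower-cased scheme and host, query and fragment dropped, trailing slash removed), so that /sites/Confidential/ still hits the exclusion.

```python
"""Added example: applying a site resource filter before indexing.

Illustrative code written for this page, not Atolio's own connector logic.
Matching rules are assumptions (see the lead-in), not documented behaviour.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed filter block, mirroring the Site Filtering example above.
RESOURCES = {
    "site": {
        "included": [
            "https://contoso.sharepoint.com/sites/Engineering",
            "https://contoso.sharepoint.com/sites/Marketing",
        ],
        "excluded": [
            "https://contoso.sharepoint.com/sites/Confidential",
        ],
    }
}


def normalize(url: str) -> str:
    """Canonical form used for comparison: lower-cased scheme and host,
    query and fragment dropped, trailing slash removed."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path.rstrip("/"), "", ""))


def matches(entry: str, site_url: str) -> bool:
    """True when site_url is the filter entry itself or lies beneath its path.
    The '/' boundary stops /sites/Engineering from matching /sites/EngineeringOld."""
    e, s = normalize(entry), normalize(site_url)
    return s == e or s.startswith(e + "/")


def is_indexed(site_url: str, resources: dict = RESOURCES) -> bool:
    """Decide whether one site URL is in scope for indexing."""
    site = resources.get("site") or {}
    included = site.get("included") or []
    excluded = site.get("excluded") or []
    if any(matches(e, site_url) for e in excluded):
        return False          # exclusion wins unconditionally
    if not included:
        return True           # no allow-list: everything not excluded is in scope
    return any(matches(i, site_url) for i in included)


def plan(site_urls, resources: dict = RESOURCES) -> dict:
    """Split a site inventory into what the connector would index and what it skips."""
    decision = {"index": [], "skip": []}
    for url in site_urls:
        decision["index" if is_indexed(url, resources) else "skip"].append(url)
    return decision


if __name__ == "__main__":
    # Constructed inventory of site URLs, as a tenant enumeration might return them.
    inventory = [
        "https://contoso.sharepoint.com/sites/Engineering",
        "https://contoso.sharepoint.com/sites/Engineering/SitePages/Home.aspx",
        "https://CONTOSO.sharepoint.com/sites/Marketing/",
        "https://contoso.sharepoint.com/sites/EngineeringOld",
        "https://contoso.sharepoint.com/sites/Confidential/",
        "https://contoso.sharepoint.com/sites/Confidential/Budget",
        "https://contoso.sharepoint.com/sites/HR",
    ]
    for bucket, urls in plan(inventory).items():
        print(bucket)
        for u in urls:
            print("  ", u)
```

The normalisation step is the part worth keeping whatever the real matching rules turn out to be: an exclusion that is compared as a raw string silently fails on a trailing slash or a differently-cased host, and the site you meant to keep out of the index is indexed anyway.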

Sample Configuration

Here’s a complete YAML configuration example for SharePoint:

connector: microsoft
source: sharepoint
common:
  enabled: true
  identity-provider: false
  cron-spec: "30 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>"  # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  index_sharepoint_permissions: true  # Required for non-O365 group sites
  resources:
    site:
      included:
        - https://contoso.sharepoint.com/sites/Engineering
        - https://contoso.sharepoint.com/sites/Marketing

Troubleshooting

Error                                | Cause                             | Solution
-------------------------------------|-----------------------------------|----------------------------------------------------------
401 Unauthorized                     | Missing admin consent             | Click “Grant admin consent” in API permissions
403 Forbidden                        | Wrong permission type             | Ensure you added Application permissions, not Delegated
invalid_client                       | Certificate not found/expired     | Verify the certificate is uploaded and valid
Sites not appearing                  | Missing Sites.FullControl.All     | Add the SharePoint API permission for non-O365 group sites
Permission errors on specific sites  | Site not connected to O365 group  | Set index_sharepoint_permissions: true