SharePoint Connector Setup
Index SharePoint sites, pages, and files by creating a dedicated App Registration with the appropriate permissions.
Setup Checklist
Before starting, ensure you have:
- Azure Global Administrator or Cloud Application Administrator role
- Microsoft 365 E1+ licensing for SharePoint content
- Certificate generated (see Certificate Generation Guide)
- Active Atolio deployment
Required API Permissions
Step 1: Create App Registration
- Navigate to Azure Portal > App Registrations
- Click “New registration”
- Enter name: Atolio SharePoint
- Select “Accounts in this organizational directory only”
- Click “Register”
Step 2: Add API Permissions
⚠️ Important: Only add Application permissions, not Delegated permissions
- In your App Registration, click “API permissions” in the left menu
- Click “Add a permission”
- Select “Microsoft Graph”
- Click “Application permissions” (not Delegated permissions)
Add these Microsoft Graph permissions:
Identity & Directory Permissions (Required for ACL mapping)
Application.Read.All
Group.Read.All
GroupMember.Read.All
User.Read.All
Directory.Read.All
(optional - can be omitted by setting disable_full_permissions: true in the configuration)
SharePoint Content Permissions
Files.Read.All
Sites.Read.All
Step 3: Grant Admin Consent
- After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
- Confirm by clicking “Yes”
- Verify all permissions show “Granted for [your tenant name]” with green checkmarks
Step 4: Upload Certificate
- Click “Certificates & secrets” in the left menu
- Click “Upload certificate”
- Select your .cer file (not the .pfx file)
- Add description: Atolio SharePoint Authentication
- Click “Add”
Step 5: Collect Configuration Values
From the “Overview” page, copy:
- Application (client) ID
- Directory (tenant) ID
You’ll provide these along with your base64-encoded .pfx certificate to your Atolio support contact.
SharePoint Site Groups & Associated Permissions
Many SharePoint sites are deployed without connecting to Microsoft Office 365 groups. Microsoft treats certain SharePoint configurations as unsupported unless managed through Office 365 groups. For Atolio to index correct permissions on non-O365 managed sites, the Sites.FullControl.All
permission is required. Communication Sites commonly fall into this category. For more information on connecting sites to O365 groups, see Microsoft’s documentation.
Atolio can index these sites if the Sites.FullControl.All permission is set on your App Registration. This is the least privileged permission available for read access to the SharePoint API. Atolio never writes back to the SharePoint API.
When configuring the connector for non-O365 group sites:
- Set Sites.FullControl.All permissions on the App Registration, specifically within the SharePoint API (see the screenshot below)
- Set the IndexSharePointPermissions configuration to true
All other configuration and certificates remain the same.
Resource Filtering
Limit indexing scope using resource filters. SharePoint supports site-specific filtering:
Site Filtering
Index specific SharePoint sites by URL:
```yaml
resources:
  site:
    included:
      - https://contoso.sharepoint.com/sites/Engineering
      - https://contoso.sharepoint.com/sites/Marketing
    excluded:
      - https://contoso.sharepoint.com/sites/Confidential
```
Sample Configuration
Here’s a complete YAML configuration example for SharePoint:
```yaml
connector: microsoft
source: sharepoint
common:
  enabled: true
  identity-provider: false
  cron-spec: "30 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>" # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  index_sharepoint_permissions: true # Required for non-O365 group sites
resources:
  site:
    included:
      - https://contoso.sharepoint.com/sites/Engineering
      - https://contoso.sharepoint.com/sites/Marketing
```
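To cross-check a filled-in configuration against the permission rules on this page (Directory.Read.All is only dropped when disable_full_permissions is true; Sites.FullControl.All on the SharePoint API is needed when index_sharepoint_permissions is true), here is an added Python helper that is not part of Atolio's own code. It works on the configuration as an already-parsed dictionary; the sample dictionary, its IDs and the fake certificate bytes are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlparse

# Constructed sample mirroring the page's YAML; the IDs and certificate bytes are fake.
SAMPLE_CONFIG = {
    "secrets": {"client_cert": {"value": base64.b64encode(b"not-a-real-pfx").decode()}},
    "configuration": {
        "client-id": "11111111-2222-3333-4444-555555555555",
        "tenant-id": "66666666-7777-8888-9999-000000000000",
        "disable_full_permissions": False,
        "index_sharepoint_permissions": True,
    },
    "resources": {"site": {
        "included": ["https://contoso.sharepoint.com/sites/Engineering"],
        "excluded": ["https://contoso.sharepoint.com/sites/Confidential"],
    }},
}

# Application permissions the page lists as always required (Microsoft Graph).
BASE_GRAPH = {"Application.Read.All", "Group.Read.All", "GroupMember.Read.All",
              "User.Read.All", "Files.Read.All", "Sites.Read.All"}

def required_permissions(cfg):
    """Application permissions the App Registration needs, per API, for this config."""
    conf = cfg.get("configuration", {})
    graph = set(BASE_GRAPH)
    if not conf.get("disable_full_permissions", False):
        graph.add("Directory.Read.All")          # omitted only when the flag is true
    sharepoint = set()
    if conf.get("index_sharepoint_permissions", False):
        sharepoint.add("Sites.FullControl.All")  # SharePoint API, non-O365 group sites
    return {"Microsoft Graph": graph, "SharePoint": sharepoint}

def check_config(cfg):
    """Findings for the mistakes the troubleshooting table maps to; [] means clean."""
    findings = []
    conf = cfg.get("configuration", {})
    for key in ("client-id", "tenant-id"):
        if not conf.get(key) or conf[key].startswith("<"):
            findings.append(f"{key} is missing or still a placeholder")
    cert = cfg.get("secrets", {}).get("client_cert", {}).get("value", "")
    try:
        base64.b64decode(cert, validate=True)
    except (binascii.Error, ValueError):
        findings.append("client_cert is not valid base64; encode the .pfx before pasting")
    site = cfg.get("resources", {}).get("site", {})
    for url in site.get("included", []) + site.get("excluded", []):
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc.endswith(".sharepoint.com"):
            findings.append(f"site filter is not an https SharePoint URL: {url}")
    return findings
```

Compare the output of required_permissions against the “Granted” list on the API permissions page before asking for admin consent, so a 401/403 from the table below can be ruled out up front.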
Troubleshooting
| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Missing admin consent | Click “Grant admin consent” in API permissions |
| 403 Forbidden | Wrong permission type | Ensure you added Application permissions, not Delegated |
| invalid_client | Certificate not found/expired | Verify certificate is uploaded and valid |
| Sites not appearing | Missing Sites.FullControl.All | Add SharePoint API permission for non-O365 group sites |
| Permission errors on specific sites | Site not connected to O365 group | Set index_sharepoint_permissions: true |