SharePoint Connector

The SharePoint connector provides access to Microsoft SharePoint Online document libraries via the Microsoft Graph API, enabling AI agents and automations to browse folders, list files, and download content.

Browse Structure

List sites, drives, and folder hierarchies

File Access

Download files with metadata for change detection

Access Control

Per-user permission validation (PBAV) for secure access

Prerequisites

An Azure AD Application registered in your tenant
Application permissions granted:
- Sites.Read.All - Read sites and files
- Files.Read.All - Read file content
- GroupMember.Read.All - For PBAV group membership checks (optional)
Admin consent granted for these permissions

For AI Knowledge document sync with per-user access control, see the dedicated SharePoint Connector for AI Knowledge documentation.

Usage as App
Usage as MCP

Installation

Go to Apps in your workspace
Search for Sharepoint and install it
Configure the app instance with your Azure AD credentials

Configuration

Field	Value
Client ID	Application (client) ID from Azure AD
Client Secret	Client secret value
Tenant ID	Directory (tenant) ID
Site URL	Optional, default SharePoint site URL
Site ID	Optional, default SharePoint site ID

Available Automations

Site Operations

Automation	Description
`listSites`	List SharePoint sites accessible to the app

Drive Operations

Automation	Description
`listDrives`	List document libraries in a site

File & Folder Operations

Automation	Description
`listChildren`	List items in a folder or drive root
`getItem`	Get item metadata by ID
`getFiles`	List files with metadata
`getFileTree`	Get recursive folder structure
`downloadFile`	Download file content

Authentication

Automation	Description
`ensureAccessToken`	Get or refresh access token
`getAccessToken`	Get a new access token

DSUL Examples

List Sites

- Sharepoint.listSites:
    output: sites

List Document Libraries

- Sharepoint.listDrives:
    siteId: "contoso.sharepoint.com,abc-123,def-456"
    output: drives

List Files in a Folder

- Sharepoint.listChildren:
    siteId: "contoso.sharepoint.com,abc-123,def-456"
    driveId: "b!xyz..."
    itemId: "01ABCDEF..."
    output: items

Download a File

- Sharepoint.downloadFile:
    siteId: "contoso.sharepoint.com,abc-123,def-456"
    driveId: "b!xyz..."
    itemId: "01ABCDEF..."
    output: fileContent

Get Folder Tree

- Sharepoint.getFileTree:
    siteId: "contoso.sharepoint.com,abc-123,def-456"
    driveId: "b!xyz..."
    output: tree

MCP Setup

Open your AI Knowledge project
Go to Advanced > Tools
Click Add and select the MCP tab
Enter the MCP endpoint URL
In the Headers field, add your credentials:

{
  "mcp-api-key": "your-mcp-api-key",
  "azure-client-id": "your-client-id",
  "azure-client-secret": "your-client-secret",
  "azure-tenant": "your-tenant-id"
}

Authentication

The MCP server supports both service-to-service and delegated authentication:

Service Account (Client Credentials)

Configure workspace secrets:

Secret	Description
`azureClientId`	Azure AD client ID
`azureClientSecret`	Azure AD client secret
`azureTenant`	Azure AD tenant ID
`azureSiteId`	Optional default SharePoint site ID

Delegated Auth (OAuth)

For per-user access with PBAV (Permission-Based Access Validation), users connect their Microsoft account via OAuth. This enables:

Per-user file access validation
Respecting SharePoint permissions at query time
Secure document access in multi-tenant environments

Available Tools

Tool	Description
`configureSharePoint`	Configure credentials for service-to-service auth
`listSharePointFolders`	List folders and document libraries
`listSharePointFiles`	List files with metadata for RAG indexing
`downloadSharePointFile`	Download file content

Tool Details

configureSharePoint

Configure SharePoint credentials for Client Credentials Flow.

{
  "name": "configureSharePoint",
  "arguments": {
    "clientId": "your-azure-client-id",
    "clientSecret": "your-client-secret",
    "tenant": "your-tenant-id"
  }
}

listSharePointFolders

List folders and document libraries with metadata for change detection. Supports pagination.

{
  "name": "listSharePointFolders",
  "arguments": {
    "siteId": "contoso.sharepoint.com,abc-123,def-456",
    "driveId": "b!xyz...",
    "folderId": "01ABCDEF..."
  }
}

Parameter	Description
`siteId`	SharePoint site ID (optional if default configured)
`driveId`	Document library ID (omit to list all drives)
`folderId`	Folder item ID (omit for root)
`pageToken`	Pagination token from previous response

listSharePointFiles

List files with full metadata for RAG indexing. Returns eTag, cTag, contentHash for change detection.

{
  "name": "listSharePointFiles",
  "arguments": {
    "siteId": "contoso.sharepoint.com,abc-123,def-456",
    "driveId": "b!xyz...",
    "includeDownloadUrl": true
  }
}

Parameter	Description
`siteId`	SharePoint site ID (optional if default configured)
`driveId`	Document library ID (required unless using pageToken)
`folderId`	Folder item ID (omit for drive root)
`includeDownloadUrl`	Include pre-signed download URLs (default: false)
`pageToken`	Pagination token from previous response

downloadSharePointFile

Download file content as text or base64-encoded binary.

{
  "name": "downloadSharePointFile",
  "arguments": {
    "siteId": "contoso.sharepoint.com,abc-123,def-456",
    "driveId": "b!xyz...",
    "fileId": "01ABCDEF..."
  }
}

Output Formats

All tools support an outputFormat parameter:

verbose (default) - Human-readable text for LLM consumption
structured - Machine-readable JSON in structuredContent
both - Both text and structured content

Permission-Based Access Validation (PBAV)

When using delegated OAuth, PBAV ensures that RAG query results respect each user’s SharePoint permissions:

User submits a query to the AI Knowledge agent
RAG retrieves relevant document chunks
For each SharePoint chunk, the system validates user access via their OAuth token
Chunks from inaccessible files are filtered out before the LLM responds

See SharePoint Connector for AI Knowledge for detailed PBAV documentation.

Error Handling

HTTP Status	Error	Solution
401	Unauthorized	Verify Azure AD credentials
403	Forbidden	Check app permissions or user access
404	Not Found	Verify site/drive/item IDs exist
429	Rate Limited	Wait and retry

Common Issues

“Site not found” - The site ID format is hostname,siteCollectionId,siteId. Use Graph Explorer to find the correct format. “Access denied” - The Azure AD app needs Sites.Read.All permission with admin consent. “Token expired” - OAuth tokens expire after 1 hour. Use ensureAccessToken to refresh.

External Resources

Microsoft Graph Files API

Official API documentation

SharePoint Sites API

Site operations reference

Graph Explorer

Test API calls interactively

AI Knowledge SharePoint Connector

Document sync and PBAV for AI Knowledge

Integration Overview

Apps Marketplace

SharePoint Connector

Browse Structure

File Access

Access Control

Prerequisites

Installation

Configuration

Available Automations

Site Operations

Drive Operations

File & Folder Operations

Authentication

DSUL Examples

List Sites

List Document Libraries

List Files in a Folder

Download a File

Get Folder Tree

MCP Setup

Authentication

Service Account (Client Credentials)

Delegated Auth (OAuth)

Available Tools

Tool Details

configureSharePoint

listSharePointFolders

listSharePointFiles

downloadSharePointFile

Output Formats

Permission-Based Access Validation (PBAV)

Error Handling

Common Issues

External Resources

Microsoft Graph Files API

SharePoint Sites API

Graph Explorer

AI Knowledge SharePoint Connector

Integration Overview

Apps Marketplace

Browse Structure

File Access

Access Control

​Prerequisites

​Installation

​Configuration

​Available Automations

​Site Operations

​Drive Operations

​File & Folder Operations

​Authentication

​DSUL Examples

​List Sites

​List Document Libraries

​List Files in a Folder

​Download a File

​Get Folder Tree

​MCP Setup

​Authentication

​Service Account (Client Credentials)

​Delegated Auth (OAuth)

​Available Tools

​Tool Details

​configureSharePoint

​listSharePointFolders

​listSharePointFiles

​downloadSharePointFile

​Output Formats

​Permission-Based Access Validation (PBAV)

​Error Handling

​Common Issues

​External Resources

Microsoft Graph Files API

SharePoint Sites API

Graph Explorer

AI Knowledge SharePoint Connector

Prerequisites

Installation

Configuration

Available Automations

Site Operations

Drive Operations

File & Folder Operations

Authentication

DSUL Examples

List Sites

List Document Libraries

List Files in a Folder

Download a File

Get Folder Tree

MCP Setup

Authentication

Service Account (Client Credentials)

Delegated Auth (OAuth)

Available Tools

Tool Details

configureSharePoint

listSharePointFolders

listSharePointFiles

downloadSharePointFile

Output Formats

Permission-Based Access Validation (PBAV)

Error Handling

Common Issues

External Resources