Skip to main content
The SharePoint connector lets you index documents from a Microsoft SharePoint Online library into your AI Knowledge project. Once synced, documents are available for RAG queries — and per-user permissions from SharePoint are enforced at query time through Permission-Based Access Validation (PBAV).

Overview

Document Sync

Import files from a SharePoint document library into your knowledge base with incremental updates.

Access Control

Each user’s SharePoint permissions are checked at query time — users only see RAG results from files they can access.

Supported Formats

PDF, Word, PowerPoint, Excel, CSV, plain text, and Markdown files are indexed automatically.

Authentication Modes

The connector supports two authentication modes, configured by your platform administrator:
Each user connects their own Microsoft account via OAuth. The connector respects per-user SharePoint permissions at query time through PBAV.
  • Users must individually click Connect with Microsoft before syncing or querying
  • RAG results are filtered per-user: you only see content from files you can access in SharePoint
  • Best for organizations that need to enforce document-level access control
The sections below describe the delegated flow. If your connector is in service account mode, skip to Configuring the Connector — no Microsoft sign-in is needed.

Connecting Your Microsoft Account

Before configuring the connector in delegated mode, connect your Microsoft account to authorize access to SharePoint.
1

Open the Connectors Tab

In your AI Knowledge project, go to Advanced > Connectors. The SharePoint connector card displays your current connection status.
2

Connect with Microsoft

In the Microsoft Connection section of the SharePoint card, click Connect with Microsoft. A popup opens to the Microsoft sign-in page.Sign in with your organizational Microsoft account and consent to the requested permissions (read-only access to your SharePoint files and sites).
3

Confirm Connection

After successful sign-in, the popup closes automatically and the connector card updates to show Connected with an expiration date. The OAuth session uses refresh tokens and remains valid for up to 90 days.
Each user connects their own Microsoft account independently. The connector uses delegated OAuth, meaning all SharePoint operations respect the signed-in user’s permissions.

Configuring the Connector

1

Open Configuration

Click the Configure button on the SharePoint connector card. A configuration dialog opens.
2

Select a SharePoint Site

The dialog loads the list of SharePoint sites accessible to your account. Select the site containing the documents to sync.If no sites appear, your Microsoft account may not have access to any SharePoint sites — contact your SharePoint administrator.
3

Select a Document Library

After selecting a site, the dialog loads available document libraries (drives). Choose the library to sync.A confirmation banner shows the selected site and library.
4

Save

Click Save to enable the connector with the chosen configuration. The connector card updates to show the selected site, library, and status as Enabled.

Syncing Documents

Click Sync Now on the connector card to start a synchronization. The card shows real-time progress as files are discovered, filtered, and indexed.

What Happens During Sync

  1. File discovery — The connector recursively lists all files in the configured library, traversing subfolders
  2. File filtering — Only supported file types are indexed (see table below); other files are skipped
  3. Incremental sync — Files are compared by their cTag (content tag). Files whose content has not changed since the last sync are skipped
  4. Indexing — New or modified files are downloaded and indexed into the knowledge base
  5. Deletion detection — Files that no longer exist in SharePoint are removed from the knowledge base

Supported File Types

FormatMIME Type
PDFapplication/pdf
Word (.docx)application/vnd.openxmlformats-officedocument.wordprocessingml.document
Word (.doc)application/msword
PowerPoint (.pptx)application/vnd.openxmlformats-officedocument.presentationml.presentation
Excel (.xlsx)application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
CSVtext/csv
Plain texttext/plain
Markdowntext/markdown

Sync Results

After sync completes, the connector card shows a summary:
  • Indexed — files that were new or updated and successfully processed
  • Unchanged — files skipped because their content hasn’t changed
  • Deleted — files removed from the knowledge base because they no longer exist in SharePoint
  • Errors — files that failed to index (e.g. missing download URL)
  • Skipped — files with unsupported file types

Permission-Based Access Validation (PBAV)

PBAV only applies in delegated authentication mode. In service account mode, PBAV is disabled and all synced documents are visible to all users.
PBAV ensures that RAG query results respect each user’s SharePoint permissions. It operates transparently at query time — no additional configuration is needed beyond connecting Microsoft accounts.

How It Works

  1. A user submits a query to the AI Knowledge agent
  2. The RAG pipeline retrieves relevant document chunks, some of which may come from SharePoint
  3. For each SharePoint chunk, the system calls the MCP server’s validateUserAccessDelegated tool, which probes the file using the querying user’s delegated OAuth token
  4. Chunks from files the user cannot access are removed before the LLM generates a response

User Experience

The behavior varies depending on the user’s authentication state:
StateBehavior
Not connectedAll SharePoint chunks are removed. The agent response includes a prompt to connect with Microsoft.
Connected — partial accessOnly accessible chunks are included. A warning is appended: “Some documents are not accessible to you; you do not have permission to read them.”
Connected — full accessAll relevant chunks are included. No warnings.
PBAV uses a fail-closed approach. If the MCP server is unreachable or returns an error, all SharePoint chunks are removed from the response rather than being shown without access checks.

Non-SharePoint Documents

PBAV only applies to documents that originated from the SharePoint connector (identified by their sharepoint tag). Documents from other sources (file uploads, web crawls, etc.) are not affected and pass through unchanged.

Disconnecting / Disabling

Disconnecting Your Microsoft Account

To disconnect your personal OAuth session:
  1. Go to Advanced > Connectors
  2. In the Microsoft Connection section, click Disconnect
This revokes your delegated tokens. PBAV will treat you as unauthenticated until you reconnect.

Disabling the Connector

To disable the SharePoint connector entirely for a project:
  1. Go to Advanced > Connectors
  2. Click Configure on the SharePoint card
  3. Click Disable this connector
  4. Confirm the action
Disabling the connector permanently deletes all documents imported from SharePoint from the knowledge base. This action cannot be undone.

Troubleshooting

Your Microsoft account does not have access to any SharePoint sites, or the OAuth token has expired.Fix: Verify your SharePoint access by navigating to SharePoint directly in a browser. If your OAuth session is expired, disconnect and reconnect your Microsoft account.
This can happen if all files in the library are in unsupported formats, or if all files are unchanged since the last sync.Fix: Check the sync summary — a high “skipped” count indicates unsupported file types. A high “unchanged” count means an incremental sync detected no changes.
Your AI Knowledge project has reached its maximum document count.Fix: Remove unused documents from the project or contact your administrator to increase the limit.
PBAV detected SharePoint chunks in the RAG results but your OAuth session is missing or expired.Fix: Go to Advanced > Connectors and click Connect with Microsoft to establish or refresh your OAuth session.
You are connected but do not have access to some of the SharePoint files referenced in the RAG results.Fix: This is expected behavior — PBAV is correctly filtering results based on your SharePoint permissions. Contact your SharePoint administrator if you believe you should have access to the restricted files.

Next Steps

RAG Configuration

Fine-tune how your agent retrieves and ranks document chunks

Document Management

Manage all documents in your knowledge base, including synced SharePoint files

Self-Hosting Setup

Deploy the SharePoint MCP server and register an Azure AD application (platform admins)