The SharePoint connector enables AI Knowledge to index documents from Microsoft SharePoint Online, with per-user permission-based access validation (PBAV) at query time. It relies on a dedicated MCP workspace that bridges the Microsoft Graph API with the Prisme.ai platform.

Architecture Overview

The connector involves three workspaces working together:
  • sharepoint-mcp: MCP server that wraps Microsoft Graph API calls. Handles the OAuth delegated flow, token management, and file operations.
  • ai-knowledge: Orchestrates sync (file listing, download, indexing) and PBAV (per-chunk access filtering at query time).
  • sharepoint-app: Shared library imported by sharepoint-mcp. Provides low-level Graph API wrappers (list sites, drives, children, download).

Data flow:
  1. An AI Knowledge admin connects their Microsoft account via OAuth and configures a site + library
  2. Sync fetches the file list from SharePoint via the MCP server, downloads each file, and indexes it
  3. At query time, RAG chunks from SharePoint documents are filtered by probing the querying user’s access via their delegated OAuth token

Prerequisites

Before deploying, ensure the following are in place:
  • Prisme.ai platform version v26.03.02xxxx or later (required for the secrets module)
  • Latest Helm charts pulled for all workspaces
  • Access to the Azure portal with permissions to register applications and grant admin consent
  • The sharepoint-app workspace is deployed and available (it is imported by sharepoint-mcp)

Step 1: Deploy the SharePoint MCP Workspace

Import or create the sharepoint-mcp workspace on your Prisme.ai instance. The workspace index.yml must include:
registerWorkspace: true
This flag registers the workspace in the global workspaces registry (global.workspacesRegistry), which AI Knowledge uses to discover and call the MCP server. After deployment, verify registration:
  1. Open the Prisme.ai admin panel
  2. Confirm that sharepoint-mcp appears in the global workspaces registry
  3. The MCP endpoint will be available at {API_URL}/workspaces/{WORKSPACE_ID}/webhooks/mcp
The sharepoint-app workspace must also be deployed, as sharepoint-mcp imports it for Graph API wrapper automations.

Step 2: Register an Azure AD Application

Create an app registration in the Azure portal to enable OAuth delegated authentication.
1. Create the App Registration

Navigate to Azure Portal > Microsoft Entra ID > App registrations > New registration.
  • Name: a descriptive name (e.g. “Prisme.ai SharePoint Connector”)
  • Supported account types: choose based on your tenant policy (single tenant is recommended for enterprise)
  • Redirect URI: leave blank for now (configured in the next step)
2. Configure the Redirect URI

Under Authentication > Platform configurations > Add a platform > Web, add the redirect URI:
{API_URL}/v2/workspaces/{WORKSPACE_ID}/webhooks/oauthCallback
Replace {API_URL} with your Prisme.ai API base URL and {WORKSPACE_ID} with the ID of the sharepoint-mcp workspace.
The redirect URI must match exactly, including the scheme and path. A mismatch will cause the OAuth callback to fail with an AADSTS50011 error.
3. Add API Permissions

Under API permissions > Add a permission > Microsoft Graph > Delegated permissions, add the following scopes:
Permission       Type       Purpose
Sites.Read.All   Delegated  List sites and read site metadata
Files.Read.All   Delegated  Read files and download content from drives
User.Read        Delegated  Read the signed-in user's profile
offline_access   Delegated  Obtain refresh tokens for long-lived sessions
openid           Delegated  OpenID Connect sign-in
profile          Delegated  Read user profile claims
email            Delegated  Read user email address
Click Grant admin consent for {your tenant} to pre-approve the permissions for all users in the organization.
4. Create a Client Secret

Under Certificates & secrets > Client secrets > New client secret:
  • Description: e.g. “Prisme.ai connector”
  • Expires: choose an expiration policy per your organization’s requirements
Copy the Value immediately — it is only shown once.

Step 3: Configure Workspace Secrets

In the Prisme.ai admin panel, navigate to the sharepoint-mcp workspace and configure the following secrets:
  • azureClientId: Application (client) ID from the Azure AD app registration (example: a1b2c3d4-e5f6-…)
  • azureClientSecret: Client secret value generated in Step 2 (example: ~Abc123…)
  • azureTenant: Azure AD Tenant ID (GUID) (example: f7e8d9c0-…)
  • azureSiteId: Optional. Default SharePoint site ID (format: hostname,siteCollectionId,siteId). Used when no site is specified in tool calls. (example: contoso.sharepoint.com,abc123,def456)
These secrets are referenced in the workspace configuration as {{secret.azureClientId}}, etc. They are stored encrypted by the platform’s secrets module.

Step 4: Enable the Connector in AI Knowledge

In the AI Knowledge workspace configuration (index.yml or via the admin panel), enable the SharePoint connector and choose an authentication mode:
config:
  value:
    connectors:
      sharepoint:
        enabled: true
        authMode: delegated # or service_account
This makes the Connectors tab and SharePoint card visible in the AI Knowledge project settings.

Authentication Modes

The authMode setting controls how the connector authenticates with SharePoint and whether per-user access control is enforced:
  • Delegated (default), authMode: delegated. Each user connects their own Microsoft account via OAuth. PBAV is active: at query time, each user only sees RAG results from files they can access in SharePoint. The connector card shows a “Connect with Microsoft” button.
  • Service account, authMode: service_account. Sync and queries use the workspace-level credentials configured in the MCP secrets (azureClientId, azureClientSecret, azureTenant). No per-user OAuth is required. PBAV is disabled: all synced documents are visible to all project users. The OAuth connection section is hidden from the connector card.
Service account mode is simpler to operate (no user-level OAuth flows) but provides no per-user access control. Use it when all project users should have access to the entire synced library.
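The query-time PBAV filter described above, as an added example that is not AI Knowledge's own code: SharePoint-sourced chunks are probed per user in delegated mode, each file is probed only once per query, a probe that fails withholds the chunk (fail closed), and service_account mode skips filtering entirely. The chunk records, the ACCESS table and probe_access_stub are constructed stand-ins for the real Graph probe made with the user's delegated token.

```python
from typing import Callable

# Constructed chunk records: SharePoint-sourced chunks carry the drive item they were indexed from.
CHUNKS = [
    {"text": "Q3 revenue forecast", "source": "sharepoint", "driveId": "d1", "itemId": "i1"},
    {"text": "Q3 revenue detail", "source": "sharepoint", "driveId": "d1", "itemId": "i1"},
    {"text": "HR salary bands", "source": "sharepoint", "driveId": "d1", "itemId": "i2"},
    {"text": "Public FAQ", "source": "upload"},  # not from SharePoint, so never probed
]
# Constructed stand-in for what Graph would answer when asked with each user's delegated token.
ACCESS = {("alice", "d1", "i1"): True, ("alice", "d1", "i2"): False, ("bob", "d1", "i1"): True}

def probe_access_stub(user: str, drive_id: str, item_id: str) -> bool:
    """Hypothetical stand-in for the per-user Graph probe; raises when the probe itself fails."""
    if user == "carol":
        raise RuntimeError("delegated token expired")
    return ACCESS.get((user, drive_id, item_id), False)

def filter_chunks(chunks, user, auth_mode, probe: Callable[[str, str, str], bool] = probe_access_stub):
    """Return the chunks the querying user may see.

    service_account: no per-user filtering, every synced document is visible.
    delegated: each distinct SharePoint item is probed once per query with the user's own
    token; a probe that errors counts as no access, so an unverifiable chunk is withheld.
    """
    if auth_mode == "service_account":
        return list(chunks)
    if auth_mode != "delegated":
        raise ValueError(f"unknown authMode: {auth_mode}")
    verdicts = {}  # (driveId, itemId) -> bool; a file split into many chunks is probed once
    allowed = []
    for chunk in chunks:
        if chunk.get("source") != "sharepoint":
            allowed.append(chunk)
            continue
        key = (chunk["driveId"], chunk["itemId"])
        if key not in verdicts:
            try:
                verdicts[key] = bool(probe(user, *key))
            except Exception:
                verdicts[key] = False  # fail closed
        if verdicts[key]:
            allowed.append(chunk)
    return allowed
```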

Verification

After completing the setup, verify each component:
1. Secrets Module

Confirm the secrets module is operational. Navigate to the sharepoint-mcp workspace and verify all four secrets are set (the UI will show them as masked values).
2. Workspace Registry

Confirm sharepoint-mcp appears in global.workspacesRegistry. Open the AI Knowledge workspace and check that it can resolve the MCP server URL.
3. Redirect URI

Verify the redirect URI in Azure AD matches the actual webhook URL. Navigate to:
{API_URL}/v2/workspaces/{WORKSPACE_ID}/webhooks/oauthCallback
You should get a 401 response (no session), not a 404.
4. Connect Page

Open the public connect-sharepoint page:
{PAGES_URL}/connect-sharepoint
The page should load with a “Connect with Microsoft” button. If OAuth is not configured, a warning banner reading “OAuth is not configured” is displayed instead.
5. Connectors Tab

Open an AI Knowledge project, navigate to the Advanced > Connectors tab, and verify the SharePoint connector card appears with a “Configure” button.

Troubleshooting

  • Cause: The redirect URI configured in Azure AD does not exactly match the one used by the MCP server.
    Fix: Verify the redirect URI format is {API_URL}/v2/workspaces/{WORKSPACE_ID}/webhooks/oauthCallback. Check for trailing slashes, scheme mismatches (http vs https), and ensure the workspace ID is correct.
  • Cause: One or more of the azureClientId, azureClientSecret, or azureTenant secrets are missing.
    Fix: Navigate to the sharepoint-mcp workspace secrets panel and ensure all three OAuth-related secrets are set. The azureSiteId is optional.
  • Cause: The sharepoint-mcp workspace is not registered in global.workspacesRegistry.
    Fix: Verify that registerWorkspace: true is set in the sharepoint-mcp index.yml and redeploy the workspace. Check the workspace slug is exactly sharepoint-mcp.
  • Cause: The client secret is incorrect, expired, or admin consent was not granted.
    Fix:
      1. Regenerate the client secret in Azure AD and update the azureClientSecret workspace secret
      2. Verify admin consent was granted for all required permissions
      3. Check the Azure AD tenant ID matches the azureTenant secret
  • Cause: The secrets module is not available on the platform, typically because the platform version is older than v26.03.02xxxx.
    Fix: Upgrade the Prisme.ai platform to version v26.03.02xxxx or later.
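A preflight check for the two most common causes above (redirect URI mismatch and missing secrets) and for the Step 2 and Step 3 settings they depend on, as an added example that is not Prisme.ai code: it builds the exact redirect URI from API_URL and WORKSPACE_ID, classifies how a URI registered in Azure AD deviates from it, and validates the secret set. The api.example.internal host and wsXYZ123 workspace ID are constructed placeholders.

```python
from urllib.parse import urlparse

# Callback path from the setup guide; API_URL and WORKSPACE_ID are deployment-specific placeholders.
CALLBACK_PATH = "/v2/workspaces/{workspace_id}/webhooks/oauthCallback"
# The three secrets the troubleshooting section calls mandatory; azureSiteId is optional.
REQUIRED_SECRETS = ("azureClientId", "azureClientSecret", "azureTenant")

def expected_redirect_uri(api_url: str, workspace_id: str) -> str:
    """Build the redirect URI that must be registered in Azure AD for the sharepoint-mcp workspace."""
    return api_url.rstrip("/") + CALLBACK_PATH.format(workspace_id=workspace_id)

def diagnose_redirect_uri(configured: str, api_url: str, workspace_id: str) -> list[str]:
    """Reasons an Azure-side redirect URI fails the exact-match check; an empty list means it matches.
    Findings map to the mismatch classes named under Troubleshooting (scheme, trailing slash,
    wrong workspace ID) plus host/query differences that would also trigger AADSTS50011."""
    expected = expected_redirect_uri(api_url, workspace_id)
    if configured == expected:
        return []
    got, want = urlparse(configured), urlparse(expected)
    findings = []
    if got.scheme != want.scheme:
        findings.append(f"scheme mismatch: {got.scheme} vs {want.scheme}")
    if got.netloc != want.netloc:
        findings.append(f"host mismatch: {got.netloc} vs {want.netloc}")
    if got.path != want.path:
        if got.path.rstrip("/") == want.path:
            findings.append("trailing slash: Azure AD compares the path byte-for-byte")
        elif got.path.startswith("/v2/workspaces/") and got.path.endswith("/webhooks/oauthCallback"):
            findings.append(f"wrong workspace ID: {got.path.split('/')[3]} vs {workspace_id}")
        else:
            findings.append(f"path mismatch: {got.path} vs {want.path}")
    if got.query or got.fragment:
        findings.append("query string or fragment present: the registered URI must have none")
    return findings or [f"does not match expected {expected}"]

def missing_secrets(secrets: dict[str, str]) -> list[str]:
    """Names of mandatory OAuth secrets that are unset or blank in the sharepoint-mcp workspace."""
    return [name for name in REQUIRED_SECRETS if not secrets.get(name, "").strip()]

def site_id_is_well_formed(site_id: str) -> bool:
    """azureSiteId, when set, must be 'hostname,siteCollectionId,siteId' with three non-empty parts."""
    parts = site_id.split(",")
    return len(parts) == 3 and all(part.strip() for part in parts)

if __name__ == "__main__":  # constructed placeholder values for a local dry run
    api, ws = "https://api.example.internal", "wsXYZ123"
    for uri in (expected_redirect_uri(api, ws), expected_redirect_uri(api, ws) + "/"):
        print(uri, "->", diagnose_redirect_uri(uri, api, ws) or "OK")
```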
For any issues not covered here, contact support@prisme.ai.