Skip to main content

Set Up the OneDrive/SharePoint Connector

The OneDrive/SharePoint Connector allows you to ingest documents from your Microsoft 365 storage directly into your project. To use the connector, you will authenticate via your Azure account. Decide on OAuth configuration - Airia managed with required scopes for all Microsoft integrations or Bring your own OAuth connector with custom scopes that best fit your integration and security requirements.

Set Up with Airia managed OAuth

This one-time setup registers the Airia Microsoft Connector application in your Azure Active Directory (Microsoft Entra ID), allowing it to access organizational data from OneDrive and SharePoint.
💡 Note:
  • Application Name: Airia Connector – Web
  • Your tenant ID: you can see it in platform settings
  1. Construct Admin Consent URL Use the following format, replacing <CUSTOMER_TENANT_ID> with your specific Microsoft tenant ID: https://login.microsoftonline.com/<CUSTOMER_TENANT_ID>/adminconsent?client_id=4969aaba-cdb0-4777-829d-63a9dde52671
    💡 Example: https://login.microsoftonline.com/your-tenant-id-here/adminconsent?client_id=4969aaba-cdb0-4777-829d-63a9dde52671
  2. Open Consent URL Open the constructed URL in a web browser (preferably in an incognito or private browsing window).
  3. Log In as Azure Admin Log in using an Azure Admin user account that has permissions to grant consent for enterprise applications.
  4. Review and Grant Consent Review the requested permissions displayed on the screen and click Accept or Grant consent to approve them on behalf of your organization.
    💡 Note: After successful consent, the browser will redirect back to the Airia platform.
  5. Confirm Application Registration Log into the Microsoft Entra ID portal and navigate to Enterprise applications. Confirm that Airia Connector – Web is listed in this section.

Set up with your custom managed OAuth

This guide explains how to configure SharePoint with Site Selected access, SharePoint with all sites read access and OneDrive connectors in Azure AD and integrate it with Airia, allowing Airia to access specific SharePoint sites.

Configure Your Azure AD App

1. Register Your Application in Azure AD

  1. Navigate to Azure Portal > Microsoft Entra ID > App registrations.
  2. Click New registration.
  3. Configure the application details:
    • Name: Enter a descriptive name, such as Airia SharePoint Site Selected.
    • Supported account types: Select Accounts in any organizational directory.
    • Redirect URI: Enter Airia Chat.
  4. Click Register.
  5. From the app’s Overview page, save the Application (client) ID. You will need this later.

2. Configure API Permissions

  1. In your registered application’s left menu, navigate to API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph.
  4. Choose Application permissions.
  5. Add the following permissions: For more limited permissions add the following scopes. Note that Microsoft Admin is required to whitelist the sites for syncing. Only one site can be ingested in a given data source.
    • User.Read
    • Sites.Selected
    • offline.access
    • (Optional for permission-aware RAG) Directory.Read.All
Alternatively, you can list the following scopes without the need for whitelisting sites and the limitation of one site per data source. The app can access only the sites and files that the user who is authenticating has access to (delegated permissions).
  • Sites.Read.All
  • offline.access
  • Files.Read
  • Files.ReadWrite
  • User.Read
Scopes required for OneDrive connector
  • offline.access
  • Files.Read
  • Files.ReadWrite
  • User.Read
  1. Click Add permissions.
  2. Click Grant admin consent for [Your Tenant Name] and confirm.
💡 Note: If permission-aware RAG (where the AI agent respects end-user permissions) is required, Directory.Read.All is necessary. This scope often replaces the need for User.Read.All, Group.Read.All, and GroupMember.Read.All in most read-only scenarios.

3. Obtain Your Client Secret

  1. In your registered application’s left menu, navigate to Certificates & secrets.
  2. Click New client secret.
  3. Provide a Description (e.g., Airia Client Secret) and set an appropriate Expires duration.
  4. Click Add.
  5. Copy the Value of the client secret immediately. It will only be shown once and is required for Airia integration.

Grant Site-Level Permissions Using Graph Explorer (required if you listed sites.selected scope for SharePoint only)

Before granting your app access, you need to obtain the specific SharePoint Site ID.

Prerequisites

  • Access to Graph Explorer.
  • A Global Administrator or SharePoint Administrator account to sign into Graph Explorer.

1. Grant Temporary Admin Permissions for Setup

  1. Open Graph Explorer and sign in with a Global Administrator or SharePoint Administrator account.
  2. In Graph Explorer, navigate to the Permissions tab.
  3. Enable and consent to the Sites.FullControl.All permission.
  4. Click Consent.
⚠️ Warning: This permission is only for your admin session to configure site access. You can revoke it after completing this phase if desired.

2. Get Your SharePoint Site ID

  1. In Graph Explorer, make a GET request to retrieve the site ID.
    • Replace {hostname} with your SharePoint hostname (e.g., yourcompany.sharepoint.com).
    • Replace {site-name} with the name of your SharePoint site.
    GET https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{site-name}
  2. From the response, copy the entire id field. This is your Site ID. 
    {
  "id": "airiaqe.sharepoint.com,3e6f8b32-6e9b-4b88-8c33-0c44f5c6a789,7b8c3b24-68c1-4a11-b12b-1ad4dcaa8a12",
  "displayName": "SharePointSiteSelectedTestWebsite",
  "name": "SharePointSiteSelectedTestWebsite",
  "webUrl": "https://airiaqe.sharepoint.com/sites/SharePointSiteSelectedTestWebsite"
}

3. Grant Your App Access to the SharePoint Site

  1. In Graph Explorer, make a POST request to grant your registered app read permissions to the specific SharePoint site.
    • Replace {site-id} with the Site ID you obtained in the previous step.
    • Replace {application-id} with the Application (client) ID you saved from Azure AD (Phase 1, Step 1).
    • Replace {application-display-name} with the display name of your registered application (e.g., Airia SharePoint Site Selected).
    POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions

4. Verify App Access (Optional)

  1. To confirm the permissions were set correctly, make a GET request in Graph Explorer. Replace {site-id} with your SharePoint Site ID. 
    GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
  2. The response should include an entry for your application with the read role. 
    {
  "value": [
    {
      "id": "some-guid",
      "roles": ["read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "56708dc4-880d-4858-86a0-936a052fdc0f",
            "displayName": "Airia SharePoint Site Selected"
          }
        }
      ]
    }
  ]
}

Create Your OAuth Connector in Airia

1. Add a New Microsoft OAuth Connector

  1. In the Airia platform, navigate to Settings > OAuth connectors.
  2. Select the Microsoft card.
  3. Enter the following details for your new OAuth connector:
    • Name: A descriptive name (e.g., SharePoint Site Selected Connector).
    • Client ID: The Application (client) ID you saved from Azure AD (Phase 1, Step 1).
    • Client Secret: The client secret value you saved from Azure AD (Phase 1, Step 3).
    • Scopes: Add the following scopes (matching those configured in Azure AD):
      • User.Read
      • Sites.Selected
      • offline.access
      • (Optional for permission-aware RAG) Directory.Read.All
  4. Click Create.

Create a SharePoint Data Source

1. Add a New SharePoint Data Source

  1. In the Airia platform, navigate to Available data sources.
  2. Select the SharePoint card.

2. Configure Data Source Details

  1. Provide the following details:
    • Name: A mandatory, descriptive name for your data source (e.g., SharePoint Site Selected Data).
    • Description: (Optional) A brief description.
    • Scope: Select the Airia project for this data source.
    • OAuth connector: From the dropdown, select the Microsoft OAuth connector you created in Phase 3 or Airia managed OAuth.
  2. For Credentials, choose Create new credential (this is the only option if you just created the OAuth connector).
  3. Enter a Name for the new credential.
  4. Confirm the required scopes for the user authenticating that match the scopes for the Oauth configuration.
  5. Click Authenticate. Complete the OAuth flow by logging in with an account that has access to the SharePoint site.

3. Specify SharePoint Site (only for sites.selected) and Ingestion Settings

  1. Enter the Site ID or Site URL of the SharePoint site you wish to sync (obtained in Phase 2, Step 2).
  2. Enable permission check or user specific if access control is required for the files in the data source.
  3. (Optional) Configure the ingestion settings based on your specific use case and data requirements.
  4. Click Next

4. Select Folders and Start Ingestion

Browse and select the content you want to ingest. You can select and deselect individual items. Supported content types for ingestion include:
  • SharePoint sites
  • SharePoint subsites
  • SharePoint document libraries
  • Folders
  • Files
  • Shared content
💡 Tip: Selecting a SharePoint site, library, or folder will sync all supported content within it, including files, subfolders, and their content. Reprocessing the data source will automatically sync newly added content, update modified content, and delete removed items within the selected content. 💡 Note: To edit your content selection, go to the data source and click Edit. You may need to reauthenticate. Then click Next to make your new selections. If you reauthenticate with new user credentials, the content selector will not show previous selections, and you will need to reselect all desired items.

Permissions Enforcement

Airia filters query results based on the end-user’s access permissions in OneDrive/Sharepoint.

Prerequisites

To enable permission enforcement for your data source:
  • Single Sign-On (SSO) must be enabled for your Airia project.
  • Permission check must be enabled when configuring the specific data source (e.g., when setting up the OneDrive/SharePoint data source).

Next Steps

After your data has been successfully ingested, the OneDrive/SharePoint data source is ready to be used with an Agent.