You can connect SharePoint Online to your Agentspace Enterprise or search app and search over your SharePoint data.
This page describes the following types of SharePoint connectors:
- SharePoint: Connects SharePoint Online, ingests data from your SharePoint site, and indexes the SharePoint data. See Connect SharePoint Online and ingest data.
- SharePoint Federated: Sends user queries to the SharePoint search API and enables searching SharePoint data without first ingesting and indexing all the data into Agentspace Enterprise. See Use federated search with SharePoint.
Connect SharePoint Online and ingest data
This section describes the authentication methods and the procedure to create a SharePoint Online connector in Agentspace Enterprise and ingest data from your SharePoint Online sites.
Before you begin
Before setting up your connection, set up access control for your data source. For information about setting up access control, see Use data source access control.
Configure Entra application registration
Before you can create the connector in Google Agentspace Enterprise, you must set up an Entra application registration to enable secure access to SharePoint. How you register the application depends on the authentication method that you select when you're creating the connector in Google Agentspace Enterprise. You can choose one of the following methods:
Federated credentials

- Allows Google to securely access SharePoint using cryptographically signed tokens, avoiding the need for a real user principal.
- Requires a subject ID to register Google Agentspace Enterprise in Entra. This is available when you create the SharePoint connector in Google Agentspace Enterprise.
- When you register your app in Entra, you must gather the following details:
  - Instance URI, in one of the following forms:
    - For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com, for example, mydomain.sharepoint.com.
    - For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE, for example, mydomain.sharepoint.com/sites/sample-site.
  - Tenant ID
  - Client ID
  These details are necessary to complete the authentication and create the SharePoint connector in Google Agentspace Enterprise.
- Google recommends that you use this method.

OAuth 2.0 refresh token

- Gives granular control over who connects to the SharePoint API.
- When you register your app in Entra, you must gather the following details:
  - Instance URI, in one of the following forms:
    - For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com, for example, mydomain.sharepoint.com.
    - For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE, for example, mydomain.sharepoint.com/sites/sample-site.
  - Tenant ID
  - Client ID
  - Client secret
  These details are necessary to complete the authentication and create the SharePoint connector in Google Agentspace Enterprise.
- The authentication process includes signing in to your SharePoint account.
- This method is suitable when your SharePoint setup requires two-factor authentication.
- Requires you to create a new SharePoint user, which might add licensing costs.

OAuth 2.0 password grant

- Gives granular control over who connects to the SharePoint API.
- When you register your app in Entra, you must gather the following details:
  - Instance URI, in one of the following forms:
    - For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com, for example, mydomain.sharepoint.com.
    - For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE, for example, mydomain.sharepoint.com/sites/sample-site.
  - Tenant ID
  - Client ID
  - Client secret
  These details are necessary to complete the authentication and create the SharePoint connector in Google Agentspace Enterprise.
- The authentication process includes providing the username and password that your Entra admin provided.
- This method is suitable when your SharePoint setup doesn't require two-factor authentication.
- Requires you to create a new SharePoint user, which might add licensing costs.
Set up federated credentials
Use the following steps to configure the app registration, grant permissions, and establish authentication. Google recommends that you use the federated credentials method.
1. Obtain the service account client ID:
   - In the Google Cloud console, go to the Agentspace Enterprise page.
   - In the navigation menu, click Data stores.
   - Click Create data store.
   - On the Select a data source page, scroll or search for SharePoint Online to connect your third-party source.
   - Note the Subject identifier. Don't click Continue yet. Perform the next steps in this task and then complete the steps in the Google Cloud console by following the instructions in Create a SharePoint Online connector.
2. Register the app in Microsoft Entra:
   - Navigate to the Microsoft Entra admin center.
   - In the menu, expand the Applications section and select App registrations.
   - On the App registrations page, select New registration.
   - Create an app registration on the Register an application page:
     - In the Supported account types section, select Accounts in the organizational directory only.
     - In the Redirect URI section, select Web and enter the redirect URI as https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html
     - Keep other settings default and click Register.
   - Note the Client ID and Tenant ID.
3. Add federated credentials:
   - Go to Certificates & secrets > Federated credentials > Add credential.
   - Use the following settings:
     - Federated credential scenario: Other issuer
     - Issuer: https://accounts.google.com
     - Subject identifier: Use the value of Subject identifier that you noted in the Google Cloud console in Step 1.
     - Name: Provide a unique name.
   - Click Add to grant access.
4. Set API permissions:
   - Add and grant admin consent for the following Microsoft Graph permissions:

     | Permission | Description |
     | --- | --- |
     | GroupMember.Read.All | Read all group memberships |
     | Sites.FullControl.All | Full control over all sites |
     | User.Read.All | Read all users' full profiles |

   - Add and grant admin consent for the following SharePoint permissions:

     | Permission | Description |
     | --- | --- |
     | Sites.FullControl.All | Have full control of all site collections |

   - For the added permissions, check that the Status column lists the permission as Granted and has a green check icon.
   - Grant administrator consent. For information about how to grant consent, see Grant tenant-wide administrator consent to an application in the Microsoft Entra documentation.
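The following Python script is an added example, not code from this page or from Google's or Microsoft's tooling. It audits an exported app registration against the federated credentials setup described above: single-tenant account type, the Google redirect URI, exactly one federated credential binding the issuer https://accounts.google.com to the Subject identifier from the console, no leftover client secret (federated credentials make one unnecessary), and admin-consented Microsoft Graph and SharePoint permissions. The JSON shape of the export is constructed for the example, so its key names are assumptions; real Microsoft Graph application objects use different field names and identify permissions by GUID. The value `AzureADMyOrg` is the Graph value for the single-tenant account type.

```python
"""Offline audit of an Entra app registration export for the
Agentspace SharePoint connector (federated credentials method)."""
import json

# Values taken from the procedure on this page.
EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_REDIRECT_URI = (
    "https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html"
)
REQUIRED_PERMISSIONS = {
    "Microsoft Graph": {"GroupMember.Read.All", "Sites.FullControl.All", "User.Read.All"},
    "SharePoint": {"Sites.FullControl.All"},
}


def audit_app_registration(app: dict, subject_identifier: str) -> list:
    """Compare an app registration export with the federated credentials setup.

    Returns a list of findings; an empty list means every check passed.
    `subject_identifier` is the value shown in the Google Cloud console
    when you create the SharePoint data store.
    """
    findings = []

    # Supported account types: accounts in this directory only (single tenant).
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single-tenant (AzureADMyOrg)")

    # Redirect URI entered during registration.
    if EXPECTED_REDIRECT_URI not in app.get("web", {}).get("redirectUris", []):
        findings.append("redirect URI for the Google OAuth page is missing")

    # Exactly one federated credential should bind Google's issuer to the
    # console's subject identifier; any other binding widens who can obtain
    # tokens for this app and should be reviewed.
    creds = app.get("federatedIdentityCredentials", [])
    matching = [
        c for c in creds
        if c.get("issuer") == EXPECTED_ISSUER and c.get("subject") == subject_identifier
    ]
    if not matching:
        findings.append(
            f"no federated credential binds issuer {EXPECTED_ISSUER} "
            f"to subject {subject_identifier}"
        )
    for c in creds:
        if c not in matching:
            findings.append(
                f"unexpected federated credential {c.get('name')!r} "
                f"(issuer={c.get('issuer')}, subject={c.get('subject')})"
            )

    # Federated credentials remove the need for a client secret; a leftover
    # secret is an extra credential that must be protected and rotated.
    if app.get("passwordCredentials"):
        findings.append("client secret present although federated credentials are used")

    # Required application permissions must exist and be admin-consented.
    for api, required in REQUIRED_PERMISSIONS.items():
        granted = {
            p["name"] for p in app.get("permissions", {}).get(api, [])
            if p.get("status") == "Granted"
        }
        for missing in sorted(required - granted):
            findings.append(f"{api} permission {missing} is not granted")

    return findings


# Constructed sample export (field names assumed; not the real Graph schema).
SAMPLE_EXPORT = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html"]},
  "federatedIdentityCredentials": [
    {"name": "agentspace", "issuer": "https://accounts.google.com", "subject": "123456789012345678901"},
    {"name": "leftover", "issuer": "https://accounts.google.com", "subject": "999999999999999999999"}
  ],
  "passwordCredentials": [{"displayName": "old-secret"}],
  "permissions": {
    "Microsoft Graph": [
      {"name": "GroupMember.Read.All", "status": "Granted"},
      {"name": "Sites.FullControl.All", "status": "Granted"},
      {"name": "User.Read.All", "status": "Not granted"}
    ],
    "SharePoint": [{"name": "Sites.FullControl.All", "status": "Granted"}]
  }
}
""")

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE_EXPORT, "123456789012345678901"):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports three findings: a second federated credential bound to an unknown subject, a client secret that the federated method does not need, and a Graph permission that was added but never consented. Rerunning it after each change to the registration is a cheap way to confirm the app still matches the procedure.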
Set up OAuth 2.0 for refresh token and password grant
You can use the OAuth 2.0 method to set up an Entra application registration and enable secure access to SharePoint. This method includes steps to configure the app registration, grant permissions, and establish authentication.
Google recommends that you set up federated credentials instead of configuring OAuth 2.0 authentication.
You can use the following process to register the application in Entra using OAuth 2.0 authentication for refresh token and for password grant. This method is preferred when you need granular control over SharePoint REST API permissions, allowing you to restrict resource access on the user account.
The following table describes the SharePoint roles that are recommended for OAuth 2.0 authentication method:
1. Create an app registration:
   - Navigate to the Entra admin center.
   - Create an app registration with the following settings:
     - Supported account types: Accounts in the organizational directory only.
     - Redirect URI: https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html
   - Note the Client ID and Tenant ID.
2. Add a client secret:
   - Go to Certificates & secrets > New client secret.
   - Note the secret string.
3. Set API permissions:
   - Add and grant admin consent for the following Microsoft Graph permissions:

     | Permission | Description |
     | --- | --- |
     | GroupMember.Read.All | Read all group memberships |
     | Sites.FullControl.All | Full control over all sites |
     | User.Read.All | Read all users' full profiles |

   - Add and grant admin consent for the following SharePoint permissions:

     | Permission | Description |
     | --- | --- |
     | AllSites.FullControl | Have full control of all site collections |

   - For the added permissions, check that the Status column lists the permission as Granted and has a green check icon.
   - Use a dedicated user account with limited access to specific sites. Make sure the account has Owner access to the selected sites.
   - Grant administrator consent. For information about how to grant consent, see Grant tenant-wide administrator consent to an application in the Microsoft Entra documentation.
Create a SharePoint Online connector
After you have registered your application in Entra, you can create the SharePoint connector in the Google Cloud console.
Console
To use the Google Cloud console to sync data from SharePoint to Agentspace Enterprise, follow these steps. These steps demonstrate the federated credentials method, which is the recommended method:
1. In the Google Cloud console, go to the Agentspace Enterprise page.
2. In the navigation menu, click Data stores.
3. Click Create data store.
4. On the Select a data source page, scroll or search for SharePoint to connect your third-party source.
5. Enter your SharePoint Online authentication information. Enter the SharePoint site URI as the Instance URI:
   - For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com
   - For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE
   If you were granted the Sites.Selected permission while setting up the federated credentials in Entra, then you must either specify the exact sites that you want to index or specify filters in Step 7 to include or exclude the exact sites.
6. Select the entities to sync and click Continue. If you were granted the Sites.Selected permission while setting up the federated credentials in Entra, then you must either specify the exact sites that you want to index in Step 5 or specify filters to include or exclude the exact sites.
7. Specify the filters to include or exclude site entities.
8. Select a region for your data store.
9. Enter a name for your data store.
10. Select a synchronization frequency for your data store. After you set up your data source and import data the first time, the data store syncs data from that source at the frequency that you select during setup.
    - Data synchronization frequencies range from three hours to seven days.
    - Identity synchronization frequencies range from 30 minutes to seven days.
11. Click Create. Agentspace Enterprise creates your data store and displays your data stores on the Data stores page.
To check the status of your ingestion, go to the Data stores page and click your data store name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.
Depending on the size of your data, ingestion can take minutes or hours.
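As an added example (not code from this page or from Google), the following Python parses an Instance URI into the two documented forms, tenant-wide (https://DOMAIN_OR_SERVER.sharepoint.com) and single site (https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE), rejects anything else so that a typo cannot silently change what the connector indexes, and applies the Sites.Selected rule from Step 5 and Step 6: a tenant-wide URI combined with Sites.Selected needs explicit sites or include/exclude filters. The function names and the way site filters are represented are assumptions made for the example.

```python
"""Validate Agentspace SharePoint connector Instance URIs offline."""
import re
from urllib.parse import urlsplit

# Host part shared by both documented forms: DOMAIN_OR_SERVER.sharepoint.com.
# Anchored so that lookalikes such as tenant.sharepoint.com.example.net fail.
_HOST_RE = re.compile(r"^[a-z0-9-]+\.sharepoint\.com$")


def parse_instance_uri(uri: str) -> dict:
    """Classify an Instance URI as one of the two documented forms.

    Returns {"host", "scope", "site_path"} where scope is
    "all-first-level-sites" or "single-site". Raises ValueError for any
    URI outside those forms (wrong scheme, non-SharePoint host, query,
    fragment, port, or a path deeper than [sites/]WEBSITE).
    """
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "https":
        raise ValueError(f"scheme must be https: {uri!r}")
    if parts.query or parts.fragment or parts.username or parts.port:
        raise ValueError(f"query, fragment, userinfo or port not allowed: {uri!r}")
    host = parts.hostname or ""  # urlsplit already lowercases the hostname
    if not _HOST_RE.match(host):
        raise ValueError(f"host must look like DOMAIN_OR_SERVER.sharepoint.com: {uri!r}")
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return {"host": host, "scope": "all-first-level-sites", "site_path": None}
    # The "sites/" prefix is optional; after it exactly one WEBSITE segment remains.
    website = segments[1:] if segments[0].lower() == "sites" else segments
    if len(website) != 1:
        raise ValueError(f"expected [sites/]WEBSITE, got path {parts.path!r}")
    return {"host": host, "scope": "single-site", "site_path": "/" + "/".join(segments)}


def is_valid_instance_uri(uri: str) -> bool:
    """True if the URI matches one of the documented forms."""
    try:
        parse_instance_uri(uri)
        return True
    except ValueError:
        return False


def validate_connector_scope(uri: str, granted_permissions: set, site_filters: list) -> list:
    """Apply the Sites.Selected rule from the console procedure.

    With Sites.Selected granted, a tenant-wide Instance URI is acceptable
    only when include/exclude filters name the exact sites. `site_filters`
    is a list of filter strings as entered in the console (representation
    assumed for this example). Returns a list of findings.
    """
    findings = []
    info = parse_instance_uri(uri)
    if (
        "Sites.Selected" in granted_permissions
        and info["scope"] == "all-first-level-sites"
        and not site_filters
    ):
        findings.append(
            "Sites.Selected is granted: use a single-site Instance URI "
            "or specify include/exclude filters for the exact sites"
        )
    return findings


if __name__ == "__main__":
    # The two examples given on this page (constructed tenant name).
    for example in ("https://mydomain.sharepoint.com",
                    "https://mydomain.sharepoint.com/sites/sample-site"):
        print(example, "->", parse_instance_uri(example))
```

The parser is strict on purpose: an `http://` scheme, a host outside `*.sharepoint.com`, or a path deeper than one site all raise rather than being coerced, and the scope classification lets the Sites.Selected check distinguish a tenant-wide URI from a single-site one before the data store is created.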
Test the search engine
After configuring your search engine, test its capabilities. This ensures it returns accurate results based on user access.
1. Enable the web app: go to the app integration configurations and toggle Enable the web app.
2. Test the web app:
   - Click Open next to the web app link and sign in with a user in your workforce pool.
   - Verify that search results are restricted to items accessible by the signed-in user.
Configure the workforce pool
The workforce pool lets you manage and authenticate users from external identity providers, such as Azure or Okta, within the Google Cloud console. To configure your workforce pool and enable the web app for seamless user access, do the following:
1. Create a workforce pool at the organization level in Google Cloud by following the appropriate setup manual.
2. Configure the workforce pool in Agentspace Enterprise > Settings for the region where you create your app.
Next steps
To attach your data store to an app, create an app and select your data store following the steps in Create an app.
To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.
Use federated search with SharePoint
Use the following procedure to search through your SharePoint account using federated search.
About federated search
You can use federated search connectors to send your queries to third-party search APIs instead of ingesting and indexing all data into Agentspace Enterprise. Using this approach, you can access external data sources immediately, without waiting for ingestion.
However, this approach might not be suitable in all scenarios. While federated search is quick to set up, it has the following limitations:
- Compared to indexed data, federated search may deliver lower-quality results.
- Federated search may introduce higher latency, because it depends on the third-party search API.
- Not all connectors support federated search.
Before you begin
Register Agentspace Enterprise as an OAuth 2.0 application in SharePoint. Make sure you have the following credentials:
- Client ID
- Client secret
- Instance URL
- Tenant ID
Create a federated search connector with SharePoint
User authorization
After creating a federated search data store, you can see it listed as one of the data sources in your source management panel. If you haven't previously authorized Agentspace Enterprise, then you can't select the data source. Instead, an Authorize button appears next to it.
To initiate the authorization flow:
1. Click Authorize. You are redirected to the SharePoint authorization server.
2. Sign in to your account.
3. Click Grant access. After granting access, you are redirected back to Agentspace Enterprise to complete the authorization flow. Agentspace Enterprise obtains the access_token and uses it to access the third-party search.
Query execution
When you enter a search query:
- If SharePoint is authorized, Agentspace Enterprise sends the query to the SharePoint API.
- Agentspace Enterprise blends the results with those from other sources and displays them.
Data handling
When using third-party federated search, your query string is sent to the third-party search backend. These third parties may associate queries with your identity. If multiple federated search data sources are enabled, the query may be sent to all of them.
Once the data reaches the third-party system, it is governed by that system's Terms of Service and privacy policies (not by Google Cloud's terms).