Connect Microsoft SharePoint Online

You can connect SharePoint Online to your Agentspace search app and search over your SharePoint data.

This page describes the following types of SharePoint connectors:

  • SharePoint: Connects SharePoint Online, ingests data from your SharePoint site, and indexes the SharePoint data. See Connect SharePoint Online and ingest data.

  • SharePoint Federated (Preview): Sends user queries to the SharePoint search API and enables searching SharePoint data without first ingesting and indexing all the data into Agentspace. See Use federated search with SharePoint.

Connect SharePoint Online and ingest data

This section describes the authentication methods and the procedure to create a SharePoint Online connector in Agentspace and ingest data from your SharePoint Online sites.

Before you begin

To enforce data source access control and secure data in Agentspace, ensure that you have configured your identity provider.

About Entra application registration

Before you can create the connector in Agentspace, you must set up an Entra application registration to enable secure access to SharePoint. How you register the application depends on the authentication method that you select when you're creating the connector in Agentspace. You can choose one of the following methods:

  • Federated credentials:

    • Allows Google to securely access SharePoint using cryptographically signed tokens, avoiding the need for a real user principal.

    • Requires a subject ID to register the Agentspace in Entra. This is available when you create the SharePoint connector in Agentspace.

    • When you register your app in Entra, you must gather the following details:

      • Instance URI:
        • For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com —for example, mydomain.sharepoint.com.
        • For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE —for example, mydomain.sharepoint.com/sites/sample-site.
      • Tenant ID
      • Client ID

      These details are necessary to complete the authentication and create the SharePoint connector in Agentspace.

    • Google recommends that you use this method.

  • OAuth 2.0 refresh token:

    • Gives a granular control over who connects to the SharePoint API.

    • When you register your app in Entra, you must gather the following details:

      • Instance URI: This is in the following form:
        • For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com —for example, mydomain.sharepoint.com.
        • For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE —for example, mydomain.sharepoint.com/sites/sample-site.
      • Tenant ID
      • Client ID
      • Client secret

      These details are necessary to complete the authentication and create the SharePoint connector in Agentspace.

    • The authentication process includes signing in to your SharePoint account.

    • This method is suitable when your SharePoint set up requires a two-factor authentication.

    • Requires you to create a new SharePoint user, which might add licensing costs.

  • OAuth 2.0 password grant:

    • Gives a granular control over who connects to the SharePoint API.

    • When you register your app in Entra, you must gather the following details:

      • Instance URI: This is in the following form:
        • For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com —for example, mydomain.sharepoint.com.
        • For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE —for example, mydomain.sharepoint.com/sites/sample-site.
      • Tenant ID
      • Client ID
      • Client secret

      These details are necessary to complete the authentication and create the SharePoint connector in Agentspace.

    • The authentication process includes providing your Entra admin-provided username and password.

    • This method is suitable when your SharePoint set up doesn't require a two-factor authentication.

    • Requires you to create a new SharePoint user, which might add licensing costs.

Important considerations when granting SharePoint permissions

Google strongly recommends and uses the principle of least privilege to assign only the permissions necessary to complete a given task. For more information about Google's recommended best practices, see Use IAM securely.

However, to successfully register your application in Microsoft Entra and create a SharePoint connector in Agentspace, you must grant full control over all sites or full control over selected sites. This might seem like an excessive permission. The reason is that the Sites.Read.All permission doesn't allow Agentspace to obtain the SharePoint user groups and role assignments, whereas Sites.FullControl.All and Sites.Selected with fullcontrol do.

Considering this, when you configure your connector in Agentspace, you can do the following to restrict what the connector can and can't access:

  • Provide a specific instance URI that limits access to a single site
  • Select specific entities within the site that you want to sync.

If you have any further concerns over the required permissions, Google recommends that you reach out to Microsoft support.

Set up federated credentials

Use the following steps to configure the app registration, grant permissions, and establish authentication. Google recommends that you use the federated credentials method.

Some common error messages that you might encounter during this process are listed in Error messages.

  1. Obtain service account client ID:

    1. In the Google Cloud console, go to the Agentspace page.
    2. In the navigation menu, click Data stores.
    3. Click Create data store.
    4. On the Select a data source page, scroll or search for SharePoint Online to connect your third-party source.
    5. Note the Subject identifier. Don't click Continue yet. Perform the next steps in this task and then complete the steps in the Google Cloud console by following the instructions in Create a SharePoint Online connector.
      Note the subject identifier in the Console
      Note the subject ID but don't click Continue yet

  2. Register app in Microsoft Entra:

    1. Navigate to Microsoft Entra admin center.
    2. In the menu, expand the Applications section and select App registrations.
    3. On the App registrations page, select New registration.
      Register a new app in Entra
      Register a new app in Microsoft Entra admin center

    4. Create an app registration on the Register an application page:

      • In the Supported account types section, select Accounts in the organizational directory only.
      • In the Redirect URI section, select Web and enter the redirect URI as https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html
      • Keep other settings default and click Register.
        Register Accounts in the organizational directory only
        Select the account type and enter the redirect URI

    5. Note the Client ID and Tenant ID.

      App details page summary
      App details page

  3. Add federated credentials:

    1. Go to Certificates & secrets > Federated credentials > Add credential.

      Add federated credentials in Entra
      Add federated credentials in Microsoft Entra

    2. Use the following settings:

      • Federated credential scenario: Other issuer
      • Issuer: https://accounts.google.com
      • Subject identifier: Use the value of Subject identifier that you noted in Google Cloud console in Step 1.a.v.
      • Name: Provide a unique name.

    3. Click Add to grant access.

      Connect your Google Account to Microsoft Entra ID
      Connect your Google Account to Microsoft Entra ID

  4. Set API permissions.

    Select the app to set API permissions
    Select the app to set API permissions

    1. Add and grant the following Microsoft Graph permissions. You can choose between the site control options (Sites.FullControl.All and Sites.Selected) and profile reading options (User.Read.All and User.ReadBasic.All):

      Microsoft Graph permissions for federated credentials

      Permission Type Description Justification
      GroupMember.Read.All Application Read all group memberships This permission allows Agentspace to understand the memberships of the user groups in the SharePoint site.
      User.Read Delegated Sign in and read user's profile

      This is a default permission that must not be removed. When removed, SharePoint displays an error asking you to reinstate this permission.

      Site control options
      Option 1: Sites.FullControl.All Application Full control over all sites

      This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across all SharePoint sites.

      If giving full control over all sites seems excessive, use Option 2: Sites.Selected to give granular control.

      Option 2: Sites.Selected Application Control over selected sites

      This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across selected SharePoint sites. This permission provides more granular control instead of Sites.FullControl.All
      Profile reading options
      Option 1: User.Read.All Application Read all users' full profiles This permission allows Agentspace to understand the data access control for your SharePoint content.
      Option 2: User.ReadBasic.All Application Read all users' basic profiles This permission allows Agentspace to understand the data access control for your SharePoint content.

    2. Add and grant the following SharePoint permissions. You can choose between Sites.FullControl.All and Sites.Selected:

      SharePoint permissions for federated credentials

      Permission Type Description Justification
      Option 1: Sites.FullControl.All Application Full control over all sites

      This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across all SharePoint sites.

      If giving full control over all sites seems excessive, use Option 2: Sites.Selected to give granular control.
      Option 2: Sites.Selected Application Control over selected sites This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across selected SharePoint sites.

    3. For the added permissions, check that the Status column lists the permission as Granted and has a green check icon.

      Select the API permissions
      Request the API permissions (Application) for Microsoft Graph

    Verify the API permissions
    Verify the API permissions

  5. Grant administrator consent. For information about how to grant consent, see Grant tenant-wide administrator consent to an application in the Microsoft Entra documentation.

Set up OAuth 2.0 for refresh token and password grant

You can use the OAuth 2.0 method to set up an Entra application registration and enable secure access to SharePoint. This method includes steps to configure the app registration, grant permissions, and establish authentication.

Google recommends that you set up federated credentials instead of configuring OAuth 2.0 authentication.

You can use the following process to register the application in Entra using OAuth 2.0 authentication for refresh token and for password grant. This method is preferred when you need granular control over SharePoint REST API permissions, allowing you to restrict resource access on the user account.

Some common error messages that you might encounter during this process are listed in Error messages.

The following table describes the SharePoint roles that are recommended for OAuth 2.0 authentication methods:

  1. Create app registration:

    1. Navigate to Entra administrator center.

    2. Create an app registration:

      • Supported account types: Accounts in the organizational directory only.
      • Redirect URI: https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html.

    3. Note the Client ID and Tenant ID.

  2. Add client secret:

    1. Go to Certificates & secrets > New client secret.
    2. Note the secret string.

  3. Set API permissions.

    1. Add and grant the following Microsoft Graph permissions. You can choose between Sites.FullControl.All and Sites.Selected:

      Microsoft Graph permissions for OAuth 2.0 authentication

      Permission Type Description Justification
      GroupMember.Read.All Application Read all group memberships This permission allows Agentspace to understand the memberships of the user groups in the SharePoint site.
      User.Read Delegated Sign in and read user's profile

      This is a default permission that must not be removed. When removed, SharePoint displays an error asking you to reinstate this permission.

      Option 1: Sites.FullControl.All Application Full control over all sites

      This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across all SharePoint sites.

      Option 2: Sites.Selected Application Control over selected sites

      This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across selected SharePoint sites. This permission provides more granular control instead of Sites.FullControl.All
      User.Read.All Application Read all users' full profiles This permission allows Agentspace to understand the data access control for your SharePoint content.

    2. Add and grant the following SharePoint permissions for OAuth 2.0 authentication. You can choose between AllSites.FullControl and Sites.Selected:

      Sharepoint permissions for OAuth 2.0 authentication

      Permission Type Description Justification
      Option 1: AllSites.FullControl Delegated Full control over all sites

      This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across all SharePoint sites.

      Option 2: Sites.Selected Delegated Control over selected sites

      This permission allows Agentspace to obtain the SharePoint user groups and role assignments, which aren't included in the Sites.Read.All permission. It also allows Agentspace to index documents, events, comments, attachments, and files across selected SharePoint sites. This permission provides more granular control instead of AllSites.FullControl

    3. For the added permissions, check that the Status column lists the permission as Granted and has a green check icon.

    4. Use a dedicated user account with limited access to specific sites. Verify that this account has Owner access to the selected sites.

  4. Grant administrator consent. For information about how to grant consent, see Grant tenant-wide administrator consent to an application in the Microsoft Entra documentation.

Grant fullcontrol permission selected sites

If you choose the Sites.Selected option to grant control over selected sites in Microsoft Graph, you must grant the fullcontrol permission to the Agentspace application. You can do so using one of the following methods:

PowerShell

For a generic syntax to grant permissions using PnP PowerShell, see Granting permissions via PnP PowerShell.

  1. Run the following command that provides the FullControl permission:

    Grant-PnPAzureADAppSitePermission -AppId CLIENT_ID -DisplayName DISPLAY_NAME -Permissions FullControl -Site SITE_URL

    Replace the following:

    • CLIENT_ID: the client ID of the Microsoft Entra application.
    • SITE_URL: the site URL for your SharePoint site, for example, https://example.sharepoint.com/sites/ExampleSite1.
    • DISPLAY_NAME: a description for the Microsoft Entra application.

Microsoft Graph

For the overall process to grant permissions using Microsoft Graph, see Granting permissions via Microsoft Graph.

Use Microsoft Graph Explorer to call the following methods. These methods can be called only by a site owner.

  1. Get the site ID:

    GET `https://graph.microsoft.com/v1.0/sites/HOSTNAME:SITE_PATH`

    Replace the following:

    • HOSTNAME: the Sharepoint site's hostname—for example, example.sharepoint.com.
    • SITE_PATH: the SharePoint site's path—for example, /sites/ExampleSite1 or /teams/ExampleSite2.

  2. Give fullcontrol access to the site whose ID you retrieved in the previous step.

    • Send the following POST request:

         POST `https://graph.microsoft.com/v1.0/sites/SITE_ID/permissions`

    • Use the following request body:

      {
  "roles": ["fullcontrol"],
  "grantedToIdentities": [{
    "application": {
      "id": "CLIENT_ID",
      "displayName": "DISPLAY_NAME"
    }
  }]
}

      Replace the following:

      • SITE_ID: the site ID for your SharePoint site that you received in the previous step. It has the format example.sharepoint.com,48332b69-85ab-0000-00o0-dbb7132863e7,2d165439-0000-0000-b0fe-030b976868a0.
      • CLIENT_ID: the client ID of the Microsoft Entra application.
      • DISPLAY_NAME: a description for the Microsoft Entra application.

Error messages

The following table describes the common error messages and their descriptions that you might encounter when connecting SharePoint with Agentspace.

Error code Error message
SHAREPOINT_MISSING_PERMISSION_1 Missing required REST API role (Sites.FullControl.All or Sites.Selected). For delegated permissions, missing AllSites.FullControl or Sites.Selected.
SHAREPOINT_MISSING_PERMISSION_2 Missing required Graph API role (Sites.FullControl.All or Sites.Selected).
SHAREPOINT_MISSING_PERMISSION_3 Missing required Graph API role GroupMember.Read.All.
SHAREPOINT_MISSING_PERMISSION_4 Missing required Graph API role (User.Read.All or User.ReadBasic.All).
SHAREPOINT_INVALID_SITE_URI Failed to retrieve Graph API access token. Possible causes: invalid client ID, secret value, or missing federated credentials.
SHAREPOINT_INVALID_AUTH Failed to retrieve Graph API access token. Possible causes: invalid client ID, secret value, or missing federated credentials.
SHAREPOINT_INVALID_JSON Failed to parse JSON content.
SHAREPOINT_TOO_MANY_REQUESTS Too many HTTP requests sent to SharePoint; received 429 HTTP response.

Create a SharePoint Online connector

After you have registered your application in Entra, you can create the the SharePoint connector in Google Cloud console.

Console

To use the Google Cloud console to sync data from SharePoint to Agentspace, follow these steps. These steps demonstrate the federated credentials method, which is the recommended method:

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, scroll or search for SharePoint to connect your third-party source.

    Search for SharePoint in the available daa sources
    Search for and select SharePoint as the data source

  5. Enter your SharePoint Online authentication information.

    Add the authentication info
    Add the authentication information

    • Enter the SharePoint site URI as the Instance URI.

      • For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com
      • For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/[sites/]WEBSITE

      If you were granted the Sites.Selected permission while setting up the federated credentials in Entra, then you must either specify the exact sites that you want to index or specify filters in Step 7 to include or exclude the exact sites.

  6. Select the entities to sync:

    • Attachment

    • Comment

    • Event

    • Page

    • File

    Select the entities to sync
    Select the entities to sync and the sync frequency

  7. To filter site entities out of the index or ensure that they are included in the index, click Filter.

    Specify the filters to include or exclude site entities
    Specify the filters to include or exclude site entities

  8. Click Save.

  9. Click Continue.

  10. Select a region for your data store.

  11. Enter a name for your data store.

  12. Select a synchronization frequency for your data store. After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

    • Data synchronization frequencies range from three hours to seven days
    • Identity synchronization frequencies range from 30 minutes to seven days

  13. Click Create. Agentspace creates your data store and displays your data stores on the Data stores page.

  14. To check the status of your ingestion, go to the Data stores page and click your data store name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

    Data store details showing connector status
    Connector status on the data store details page

    Depending on the size of your data, ingestion can take minutes or hours.

After configuring your search engine, test its capabilities. Make sure that it returns accurate results based on user access.

  1. Enable web app:

    1. Go to the app integration configurations and toggle to Enable the web app.

  2. Test web app:

    1. Click Open next to the web app link and sign in with a user in your workforce pool.

    2. Verify that search results are restricted to items accessible by the logged-in user.

Configure the workforce pool

The workforce pool lets you to manage and authenticate users from external identity providers, such as Azure or Okta, within Google Cloud console. To configure your workforce pool and enable the web app for seamless user access, do the following:

  1. Create workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

    1. Azure OIDC setup
    2. Azure SAML setup
    3. Okta & OIDC setup
    4. Okta & SAML setup

  2. Configure the workforce pool in Agentspace > Settings for the region where you create your app.

Next steps

  • To attach your data store to an app, create an app and select your data store following the steps in Create an app.

  • To preview how your search results appear after your app and data store are set up, see Preview search results.

Before you begin

Before you can create the connector in Agentspace, you must set up an Entra application registration to enable secure access to SharePoint.

  1. Register Agentspace as an OAuth 2.0 application in Entra.

    1. Navigate to Microsoft Entra admin center.
    2. In the menu, expand the Applications section and select App registrations.
    3. On the App registrations page, select New registration.
    4. Create an app registration on the Register an application page:
    5. In the Supported account types section, select Accounts in the organizational directory only.

    6. In the Redirect URI section, select Web and enter the following URLs as web callback URLs (or redirect URLs):

      • https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html
      • https://vertexaisearch.cloud.google.com/oauth-redirect

    7. Add a client secret:

      1. Go to Certificates & secrets and click New client secret.
      2. Copy and note the secret string.

  2. Collect the following credentials:

    • Client ID
    • Client secret
    • Instance URL
    • Tenant ID

  3. Configure these SharePoint API (Application) permissions with administrator consent:

    Permission Type
    AllSites.Read Delegated
    MyFiles.Read Delegated
    Sites.Search.All Delegated

  4. Use a dedicated user account with limited access to specific sites.

  5. Make sure the account has Owner access to the selected sites.

Create a federated search connector with SharePoint

Console

Use the following steps for Google Cloud console to perform federated search through SharePoint from Agentspace.

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, scroll or search for SharePoint Federated to connect your third-party source.

  5. Under Authentication settings:

    1. Enter the Client ID, Client secret, Instance URL, and Tenant ID.
    2. Click Authenticate.

    3. Click Continue.

  6. Select the entity types you want to search.

  7. Select a region for your data source.

  8. Enter a name for your data source.

  9. Click Create. Agentspace creates your data store and displays your data stores on the Data stores page.

Once the data store is created, go to the Data stores page and click your data store name to see the status. If the Connector state changes from Creating to Active, the federated search connector is ready to be used.

User authorization

After creating a federated search data store, you can see it listed as one of the data sources in your source management panel. If you haven't previously authorized Agentspace, then you can't select the data source. Instead, an Authorize button appears next to it.

To initiate the authorization flow:

  1. Click Authorize. You are redirected to the SharePoint authorization server.

  2. Sign in to your account.

  3. Click Grant access. After granting access, you are redirected back to Agentspace to complete the authorization flow. Agentspace obtains the access_token, and uses it to access the 3P search.

Query execution

When you enter a search query:

  • If SharePoint is authorized, Agentspace sends the query to the SharePoint API.
  • Agentspace blends the results with those from other sources and displays them.

Data handling

When using third-party federated search, your query string is sent to the third-party search backend. These third parties may associate queries with your identity. If multiple federated search data sources are enabled, the query may be sent to all of them.

Once the data reaches the third-party system, it is governed by that system's Terms of Service and privacy policies (not by Google Cloud's terms).