> ## Documentation Index
> Fetch the complete documentation index at: https://prismeai-legacy.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# SharePoint Connector

> Deploy and configure the SharePoint connector to synchronize Microsoft SharePoint document libraries with AI Knowledge

The SharePoint connector enables AI Knowledge to index documents from Microsoft SharePoint Online, with per-user permission-based access validation (PBAV) at query time. It relies on a dedicated MCP workspace that bridges the Microsoft Graph API with the Prisme.ai platform.

## Architecture Overview

The connector involves three workspaces working together:

<CardGroup cols={3}>
  <Card title="sharepoint-mcp" icon="plug">
    MCP server that wraps Microsoft Graph API calls. Handles OAuth delegated
    flow, token management, and file operations.
  </Card>

  <Card title="ai-knowledge" icon="brain">
    Orchestrates sync (file listing, download, indexing) and PBAV (per-chunk
    access filtering at query time).
  </Card>

  <Card title="sharepoint-app" icon="cube">
    Shared library imported by sharepoint-mcp. Provides low-level Graph API
    wrappers (list sites, drives, children, download).
  </Card>
</CardGroup>

**Data flow:**

1. An AI Knowledge admin connects their Microsoft account via OAuth and configures a site + library
2. Sync fetches the file list from SharePoint via the MCP server, downloads each file, and indexes it
3. At query time, RAG chunks from SharePoint documents are filtered by probing the querying user's access via their delegated OAuth token

## Prerequisites

Before deploying, ensure the following are in place:

* **Prisme.ai platform** version `v26.03.02xxxx` or later (required for the `secrets` module)
* **Latest Helm charts** pulled for all workspaces
* **Access to the Azure portal** with permissions to register applications and grant admin consent
* The **sharepoint-app** workspace is deployed and available (it is imported by sharepoint-mcp)

## Step 1: Deploy the SharePoint MCP Workspace

Import or create the `sharepoint-mcp` workspace on your Prisme.ai instance. The workspace `index.yml` must include:

```yaml theme={null}
registerWorkspace: true
```

This flag registers the workspace in the global workspaces registry (`global.workspacesRegistry`), which AI Knowledge uses to discover and call the MCP server.

After deployment, verify registration:

1. Open the Prisme.ai admin panel
2. Confirm that `sharepoint-mcp` appears in the global workspaces registry
3. The MCP endpoint will be available at `{API_URL}/workspaces/{WORKSPACE_ID}/webhooks/mcp`

<Note>
  The sharepoint-app workspace must also be deployed, as sharepoint-mcp imports
  it for Graph API wrapper automations.
</Note>

## Step 2: Register an Azure AD Application

Create an app registration in the Azure portal to enable OAuth delegated authentication.

<Steps>
  <Step title="Create the App Registration">
    Navigate to **Azure Portal > Microsoft Entra ID > App registrations > New registration**.

    * **Name**: a descriptive name (e.g. "Prisme.ai SharePoint Connector")
    * **Supported account types**: choose based on your tenant policy (single tenant is recommended for enterprise)
    * **Redirect URI**: leave blank for now (configured in the next step)
  </Step>

  <Step title="Configure the Redirect URI">
    Under **Authentication > Platform configurations > Add a platform > Web**, add the redirect URI:

    ```
    {API_URL}/v2/workspaces/{WORKSPACE_ID}/webhooks/oauthCallback
    ```

    Replace `{API_URL}` with your Prisme.ai API base URL and `{WORKSPACE_ID}` with the ID of the `sharepoint-mcp` workspace.

    <Info>
      For the SAAS version, on prisme.ai the value is : `https://api.studio.prisme.ai/v2/workspaces/bdpElBM/webhooks/oauthCallback`
    </Info>

    <Warning>
      The redirect URI must match exactly, including the scheme and path. A mismatch will cause the OAuth callback to fail with an `AADSTS50011` error.
    </Warning>
  </Step>

  <Step title="Add API Permissions">
    Under **API permissions > Add a permission > Microsoft Graph > Delegated permissions**, add the following scopes:

    <table>
      <thead>
        <tr>
          <th>Permission</th>
          <th>Type</th>
          <th>Purpose</th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><code>Sites.Read.All</code></td>
          <td>Delegated</td>
          <td>List sites and read site metadata</td>
        </tr>

        <tr>
          <td><code>Files.Read.All</code></td>
          <td>Delegated</td>
          <td>Read files and download content from drives</td>
        </tr>

        <tr>
          <td><code>User.Read</code></td>
          <td>Delegated</td>
          <td>Read the signed-in user's profile</td>
        </tr>

        <tr>
          <td><code>offline\_access</code></td>
          <td>Delegated</td>
          <td>Obtain refresh tokens for long-lived sessions</td>
        </tr>

        <tr>
          <td><code>openid</code></td>
          <td>Delegated</td>
          <td>OpenID Connect sign-in</td>
        </tr>

        <tr>
          <td><code>profile</code></td>
          <td>Delegated</td>
          <td>Read user profile claims</td>
        </tr>

        <tr>
          <td><code>email</code></td>
          <td>Delegated</td>
          <td>Read user email address</td>
        </tr>
      </tbody>
    </table>

    Click **Grant admin consent for \{your tenant}** to pre-approve the permissions for all users in the organization.
  </Step>

  <Step title="Create a Client Secret">
    Under **Certificates & secrets > Client secrets > New client secret**:

    * **Description**: e.g. "Prisme.ai connector"
    * **Expires**: choose an expiration policy per your organization's requirements

    Copy the **Value** immediately — it is only shown once.
  </Step>
</Steps>

## Step 3: Configure Workspace Secrets

In the Prisme.ai admin panel, navigate to the `sharepoint-mcp` workspace and configure the following secrets:

<table>
  <thead>
    <tr>
      <th>Secret Name</th>
      <th>Description</th>
      <th>Example</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>
        <code>azureClientId</code>
      </td>

      <td>Application (client) ID from the Azure AD app registration</td>

      <td>
        <code>a1b2c3d4-e5f6-...</code>
      </td>
    </tr>

    <tr>
      <td>
        <code>azureClientSecret</code>
      </td>

      <td>Client secret value generated in Step 2</td>

      <td>
        <code>\~Abc123...</code>
      </td>
    </tr>

    <tr>
      <td>
        <code>azureTenant</code>
      </td>

      <td>Azure AD Tenant ID (GUID)</td>

      <td>
        <code>f7e8d9c0-...</code>
      </td>
    </tr>

    <tr>
      <td>
        <code>azureSiteId</code>
      </td>

      <td>
        Optional. Default SharePoint site ID (format:{" "}
        <code>hostname,siteCollectionId,siteId</code>). Used when no site is
        specified in tool calls.
      </td>

      <td>
        <code>contoso.sharepoint.com,abc123,def456</code>
      </td>
    </tr>
  </tbody>
</table>

These secrets are referenced in the workspace configuration as `{{secret.azureClientId}}`, etc. They are stored encrypted by the platform's `secrets` module.

## Step 4: Enable the Connector in AI Knowledge

In the AI Knowledge workspace configuration (`index.yml` or via the admin panel), enable the SharePoint connector and choose an authentication mode:

```yaml theme={null}
config:
  value:
    connectors:
      sharepoint:
        enabled: true
        authMode: delegated # or service_account
```

This makes the **Connectors** tab and SharePoint card visible in the AI Knowledge project settings.

### Authentication Modes

The `authMode` setting controls how the connector authenticates with SharePoint and whether per-user access control is enforced:

<table>
  <thead>
    <tr>
      <th>Mode</th>
      <th>Value</th>
      <th>Behavior</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>
        <strong>Delegated</strong> (default)
      </td>

      <td>
        <code>delegated</code>
      </td>

      <td>
        Each user connects their own Microsoft account via OAuth. PBAV is
        active: at query time, each user only sees RAG results from files they
        can access in SharePoint. The connector card shows a "Connect with
        Microsoft" button.
      </td>
    </tr>

    <tr>
      <td>
        <strong>Service Account</strong>
      </td>

      <td>
        <code>service\_account</code>
      </td>

      <td>
        Sync and queries use the workspace-level credentials configured in the
        MCP secrets (<code>azureClientId</code>, <code>azureClientSecret</code>,{" "}
        <code>azureTenant</code>). No per-user OAuth is required. PBAV is
        disabled — all synced documents are visible to all project users. The
        OAuth connection section is hidden from the connector card.
      </td>
    </tr>
  </tbody>
</table>

<Note>
  Service account mode is simpler to operate (no user-level OAuth flows) but
  provides no per-user access control. Use it when all project users should have
  access to the entire synced library.
</Note>

## Verification

After completing the setup, verify each component:

<Steps>
  <Step title="Secrets Module">
    Confirm the secrets module is operational. Navigate to the sharepoint-mcp workspace and verify all four secrets are set (the UI will show them as masked values).
  </Step>

  <Step title="Workspace Registry">
    Confirm `sharepoint-mcp` appears in `global.workspacesRegistry`. Open AI Knowledge workspace and check that it can resolve the MCP server URL.
  </Step>

  <Step title="Redirect URI">
    Verify the redirect URI in Azure AD matches the actual webhook URL. Navigate to:

    ```
    {API_URL}/v2/workspaces/{WORKSPACE_ID}/webhooks/oauthCallback
    ```

    You should get a `401` response (no session), not a `404`.
  </Step>

  <Step title="Connect Page">
    Open the public connect-sharepoint page:

    ```
    {PAGES_URL}/connect-sharepoint
    ```

    The page should load with a "Connect with Microsoft" button. If OAuth is not configured, a warning banner reading "OAuth is not configured" is displayed instead.
  </Step>

  <Step title="Connectors Tab">
    Open an AI Knowledge project, navigate to the **Advanced > Connectors** tab, and verify the SharePoint connector card appears with a "Configure" button.
  </Step>
</Steps>

## Troubleshooting

<Accordion title="AADSTS50011: The redirect URI does not match">
  **Cause**: The redirect URI configured in Azure AD does not exactly match the one used by the MCP server.

  **Fix**: Verify the redirect URI format is `{API_URL}/v2/workspaces/{WORKSPACE_ID}/webhooks/oauthCallback`. Check for trailing slashes, scheme mismatches (http vs https), and ensure the workspace ID is correct.
</Accordion>

<Accordion title="OAuth is not configured banner on connect-sharepoint page">
  **Cause**: One or more of the `azureClientId`, `azureClientSecret`, or `azureTenant` secrets are missing.

  **Fix**: Navigate to the sharepoint-mcp workspace secrets panel and ensure all three OAuth-related secrets are set. The `azureSiteId` is optional.
</Accordion>

<Accordion title="SharePoint MCP server is not configured error during sync">
  **Cause**: The `sharepoint-mcp` workspace is not registered in `global.workspacesRegistry`.

  **Fix**: Verify that `registerWorkspace: true` is set in the sharepoint-mcp `index.yml` and redeploy the workspace. Check the workspace slug is exactly `sharepoint-mcp`.
</Accordion>

<Accordion title="Token exchange failed during OAuth callback">
  **Cause**: The client secret is incorrect, expired, or admin consent was not granted.

  **Fix**:

  1. Regenerate the client secret in Azure AD and update the `azureClientSecret` workspace secret
  2. Verify admin consent was granted for all required permissions
  3. Check the Azure AD tenant ID matches the `azureTenant` secret
</Accordion>

<Accordion title="Secrets module errors (500 during token storage)">
  **Cause**: The `secrets` module is not available on the platform, typically because the platform version is older than `v26.03.02xxxx`.

  **Fix**: Upgrade the Prisme.ai platform to version `v26.03.02xxxx` or later.
</Accordion>

For any issues not covered here, contact [support@prisme.ai](mailto:support@prisme.ai).
