---
title: 'Sharepoint Online Access Requirements (KBs & Files) [NEW]'
deprecated: false
hidden: false
metadata:
  robots: index
---

# 1. Architecture Overview

Before we start integrating **Sharepoint Online** with **Moveworks**, we need to understand the approach Admins can follow to provide the access. The customer will need their Azure Admin to carry out the steps here. The sections below outline which Azure API access needs to be provided for each scenario and how Moveworks consumes it.

## File Ingestion from Sharepoint Sites

In order for Moveworks to ingest **Files and their Permissions**, the admin needs to provide the following permissions. To learn more about File Search, please visit the guide [File Search - Respecting File Permissions](/docs/file-search-respecting-file-permissions).

![](https://files.readme.io/e39f645fc90a2880dd205e1fb8c8985e4bc29d8d979dcfb4a44148867ae1da3b-Screenshot_2025-08-22_at_5.12.49_PM.png)

**Microsoft Graph API Group**

* **Sites.Read.All** - Application Permission which provides access to read all Sharepoint Site Content across all Sites. Moveworks requires this access to ingest Files from all Sites. **Note:** If your organisation does not want to provide access to all sites, you can instead provide **Sites.Selected**.
* **Sites.Selected** - Application Permission which is an **alternate option** that allows you to narrow down Moveworks search to content from only SPECIFIC sub sites in the tenant. This requires additional setup; please ensure [these instructions](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online) are followed if the **Sites.Selected** Permission is being provided. _**Note: With Sites.Selected, Files.Read.All is no longer required**_
* **Files.Read.All** (OPTIONAL if using _Sites.Selected_) - Application Permission which provides access to read File content inside a Sharepoint Site.
  Moveworks requires this access to ingest the Files.
* **Group.Read.All** - Application Permission which provides access to read the Microsoft AD Group details associated with the Files in the Sharepoint Site. Moveworks requires this access to ingest Microsoft AD Groups in order to respect Permissions.
* **User.Read** - Delegated Permission which allows signed-in users to read User Profile information.
* **User.Read.All** - Application Permission which allows access to read all user information in the tenant. Moveworks requires this access to ingest user details from the Azure tenant, which will be used to respect permissions.

**SharePoint API Group**

* **Sites.Read.All** - Application Permission which provides access to read all Sharepoint Site Content across all Sites. Moveworks requires this access to ingest Files from all Sites. **Note:** If your organisation does not want to provide access to all sites, you can instead provide **Sites.Selected**.
* **Sites.Selected** - Application Permission which is an **alternate option** that allows you to narrow down Moveworks search to content from only SPECIFIC sub sites in the tenant. This requires additional setup; please ensure [these instructions](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online) are followed if the **Sites.Selected** Permission is being provided.

> 📘 The Sites.Read.All or Sites.Selected Permission needs to be provided to both API Groups.

In this approach we will maintain a **single Azure Application** which will provide access to **both SharePoint and Microsoft Graph APIs** listed above.


**Note: You can also set up multiple Azure Applications to provide the permissions; this would mean creating extra connectors in Moveworks Setup to interface with each App.**

## Knowledge Ingestion from Sharepoint Sites

In order for Moveworks to ingest **Knowledge Articles and their Permissions**, the admin needs to provide the following permissions:

![](https://files.readme.io/696cac74e4aeb57be93838471708d3613544ef28a88064df015851adca54c694-Screenshot_2025-08-22_at_5.13.54_PM.png)

**Microsoft Graph API Group**

* **Group.Read.All** - Application Permission which provides access to read the Microsoft AD Group details associated with the Files in the Sharepoint Site. Moveworks requires this access to ingest Microsoft AD Groups in order to respect Permissions.
* **Sites.Read.All** - Application Permission which provides access to read all Sharepoint Site Content across all Sites. Moveworks requires this access to ingest Knowledge Articles from all Sites. **Note:** If your organisation does not want to provide access to all sites, you can instead provide **Sites.Selected**.
* **Sites.Selected** - Application Permission which is an **alternate option** that allows you to narrow down Moveworks search to content from only SPECIFIC sub sites in the tenant. This requires additional setup; please ensure [these instructions](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online) are followed if the **Sites.Selected** Permission is being provided.
* **User.Read** - Delegated Permission which allows signed-in users to read User Profile information.
* **User.Read.All** - Application Permission which allows access to read all user information in the tenant. Moveworks requires this access to ingest user details from the Azure tenant, which will be used to respect permissions.

**SharePoint API Group**

* **Sites.Read.All** - Application Permission which provides access to read all Sharepoint Site Content across all Sites.
  Moveworks requires this access to ingest Knowledge Articles from all Sites. **Note:** If your organisation does not want to provide access to all sites, you can instead provide **Sites.Selected**.
* **Sites.Selected** - Application Permission which is an **alternate option** that allows you to narrow down Moveworks search to content from only SPECIFIC sub sites in the tenant. This requires additional setup; please ensure [these instructions](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online) are followed if the **Sites.Selected** Permission is being provided.

> ❗️ Please read the following Approach for setting up the Access Requirements

# 2. Azure App Registration Approach

In this approach we will maintain a **single Azure Application** which will provide access to **both SharePoint and Microsoft Graph APIs** listed above, so Moveworks can leverage them via API calls. It is recommended to create a new Azure Application to provide the API permissions. The App can be created by following the steps from the [Setting Up an Azure AD App for App-Only Access](https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#setting-up-an-azure-ad-app-for-app-only-access) section of the Microsoft Azure AD App-Only Authentication guide.

1. Ensure you have generated the **App ID** and **App Client Credentials**, which will be used later to configure the connector.
2. Next we need to use the [New-SelfSignedCertificate cmdlet](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps) to generate the certificates which will be used to create the Connector. In this step, you will:
   1. First generate the **.pfx** and **.cer** files using the PowerShell script outlined above.
   2. Save the **.pfx** and **.cer** files for the following step.
   3. Register an Azure Application for Moveworks in your Azure AD App Directory.
   4.
      Connect your certificate (the **.cer** file) to the Application.
3. Run PowerShell commands to **Generate X5t and Private Key** values.
   1. There are two options for generating an **X5t value**: either using **SHA256** (modern, more secure) or **SHA1**. Either option below is sufficient.
      1. For SHA256, run the following PowerShell command to generate the **X5t value** using SHA256, needed for Moveworks’ Sharepoint Connector.

         ```
         # Load the certificate and hash its DER-encoded bytes with SHA256
         $certPath = "path\to\your\certificate.cer"
         $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
         $sha256 = [System.Security.Cryptography.HashAlgorithm]::Create("SHA256")
         $hash = $sha256.ComputeHash($cert.RawData)
         # Base64url-encode the digest: '+' -> '-', '/' -> '_', and strip '=' padding
         $x5t = [Convert]::ToBase64String($hash) -replace '\+','-' -replace '/','_' -replace '='
         Write-Output $x5t
         ```

      2. For SHA1, run the following PowerShell command to generate the **X5t value** using SHA1, needed for Moveworks’ Sharepoint Connector.

         ```
         # Load the certificate and hash its DER-encoded bytes with SHA1
         $certPath = "path\to\your\certificate.cer"
         $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
         $sha1 = [System.Security.Cryptography.HashAlgorithm]::Create("SHA1")
         $hash = $sha1.ComputeHash($cert.RawData)
         # Base64url-encode the digest: '+' -> '-', '/' -> '_', and strip '=' padding
         $x5t = [Convert]::ToBase64String($hash) -replace '\+','-' -replace '/','_' -replace '='
         Write-Output $x5t
         ```

   2. Save the **X5t value** generated to create the connector.
   3. Run the following OpenSSL command (from a PowerShell prompt) to generate the Private Key needed for Moveworks’ Sharepoint Connector.

      ```
      # -nodes writes the private key unencrypted; keep privateKey.pem as a secret
      openssl pkcs12 -in "C:\path\to\your\file.pfx" -nocerts -nodes -out "C:\path\to\output\privateKey.pem"
      ```

   4. Save the Private Key (the **privateKey.pem** file) value generated for Step 3 ([Create Connectors in Moveworks Setup](/docs/file-search-sharepoint-online-configuration-using-azure-ad-app-only-authentication-new#3-create-connectors-in-moveworks-setup)).
4. Now we will grant the API permissions via the Azure admin portal by modifying your existing app.
   1.
      Go to your Microsoft Azure portal, and select Enterprise applications.

      ![](https://files.readme.io/184c276-Untitled_-_2024-02-06T132706.421.png)

   2. Search for the application to which you’ll be granting the new permissions. Note down its Application ID (aka App Id).

      ![](https://files.readme.io/4034c9b-Untitled_-_2024-02-06T132725.877.png)

   3. Navigate to this URL, replacing the end of the URL with your App Id: `https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/CallAnAPI/appId/{Application ID}`
   4. This will bring you to the _API Permissions_ page for that application. You may already see some permissions configured for this application, some of which may already be ones we need. In the image below, however, you’ll see this app only has User.Read, which is not one of the Application permissions we need, so we need to add the others.

      ![](https://files.readme.io/7745ffb-Untitled_-_2024-02-06T132736.606.png)

   5. Click **Add Permission**.

      ![](https://files.readme.io/3d66d8e-Untitled_-_2024-02-06T132813.126.png)

   6. This will open a panel on the right side:

      ![](https://files.readme.io/0e71bd6-Untitled_-_2024-02-06T132825.467.png)

   7. Click on **Microsoft Graph**.

      ![](https://files.readme.io/843b85a-Untitled_-_2024-02-06T132838.037.png)

   8. Click on **Application permissions**.

      ![](https://files.readme.io/18bb279-Untitled_-_2024-02-06T132851.397.png)

   9. A search bar will appear.

      ![](https://files.readme.io/3b1d653-Untitled_-_2024-02-06T132918.068.png)

   10. Search for the permissions you need to grant (noted above) and check the box for each.

       ![](https://files.readme.io/94b3915-Untitled_-_2024-02-06T132932.781.png)

   11. Once they’ve all been checked, click **Add permissions**.

       ![](https://files.readme.io/d025cc4-Untitled_-_2024-02-06T132945.301.png)

   12. You’ll now see all the newly added permissions alongside any you previously had granted the app; however, the new ones will have a status of “Not granted for” your organization.

       ![](https://files.readme.io/e1a6d0661601e0685698a708245b0059fb4b66eb97ce7f727c0782ec773f5000-image.png)

   13. **[Important]** Grant specifically the _**Sites.Read.All**_ access, as **Sites.FullControl.All** is not necessary. Note that this must be done for the **Sharepoint API** during this step.

       ![](https://files.readme.io/e2a33b2-image.png)

       1. Alternate Option: _**Sites.Selected**_ (more information [here](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online)). This permission allows you to narrow down Moveworks search to content from only SPECIFIC sub sites in the tenant. This requires additional setup; instructions can be found [here](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online).
       2. **Disclaimer:** If using a GCCH Microsoft tenant, the _Sharepoint_ permission is not available. You will want to use the **Office 365 Sharepoint Online** permission instead.
       3. Note: **For each Sharepoint Group**, the following setting must be enabled in order for members of those Sharepoint groups to access the files (unless they have access via another Sharepoint Group or Azure AD Group):
          1. Within **"Group Settings"**, the setting **"Who can view the membership of this group"** must be set to **"Everyone"**, **in order for Moveworks to read the group members**.
          2. If it is not set, please change the setting, or rely on Azure AD Groups or other Sharepoint Groups to manage permissions for those files.
   14. To complete the process, click **Grant admin consent for** your organization.

       ![](https://files.readme.io/48d163d-Untitled_-_2024-02-06T132956.742.png)

   15. If this panel appears, click **Yes, add other granted permissions to configured permissions**, then **Save and continue**, then **Grant admin consent**, and then **Yes**.

       ![](https://files.readme.io/4867617-Untitled_-_2024-02-06T133103.875.png)
       ![](https://files.readme.io/1da7bde-Untitled_-_2024-02-06T133105.650.png)

   16. You will see green checkmarks on the newly added permissions if this was successful.

This completes the creation of the Azure App, which now has all the required API Permissions.

# 3. Configuring Sharepoint Integration

The guides below will walk you through the steps of creating the Connectors in your **Moveworks Setup** portal, using the credentials that you have configured above, and setting up **Sharepoint Integration for File Search or the Answers Plugin.**

**Note: If you have not been granted access to Moveworks Setup, please reach out to your Customer Success Team to enable this.**

* [How To Configure Sharepoint File Search](/docs/file-search-sharepoint-online-configuration-using-azure-ad-app-only-authentication-new)
* [How To Configure Sharepoint Answers Plugin](/docs/how-to-guides-for-answers-plugin#/how-to-configure-the-answers-plugin-for-sharepoint)
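As a platform-independent cross-check of the **X5t value** produced by the PowerShell commands in section 2, step 3, the following Python script is an added example (not part of this page or of Moveworks' tooling). It hashes the certificate's DER bytes, decoding a base64 PEM-style `.cer` first, and applies the same base64url transform as the PowerShell; the sample certificate bytes and the optional file-path argument are constructed assumptions.

```python
import base64
import hashlib
import re

# Constructed stand-in for a certificate's DER bytes: x5t hashes the raw DER,
# so any byte string exercises the logic. Point the script at a real .cer to use it.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def load_der(data: bytes) -> bytes:
    """Return raw DER bytes whether the .cer file is binary DER or base64 PEM.

    Hashing a PEM file's text instead of its DER content gives a wrong x5t,
    which is the usual cause of a thumbprint mismatch against the Azure app.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[A-Z ]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def b64url_nopad(raw: bytes) -> str:
    """Same transform as the PowerShell: '+' -> '-', '/' -> '_', drop '=' padding."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def x5t_sha1(der: bytes) -> str:
    """JOSE 'x5t' header value: base64url(SHA-1(DER)), the page's SHA1 option."""
    return b64url_nopad(hashlib.sha1(der).digest())


def x5t_sha256(der: bytes) -> str:
    """JOSE 'x5t#S256' header value: base64url(SHA-256(DER)), the page's SHA256 option."""
    return b64url_nopad(hashlib.sha256(der).digest())


def x5t_from_file(path: str) -> dict:
    """Compute both variants for a .cer file on disk (DER or PEM)."""
    with open(path, "rb") as fh:
        der = load_der(fh.read())
    return {"x5t": x5t_sha1(der), "x5t#S256": x5t_sha256(der)}


if __name__ == "__main__":
    import sys
    print(x5t_from_file(sys.argv[1]) if len(sys.argv) > 1
          else {"x5t": x5t_sha1(SAMPLE_DER), "x5t#S256": x5t_sha256(SAMPLE_DER)})
```

Compare the printed value with the output of the PowerShell command for the same `.cer` file; both must agree before the value is entered into the connector.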