SharePoint (Upcoming)

Securely connect Leena AI to your Microsoft SharePoint tenant using the modern Microsoft Graph API and certificate-based authentication. This guide walks you through configuring Azure AD permissions and syncing your documents.

Overview


Leena AI integrates with Microsoft SharePoint using the modern Microsoft Graph API, providing a single, secure, and unified connection method. This allows you to sync documents from your entire SharePoint tenant or just specific sites directly into your Leena AI Knowledge Management (KM) system.

This guide will walk you through the two main steps:

  1. Creating an Application in Microsoft Entra ID to grant Leena AI the necessary permissions.
  2. Configuring the connection in the Leena AI dashboard using the credentials from Entra.

Step 1: Configure Permissions in Microsoft Entra ID

Follow these steps to register an application using the Azure Active Directory admin center:

A. Create a New App Registration

  1. Go to the Microsoft Entra admin center and log in using a Global administrator account.

  2. Navigate to App registrations.

  3. Click + New registration.

  4. Name: Give your application a clear name (e.g., "Leena AI SharePoint Connector").

  5. Supported account types: Select "Single tenant only".

  6. Redirect URI: Leave this blank.

  7. Click Register.

  8. On the application's Overview page, copy the value of the Application (client) ID and Directory (tenant) ID and save them; you will need these values in the next step.

B. Configure API Permissions

  1. In your new app registration, select API permissions from the left menu.

  2. Click + Add a permission, then select Microsoft Graph.

  3. Select Application permissions.

  4. Now, choose the permission level based on your needs. This is the most important step:

    • For Tenant-Level Access (Sync all sites): Search for and select Sites.Read.All. This allows Leena AI to read all site collections in your SharePoint tenant.
    • For Site-Level Access (Sync only specific sites): Search for and select Sites.Selected. This permission allows you to grant Leena AI read access to an explicit list of sites, adhering to the principle of least privilege. Note that if you go with site-level access, you will need to follow extra steps detailed at the bottom of this section.
  5. (Required for Permission Syncing) In addition to the choice above, you must also add the following permissions to ensure document access rights are synced correctly:

    • Group.Read.All

    • User.Read.All

    Note: User.Read.All is recommended over User.ReadBasic.All for better user mapping.

  6. After adding the permissions, click the Add permissions button at the bottom.

  7. Finally, you must grant consent for these permissions. Click the Grant admin consent for [Your Tenant Name] button and accept the prompt. The status for all permissions should update to show a green checkmark.

Important Note on Sites.Selected: Microsoft's configuration for Sites.Selected permission requires additional steps using API calls or PowerShell to grant the application access to each specific site. This is a Microsoft requirement for this high-security permission type. For detailed instructions, please refer to the official Microsoft documentation: Develop applications that use Sites.Selected permissions.

Reference APIs (for Sites.Selected configuration)

a. API to fetch the auth token

This token is used to grant read permissions to the "Leena AI" application. It must be generated using another application that has the Sites.FullControl.All permission.

curl --location --request POST 'https://login.microsoftonline.com/{{tenant id}}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={{clientid}}' \
--data-urlencode 'client_secret={{clientsecret}}' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'grant_type=client_credentials'

b. API to fetch site ids

curl --location 'https://graph.microsoft.com/v1.0/sites/' \
--header 'authorization: Bearer {{token}}'

c. API to grant the site-level permissions to "Leena AI" application

curl --location 'https://graph.microsoft.com/v1.0/sites/{{site id}}/permissions' \
--header 'Authorization: Bearer {{token}}' \
--header 'Content-Type: application/json' \
--data '{
	"roles": [
		"read"
	],
	"grantedToIdentities": [{
		"application": {
			"id": "{{leena ai application id}}",
			"displayName": "Leena AI"
		}
	}]
}'
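
The following is an added example, not part of Leena AI's or Microsoft's own code: a small check that the grants made with call (c) match the list of sites you intended to sync and carry only the read role. It assumes you have saved the JSON permission object returned by each POST (containing roles and grantedToIdentities); the function names, site keys and IDs are hypothetical placeholders.

```python
import json

ALLOWED_ROLES = {"read"}  # the only role the page's step (c) grants

def build_grant_body(app_id, display_name="Leena AI"):
    """Body for POST /sites/{site-id}/permissions, same shape as step (c)."""
    return {
        "roles": sorted(ALLOWED_ROLES),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }

def check_grant(permission, app_id):
    """Return the problems found in one permission object returned by the POST."""
    problems = []
    roles = {r.lower() for r in permission.get("roles", [])}
    if not roles:
        problems.append("no roles returned")
    if roles - ALLOWED_ROLES:
        problems.append("roles beyond read: " + ",".join(sorted(roles - ALLOWED_ROLES)))
    grantees = {
        (ident.get("application") or {}).get("id", "").lower()
        for ident in permission.get("grantedToIdentities", [])
    }
    if app_id.lower() not in grantees:
        problems.append("connector app is not a grantee")
    return problems

def audit(intended_sites, responses, app_id):
    """Compare the sites meant to be synced with the grants actually made."""
    report = {}
    for site in sorted(set(intended_sites) | set(responses)):
        if site not in responses:
            report[site] = ["intended site has no grant"]
        elif site not in intended_sites:
            report[site] = ["grant exists for a site not on the intended list"]
        else:
            report[site] = check_grant(responses[site], app_id)
    return {site: p for site, p in report.items() if p}

# Constructed sample data: placeholder IDs, not real tenant values.
APP_ID = "00000000-0000-0000-0000-0000000000aa"
INTENDED = ["site-hr", "site-it"]
RESPONSES = {
    "site-hr": {"id": "p1", **build_grant_body(APP_ID)},
    "site-it": {"id": "p2", "roles": ["write"], "grantedToIdentities": [
        {"application": {"id": APP_ID, "displayName": "Leena AI"}}]},
    "site-finance": {"id": "p3", **build_grant_body(APP_ID)},
}

if __name__ == "__main__":
    print(json.dumps(audit(INTENDED, RESPONSES, APP_ID), indent=2))
```

An empty result means every intended site has a read-only grant to the connector and no other site was granted.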

C. Granting Access to SharePoint Permissions

Note: Microsoft has deprecated the REST API method (appinv.aspx). You must now fetch permissions directly through the SharePoint API in Azure AD.

  1. In your Azure app registration, select API permissions from the left navigation menu.

  2. Go to Request API permission.

  3. Select SharePoint from the list of available APIs.

  4. Choose Application permissions (not Delegated).

  5. Select the specific permissions based on your required access level:

Option 1: For Full Tenant Access (Read All Sites)

  • Search for and check the box for Sites.FullControl.All.
  • Search for and check the box for User.Read.All.

Option 2: For Restricted Access (Read Selected Sites Only)

  • Search for and check the box for Sites.Selected.
  • Search for and check the box for User.Read.All.

Finalizing Consent

  1. Click the Add permissions button at the bottom.
  2. Once the permissions are added, click the Grant admin consent for [Your Tenant Name] button.
  3. Accept the prompt to ensure the status for all new permissions updates to show a green checkmark.

D. Configure Certificate-based Authentication

Note: For enhanced security, Leena AI now utilizes certificate-based authentication instead of client secrets.

  1. Open a new tab and log in to your Leena AI Dashboard.

  2. Navigate to the Knowledge Management (KM) Integration settings. You can find this within Settings > Integrations > SharePoint.

  3. Locate the SharePoint connector and click on 'Connect'. A side-sheet will open. Then click Generate Certificate and subsequently click on Download Certificate. Save this file locally to your computer.

  4. Return to your Azure Active Directory app registration portal.

  5. Select Certificates & secrets from the left navigation menu.

  6. Click the Certificates tab.

  7. Click Upload certificate.

  8. Select the certificate file you just downloaded from the Leena AI dashboard.

  9. Enter a brief description (e.g., "Leena AI Auth Certificate") and click Add.



Step 2: Integrating with Leena AI’s KM Dashboard

The “Integration” option under KM settings will enable you to integrate KM with third-party apps so that we can pull documents from there and display them in Leena AI's KM.

For SharePoint Integration via Graph APIs, users need to provide the following details:

  1. Navigate to the KM Settings > Integrations page in your Leena AI dashboard.
  2. Select the SharePoint connector.
  3. You will see a single, unified configuration screen. Enter the credentials you saved from Azure AD:
    • Tenant ID: The Directory (tenant) ID you copied.
    • Client ID: The Application (client) ID you copied.
    • Certificate: Ensure you have downloaded the certificate from this dashboard and uploaded it to Azure as outlined in Step 1D.
  4. (For Site-Level Access Only) If you used the Sites.Selected permission, you must provide the list of SharePoint Site URLs you wish to sync. Note, you will have to follow extra steps for ensuring site-level access as mentioned above in Step 1.
  5. Click the Connect button. The system will verify if your credentials and permissions are correct.
  6. Once the connection is established, you can proceed to select the sites you wish to sync by choosing the sites and syncing them. You can also choose which libraries to sync within each site by clicking on the Configure Site button for each site and then choosing the libraries to sync. By default, Leena AI will sync the "Shared Documents" library from each site unless otherwise configured.

Metadata filtering of content: After connecting to the SharePoint sites, you can select 'Configure site' and then provide the metadata by which you want to filter content within SharePoint sites. To configure a site, first select its libraries and then configure those libraries using the available metadata filters.


SharePoint Graph API Integration: FAQs

Configuration & Permissions

Q: What credentials do I need from Azure AD to set up the connection?

A: You will need the following values from your Azure App Registration:

  1. Directory (tenant) ID
  2. Application (client) ID

Q: What's the difference between the Sites.Read.All and Sites.Selected permissions?

A:

  • Sites.Read.All grants Leena AI permission to read all site collections across your entire tenant.
  • Sites.Selected is a more restrictive permission that allows Leena AI to read only the specific sites you explicitly grant it access to.

Q: Why do I need to add Group.Read.All and User.Read.All permissions?

A: These permissions are required to ensure that document access rights are synced correctly from SharePoint to Leena AI. This allows for accurate user mapping and maintains your existing document security.

Q: I used the Sites.Selected permission, but my sites aren't syncing. What did I miss?

A: The Sites.Selected permission requires an additional step. Due to Microsoft's security rules, you must use API calls (as referenced in the documentation) or PowerShell to manually grant your new application read access to each specific site you want to sync.