These frequently asked questions provide an overview of how the SharePoint integration works, including required permissions, data usage, security controls, and common configuration scenarios. This section is designed to help administrators and users understand how access is managed, how data is processed, and how the integration ensures compliance with SharePoint and Azure Active Directory (Azure AD) security standards.

Q. Which permissions are required for SharePoint integration?

A. The permissions below enable secure access, accurate indexing, and enforcement of user-level security when integrating with SharePoint.

• Sites.Read.All (Microsoft Graph)
  Allows discovery and reading of SharePoint sites, folders, and files within the context of the signed-in user.

• AllSites.Read (SharePoint)
  Enables access through SharePoint-native APIs to ensure complete and consistent data retrieval.

• Files.Read.All
  Required to read file content for indexing and AI-powered processing.

• Group.Read.All and GroupMember.Read.All
  Used to resolve SharePoint group memberships for accurate permission enforcement.

• User.Read / User.Read.All / Profile / OpenID
  Identifies the user and enforces user-context security.

• offline_access
  Allows background synchronization without requiring repeated user login.

Q. Where is SharePoint data used?

A. SharePoint data is used only in the following features:

• Project-level SharePoint Search

• ASK (AI-powered question and answer)

• Agents (AI workflows that use SharePoint as a knowledge source)

Only content explicitly selected and authorized by the user is used.

Q. Will all SharePoint data be crawled?

A. No. Only folders and files explicitly selected by the user are crawled and indexed.

Q. Are user permissions respected?

A. Yes. All access strictly respects existing permissions, including:

• Site-level permissions

• Folder-level permissions

• File-level permissions

• Azure Active Directory (Azure AD) permissions

Q. Why is the root URL required?

A. The root URL enables dynamic discovery of SharePoint sites and allows flexible selection of folders and files.

Q. Can the integration be set up without an app (Client ID and Secret)?

A. Yes. You can use Grant Access via delegated login instead of configuring an app.

Q. Are both App-based and Grant Access methods secure?

A. Yes. Both methods are secure but serve different use cases:

• Delegated (Grant Access) – Uses user-based access and is the recommended approach

• App-based (Client ID and Secret) – Uses admin-controlled configuration

Q. Why not use Sites.Selected permission?

A. The Sites.Selected permission requires manual site whitelisting. It does not scale well and does not support dynamic permission handling.

Q. How often does synchronization occur?

A. Manual sync can be triggered at any time. Automatic sync runs every 7 days

Q. Does the application store SharePoint data?

A. Only content that is explicitly selected and authorized is indexed. No additional data is stored.

Q. Can the application access data without user consent?

A. No. All access is strictly based on user consent.

Q. How is data leakage prevented?

A. Strict user-context enforcement ensures that users can only access content they are authorized to view. Cross-user access is not allowed.

Q. Can administrators control access?

A. Yes. Administrators can manage access through Azure AD and SharePoint policies.

Q. Does this integration bypass SharePoint security?

A. No. It fully respects SharePoint’s native security model.

Q. What happens if permissions change?

A. Any changes to permissions are reflected during synchronization and validated at the time of access.

Q. Is any additional content accessed beyond what is selected?

A. No. Only explicitly selected folders and files are accessed.

Q. Why do I see an “Invalid Input” error after clicking Verify Access?

A. Check the following:

• If using Client ID and Secret, ensure all required permissions are granted as outlined in the relevant Help Center article

• Confirm that Grant Permissions was completed successfully

• Verify that the Client Secret value (not the ID) is entered correctly

• Ensure the Client ID matches the registered application

• Confirm that the Redirect URL is configured exactly as specified