
To securely connect our service to your SharePoint environment, you need to create and configure a Service Principal Name (SPN) in your Microsoft Entra ID (formerly Azure Active Directory). This process ensures that the Genow platform has the necessary, limited permissions to access your SharePoint data without requiring a user’s personal login credentials.
If you have already created an SPN for SSO via Microsoft, you can reuse that SPN for the SharePoint connection. This makes particular sense if you do not plan to create multiple SPNs for different SharePoint sites.
This guide will walk you through the entire process, which consists of three main parts:
  1. Creating an App Registration in Microsoft Entra ID to generate the required credentials.
  2. Configuring API Permissions to define what the application is allowed to do.
  3. Granting Access to Specific SharePoint Sites to connect the SPN to the data.
To complete the setup, you will need the following three pieces of information:
  • Client ID (Application ID)
  • Tenant ID (Directory ID)
  • Client Secret (Application Password)
If you create a new SPN, please share the client ID, tenant ID and client secret with us, as we also have to store the mapping for the SPN. The information is stored securely.
Prerequisites: You must have administrative privileges in both Microsoft Entra ID and the target SharePoint sites to perform these actions.

Part 1: Create the App Registration and Credentials

First, you need to register a new application in your Microsoft Entra ID portal. This registration represents the identity of our service within your Microsoft environment.
  1. Navigate to App Registrations:
    • In the Microsoft Entra admin center, go to Identity > Applications > App registrations.
  2. Create a New Registration:
    • Click + New registration.
    • Give the application a descriptive name, such as “SharePoint Integration Service”.
    • Leave the other settings at their default values and click Register.
  3. Save the Client ID and Tenant ID:
    • Once the app is created, you will be taken to its Overview page.
    • Copy the Application (client) ID and the Directory (tenant) ID. Save them in a secure location, as you will need them to configure the integration in our platform.
  4. Create a Client Secret:
    • In the navigation for your app registration, go to Certificates & secrets.
    • Click on the Client secrets tab and select + New client secret.
    • Provide a description (e.g., “SharePoint API Key”) and choose an expiration period.
    • Click Add.
    IMPORTANT: A secret value will be displayed immediately. Copy this value now. It will be hidden permanently after you leave this page. This is your Client Secret.

Part 2: Configure API Permissions

Next, you must specify the exact permissions the application needs. We will use the Sites.Selected permission, which follows the principle of least privilege by allowing you to grant access only to specific SharePoint sites instead of all of them.
  1. Go to API Permissions:
    • In your app registration’s navigation menu, select API permissions.
  2. Add a Permission:
    • Click + Add a permission and select Microsoft Graph.
  3. Select Application Permissions:
    • Choose Application permissions. This type is required for services that run in the background without a signed-in user.
  4. Add Sites.Selected Permission:
    • In the “Select permissions” search box, type Sites.Selected.
    • Check the box next to Sites.Selected under the “Sites” category and click Add permissions.
  5. Grant Admin Consent:
    • The newly added permission will have a status indicating that admin consent is required.
    • Click the Grant admin consent for [Your Tenant Name] button at the top of the permissions list.
    • Click Yes to confirm. The status should now update to show a green checkmark, meaning the permissions are active at the tenant level.

Part 3: Grant Access to SharePoint Sites

The final step is to grant the newly created SPN access to each SharePoint site it needs to read. This process must be repeated for every top-level SharePoint site that you intend to use with our service.

Grant access for a selected site to the SharePoint app

  1. Open your SharePoint site in the browser and append _api/site/id to the site URL. The URL should then look like genow.sharepoint.com/sites/sitename/_api/site/id.
  2. Make a note of the site ID (a GUID) in the JSON response. You will need this site ID in step 6.
  3. Sign in to Microsoft Graph Explorer with an account that has a SharePoint Administrator or higher role.
  4. In Graph Explorer, on the top right, click your avatar.
  5. Select Consent to permissions (by clicking on the “Modify Permissions” tab, see screenshot below) and then choose Consent for Sites.FullControl.All to give the Graph Explorer tool the ability to modify site permissions in your tenant.
  6. In Graph Explorer, make a POST request to the endpoint https://graph.microsoft.com/v1.0/sites/{site_id}/permissions with the request header Content-Type: application/json and the following request body:

    {
      "roles": ["read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "<application_client_id>",
            "displayName": "<application_name>"
          }
        }
      ]
    }

    Replace {site_id} with the site ID from step 2, and <application_client_id> and <application_name> with the Application (client) ID and the name of the app registration from Part 1.
You have now successfully configured the SPN for one SharePoint site. Remember to repeat this “Part 3” for all other required SharePoint sites.

Final Step

You have now successfully created an SPN and assigned it the necessary permissions. You can now use the Client ID, Tenant ID, and Client Secret you saved earlier to configure the SharePoint connection in our application. Please provide us with these variables. Credits / more information here
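An added end-to-end check covering Part 3 and this final step; it is example code, not part of this guide or the Genow platform. It builds the Part 3 request body, posts it with a delegated admin token (assumed to come from Graph Explorer's Access token tab), then obtains the SPN's own client-credentials token and confirms the SPN can read the granted site and is refused on a site that was not granted. The transport function is injectable, so the logic can be exercised offline with constructed responses; real runs need the tenant, client ID and secret from Part 1.

```python
import json, urllib.error, urllib.parse, urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def http(method, url, headers=None, body=None):
    """Default transport: send the request, return (status, JSON body or {})."""
    data = body if isinstance(body, (bytes, type(None))) else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def app_only_token(tenant_id, client_id, client_secret, send=http):
    """Client-credentials grant: token carrying the app's consented application permissions."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials",
    }).encode()
    status, body = send("POST", f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body.get('error_description')}")
    return body["access_token"]

def permission_body(client_id, app_name, roles=("read",)):
    """Request body from Part 3 step 6: grant the listed roles to one application identity."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": client_id, "displayName": app_name}}]}

def grant_site_read(admin_token, site_id, client_id, app_name, send=http):
    """Part 3 step 6 with a delegated token (assumed: copied from Graph Explorer) holding
    Sites.FullControl.All; returns the id of the created permission."""
    status, body = send("POST", f"{GRAPH}/sites/{site_id}/permissions",
                        {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"},
                        permission_body(client_id, app_name))
    if status != 201:
        raise RuntimeError(f"grant failed: {status} {body.get('error')}")
    return body["id"]

def can_read_site(app_token, site_id, send=http):
    """Least-privilege check with the SPN's own token: True on 200, False on 403 (not granted)."""
    status, body = send("GET", f"{GRAPH}/sites/{site_id}", {"Authorization": f"Bearer {app_token}"})
    if status in (200, 403):
        return status == 200
    raise RuntimeError(f"unexpected response {status}: {body.get('error')}")
```

If can_read_site returns False for a site you intended to share, Part 3 was not completed for that site; if it returns True for a site you did not grant, the app holds broader permissions than Sites.Selected and Part 2 should be reviewed.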