SharePoint Setup Guide

This documentation explains how to create and configure credentials for the Q Business SharePoint Connector. You will need to generate and provide these five values:

• Azure App Registration Client ID
• Azure App Registration Secret Value (not the secret ID)
• SharePoint App-Only Client ID
• SharePoint App-Only Secret
• SharePoint Tenant ID

When these values are created, there will be a note to copy them in the relevant step.

Part 1: Azure AD App Registration

1. Sign in to the Azure Portal
2. Navigate to "Azure Active Directory" → "App registrations"
3. Click "New registration"
4. Fill in the registration details:
   • Name: "Q Business SharePoint Connector" (or your preferred name)
   • Supported account types: "Accounts in this organizational directory only"
   • Redirect URI: Leave blank (not required)
5. Click "Register"
6. After registration, copy the following values from the Overview page:
   • Application (client) ID
   • Directory (tenant) ID
7. Create a client secret:
   • Go to "Certificates & secrets" in the left menu
   • Click "New client secret"
   • Add a description (e.g., "Q Business Access")
   • Choose an expiration period
   • Click "Add"

IMPORTANT: Make sure to copy and save the Azure App Registration Secret value immediately, as it cannot be viewed again later. Additionally, don’t forget to copy the Azure App Registration Client ID and Tenant ID for future use.

Part 2: SharePoint Setup and App-Only Registration

In this section, we will be generating the credentials that determine where on the site Q and Numa can read. We recommend using least privilege here. If you only want data from a certain folder to be accessed, we recommend creating a new "Sub-Site" since SharePoint access can only be allocated at the Site level. If you want your whole SharePoint indexed, this isn't something you need to worry about.

Step 1: Create and Use your Sub-Site (Limited Scope Only)

1. Navigate to your SharePoint site
2. Create a new subsite dedicated to Q Business integration
3. Note the full URL of your new subsite (e.g., https://yourcompany.sharepoint.com/sites/YourCompany/QBusiness)

Step 2: Create the SharePoint App-Only Registration

1. Go to the SharePoint site you want to grant access to https://[your-domain].sharepoint.com/_layouts/15/appregnew.aspx
2. Fill out the form:
   • Title: "Q Business SharePoint Access" (or your preferred name)
   • App Domain: www.localhost.com
   • Redirect URI: https://www.localhost.com
   • Click "Generate" for both Client ID and Client Secret
3. Click "Create"

IMPORTANT: Copy both the SharePoint App-Only Client ID and SharePoint App-Only Client Secret immediately. The secret cannot be viewed again and the Client ID is needed by the next step

Step 3: Set Permissions

Choose your desired access scope. Full Access is slightly further down. Only one of these steps should be done. We recommend starting with subsite access:

Recommended: Subsite Access Only

1. Take your subsite URL and add /_layouts/15/appinv.aspx
   • Example: If your subsite is https://contoso.sharepoint.com/sites/YourCompany/QBusiness
   • Use: https://contoso.sharepoint.com/sites/YourCompany/QBusiness/_layouts/15/appinv.aspx
2. Enter your Client ID into the "App Id" field and click "Lookup"
3. Paste this XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
   <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
 </AppPermissionRequests>
 

This XML says the SharePoint App is giving access to everything in this Sub-Site.

Single Site Access Scope

If your company has multiple SharePoint Sites, but only wants these credentials to have access to one SharePoint Site:

1. Go to your site's appinv.aspx: https://contoso.sharepoint.com/sites/YourCompany/_layouts/15/appinv.aspx
2. Enter your Client ID into the "App Id" field and click "Lookup"
3. Use this XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
 

This XML says to give the credentials access to the whole SharePoint Site.

Tenant-Wide Access Scope

WARNING: This is very permissive. Only use this approach if you understand the implications of giving credentials access to your whole SharePoint.

If you only have one SharePoint, this is a simpler approach and achieves the same as the step above in that scenario. If new SharePoint Sites are created, the credentials will have access to those new Sites too.

1. Go to admin center: https://[your-domain]-admin.sharepoint.com/_layouts/15/appinv.aspx
2. Enter your Client ID into the "App Id" field and click "Lookup"
3. Use this XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
   <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
 </AppPermissionRequests>
 

This XML says to give the credentials access to every SharePoint Site that is in your tenant.

Step 4: Confirm the App and the Permissions

1. Once you're happy with the XML and the scope, click "Create"
2. The scope of permissions will be shown to you in plain English. Ensure this is what you expect the permissions to be.
3. If everything looks as expected, click "Trust It"

Step 5: Send the Credentials to Arcanum

You should now have 5 pieces of information to send us:

• Azure App Registration Client ID
• Azure App Registration Secret Value (not the secret ID)
• SharePoint App-Only Client ID
• SharePoint App-Only Secret
• SharePoint Tenant ID

Once we have these, we will be able to configure and set up your SharePoint Connector. Make sure these are sent to us in a secure manner. SharePoint offers secure sharing to outside your tenant: Sharing files Externally