SharePoint Setup Guide

This documentation explains how to create and configure credentials for the Q Business SharePoint Connector. You will need to generate and provide these five values:

• Azure App Registration Client ID
• Azure App Registration Secret Value (not the secret ID)
• SharePoint App-Only Client ID
• SharePoint App-Only Secret
• SharePoint Tenant ID

When these values are created, there will be a note to copy them in the relevant step.

Part 1: Azure AD App Registration

1. Sign in to the Azure Portal
2. Navigate to "Azure Active Directory" → "App registrations"
3. Click "New registration"
4. Fill in the registration details:
   • Name: "Q Business SharePoint Connector" (or your preferred name)
   • Supported account types: "Accounts in this organizational directory only"
   • Redirect URI: Leave blank (not required)
5. Click "Register"
6. After registration, copy the following values from the Overview page:
   • Application (client) ID
   • Directory (tenant) ID
7. Create a client secret:
   • Go to "Certificates & secrets" in the left menu
   • Click "New client secret"
   • Add a description (e.g., "Q Business Access")
   • Choose an expiration period
   • Click "Add"

IMPORTANT: Make sure to copy and save the Azure App Registration Secret value immediately, as it cannot be viewed again later. Additionally, don’t forget to copy the Azure App Registration Client ID and Tenant ID for future use.

Part 2: SharePoint Setup and App-Only Registration

In this section, we will be generating the credentials that determine where on the site Q and Numa can read. We recommend using least privilege here. If you only want data from a certain folder to be accessed, we recommend creating a new "Sub-Site" since SharePoint access can only be allocated at the Site level. If you want your whole SharePoint indexed, this isn't something you need to worry about.

Step 1: Create and Use your Sub-Site (Limited Scope Only)

1. Navigate to your SharePoint site
2. Create a new subsite dedicated to Q Business integration
3. Note the full URL of your new subsite (e.g., https://yourcompany.sharepoint.com/sites/YourCompany/QBusiness)

Step 2: Create the SharePoint App-Only Registration

1. Go to the SharePoint site you want to grant access to https://[your-domain].sharepoint.com/_layouts/15/appregnew.aspx
2. Fill out the form:
   • Title: "Q Business SharePoint Access" (or your preferred name)
   • App Domain: localhost
   • Redirect URI: https://localhost
   • Click "Generate" for both Client ID and Client Secret
3. Click "Create"

IMPORTANT: Copy both the SharePoint App-Only Client ID and SharePoint App-Only Client Secret immediately. The secret cannot be viewed again and the Client ID is needed by the next step

Step 3: Set Permissions

Choose your desired access scope. Full Access is slightly further down. Only one of these steps should be done. We recommend starting with subsite access:

Recommended: Subsite Access Only

1. Take your subsite URL and add /_layouts/15/appinv.aspx
   • Example: If your subsite is https://contoso.sharepoint.com/sites/YourCompany/QBusiness
   • Use: https://contoso.sharepoint.com/sites/YourCompany/QBusiness/_layouts/15/appinv.aspx
2. Enter your Client ID into the "App Id" field and click "Lookup"
3. Paste this XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
   <AppPermissionRequest Scope="<http://sharepoint/content/sitecollection/web>" Right="FullControl" />
 </AppPermissionRequests>
 

This XML says the SharePoint App is giving access to everything in this Sub-Site.

Single Site Access Scope

If your company has multiple SharePoint Sites, but only wants these credentials to have access to one SharePoint Site:

1. Go to your site's appinv.aspx: https://contoso.sharepoint.com/sites/YourCompany/_layouts/15/appinv.aspx
2. Enter your Client ID into the "App Id" field and click "Lookup"
3. Use this XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
   <AppPermissionRequest Scope="<http://sharepoint/content/sitecollection>" Right="FullControl" />
 </AppPermissionRequests>
 

This XML says to give the credentials access to the whole SharePoint Site.

Tenant-Wide Access Scope

WARNING: This is very permissive. Only use this approach if you understand the implications of giving credentials access to your whole SharePoint.

If you only have one SharePoint, this is a simpler approach and achieves the same as the step above in that scenario. If new SharePoint Sites are created, the credentials will have access to those new Sites too.

1. Go to admin center: https://[your-domain]-admin.sharepoint.com/_layouts/15/appinv.aspx
2. Enter your Client ID into the "App Id" field and click "Lookup"
3. Use this XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
   <AppPermissionRequest Scope="<http://sharepoint/content/tenant>" Right="FullControl" />
 </AppPermissionRequests>
 

This XML says to give the credentials access to every SharePoint Site that is in your tenant.

Step 4: Confirm the App and the Permissions

1. Once you're happy with the XML and the scope, click "Create"
2. The scope of permissions will be shown to you in plain English. Ensure this is what you expect the permissions to be.
3. If everything looks as expected, click "Trust It"

Step 5: Send the Credentials to Arcanum

You should now have 5 pieces of information to send us:

• Azure App Registration Client ID
• Azure App Registration Secret Value (not the secret ID)
• SharePoint App-Only Client ID
• SharePoint App-Only Secret
• SharePoint Tenant ID

Once we have these, we will be able to configure and set up your SharePoint Connector. Make sure these are sent to us in a secure manner. SharePoint offers secure sharing to outside your tenant: Sharing files Externally

OneDrive Setup Guide

1. Sign in to the Azure Portal
   • Go to https://portal.azure.com and log in with the appropriate organizational account.
2. Create a New App Registration
   • Navigate to Azure Active Directory > App registrations > New registration.
   • Fill in the details:
     • Name: Enter a name like “Q Business OneDrive Access”.
     • Supported account types: Choose "Accounts in this organizational directory only".
     • Redirect URI: Leave this empty for now.
3. Configure API Permissions
   • Once the app registration is created, go to API Permissions > Add a permission.
   • Choose Microsoft Graph, then add the following permissions:
     • Delegated Permissions:
       • Files.Read.All – To allow access to files across OneDrive for Business accounts.
       • User.Read – To access basic user profile information.
     • Application Permissions:
       • Files.Read.All – To allow reading files from any user's OneDrive.
4. Generate a Client Secret
   • Go to Certificates & secrets > New client secret.
   • Add a description, set an expiration period (e.g., 6 months or 12 months). Once this period is up, the period will have to be extended to maintain access.
   • Copy the client secret value, and store it securely.
5. Retrieve Tenant ID and Client ID
   • In the Overview section of the app registration, note the Tenant ID and Client ID.
6. Grant Admin Consent
   • Go to API Permissions and click Grant admin consent to enable the permissions for the app.
7. Share the Connection Infomation to Arcanum
   • For Arcanum to connect Numa to your data, we require some infomation from your App Register
   • Provide the following information:
     • Tenant ID: The Tenant ID from Azure AD.
     • Client ID: The Client ID from Azure AD.
     • Client Secret: Store this in AWS Secrets Manager and link it here.
     • User's OneDrive URLs: Enter user-specific OneDrive URLs, such as https://yourcompany-my.sharepoint.com/personal/username_domain_com

S3 Setup Guide

1. S3 Bucket Configuration

   • Ensure the external S3 bucket you want Arcanum to access is properly set up. Make sure the data you want to share is organized and in a readable format (e.g., CSV, JSON, documents).
   • If necessary, review your bucket's security policies to ensure it’s configured to allow access.

2. Create an IAM Role for Access

   • In the AWS Management Console, navigate to IAM > Roles.
   • Click on Create Role and select Another AWS Account.
     • For Account ID, use the account ID provided by Arcanum.
     • External ID: If Arcanum provides an external ID for added security, enter it here.
   • Proceed to permissions.

3. Attach S3 Access Policy

   • Attach a policy that grants read-only access to the external S3 bucket:

4. {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:ListBucket",
           "s3:GetObject"
         ],
         "Resource": [
           "arn:aws:s3:::your-bucket-name",
           "arn:aws:s3:::your-bucket-name/*"
         ]
       }
     ]
   }
   

   • This policy allows Arcanum to list and read the objects from your specified S3 bucket.

5. Finalize the IAM Role

   • Once the permissions are set, create the role.
   • Save the Role ARN, as Arcanum will need this information.

6. Provide Arcanum with the Following Information

   • S3 Bucket Name: The name of the S3 bucket you want Arcanum to access.
   • Bucket Region: The AWS region where the bucket is located.
   • IAM Role ARN: The Amazon Resource Name (ARN) of the role you created for Arcanum to access the S3 bucket.

Once you’ve completed the setup and provided the necessary details (S3 bucket name, bucket region, and IAM role ARN), Arcanum will:

1. Use the provided IAM role to securely access the S3 bucket.
2. Handle all syncing and configuration related to Q Business.

Google Drive Setup Guide

1. Create a Google Cloud Project
   • Go to Google Cloud Console.
   • Create or select an existing project.
   • Name your project (e.g., “Q Business Google Drive Access”) and note the Project ID.
2. Enable Google Drive API
   • In the Google Cloud Console, go to APIs & Services > Library.
   • Search for Google Drive API and click Enable.
3. Create OAuth 2.0 Credentials
   • Go to APIs & Services > Credentials.
   • Click Create Credentials and select OAuth 2.0 Client IDs.
   • Configure the OAuth consent screen:
     • Choose the Internal option (for company-specific access) or External if other external parties need access.
     • Provide your App Name, User Support Email, and Scopes.
   • In the credentials screen, select Web Applicationand provide a name.
     • Under Authorized redirect URIs, leave it empty for now, as Arcanum will handle the final integration.
   • Click Create and note the generated Client ID and Client Secret.
4. Set Permissions for Google Drive Access
   • Once you’ve created the OAuth credentials, you need to configure the correct API permissions.
   • Go back to Credentialsand ensure you have the following scopes added:
     • https://www.googleapis.com/auth/drive.readonly – Allows read-only access to Google Drive files.
     • https://www.googleapis.com/auth/drive.metadata.readonly – Allows read-only access to metadata.
5. Generate Access for Arcanum
   • Arcanum will need the following:
     • Client ID: The client ID generated when creating OAuth credentials.
     • Client Secret: The client secret generated when creating OAuth credentials.
     • Project ID: The ID of the Google Cloud project you created.
6. Share Specific Folders with Arcanum
   • In Google Drive, you can restrict access to specific folders instead of the entire drive.
   • Right-click the folder(s) you want to share, select Share, and ensure that Arcanum’s service account or email (which they will provide) has Viewer access.
7. Provide Arcanum with the Following Information
   • Client ID: The OAuth client ID for your Google Drive.
   • Client Secret: The OAuth client secret for your Google Drive.
   • Project ID: The Google Cloud project ID.
   • Google Drive Folder Links: Links to the specific Google Drive folders you want Arcanum to access.

Once you’ve completed the setup and provided the necessary details (Client ID, Client Secret, Project ID, and folder links), Arcanum will:

1. Use the OAuth credentials to authenticate and securely access your Google Drive.
2. Handle all syncing and configuration related to Q Business.