Skip to main content

SharePoint - Centralized Integration Guide

A
Written by Alexander
Updated over a week ago

Introduction

Sana Agents is a cutting-edge AI agent designed to streamline information retrieval and knowledge management within an organization. Leveraging advanced AI and machine learning techniques, Sana Agents can answer queries, summarize documents, and provide insights based on the data it has access to. With the SharePoint integration, Sana Agents can seamlessly access and utilize data stored in SharePoint, enhancing its ability to provide accurate, context-specific responses. This centralized integration reflects the same access permissions found in Microsoft SharePoint within Sana Agents. Note: Site items are not supported by this integration.

Integration Capabilities

  • Query Information from the Integrated System: Users can search and query SharePoint data directly within Sana Agents, leveraging its advanced AI capabilities. The integration respects SharePoint's file and folder access permissions, ensuring data access remains consistent and secure.

  • Note: The integration is designed for data retrieval and discussion within Sana Agents and does not support pushing data back to SharePoint.

Type of Integration

  • Centralized Integration: Mirrors SharePoint permissions on a user basis, ensuring that only authorized users can access specific data. The integration does not support site items.

Availability

The integration is available in the Team and Enterprise tiers, ensuring flexibility and scalability for various organizational needs.

Scope and Permission

The integration requests the following scopes and permissions:

Graph API

  • email: Read users' primary email addresses.

  • Files.Read.All: Read all files the signed-in user can access.

  • openid: Sign in with work or school accounts and access basic user profile information.

  • Sites.Read.All: Read documents and list items in all site collections on behalf of the signed-in user.

  • User.Read.All: Sign in to the app and read the profile of signed-in users, including basic company information.

  • Group.Read.All: understand which groups the user is a member of and if they belong to the owners group for a SharePoint site

REST API

  • AllSites.FullControl: We use this API to access additional group information that is not available through the Graph API. This allows us to better mirror the access control of SharePoint in Sana Agents.

Managing Access

The integration has access to all the sites and files that the connecting user account has access to. While you can connect to Sana with any account, if you want to manage this access in Microsoft Azure, we suggest this approach that ensures the principle of least-privilege:

  1. In the Azure Portal, create a user with 'member' role (this will ensure that it will not be part of any site unless specified).

  2. You will use this email (redacted above) and the password when you connect Sana and SharePoint. Make sure that you can retrieve it easily.

  3. In SharePoint, add the user email address with the role 'Member' to the sites that it needs access to.


  4. Add the SharePoint integration to Sana Agents with the created user.
    Here, you will click “Use another account” and put in the email/password combination that you created in Microsoft Entra.

5. Add Directory Reader Assignment

In your admin portal, go to Roles and admins from the left-side navigation.

In the search bar, type Directory Reader. Select the Directory Reader role from the results.

Click + Add assignments.

In the user search, find the user you created or want to update. Select the user.

Click Add to assign the Directory Reader role.

The user now has Directory Reader at the directory level. Next, make sure they have the right site permissions.

Give the user the right site access

Make sure the user matches one of the valid combinations:

  • Option 1: Guest user with full control

    1. Add the user as a Guest to the desired sites.

    2. Grant them Full Control on each relevant site.

    3. Confirm they also have Directory Reader assigned.

  • Option 2: Member user with read-only access

    1. Add the user as a Member.

    2. Grant them Read access to each site where they must pull lists.

    3. Confirm they also have Directory Reader assigned.

  • Option 3: Member user with full control

    1. Add the user as a Member.

    2. Grant them Full Control access on the required sites.

    3. Confirm they also have Directory Reader assigned.

Tip: If a user cannot pull lists, first check their site role (Guest or Member) and permission level (Read or Full Control), then confirm the Directory Reader assignment.

Integration Set-up

Note: Before starting the integration setup, configure the custom OAuth app for SharePoint.

  1. Sign in to your Sana Agents account.

  2. Navigate to the Integrations section of the platform.

  3. Click on Microsoft SharePoint and select Connect centralized.

  4. Follow the prompts to authorize Sana Agents to access your SharePoint data.

    • If you are a SharePoint administrator, select “Consent on behalf of your organization” to allow any user within your organization to connect the integration.

    • If you are a user, contact your Microsoft administrator to request access.

  5. For a shared / centralized SharePoint integration, additional steps are required:

    • Navigate to the 'Shared Integrations' section and select your SharePoint integration to adjust settings.

    • Open a separate browser tab to navigate to your SharePoint and copy the URL of the site or folder you want to import to Sana.

      Valid URL formats:

      • Root site
        * https://<company-domain>.sharepoint.com
        * https://<company-domain>.sharepoint.com/SitePages/Home.aspx
        * https://<company-domain>.sharepoint.com/sites/<site-name>
        *https://<company-domain>.sharepoint.com/sites/<site-name>/SitePages/CollabHome.aspx

      • Document library
        *https://<company-domain>.sharepoint.com/<document-library-name>/Forms/AllItems.aspx
        *https://<company-domain>.sharepoint.com/sites/<site-name>/<document-library-name>

      • Folder within document library
        -https://<company-domain>.sharepoint.com/<document-library-name>/Forms/AllItems.aspx?...&id=%2F<document-library-name>%2F<path-to-folder>&...
        *https://<company-domain>.sharepoint.com/sites/<site-name>/<document-library-name>?...&id=%2Fsites%2F<site-name>%2F<document-library-name>%2F<path-to-folder>&...

      • Microsoft Office file within document library
        *https://<company-domain>.sharepoint.com/:w:/r/_layouts/15/Doc.aspx?sourcedoc=%7B<file-id>%7D&file=<file-name>&...
        *https://<company-domain>.sharepoint.com/:w:/r/sites/<site-name>/_layouts/15/Doc.aspx?sourcedoc=%7B<dile-id>%7D&file=<file-name>&...

      • Non Microsoft Office file within document library
        *https://<company-domain>.sharepoint.com/<document-library-name>/<path-to-file>/<file-name>
        *https://<company-domain>.sharepoint.com/sites/<site-name>/<document-library-name>/<path-to-file>/<file-name>

      • Site Page
        *https://<company-domain>.sharepoint.com/SitePages/<site-page-name>.aspx
        *https://<company-domain>.sharepoint.com/sites/<site-name>/SitePages/<site-page-name>.aspx

      • All Site Pages within a site
        *https://<companydomain>.sharepoint.com/SitePages/Forms/ByAuthor.aspx
        *https://<company-domain>.sharepoint.com/sites/<site-name>/SitePages/Forms/ByAuthor.aspx

      • List
        *https://<company-domain>.sharepoint.com/Lists/<list-name>/AllItems.aspx
        *https://<company-domain>.sharepoint.com/sites/<site-name>/Lists/<list-name>/AllItems.aspx

      • OneDrive URLs (only available if OneDrive is activated in Microsoft account)
        *MyFiles: https://<company-domain>-my.sharepoint.com/my
        *Folder: https://<company-domain>-my.sharepoint.com/my?id=<path-to-folder>
        *Microsoft Office file: https://<company-domain>-my.sharepoint.com/:x:/r/personal/.../_layouts/15/Doc.aspx?sourcedoc=%7B<file-id>%7D&file=<file-name>&...
        *Non Microsoft Office file: https://<company-domain>-my.sharepoint.com/personal/.../Documents/<file-name>

    • Return to the Sana Agents settings modal and paste the URL under 'sites'. Click “Validate URL” and confirm that the site is valid.

    • After that, you will get a notification if the site URL is correct or incorrect

  6. Enter your SharePoint domain and click "Connect REST API."

  7. Configure additional settings as needed and click save.

Known Limitations

When a file or folder link from SharePoint is used, the owner of integration must have access to all parent folders in the hierarchy leading to the target location. If the integration owner has permission for a specific file or subfolder but lacks access to its parent folders, Sana Agents will fail to validate the used SharePoint link.

Data Handling & Privacy

Sana Agents is fully committed to data security and privacy. All data accessed by Sana Agents is encrypted both in transit and at rest. Sana does not train any underlying language models on your data, ensuring the privacy of your information. Furthermore, Sana Agents respects the underlying permissions of SharePoint with the individual integration, ensuring that users can only access data they are authorized to view. Sana Agents is ISO 27001 certified, GDPR compliant, and adheres to the highest standards of data security.

For further information about Sana Agents or the SharePoint integration, please contact [email protected] via email.

Did this answer your question?