> ## Documentation Index > Fetch the complete documentation index at: https://explore.airia.com/llms.txt > Use this file to discover all available pages before exploring further. # OneDrive and SharePoint # Set Up the OneDrive/SharePoint Connector The OneDrive/SharePoint Connector allows you to ingest documents from your Microsoft 365 storage directly into your project. To use the connector, you will authenticate via your Azure account. Decide on OAuth configuration - Airia managed with required scopes for all Microsoft integrations or Bring your own OAuth connector with custom scopes that best fit your integration and security requirements. ## Set Up with Airia managed OAuth This one-time setup registers the Airia Microsoft Connector application in your Azure Active Directory (Microsoft Entra ID), allowing it to access organizational data from OneDrive and SharePoint. > 💡 Note: > > * **Application Name:** `Airia Connector – Web` > * **Your tenant ID:** you can see it in platform settings 1. **Construct Admin Consent URL** Use the following format, replacing `` with your specific Microsoft tenant ID: `https://login.microsoftonline.com//adminconsent?client_id=4969aaba-cdb0-4777-829d-63a9dde52671` > 💡 Example: `https://login.microsoftonline.com/your-tenant-id-here/adminconsent?client_id=4969aaba-cdb0-4777-829d-63a9dde52671` 2. **Open Consent URL** Open the constructed URL in a web browser (preferably in an incognito or private browsing window). 3. **Log In as Azure Admin** Log in using an Azure Admin user account that has permissions to grant consent for enterprise applications. 4. **Review and Grant Consent** Review the requested permissions displayed on the screen and click **Accept** or **Grant consent** to approve them on behalf of your organization. > 💡 Note: After successful consent, the browser will redirect back to the Airia platform. 5. **Confirm Application Registration** Log into the [Microsoft Entra ID portal](https://entra.microsoft.com/) and navigate to **Enterprise applications**. Confirm that `Airia Connector – Web` is listed in this section. ## Set up with your custom managed OAuth This guide explains how to configure SharePoint with Site Selected access, SharePoint with all sites read access and OneDrive connectors in Azure AD and integrate it with Airia, allowing Airia to access specific SharePoint sites. ### Configure Your Azure AD App #### 1. Register Your Application in Azure AD 1. Navigate to **Azure Portal** > **Microsoft Entra ID** > **App registrations**. 2. Click **New registration**. 3. Configure the application details: * **Name**: Enter a descriptive name, such as `Airia SharePoint Site Selected`. * **Supported account types**: Select `Accounts in any organizational directory`. * **Redirect URI**: Enter `Airia Chat`. 4. Click **Register**. 5. From the app's **Overview** page, save the **Application (client) ID**. You will need this later. #### 2. Configure API Permissions 1. In your registered application's left menu, navigate to **API permissions**. 2. Click **Add a permission**. 3. Select **Microsoft Graph**. 4. Choose **Application permissions**. 5. Add the following permissions: For more limited permissions add the following scopes. Note that Microsoft Admin is required to whitelist the sites for syncing. Only one site can be ingested in a given data source. * `User.Read` * `Sites.Selected` * `offline.access` * (Optional for permission-aware RAG) `Directory.Read.All` Alternatively, you can list the following scopes without the need for whitelisting sites and the limitation of one site per data source. The app can access only the sites and files that the user who is authenticating has access to (delegated permissions). * `Sites.Read.All` * `offline.access` * `Files.Read` * `Files.ReadWrite` * `User.Read` Scopes required for OneDrive connector * `offline.access` * `Files.Read` * `Files.ReadWrite` * `User.Read` 6. Click **Add permissions**. 7. Click **Grant admin consent for \[Your Tenant Name]** and confirm. > 💡 Note: If permission-aware RAG (where the AI agent respects end-user permissions) is required, `Directory.Read.All` is necessary. This scope often replaces the need for `User.Read.All`, `Group.Read.All`, and `GroupMember.Read.All` in most read-only scenarios. #### 3. Obtain Your Client Secret 1. In your registered application's left menu, navigate to **Certificates & secrets**. 2. Click **New client secret**. 3. Provide a **Description** (e.g., `Airia Client Secret`) and set an appropriate **Expires** duration. 4. Click **Add**. 5. Copy the **Value** of the client secret immediately. It will only be shown once and is required for Airia integration. ### Grant Site-Level Permissions Using Graph Explorer (required if you listed sites.selected scope for SharePoint only) Before granting your app access, you need to obtain the specific SharePoint Site ID. #### Prerequisites * Access to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). * A Global Administrator or SharePoint Administrator account to sign into Graph Explorer. #### 1. Grant Temporary Admin Permissions for Setup 1. Open [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in with a Global Administrator or SharePoint Administrator account. 2. In Graph Explorer, navigate to the **Permissions** tab. 3. Enable and consent to the `Sites.FullControl.All` permission. 4. Click **Consent**. > ⚠️ Warning: This permission is only for your admin session to configure site access. You can revoke it after completing this phase if desired. #### 2. Get Your SharePoint Site ID 1. In Graph Explorer, make a `GET` request to retrieve the site ID. * Replace `{hostname}` with your SharePoint hostname (e.g., `yourcompany.sharepoint.com`). * Replace `{site-name}` with the name of your SharePoint site. ```http theme={null} GET https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{site-name} ``` **Example:** ```http theme={null} GET https://graph.microsoft.com/v1.0/sites/airiaqe.sharepoint.com:/sites/SharePointSiteSelectedTestWebsite ``` 2. From the response, copy the entire `id` field. This is your **Site ID**. ```json theme={null} { "id": "airiaqe.sharepoint.com,3e6f8b32-6e9b-4b88-8c33-0c44f5c6a789,7b8c3b24-68c1-4a11-b12b-1ad4dcaa8a12", "displayName": "SharePointSiteSelectedTestWebsite", "name": "SharePointSiteSelectedTestWebsite", "webUrl": "https://airiaqe.sharepoint.com/sites/SharePointSiteSelectedTestWebsite" } ``` #### 3. Grant Your App Access to the SharePoint Site 1. In Graph Explorer, make a `POST` request to grant your registered app read permissions to the specific SharePoint site. * Replace `{site-id}` with the Site ID you obtained in the previous step. * Replace `{application-id}` with the **Application (client) ID** you saved from Azure AD (Phase 1, Step 1). * Replace `{application-display-name}` with the display name of your registered application (e.g., `Airia SharePoint Site Selected`). ```http theme={null} POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions ``` **Request Body:** ```json theme={null} { "roles": ["read"], "grantedToIdentities": [ { "application": { "id": "{application-id}", "displayName": "{application-display-name}" } } ] } ``` **Example Request:** ```http theme={null} POST https://graph.microsoft.com/v1.0/sites/airiaqe.sharepoint.com,3e6f8b32-6e9b-4b88-8c33-0c44f5c6a789,7b8c3b24-68c1-4a11-b12b-1ad4dcaa8a12/permissions ``` **Example Body:** ```json theme={null} { "roles": ["read"], "grantedToIdentities": [ { "application": { "id": "56708dc4-880d-4858-86a0-936a052fdc0f", "displayName": "Airia SharePoint Site Selected" } } ] } ``` #### 4. Verify App Access (Optional) 1. To confirm the permissions were set correctly, make a `GET` request in Graph Explorer. Replace `{site-id}` with your SharePoint Site ID. ```http theme={null} GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions ``` **Example:** ```http theme={null} GET https://graph.microsoft.com/v1.0/sites/airiaqe.sharepoint.com,3e6f8b32-6e9b-4b88-8c33-0c44f5c6a789,7b8c3b24-68c1-4a11-b12b-1ad4dcaa8a12/permissions ``` 2. The response should include an entry for your application with the `read` role. ```json theme={null} { "value": [ { "id": "some-guid", "roles": ["read"], "grantedToIdentities": [ { "application": { "id": "56708dc4-880d-4858-86a0-936a052fdc0f", "displayName": "Airia SharePoint Site Selected" } } ] } ] } ``` ### Create Your OAuth Connector in Airia #### 1. Add a New Microsoft OAuth Connector 1. In the Airia platform, navigate to **Settings** > **Ecosystem** > **App Connections**. 2. Select the **Microsoft** card. 3. Enter the following details for your new OAuth connector: * **Name**: A descriptive name (e.g., `SharePoint Site Selected Connector`). * **Client ID**: The Application (client) ID you saved from Azure AD (Phase 1, Step 1). * **Client Secret**: The client secret value you saved from Azure AD (Phase 1, Step 3). * **Scopes**: Add the following scopes (matching those configured in Azure AD): * `User.Read` * `Sites.Selected` * `offline.access` * (Optional for permission-aware RAG) `Directory.Read.All` 4. Click **Create**. ## Create a SharePoint Data Source ### 1. Add a New SharePoint Data Source 1. In the Airia platform, navigate to **Available data sources**. 2. Select the **SharePoint** card. ### 2. Configure Data Source Details 1. Provide the following details: * **Name**: A mandatory, descriptive name for your data source (e.g., `SharePoint Site Selected Data`). * **Description**: (Optional) A brief description. * **Scope**: Select the Airia project for this data source. * **OAuth connector**: From the dropdown, select the Microsoft OAuth connector you created in Phase 3 or Airia managed OAuth. 2. For **Credentials**, choose `Create new credential` (this is the only option if you just created the OAuth connector). 3. Enter a **Name** for the new credential. 4. Confirm the required scopes for the user authenticating that match the scopes for the Oauth configuration. 5. Click **Authenticate**. Complete the OAuth flow by logging in with an account that has access to the SharePoint site. ### 3. Specify SharePoint Site (only for sites.selected) and Ingestion Settings 1. Enter the **Site ID** or **Site URL** of the SharePoint site you wish to sync (obtained in Phase 2, Step 2). 2. Enable permission check or user specific if access control is required for the files in the data source. 3. (Optional) Configure the **ingestion settings** based on your specific use case and data requirements. 4. Click **Next** ### 4. Select Folders and Start Ingestion Browse and select the content you want to ingest. You can select and deselect individual items. Supported content types for ingestion include: * SharePoint sites * SharePoint subsites * SharePoint document libraries * Folders * Files * Shared content > 💡 Tip: Selecting a SharePoint site, library, or folder will sync all supported content within it, including files, subfolders, and their content. Reprocessing the data source will automatically sync newly added content, update modified content, and delete removed items within the selected content. > 💡 Note: To edit your content selection, go to the data source and click **Edit**. You may need to reauthenticate. Then click **Next** to make your new selections. If you reauthenticate with new user credentials, the content selector will not show previous selections, and you will need to reselect all desired items. ## Filter SharePoint Documents by Metadata Refine which documents are ingested from a folder using SharePoint metadata filters. Add include/exclude rules based on column values — Status, Department, Document Type, or any other column on your library — and only matching documents enter your data source. > 💡 Note: Metadata filtering is available for **SharePoint** folders only. OneDrive folders do not have list-item metadata. ### When to Use It Folder selection scopes ingestion by location. Use metadata filters when location alone is not enough — for example, a single library that mixes active and archived content, or documents tagged for several teams in the same folder. If folder selection covers your use case, prefer it. Filters add overhead on every sync. ### 1. Open the Filter Panel In the folder picker, every SharePoint folder shows a funnel icon at the right end of its row. Click the funnel to open the filter panel for that folder. A small badge next to the funnel shows the rule count when filters are active. ### 2. Add Rules Each rule has three parts: | Part | What to enter | | ------------ | ------------------------------------------------------------------------------------------------------------------------ | | **Field** | The SharePoint column's display name, exactly as it appears in SharePoint (e.g. `Document Type`, `Status`, `Department`) | | **Operator** | `equals`, `not equals`, `contains`, or `not contains` | | **Value** | The value as it appears in SharePoint (case-insensitive) | Click **+ Add rule** for additional rules. Click the **×** icon on a row to remove a rule. The `contains` and `not contains` operators behave differently depending on whether the column holds one value or many: * **Multi-valued field** (e.g. multi-select Choice or Managed Metadata) — `contains` matches when **at least one** of the field's values matches your filter value; `not contains` matches when **none** of them do. * **Single-valued field** — `contains` matches when your filter value is a **substring** of the field's value; `not contains` matches when it is not. ### 3. Choose a Match Mode * **All** — every rule must match (AND). Use to narrow down. * **Any** — at least one rule must match (OR). Use for permissive matching. ### 4. Save the Data Source Filter rules save when you save the data source. The folder is auto-selected when you add its first rule; deselecting the folder clears its rules. > 💡 Tip: Re-run the sync after editing filters on an existing data source — Airia does not auto-re-sync when filters change. ### Supported Field Types | Field type | Enter as the value | | --------------------------- | -------------------------------------------------------------------- | | Single line of text, Choice | The value as displayed in SharePoint | | Managed Metadata (taxonomy) | The term **label** (e.g. `Research`) — not the GUID | | Person | The person's display name | | Content Type | The content type name (use field name `Content Type`) | | Date | ISO 8601 (e.g. `2026-01-15T00:00:00Z`); `equals` / `not equals` only | | Number | The number as a string | | Yes/No | `Yes` or `No` | | Hyperlink | The URL as it appears in SharePoint | Lookup columns are not supported in v1. ### Example: Active, Non-Defence Policies Only Folder: **Shared Documents/Policies** Match mode: **All** | Field | Operator | Value | | --------------- | ---------- | --------- | | `Status` | equals | `Active` | | `Department` | not equals | `Defence` | | `Document Type` | equals | `Policy` | This ingests only documents tagged as Active Policies that are not assigned to the Defence department; everything else in the folder is skipped. ### Limits and Behavior * Filters apply to a single folder only — child folders are not filtered unless you configure them too. * If a column you reference doesn't exist on a document, that rule is skipped for that document and a warning is logged. Ingestion continues. * Rules with empty **Field** or **Value** are not saved. ### Troubleshooting | Symptom | Likely cause | | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Nothing ingests | Value mismatch — check spelling and exact wording against SharePoint | | Field appears unknown in logs | Column name typo, or the column was renamed in SharePoint after it was created (Airia matches the current display name; ask your SharePoint admin if needed) | | Managed Metadata field not matching | Used the GUID or a parent term — use the leaf term **label** | | Filter ignored on subfolder | Filters don't inherit; configure each folder explicitly | ## Permissions Enforcement Airia filters query results based on the end-user's access permissions in OneDrive/Sharepoint. ### Prerequisites To enable permission enforcement for your data source: * **Single Sign-On (SSO)** must be enabled for your Airia project. * **Permission check** must be enabled when configuring the specific data source (e.g., when setting up the OneDrive/SharePoint data source). ## Next Steps After your data has been successfully ingested, the OneDrive/SharePoint data source is ready to be used with an Agent.