Microsoft SharePoint
Microsoft SharePoint is a web-based collaboration platform that integrates with Microsoft 365, providing document management, storage, intranet, and team collaboration capabilities. SharePoint enables organizations to create sites for sharing information, managing documents, publishing content, and coordinating work across teams.
Authentication Types
Microsoft SharePoint supports 1 authentication method:
- OAuth - Create your own Microsoft Entra (Azure AD) OAuth app. Every user connects with their Microsoft account.
  - Pros: Full control, per-user tracking, production-ready, supports both work/school and personal Microsoft accounts
  - Cons: Requires Microsoft Entra ID (Azure AD) app registration (~5 min setup)
Setting up OAuth
Step 1: Register an application in Microsoft Entra admin center
- Go to https://entra.microsoft.com/ or https://portal.azure.com/
- Navigate to Microsoft Entra ID (formerly Azure Active Directory)
- In the left sidebar, select App registrations
- Click New registration
- Configure your application:
  - Name: Enter a descriptive name (e.g., "Webrix SharePoint Integration")
  - Supported account types: Select one of:
    - Accounts in any organizational directory and personal Microsoft accounts (recommended for multi-tenant)
    - Accounts in this organizational directory only (single tenant)
  - Redirect URI: Select Web and enter the Redirect URL provided by Webrix
- Click Register
Step 2: Configure API permissions
- In your app registration, go to API permissions in the left sidebar
- Click Add a permission
- Select Microsoft Graph
- Choose Delegated permissions
- Add the following permissions based on your needs:
  Essential permissions:
  - User.Read - Sign in and read user profile
  - Sites.Read.All - Read items in all site collections
  - offline_access - Maintain access to data
  For document management:
  - Files.Read.All - Read files in all site collections
  - Files.ReadWrite.All - Read and write files in all site collections
  For full site management:
  - Sites.ReadWrite.All - Read and write items in all site collections
  - Sites.Manage.All - Create, edit, and delete items and lists
  - Sites.FullControl.All - Full control of all site collections (required for permissions management)
  For granular access:
  - Sites.Selected - Access selected site collections (requires additional configuration)
- Click Add permissions
- Important: Click Grant admin consent for [Your Organization] if you have admin rights. This pre-approves the permissions for all users in your organization. Without this, each user will need to consent individually.
Step 3: Create a client secret
- In your app registration, go to Certificates & secrets in the left sidebar
- Under Client secrets, click New client secret
- Add a description (e.g., "Webrix Integration Secret")
- Select an expiration period:
  - 6 months (recommended for testing)
  - 12 months
  - 24 months
  - Custom (up to 24 months)
- Click Add
- Important: Copy the secret Value immediately - it will only be shown once. Store it securely.
Step 4: Get your Client ID
- In your app registration, go to Overview
- Copy the Application (client) ID
Step 5: Configure in Webrix
- In Webrix, paste the Client ID you copied
- Paste the Client Secret you copied
- Select the scopes you need based on the permissions you configured:
  - At minimum: User.Read, Sites.Read.All, offline_access
  - For read/write operations: Add Files.ReadWrite.All, Sites.ReadWrite.All
  - For permissions management: Add Sites.FullControl.All
- Click Save Changes
- Click Connect to authorize the integration
Available Scopes
The SharePoint connector provides access through the following Microsoft Graph API scopes:
Read Operations
- User.Read - Required for authentication; reads user profile information
- Sites.Read.All - Read-only access to all site collections, lists, and metadata
- Files.Read.All - Read-only access to files in all site collections
Write Operations
- Sites.ReadWrite.All - Read and write access to sites, lists, and list items
- Files.ReadWrite.All - Read and write access to files and folders
Advanced Operations
- Sites.Manage.All - Create, edit, and delete items and lists in all site collections
- Sites.FullControl.All - Full control including permissions management (required for listing/modifying permissions)
- Sites.Selected - Access only specific site collections (requires additional per-site configuration)
Essential
- offline_access - Enables refresh tokens to maintain long-term access without re-authentication
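To check that a connection requests no more than it needs, the sketch below reads the `scope` parameter from an OAuth authorization URL and compares it with the scope tiers this page lists in Step 5. It is an added example, not Webrix connector code; the tier names, the sample URL and its placeholder client_id are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Scope tiers as listed under "Step 5: Configure in Webrix" on this page.
# The tier names used as keys are hypothetical labels for this example.
MINIMUM = {"User.Read", "Sites.Read.All", "offline_access"}
TIER_SCOPES = {
    "write": {"Files.ReadWrite.All", "Sites.ReadWrite.All"},
    "permissions": {"Sites.FullControl.All"},
}
# Scopes this page describes as management or full control of all site collections.
BROAD = {"Sites.Manage.All", "Sites.FullControl.All"}


def parse_scopes(text):
    """Split a comma- or space-separated scope string into a set."""
    return {s for s in re.split(r"[,\s]+", text) if s}


def scopes_from_authorize_url(url):
    """Return the scopes requested in an authorization URL's scope parameter."""
    values = parse_qs(urlparse(url).query).get("scope", [])
    return parse_scopes(" ".join(values))


def audit_scopes(requested, tiers=()):
    """Compare requested scopes with the minimum set plus the named tiers."""
    unknown = set(tiers).difference(TIER_SCOPES)
    if unknown:
        raise ValueError(f"unknown tier(s): {sorted(unknown)}")
    required = set(MINIMUM).union(*(TIER_SCOPES[t] for t in tiers))
    excess = requested - required
    return {
        "missing": sorted(required - requested),
        "excess": sorted(excess),
        "broad_excess": sorted(excess & BROAD),
    }


# Constructed sample: an authorization URL with a placeholder client_id.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=User.Read%20Sites.Read.All%20offline_access%20Sites.FullControl.All"
)

if __name__ == "__main__":
    print(audit_scopes(scopes_from_authorize_url(SAMPLE_URL), tiers=["write"]))
```

A non-empty `broad_excess` means the connection asks for management or full-control scopes that the declared tiers do not call for.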
Common Use Cases
Document Management
- List and search for documents across SharePoint sites
- Upload files to document libraries
- Download files using download links
- Create folders to organize documents
- Update existing documents
- Delete documents when no longer needed
Site Discovery
- List all accessible SharePoint sites
- Search for sites by keyword
- Navigate site hierarchies (subsites)
- Get site details and metadata
List Management
- Retrieve data from custom lists (tasks, contacts, custom data)
- Create new list items
- Update existing list items
- Delete list items
- Query lists with filtering and sorting
Content Publishing
- List and view SharePoint pages
- Create new site pages
- Manage page content and layouts
Access Control
- View permissions on sites and items
- Create sharing links for files and folders
- Grant access to specific users
- Revoke access when no longer needed
Working with Site IDs
Most SharePoint operations require a siteId. You can obtain site IDs in several ways:
- List Sites - Returns all accessible sites with their IDs
- Search Sites - Find sites by keyword and get their IDs
- Get Site by Path - Get a site ID using the hostname and server-relative path
Example site ID format: contoso.sharepoint.com,2c712604-1370-44e7-a1f5-426573FDA80A,2D2244C3-251A-49EA-93A8-39E1C3A060FE
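Because a site ID is interpolated into the request path (`/sites/{siteId}/...`), it is worth validating before use. The following added example, which is not part of the connector, checks the hostname,GUID,GUID shape shown above and builds an endpoint URL only from validated parts; the `.sharepoint.com` suffix restriction and the function names are assumptions of this sketch, and the two GUIDs are labelled site collection ID and web ID as in Microsoft Graph's composite site ID.

```python
import re

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Sub-resources listed under "Key endpoints used" on this page.
RESOURCES = {"drive", "lists", "pages", "permissions"}

_HOST = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)
_GUID = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def parse_site_id(site_id, allowed_suffix=".sharepoint.com"):
    """Validate a composite site ID and return (hostname, collection_id, web_id).

    allowed_suffix is an assumption of this example (a tenant hostname
    restriction); pass None to accept any syntactically valid hostname.
    """
    parts = site_id.split(",")
    if len(parts) != 3:
        raise ValueError("site ID must be hostname,GUID,GUID")
    host, collection_id, web_id = parts
    if not _HOST.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    if allowed_suffix and not host.lower().endswith(allowed_suffix):
        raise ValueError(f"hostname outside {allowed_suffix}: {host!r}")
    for label, value in (("site collection", collection_id), ("web", web_id)):
        if not _GUID.fullmatch(value):
            raise ValueError(f"invalid {label} GUID: {value!r}")
    return host, collection_id, web_id


def site_endpoint(site_id, resource):
    """Build a Graph URL for a site sub-resource from a validated site ID."""
    if resource not in RESOURCES:
        raise ValueError(f"unsupported resource: {resource!r}")
    return f"{GRAPH_BASE}/sites/{','.join(parse_site_id(site_id))}/{resource}"


# The example ID from this page, plus constructed malformed inputs.
GOOD = ("contoso.sharepoint.com,2c712604-1370-44e7-a1f5-426573FDA80A,"
        "2D2244C3-251A-49EA-93A8-39E1C3A060FE")
BAD = ["contoso.sharepoint.com", GOOD + "/../../me",
       GOOD.replace("contoso.sharepoint.com", "example.org")]

if __name__ == "__main__":
    print(site_endpoint(GOOD, "lists"))
    for candidate in BAD:
        try:
            parse_site_id(candidate)
        except ValueError as err:
            print("rejected:", err)
```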
Troubleshooting
Error: "Insufficient privileges to complete the operation"
Cause: The user or application doesn't have sufficient permissions for the requested operation.
Solution:
- Verify the required scopes are added in your app registration
- Grant admin consent for the permissions in the Microsoft Entra admin center
- Ensure the user has appropriate SharePoint permissions for the site/item
- For permissions management operations, ensure Sites.FullControl.All is granted
Error: "The caller does not have permission"
Cause: Similar to insufficient privileges, but specifically for SharePoint resource access.
Solution:
- Check that the user has access to the specific SharePoint site
- Verify the site exists and the user has at least read permissions
- For write operations, ensure the user has edit permissions on the site
Error: "Access token has expired"
Cause: The OAuth access token has expired (typically after 1 hour).
Solution:
- Ensure offline_access scope is included to enable automatic token refresh
- The connector should automatically refresh tokens using the refresh token
Error: "AADSTS65001: The user or administrator has not consented"
Cause: The user hasn't consented to the requested permissions, or admin consent is required but not granted.
Solution:
- If you're an admin, grant admin consent in the Microsoft Entra admin center
- If not an admin, contact your IT administrator to grant consent
- Alternatively, remove permissions that require admin consent (like Sites.FullControl.All)
Error: "Resource not found for the segment"
Cause: Invalid site ID, list ID, or item ID provided.
Solution:
- Verify the ID format is correct
- Use "List Sites" or "Get Site by Path" to get valid site IDs
- Ensure the resource exists and the user has access to it
- Check for typos in IDs
Cannot upload large files
Cause: Files larger than 4MB cannot be uploaded using the simple upload method.
Solution:
- Current limitation: The connector supports files up to 4MB
- For larger files, you'll need to use upload sessions (feature planned for future release)
- As a workaround, split large files into smaller chunks or compress them
Sharing links don't work for external users
Cause: External sharing may be disabled in your SharePoint tenant settings.
Solution:
- Check SharePoint admin center external sharing settings
- Verify your site allows external sharing
- Ensure the sharing link type is appropriate (anonymous links may be disabled)
- Contact your SharePoint administrator to enable external sharing if needed
API Reference
This connector uses Microsoft Graph API v1.0 to interact with SharePoint. The base URL is https://graph.microsoft.com/v1.0.
Key endpoints used:
- /sites - Site discovery and management
- /sites/{siteId}/drive - Document library operations
- /sites/{siteId}/lists - List operations
- /sites/{siteId}/pages - Page operations
- /sites/{siteId}/permissions - Permission management
For more information, see the Microsoft Graph SharePoint API documentation.
Security Best Practices
- Principle of Least Privilege: Only request the scopes your application actually needs
- Admin Consent: Grant admin consent to avoid per-user consent prompts
- Secret Management: Store client secrets securely and rotate them regularly
- Token Security: Never expose access tokens or refresh tokens in logs or client-side code
- Audit Access: Regularly review application permissions and user access
- Expiration: Set appropriate expiration dates for client secrets (recommend 12 months or less)
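The expiration and rotation points can be checked mechanically. This added example (not connector code) audits the `passwordCredentials` entries of an exported app registration object for secrets that are expired, close to expiry, or issued for longer than the 12 months recommended above; the sample JSON is constructed, and the 30-day warning window is an assumption.

```python
import json
import re
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=366)  # this page recommends 12 months or less
WARN_BEFORE = timedelta(days=30)    # hypothetical rotation warning window


def _parse_ts(value):
    """Parse an ISO 8601 UTC timestamp, dropping any fractional seconds."""
    cleaned = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(cleaned)


def audit_secrets(application, now):
    """Return (secret name, finding) pairs for an application object."""
    findings = []
    for cred in application.get("passwordCredentials", []):
        name = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        start = _parse_ts(cred["startDateTime"])
        end = _parse_ts(cred["endDateTime"])
        if end <= now:
            findings.append((name, "expired"))
        elif end - now <= WARN_BEFORE:
            findings.append((name, "expires-soon"))
        if end - start > MAX_LIFETIME:
            findings.append((name, "lifetime-over-12-months"))
    return findings


# Constructed sample shaped like a Microsoft Graph application object.
SAMPLE_APP = json.loads("""
{
  "displayName": "Webrix SharePoint Integration",
  "passwordCredentials": [
    {"displayName": "Webrix Integration Secret",
     "keyId": "11111111-1111-1111-1111-111111111111",
     "startDateTime": "2024-01-10T09:00:00Z",
     "endDateTime": "2026-01-10T09:00:00Z"},
    {"displayName": "old test secret",
     "keyId": "22222222-2222-2222-2222-222222222222",
     "startDateTime": "2024-01-10T09:00:00.1234567Z",
     "endDateTime": "2024-07-10T09:00:00Z"}
  ]
}
""")

if __name__ == "__main__":
    now = datetime(2024, 12, 1, tzinfo=timezone.utc)  # fixed date for the demo
    for name, finding in audit_secrets(SAMPLE_APP, now):
        print(f"{name}: {finding}")
```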
Limitations
- File Upload Size: Direct upload is limited to 4MB. Larger files require upload sessions (not yet supported)
- Batch Operations: Bulk operations are executed sequentially; no batch API support currently
- Subsites Permissions: Listing permissions for subsites is not supported by Microsoft Graph API
- Rate Limiting: Microsoft Graph API has throttling limits; the connector does not currently implement retry logic for 429 responses
- Personal Sites: OneDrive for Business sites have different endpoints and may require additional configuration