Overview
To authenticate your Sharepoint account, you will need to provide the following information: Sharepoint username and password
Prerequisites
Non-admins may require admin consent to utilize the full capabilities of the integration, such as write permissions.
If admin consent is necessary, please read the guide here and follow the instructions here to ask your SharePoint administrator to grant user consent. You must start the linking flow over to re-link once you get consent from your admin.
Step 1: Select permissions
Select the permissions option that fits your use case
Read-only for non-admins
Read access to Files, Folders, and Drives that only you have access to.
It does not allow access to Groups, upload Files, and create Folders.
Read-only for admins
Read all the Files, Folders, and Drives in your Sites.
This does not allow the integration to upload Files and create Folders.
Read & Write for admins
Read all the Files, Folders, and Drives in your Sites, as well as upload Files and create Folders.
Select Submit to proceed to the next page
Step 2: Authorize using SharePoint's website
Select Open window, to be redirected to SharePoint's website. Enter your SharePoint credentials when prompted.
Specific OAuth scopes will be requested, depending on the permissions you previously selected. Learn more.
Read-only for admins
Microsoft Graph
Files.Read: Read user filesFiles.Read.All: Read all files that user can accessFiles.Read.All: Read files in all site collectionsGroup.Read.All: Read all groupsGroup.Read.All: Read all groupsGroupMember.Read.All: Read group membershipsGroupMember.Read.All: Read all group membershipsSites.Read.All: Read items in all site collectionsSites.Read.All: Read items in all site collectionsUser.Read: Read all users' full profilesUser.Read.All: Read all users' full profiles
SharePoint
Sites.Search.All: Run search queries as a user
Read & Write for admins
Microsoft Graph
Files.Read: Read user filesFiles.Read.All: Read all files that user can accessFiles.ReadWrite: Have full access to user filesFiles.ReadWrite.All: Have full access to all files user can accessFiles.ReadWrite.All: Read and write files in all site collectionsGroup.Read.All: Read all groupsGroup.Read.All: Read all groupsGroupMember.Read.All: Read group membershipsGroupMember.Read.All: Read all group membershipsSites.Manage.All: Create, edit, and delete items and lists in all site collectionsSites.ReadWrite.All: Edit or delete items in all site collectionsUser.Read: Sign in and read user profileUser.Read.All: Read all users' full profiles
Read-only for non-admins
Microsoft Graph
Files.Read.All: Read all files that user can accessSites.Read.All: Read items in all site collectionsUser.Read: Sign in and read user profileUser.ReadBasic.All: Read all users' basic profiles
--- You're done! See below to learn more about why certain scopes are required ---
Why each scope is needed
Refer to Microsoft’s permissions reference for an in-depth explanation as to why we need each requested scope. Also, see the attached screenshots at the bottom of the article for a description of each requested scope.
Explanation of differences between delegated and application permissions.
Read scopes
Sites.Read.All, Sites.Read.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Sites.Search.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to search for SharePoint sites using specific keywords. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Files: Files.Read, Files.Read.All, Files.Read.All
Sample relevant endpoint that requires these scopes:
We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.
We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.
User.Read, User.Read.All, User.ReadBasic.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to populate information about users, such as names and email addresses.
Write scopes
Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All
Sample relevant endpoints that require these scopes:
POST /drives/{drive-id}/items/{parent-item-id}/children
POST /groups/{group-id}/drive/items/{parent-item-id}/children
POST /me/drive/items/{parent-item-id}/children
POST /sites/{site-id}/drive/items/{parent-item-id}/children
POST /users/{user-id}/drive/items/{parent-item-id}/children
We use information enabled by these scopes to read and create files and folders.
Sites.Manage.All, Sites.ReadWrite.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.