Set Up SharePoint Online and OneDrive

Prerequisites

Before starting, ensure you have completed the Azure AD Application setup.

Configure SharePoint Online Access

1. Request Graph API Application Permissions

  • Go to API permissions in your Azure AD application

  • Click Add a permission

  • Choose Microsoft Graph, then Application Permissions

  • Request permissions for the following resources:

    • Sites.Read.All (optional)

    • Sites.FullControl.All

    See "Permissions explained" below for why these permissions are needed

2. Request SharePoint API Application Permissions

  • Go to API permissions

  • Click Add a permission

  • Choose SharePoint, then Application Permissions

  • Request permissions for the following resources:

    • User.Read.All

    • Sites.Read.All

    • Sites.FullControl.All

    See "Permissions explained" below for why these permissions are needed

3. Grant Admin Consent

  • Grant admin consent for all requested permissions

  • If the application is registered with the admin account, you can grant the consent directly

  • Otherwise, the admin needs to log in, go to App Registrations and accept the permissions requested by the amberSearch application

Certificate Setup

4. Generate or Upload Certificate in Amber Admin Settings

Navigate to Amber Admin Settings > Data Sources > SharePoint Online (https://customerName.ambersearch.de/settings/data-sources/sharepoint_online)

Choose one of the following options:

Option A: Generate Certificate (Recommended)

Click "Generate Certificate" - Amber will automatically create a self-signed certificate for you.

Option B: Upload Your Own Certificate

If you prefer to use your own certificate:

  • Prepare a .pem or .pfx bundle file containing both the private key and the certificate

  • Select your file and click "Upload Certificate"

5. Download Public Key

After generating or uploading your certificate:

  1. In the Amber Admin Settings, locate the section "Update Certificate in Azure AD App Registration"

  2. Click "Download Public Key (.cer)"

  3. Save the amber_sharepoint.cer file

6. Upload Certificate to Azure Portal

  1. Go to Azure Portal > App registrations

  2. Select your Azure AD Application for amberSearch

  3. Navigate to Manage > Certificates & secrets

  4. Go to the "Certificates" tab

  5. Click "Upload certificate"

  6. Upload the amber_sharepoint.cer file you downloaded

  7. Copy the Thumbprint of the newly uploaded certificate

7. Validate Connection in Amber Admin Settings

Return to the Amber Admin Settings:

  1. In the "3. Validate Connection" section, paste the Thumbprint you copied from Azure

  2. Click "Validate"

  3. You should see a success message: "Connection validated successfully! The certificate is active and working."


Permissions explained

Sites.Read.All

Purpose

Sites.Read.All allows amber to read SharePoint site content and metadata. Amber uses this permission to discover and index SharePoint Online and OneDrive content.

Microsoft documents Sites.Read.All on learn.microsoft.com.

How amber uses it

Amber uses Sites.Read.All to:

  • discover SharePoint sites;

  • read site and library metadata;

  • read file and folder metadata;

  • retrieve content for indexing.

Common concerns

A common concern is that this permission could allow access to sensitive SharePoint content. amber uses this permission for indexing only, and search results remain permission-aware. This means indexed SharePoint and OneDrive content is shown only to users who are allowed to access it in Microsoft 365.


Sites.FullControl.All

Purpose

Sites.FullControl.All is required so amber can reliably process permission-only changes in SharePoint Online and OneDrive.

A permission-only change occurs when the content itself does not change, but the access rights do. Examples include:

  • a user is granted access to a file;

  • a user’s access is revoked;

  • a file or folder is shared with a group;

  • permission inheritance is changed;

  • permissions change on a site, document library, folder, or document.

Microsoft documents Sites.FullControl.All on learn.microsoft.com. Microsoft also documents the driveItem: delta API, which is used to track changes in drives, on learn.microsoft.com.

Why Sites.Read.All is not always sufficient

Sites.Read.All allows amber to read SharePoint and OneDrive content. However, Microsoft’s permission-change processing for Graph delta flows requires the elevated Sites.FullControl.All permission in order to process permissions correctly.

For permission-aware enterprise search, this is important because changes to access rights must be reflected in amber as quickly and reliably as possible. If a user loses access to a SharePoint document, amber must update its internal permissions so the document is no longer shown to that user in search results.

How amber uses it

Amber uses Sites.FullControl.All only to:

  • read permission-change information from Microsoft Graph;

  • detect permission-only changes;

  • read SharePoint / OneDrive permission state;

  • update amber’s internal ACL representation;

  • keep search results aligned with Microsoft 365 permissions.

For incremental permission indexing, Microsoft Graph delta requests can use the driveItem: delta API together with Prefer headers such as deltashowsharingchanges. Microsoft documents the driveItem: delta endpoint and related delta behavior on learn.microsoft.com.

Example request pattern:

    GET /sites/{siteId}/drive/root/delta
    Prefer: hierarchicalsharing,deltashowsharingchanges,deltashowremovedasdeleted,deltatraversepermissiongaps

When deltashowsharingchanges is used, items returned because of permission changes can be identified through the @microsoft.graph.sharedChanged annotation, as described in Microsoft's documentation on learn.microsoft.com.
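To make the delta handling concrete, here is an added Python example (not amberSearch's connector code) that sorts one delta page into permission-only ACL refreshes, content re-indexing and removals, and keeps the nextLink/deltaLink for the next round. The sample page is constructed by hand, and comparing eTags as the content-change test is the example's own simplification.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Prefer header from the request pattern above; deltashowremovedasdeleted
# makes items that dropped out of the view appear with a "deleted" facet.
PREFER_HEADER = ("hierarchicalsharing,deltashowsharingchanges,"
                 "deltashowremovedasdeleted,deltatraversepermissiongaps")

# Constructed sample delta page (not a real Graph response).
SAMPLE_PAGE = json.dumps({
    "value": [
        {"id": "01A", "name": "budget.xlsx", "file": {}, "eTag": "\"v2\"",
         "@microsoft.graph.sharedChanged": "True"},   # permission-only change
        {"id": "01B", "name": "notes.docx", "file": {}, "eTag": "\"v7\""},
        {"id": "01C", "name": "old.pdf", "deleted": {"state": "deleted"}},
        {"id": "01D", "name": "Shared", "folder": {},
         "@microsoft.graph.sharedChanged": "True"},
    ],
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/sites/SITE-ID/drive/root/delta?token=TOKEN",
})

@dataclass
class DeltaPlan:
    refresh_permissions: List[str] = field(default_factory=list)  # ACL re-read only
    reindex_content: List[str] = field(default_factory=list)      # content changed
    remove: List[str] = field(default_factory=list)               # drop from index
    next_link: Optional[str] = None    # more pages in this round
    delta_link: Optional[str] = None   # token to store for the next round

def plan_delta_page(page_json: str, known_etags: Dict[str, str]) -> DeltaPlan:
    """Classify each driveItem in one delta page.

    known_etags maps item id -> eTag seen at last index time (hypothetical
    store); an eTag mismatch is treated here as "content changed".
    """
    page = json.loads(page_json)
    plan = DeltaPlan(next_link=page.get("@odata.nextLink"),
                     delta_link=page.get("@odata.deltaLink"))
    for item in page.get("value", []):
        item_id = item["id"]
        if "deleted" in item:
            plan.remove.append(item_id)          # deleted or access withdrawn
            continue
        shared_changed = str(item.get("@microsoft.graph.sharedChanged", "")).lower() == "true"
        content_changed = known_etags.get(item_id) != item.get("eTag")
        if content_changed:
            plan.reindex_content.append(item_id)  # re-fetch content and ACL
        elif shared_changed:
            plan.refresh_permissions.append(item_id)  # ACL only, no content fetch
    return plan
```

A permission-only change (01A, 01D) therefore costs one permissions read rather than a full content re-fetch, which is the saving the elevated scope buys.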

Common concerns

A common concern is that the name Sites.FullControl.All suggests write or administrative control over SharePoint. The permission is technically elevated in Microsoft’s permission model, but amber’s connector uses it only for read-based indexing and permission synchronization.

Amber’s usage commitment

Although Microsoft names the permission Sites.FullControl.All, amber uses this permission strictly for read-based indexing and permission synchronization. amber’s SharePoint connector does not write, alter, delete, or modify customer content or permissions in SharePoint Online or OneDrive. The elevated scope is required because Microsoft requires it for reliably reading and processing permission-change information through Microsoft Graph delta permission-scanning flows.

If Microsoft introduces a less-privileged permission that supports the same reliable permission-change detection, amber should align its guidance with that lower-scope permission.

What happens if this permission is not granted?

If Sites.FullControl.All is not granted, amber may still be able to index SharePoint content using read permissions, depending on the configured connector mode. However, permission-only changes may not be returned reliably through the Microsoft Graph delta flow.

This means:

  • revoked access may take longer to be reflected in amber;

  • newly granted access may take longer to appear in amber;

  • permission synchronization may rely more heavily on broader or full indexing runs;

  • full indexing may increase API usage.


Final Checks

After completing the steps above, verify that:

  • Graph API application permissions requested and admin consent granted

  • SharePoint application permissions requested and admin consent granted

  • Certificate uploaded to Azure AD and connection validated in Amber Admin Settings


That's it! Your SharePoint Online and OneDrive connection is now configured and ready to use.

If you need assistance, please reach out to us via IT@ambersearch.de