Skip to main content
Client secret authentication relies on standard Azure App Registration credentials to establish a connection with SharePoint. This approach works well for most straightforward SharePoint integrations Note: Permission sync is not supported with client secret authentication. If you require permission sync, use certificate-based authentication instead.

Setting Up

Step 1: Create Azure App Registration

  1. Open the Azure Portal and log in with your organization’s credentials.
  2. Use the search bar to find and navigate to “App registrations.”
  3. Click New Registration to begin creating a new app.
  4. Give the app a recognizable name such as “ASSIST AI SharePoint Connector,” leave all other fields at their defaults, and click Register.
  5. From the overview tab under “Essentials,” locate and save the Application (client) ID and Directory (tenant) ID — you’ll need these later.

Step 2: Create Client Secret

  1. Go to the Certificates & secrets section in the Azure Portal.
  2. Click New client secret to generate a new secret.
  3. Enter a description, set the expiration period to 24 months, and click Add.
  4. Immediately copy the value shown in the Value column and store it securely.
Important: The secret value is only visible once — copy it right away before navigating away.

Step 3: Configure API Permissions

  1. Navigate to the API Permissions section in the Azure Portal.
  2. Click Add a permission.
  3. Select Microsoft Graph, then choose Application permissions.
  4. Expand the Sites permission group.
  5. Check the box for Sites.Read.All.
    • Advanced: To restrict access to specific sites only, select Sites.Selected instead. Keep in mind that if you choose this option, you’ll need to manually grant the registered app access to each site you want to index.
If you selected Sites.Selected, you need to grant your app read access to each site you want to index.The steps below use Microsoft Graph Explorer, but you can also grant site permissions using:To use Graph Explorer, complete these steps:
  1. Sign in Sign in with a Global Admin or SharePoint Admin account.\
  2. Consent to permissions Click your profile icon → Consent to permissions → enable Sites.FullControl.All. This grants Graph Explorer (not your Onyx app) permission to manage site access.
  3. Get the site ID Run a GET request, replacing {tenant} and YourSiteName:
GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/YourSiteName?$select=id
Copy the id from the response (format: contoso.sharepoint.com,guid1,guid2).
  1. Grant Read permission Change the method to POST: 
    GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/YourSiteName?$select=id
     Request body: 
    {
  "roles": ["read"],
  "grantedToIdentitiesV2": [{
    "application": {
      "id": "<ASSIST AI App Client ID>",
      "displayName": "ASSIST AI SharePoint Connector"
    }
  }]
}
  2. Verify Change the method to GET: 
    GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
        Confirm "roles": ["read"] appears for the ASSIST AI app.Repeat steps 3–5 for each site you want to index.
  1. Add and grant Click Add permissions. Finally, click Grant admin consent for <Organization name> (located next to Add a permission) and click Confirm.

Step 4: Configure in ASSIST AI

  1. Open SharePoint connector Navigate to the Onyx Admin Panel and select the SharePoint Connector.
  2. Create Client Secret credential Click Create New credential and select the Client Secret tab.
  3. Enter credential details
    • Application (client) ID from Step 1
    • Directory (tenant) ID from Step 1
    • Client Secret Value from Step 2
  4. Save credentials Click Create to save your credentials.
For permission sync capabilities, consider using certificate-based authentication.