> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tryassist.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Client Secret Authentication

Client secret authentication relies on standard Azure App Registration credentials to establish a connection with SharePoint. This approach works well for most straightforward SharePoint integrations

**Note:** Permission sync is not supported with client secret authentication. If you require permission sync, use certificate-based authentication instead.

## Setting Up

## Step 1: Create Azure App Registration

1. Open the Azure Portal and log in with your organization's credentials.
2. Use the search bar to find and navigate to "App registrations."
3. Click **New Registration** to begin creating a new app.
4. Give the app a recognizable name such as "ASSIST AI SharePoint Connector," leave all other fields at their defaults, and click **Register.**
5. From the overview tab under "Essentials," locate and save the **Application (client) ID** and **Directory (tenant) ID** — you'll need these later.

## Step 2: Create Client Secret

1. Go to the **Certificates & secrets** section in the Azure Portal.
2. Click **New client secret** to generate a new secret.
3. Enter a description, set the expiration period to 24 months, and click **Add.**
4. Immediately copy the value shown in the **Value** column and store it securely.

> **Important:** The secret value is only visible once — copy it right away before navigating away.

## Step 3: Configure API Permissions

1. Navigate to the **API Permissions** section in the Azure Portal.
2. Click **Add a permission.**
3. Select **Microsoft Graph**, then choose **Application permissions.**
4. Expand the **Sites** permission group.
5. Check the box for [**Sites.Read**](http://Sites.Read)**.All.**
   * *Advanced:* To restrict access to specific sites only, select **Sites.Selected** instead. Keep in mind that if you choose this option, you'll need to manually grant the registered app access to each site you want to index.

<Accordion title="How to grant site-specific access">
  If you selected **Sites.Selected**, you need to grant your app **read** access to each site you want to index.The steps below use [**Microsoft Graph Explorer**](https://developer.microsoft.com/en-us/graph/graph-explorer), but you can also grant site permissions using:

  * [**PnP PowerShell**](https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html) (`Grant-PnPAzureADAppSitePermission` cmdlet)
  * [**Resource Specific Consent guide**](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online)

  To use Graph Explorer, complete these steps:

  1. **Sign in** Sign in with a **Global Admin** or **SharePoint Admin** account.\\
  2. **Consent to permissions** Click your profile icon → **Consent to permissions** → enable **Sites.FullControl.All**. This grants Graph Explorer (not your Onyx app) permission to manage site access.
  3. **Get the site ID** Run a **GET** request, replacing `{tenant}` and `YourSiteName`:

  ```text theme={null}
  GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/YourSiteName?$select=id
  ```

  Copy the `id` from the response (format: `contoso.sharepoint.com,guid1,guid2`).

  4. **Grant Read permission** Change the method to **POST**:
     ```text theme={null}
     GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/YourSiteName?$select=id
     ```
      Request body:
     ```text theme={null}
     {
       "roles": ["read"],
       "grantedToIdentitiesV2": [{
         "application": {
           "id": "<ASSIST AI App Client ID>",
           "displayName": "ASSIST AI SharePoint Connector"
         }
       }]
     }
     ```
  5. **Verify** Change the method to GET:
     ```text theme={null}
     GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
     ```

          Confirm `"roles": ["read"]` appears for the ASSIST AI app.

  Repeat steps 3–5 for each site you want to index.
</Accordion>

6. **Add and grant** Click **Add permissions**. Finally, click **Grant admin consent for \<Organization name>** (located next to **Add a permission**) and click **Confirm**.

## Step 4: Configure in ASSIST AI

1. **Open SharePoint connector** Navigate to the Onyx Admin Panel and select the **SharePoint** Connector.
2. **Create Client Secret credential** Click **Create New** credential and select the **Client Secret** tab.
3. **Enter credential details**
   * **Application (client) ID** from Step 1
   * **Directory (tenant) ID** from Step 1
   * **Client Secret Value** from Step 2
4. **Save credentials** Click **Create** to save your credentials.

For permission sync capabilities, consider using certificate-based authentication.
