Microsoft SharePoint configuration

To successfully connect Gemini Enterprise with Microsoft SharePoint, you must complete the following configuration steps.

Set up authentication and permissions

You need to set up authentication and permissions in Microsoft Entra admin center. This is crucial for allowing the connector to access and synchronize data.

Register Microsoft Entra app for Microsoft SharePoint connector

Before creating the Microsoft SharePoint connector in Gemini Enterprise, register a Microsoft Entra application to enable secure access.

To register Gemini Enterprise as an OAuth 2.0 application in Entra, do the following:

Navigate to Microsoft Entra admin center.
In the navigation menu, expand the Entra ID and select App registrations.
On the App registrations page, click New registration.
On the Register an application page, do the following:
1. In the Name field, enter a name for your app.
2. In the Supported account types section, select Accounts in this organizational directory only.
3. In the Redirect URI section, do the following:
  1. In the platform list, select Web.
  2. In the redirect URI field, enter https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html.
4. Click Register. Microsoft Entra creates your app and displays the overview page of your app.
In the app navigation menu, click Authentication.
Click Add redirect URI.
In the platform selection pane, do the following:
1. Select Web.
2. In the Redirect URI field, enter https://vertexaisearch.cloud.google.com/oauth-redirect.
3. Click Configure.

Create an OAuth 2.0 configuration

To create a connection using the OAuth 2.0 authentication method, you need to obtain a client ID, client secret, and your Tenant ID from your Microsoft Entra application registration page.

Obtain client ID and client secret

To obtain the client ID and secret for the app, do the following:
1. Navigate to the app page.
2. In the app navigation menu, select Certificates & secrets.
3. Click New client secret.
4. In the client secret pane, do the following:
  1. In the Description field, enter a description for the secret.
  2. In the Expires list, select an expiry duration.
  3. Click Add.
5. Copy the secret displayed in the Value column (Client Secret) and the identifier in the Secret ID column (Client ID), and securely store both for later use.

Obtain Instance URI

The Instance URI has one of the following formats:

For all first-level sites: https://DOMAIN_OR_SERVER.sharepoint.com —for example, mydomain.sharepoint.com.
For a single site: https://DOMAIN_OR_SERVER.sharepoint.com/sites/WEBSITE —for example, mydomain.sharepoint.com/sites/sample-site.

Obtain Tenant ID

Your tenant ID can be found in the Tenant ID box on the overview page in the Microsoft Entra admin center.

Configure Microsoft API permissions

To configure the required API permissions for the app, do the following:

Navigate to the app page.
In the app navigation menu, select API permissions.
Click Add permissions.
In the Request API permissions pane, select Microsoft Graph.

Search for and select the following permissions based on your connection mode:

For the Federated search connection mode, no Graph API permissions are required.

For the Data ingestion connection mode with Federated credentials:

Permission	Type	Description
`GroupMember.Read.All`	Application	Allows the connector to read memberships and basic group properties for all groups without a signed-in user.
`User.Read`	Delegated	Allows the connector to read the profile of signed-in users. It also allows the connector to read basic company information of signed-in users.
Site control options
Option 1: `Sites.FullControl.All`	Application	Allows the connector to have full control of all site collections.
Option 2: `Sites.Selected`	Application	Allows the connector to access a subset of site collections. The specific site collections and the permissions granted can be configured in SharePoint Online.
Profile reading options
Option 1: `User.Read.All`	Application	Allows the connector to read user profiles.
Option 2: `User.ReadBasic.All`	Application	Allows the connector to read a basic set of profile properties of other users in the organization.

For the Data ingestion connection mode with OAuth 2.0 refresh token:

Permission	Type	Description
`GroupMember.Read.All`	Application	Allows the connector to read memberships and basic group properties for all groups without a signed-in user.
`User.Read`	Delegated	Allows the connector to read the profile of signed-in users. It also allows the connector to read basic company information of signed-in users.
`User.Read.All`	Application	Allows the connector to read user profiles.
Site control options
Option 1: `Sites.FullControl.All`	Application	Allows the connector to have full control of all site collections.
Option 2: `Sites.Selected`	Application	Allows the connector to access a subset of site collections. The specific site collections and the permissions granted can be configured in SharePoint Online.

If you enable Actions for either the Federated search or Data ingestion connection mode, also select the following permissions:

Permission	Type	Description
`Sites.ReadWrite.All`	Delegated	Allows the connector to edit or delete documents and list items in all site collections on behalf of the signed-in user.
`Files.ReadWrite`	Delegated	Allows the connector to read, create, update and delete the signed-in user's files.
`Files.ReadWrite.All`	Delegated	Allows the connector to read, create, update and delete all files the signed-in user can access.
`Sites.Manage.All`	Delegated	Allows the connector to create or delete document libraries and lists in all site collections on behalf of the user.

Click Add Permissions.
In the Request API permissions pane, select Microsoft SharePoint.