A SharePoint Site knowledge base lets your agents retrieve and reference content from your organization’s SharePoint sites. VIVI connects to SharePoint through the Microsoft Graph API using an app registration in Microsoft Entra ID (formerly Azure Active Directory) to read and index the content of every site page. SharePoint knowledge bases are ideal for enterprise content, team collaboration documents, and organizational knowledge you want your agents to access securely.
Prerequisites
Before you set up a SharePoint Site knowledge base, make sure you have the following:
- A Microsoft 365 tenant with SharePoint Online
- Access to the Microsoft Entra admin center (requires at least the Application Developer role)
- A Global Administrator or SharePoint Administrator to grant admin consent and assign site-level permissions
Set Up
Setting up a SharePoint Site knowledge base requires three main steps: registering an app in Microsoft Entra ID, configuring API permissions, and entering credentials in VIVI.
Step 1: Register an App in Microsoft Entra ID
VIVI uses client credentials (Client ID, Client Secret, and Tenant ID) to authenticate with Microsoft Graph and access your SharePoint content.
- Sign in to the Microsoft Entra admin center
- Navigate to Entra ID > App registrations
- Click New registration
- Enter a name for the app (e.g., “VIVI – SharePoint Connector”)
- Under Supported account types, select Accounts in this organizational directory only
- Leave Redirect URI blank
- Click Register
Once registration is complete, copy the Application (client) ID and Directory (tenant) ID from the app’s Overview page. You’ll enter these into VIVI later.
Next, create a client secret:
- In your app registration, go to Certificates & secrets
- Under Client secrets, click New client secret
- Add a description and choose an expiration period
- Click Add
- Copy the secret Value immediately – it will not be visible again after you leave the page
For detailed guidance, see Microsoft’s official documentation: Register an application in Microsoft Entra ID.
Step 2: Configure API Permissions
Your app registration needs permission to read SharePoint content through the Microsoft Graph API. VIVI supports two permission models. Choose the one that fits your organization’s security requirements.
Option A: Sites.Read.All
This grants the app read access to all SharePoint sites in your tenant. It’s the simplest option – one admin consent step and you’re done.
- In your app registration, go to API permissions
- Click Add a permission > Microsoft Graph > Application permissions
- Search for Sites.Read.All and select it
- Click Add permissions
- Click Grant admin consent for [your organization]
No further configuration is needed. The app can now read all sites in your tenant.
Note: This permission is broad. The app will have read access to every SharePoint site in your organization. If you need to restrict access to specific sites only, use Option B instead.
Option B: Sites.Selected (Recommended)
This grants the app access to only the specific SharePoint sites you choose. The app will have zero access until you explicitly grant it to each site. This is the recommended approach for production environments because it follows the principle of least privilege.
Step 2a: Add the Permission
- In your app registration, go to API permissions
- Click Add a permission > Microsoft Graph > Application permissions
- Search for Sites.Selected and select it
- Click Add permissions
- Click Grant admin consent for [your organization]
At this point, the app has consent for Sites.Selected but cannot access any site yet. A SharePoint Administrator or Global Administrator must explicitly grant the app read access to each target site using one of the methods below.
For more details on how Selected permissions work, see Microsoft’s documentation: Overview of Selected Permissions in OneDrive and SharePoint.
Step 2b: Grant Read Access to Specific Sites
There are two ways to grant site-level permissions: PnP PowerShell (recommended for most admins) or the Microsoft Graph API.
Using PnP PowerShell
This is the easiest method. It requires the PnP PowerShell module.
```powershell
# Install PnP PowerShell if needed
Install-Module -Name PnP.PowerShell -Scope CurrentUser

# Connect as a SharePoint Administrator
Connect-PnPOnline -Url "https://<yourcompany>.sharepoint.com/sites/<YourSite>" -Interactive

# Grant read access to the VIVI app
Grant-PnPAzureADAppSitePermission `
    -AppId "<your-app-client-id>" `
    -DisplayName "VIVI – SharePoint Connector" `
    -Site "https://<yourcompany>.sharepoint.com/sites/<YourSite>" `
    -Permissions Read
```
The account running this command must have Sites.FullControl.All delegated permission and hold a SharePoint Administrator or Global Administrator role. Repeat the command for each additional site the app needs to access.
See the full cmdlet reference: Grant-PnPAzureADAppSitePermission.
Using the Microsoft Graph API
Use the Create permission endpoint to grant the app read access. This requires an access token from an app or user with Sites.FullControl.All permission.
First, get the site ID by making a GET request:
```http
GET https://graph.microsoft.com/v1.0/sites/yourcompany.sharepoint.com:/sites/YourSite
```
The response will include the full site ID in the format hostname,siteCollectionId,webId.
Then, grant read access to the app:
```http
POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
Content-Type: application/json

{
  "roles": ["read"],
  "grantedToIdentitiesV2": [
    {
      "application": {
        "id": "<your-app-client-id>",
        "displayName": "VIVI – SharePoint Connector"
      }
    }
  ]
}
```
A successful request returns a 201 Created response.
For step-by-step details, see Microsoft’s developer blog: Controlling app access on specific SharePoint site collections.
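An offline least-privilege check for Option B, added here as an example (it is not VIVI's or Microsoft's code): it decodes the `roles` claim of the connector's app-only Graph access token to confirm it carries Sites.Selected and no tenant-wide Sites.* permission, and builds the read-only grant request shown above. The function names, the `contoso` host and the sample token are constructed for illustration.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Tenant-wide Graph application permissions that defeat a Sites.Selected setup.
TENANT_WIDE = {"Sites.Read.All", "Sites.ReadWrite.All",
               "Sites.Manage.All", "Sites.FullControl.All"}

def token_roles(access_token):
    """Return the 'roles' claim of a JWT (inspection only, signature NOT verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def audit_connector_token(access_token):
    """Report whether the connector app's token is scoped to Sites.Selected only."""
    roles = token_roles(access_token)
    broad = sorted(roles & TENANT_WIDE)
    return {"roles": sorted(roles), "tenant_wide": broad,
            "least_privilege": "Sites.Selected" in roles and not broad}

def read_grant_request(site_id, client_id, display_name):
    """Build the POST URL and body for a read-only site grant."""
    if len(site_id.split(",")) != 3:  # expected: hostname,siteCollectionId,webId
        raise ValueError("site ID must be hostname,siteCollectionId,webId")
    body = {"roles": ["read"],  # never more than read for an indexing connector
            "grantedToIdentitiesV2": [
                {"application": {"id": client_id, "displayName": display_name}}]}
    return f"{GRAPH}/sites/{site_id}/permissions", body

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(roles):
    """Constructed, unsigned sample token for offline runs (real ones come from Entra ID)."""
    return f"{_b64({'alg': 'none'})}.{_b64({'roles': roles})}.sig"

if __name__ == "__main__":
    print(audit_connector_token(sample_token(["Sites.Selected"])))
    print(audit_connector_token(sample_token(["Sites.Selected", "Sites.Read.All"])))
    print(read_grant_request("contoso.sharepoint.com,<siteCollectionId>,<webId>",
                             "<your-app-client-id>", "VIVI – SharePoint Connector"))
```

A token that still lists Sites.Read.All after switching to Option B means the old permission was never removed from the app registration, so the per-site grants are not restricting anything.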
Permission Comparison
| | Sites.Read.All | Sites.Selected |
|---|---|---|
| Access scope | All sites in the tenant | Only explicitly granted sites |
| Setup complexity | Simple – one admin consent step | Moderate – requires per-site grant |
| Security | Broad read access | Least privilege, granular |
| Recommended for | Development and testing | Production environments |
| Site-level grant required | No | Yes |
Step 3: Enter Credentials in VIVI
Navigate to the Knowledge Base tab and click Add New. Select SharePoint Site from the Category dropdown menu and fill in the sections marked as required.
Once you’ve configured your app registration and permissions:
- Enter the Client ID, Client Secret, and Azure Tenant ID from your app registration
- Enter the full SharePoint site URL (e.g., https://<yourcompany>.sharepoint.com/sites/<YourSite>)
- Click Test to verify the connection
- Use + Add Site to add additional sites if needed
Once your SharePoint sites are connected, VIVI will begin indexing the content automatically. A status banner at the top of the page will display the current indexing status. Once indexed successfully, your agent can start referencing the content from your SharePoint sites.
Best Practices
- Use Sites.Selected in production to follow the principle of least privilege and restrict access to only the sites your agents need
- Store your Client Secret securely and track its expiration date – secrets can’t be recovered after creation
- Limit access to the app registration in Entra ID to only those who need it
- Grant only Read access when assigning site-level permissions unless your use case requires more
- Monitor indexing status to ensure all SharePoint content is processed before deploying agents to production
- Write clear descriptions for your knowledge base to help your agents understand what SharePoint content is available and when to use it
- Test the connection after setup and periodically verify that credentials haven’t expired