> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vivi.bot/llms.txt
> Use this file to discover all available pages before exploring further.

# SharePoint Sites

A **SharePoint Site knowledge base** lets your agents retrieve and reference content from your organization's SharePoint sites. VIVI connects to SharePoint through the Microsoft Graph API using an app registration in Microsoft Entra ID (formerly Azure Active Directory). Once connected, you have access to two types of SharePoint knowledge bases:

<CardGroup cols={2}>
  <Card title="SharePoint Site Pages" icon="file-lines" iconType="regular" color="#0066ff">
    Index and retrieve content from your organization's SharePoint site pages. Ideal for enterprise wikis, team collaboration content, and organizational knowledge.
  </Card>

  <Card title="SharePoint Documents" icon="folder-open" iconType="regular" color="#0066ff">
    Sync and retrieve files from SharePoint document libraries. Ideal for PDFs, Word documents, and other files your agents need to reference.
  </Card>
</CardGroup>

***

## Prerequisites

Before you set up a SharePoint knowledge base, make sure you have the following:

* A Microsoft 365 tenant with SharePoint Online
* Access to the Microsoft Entra admin center (requires at least the Application Developer role)
* A **Global Administrator** or **SharePoint Administrator** to grant admin consent and assign site-level permissions

***

## Set Up

<Steps>
  <Step title="Register an App in Microsoft Entra ID">
    VIVI uses client credentials (Client ID, Client Secret, and Tenant ID) to authenticate with Microsoft Graph and access your SharePoint content.

    1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home)
    2. Navigate to **Entra ID > App registrations**
    3. Click **New registration**
    4. Enter a name for the app (e.g., "VIVI – SharePoint Connector")
    5. Under **Supported account types**, select **Accounts in this organizational directory only**
    6. Leave **Redirect URI** blank
    7. Click **Register**

    Once registration is complete, copy the **Application (client) ID** and **Directory (tenant) ID** from the app's Overview page. You'll enter these into VIVI later.

    Next, create a client secret:

    1. In your app registration, go to **Certificates & secrets**
    2. Under **Client secrets**, click **New client secret**
    3. Add a description and choose an expiration period
    4. Click **Add**
    5. **Copy the secret Value immediately** – it will not be visible again after you leave the page

    For detailed guidance, see Microsoft's official documentation: [Register an application in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).
  </Step>

  <Step title="Configure API Permissions">
    Your app registration needs permission to read SharePoint content through the Microsoft Graph API. Choose the permission model that fits your organization's security requirements.

    <AccordionGroup>
      <Accordion title="Option A: Sites.Read.All">
        This grants the app read access to all SharePoint sites in your tenant. It's the simplest option – one admin consent step and you're done.

        1. In your app registration, go to **API permissions**
        2. Click **Add a permission > Microsoft Graph > Application permissions**
        3. Search for **Sites.Read.All** and select it
        4. Click **Add permissions**
        5. Click **Grant admin consent for \[your organization]**

        No further configuration is needed. The app can now read all sites in your tenant.

        <Warning>
          This permission is broad. The app will have read access to every SharePoint site in your organization. If you need to restrict access to specific sites only, use Option B instead.
        </Warning>
      </Accordion>

      <Accordion title="Option B: Sites.Selected (Recommended)">
        This grants the app access to only the specific SharePoint sites you choose. The app will have zero access until you explicitly grant it to each site. This is the recommended approach for production environments because it follows the principle of least privilege.

        **Add the permission:**

        1. In your app registration, go to **API permissions**
        2. Click **Add a permission > Microsoft Graph > Application permissions**
        3. Search for **Sites.Selected** and select it
        4. Click **Add permissions**
        5. Click **Grant admin consent for \[your organization]**

        At this point, the app has consent for Sites.Selected but cannot access any site yet. A **SharePoint Administrator** or **Global Administrator** must explicitly grant the app read access to each target site using one of the methods below.

        For more details on how Selected permissions work, see Microsoft's documentation: [Overview of Selected Permissions in OneDrive and SharePoint](https://learn.microsoft.com/en-us/graph/permissions-selected-overview).

        **Grant read access to specific sites:**

        <AccordionGroup>
          <Accordion title="Using PnP PowerShell (Recommended)">
            This is the easiest method. It requires the [PnP PowerShell module](https://pnp.github.io/powershell/).

            ```powershell theme={null}
            # Install PnP PowerShell if needed
            Install-Module -Name PnP.PowerShell -Scope CurrentUser

            # Connect as a SharePoint Administrator
            Connect-PnPOnline -Url "https://<yourcompany>.sharepoint.com/sites/<YourSite>" -Interactive

            # Grant read access to the VIVI app
            Grant-PnPAzureADAppSitePermission `
                -AppId "<your-app-client-id>" `
                -DisplayName "VIVI – SharePoint Connector" `
                -Site "https://<yourcompany>.sharepoint.com/sites/<YourSite>" `
                -Permissions Read
            ```

            The account running this command must have **Sites.FullControl.All** delegated permission and hold a **SharePoint Administrator** or **Global Administrator** role. Repeat the command for each additional site the app needs to access.

            See the full cmdlet reference: [Grant-PnPAzureADAppSitePermission](https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html).
          </Accordion>

          <Accordion title="Using the Microsoft Graph API">
            This requires an access token from an app or user with **Sites.FullControl.All** permission.

            First, get the site ID:

            ```http theme={null}
            GET https://graph.microsoft.com/v1.0/sites/yourcompany.sharepoint.com:/sites/YourSite
            ```

            The response will include the full site ID in the format `hostname,siteCollectionId,webId`.

            Then, grant read access to the app:

            ```http theme={null}
            POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
            Content-Type: application/json

            {
                "roles": ["read"],
                "grantedToIdentitiesV2": [
                    {
                        "application": {
                            "id": "<your-app-client-id>",
                            "displayName": "VIVI – SharePoint Connector"
                        }
                    }
                ]
            }
            ```

            A successful request returns a `201 Created` response.

            For step-by-step details, see Microsoft's developer blog: [Controlling app access on specific SharePoint site collections](https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/).
          </Accordion>
        </AccordionGroup>
      </Accordion>
    </AccordionGroup>

    **Permission Comparison**

    |                               | Sites.Read.All                  | Sites.Selected                     |
    | ----------------------------- | ------------------------------- | ---------------------------------- |
    | **Access scope**              | All sites in the tenant         | Only explicitly granted sites      |
    | **Setup complexity**          | Simple – one admin consent step | Moderate – requires per-site grant |
    | **Security**                  | Broad read access               | Least privilege, granular          |
    | **Recommended for**           | Development and testing         | Production environments            |
    | **Site-level grant required** | No                              | Yes                                |
  </Step>

  <Step title="Enter Credentials in VIVI">
    Navigate to the **Knowledge Base** tab and click **Add New**. Select **SharePoint Site** from the Category dropdown menu and fill in the sections marked as required.

    1. Enter the **Client ID**, **Client Secret**, and **Azure Tenant ID** from your app registration
    2. Enter the full SharePoint site URL (e.g., `https://<yourcompany>.sharepoint.com/sites/<YourSite>`)
    3. Click **Test** to verify the connection
    4. Use **+ Add Site** to add additional sites if needed

    Once your SharePoint sites are connected, VIVI will begin indexing the content automatically. A status banner at the top of the page will display the current indexing status. Once indexed successfully, your agent can start referencing the content from your SharePoint sites.
  </Step>
</Steps>

***

## Features

### Monitoring Sync Status

The sync status banner shows the current state of your document sync. You can click directly on failed or skipped file links to view details, and a 24-hour aggregated sync summary gives you a consolidated view of activity over time.

### Exclusions

You may exclude documents and site pages from your knowledge base. Simply select the checkbox to the left of the document name or site page and select the **Exclude Selected** button.

***

## Best Practices

* **Use Sites.Selected in production** to follow the principle of least privilege and restrict access to only the sites your agents need
* **Store your Client Secret securely** and track its expiration date – secrets can't be recovered after creation
* **Limit access to the app registration** in Entra ID to only those who need it
* **Grant only Read access** when assigning site-level permissions unless your use case requires more
* **Monitor indexing status** to ensure all SharePoint content is processed before deploying agents to production
* **Write clear descriptions** for your knowledge base to help your agents understand what SharePoint content is available and when to use it
* **Test the connection** after setup and periodically verify that credentials haven't expired
