The SharePoint Data Connector enables federated SQL queries on documents stored in SharePoint.
:::warning[Limitations]
The SharePoint connector does not yet support creating a dataset from a single file (e.g. an Excel spreadsheet). Datasets must be created from a folder of documents (see Document Formats).
:::
| Name | Required? | Description |
|---|---|---|
| `sharepoint_client_id` | Yes | The client ID of the Azure AD (Entra) application. |
| `sharepoint_tenant_id` | Yes | The tenant ID of the Azure AD (Entra) application. |
| `sharepoint_client_secret` | Optional | For service principal authentication. The client secret of the Azure AD (Entra) application. |
| `sharepoint_bearer_token` | Optional | For user authentication. The bearer access token obtained from the OAuth2 flow (see `spice login sharepoint` docs). |
:::note
Only one of sharepoint_client_secret or sharepoint_bearer_token is allowed.
:::
`from` formats

The `from` field in a SharePoint dataset takes the following format:

`drive_type` in a SharePoint connector `from` field supports the following types:
| Drive Type | Description | Example |
|---|---|---|
| `drive` | The SharePoint drive's name | `from: sharepoint:drive:Documents/...` |
| `driveId` | The SharePoint drive's ID | `from: sharepoint:driveId:b!Mh8opUGD80ec7zGXgX9r/...` |
| `site` | A SharePoint site's name | `from: sharepoint:site:MySite/...` |
| `siteId` | A SharePoint site's ID | `from: sharepoint:siteId:b!Mh8opUGD80ec7zGXgX9r/...` |
| `group` | A SharePoint group's name | `from: sharepoint:group:MyGroup/...` |
| `groupId` | A SharePoint group's ID | `from: sharepoint:groupId:b!Mh8opUGD80ec7zGXgX9r/...` |
| `me` | A user's OneDrive | `from: sharepoint:me/...` |
:::note
For the `me` drive type, the user is identified based on `sharepoint_client_code`, and this drive type cannot be used with `sharepoint_client_secret`.
:::
For a name-based drive_id, the connector will attempt to resolve the name to an ID at startup.
Within a drive, the SharePoint connector can load documents from:
| Description | Example |
|---|---|
| The root of the drive | from: sharepoint:me/root |
| A specific path within the drive | from: sharepoint:drive:Documents/path:/top_secrets |
| A specific folder ID | from: sharepoint:group:MyGroup/id:01QM2NJSNHBISUGQ52P5AJQ3CBNOXDMVNT |
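
The rules above (the `from` layout, the one-credential rule, and the `me` restriction) can be checked before a dataset definition is deployed. The following is an added example, not code from Spice: `parse_from` and `check_dataset` are hypothetical helpers, the `from` grammar is inferred from the examples in the tables above, and the sample values are constructed.

```python
# Added example (not Spice code); the from grammar is inferred from the tables above.
DRIVE_TYPES = {"drive", "driveId", "site", "siteId", "group", "groupId"}


def parse_from(value):
    """Split 'sharepoint:<drive_type>[:<drive_id>]/<location>' into its parts."""
    scheme, _, rest = value.partition(":")
    if scheme != "sharepoint":
        raise ValueError("from must start with 'sharepoint:'")
    drive, _, location = rest.partition("/")
    drive_type, _, drive_id = drive.partition(":")
    if drive_type == "me":
        if drive_id:
            raise ValueError("the me drive type takes no drive identifier")
    elif drive_type not in DRIVE_TYPES or not drive_id:
        raise ValueError(f"unsupported drive specifier {drive!r}")
    if location == "root":
        kind, target = "root", None
    else:
        kind, _, target = location.partition(":")
        if kind not in ("path", "id") or not target:
            raise ValueError(f"unsupported location {location!r}")
    return {"drive_type": drive_type, "drive_id": drive_id or None,
            "kind": kind, "target": target}


def check_dataset(from_value, params):
    """Return a list of problems; an empty list means the rules above hold."""
    try:
        parsed = parse_from(from_value)
    except ValueError as exc:
        return [str(exc)]
    required = ("sharepoint_client_id", "sharepoint_tenant_id")
    problems = [f"{key} is required" for key in required if not params.get(key)]
    has_secret = bool(params.get("sharepoint_client_secret"))
    has_token = bool(params.get("sharepoint_bearer_token"))
    if has_secret and has_token:
        problems.append("only one of sharepoint_client_secret or "
                        "sharepoint_bearer_token is allowed")
    if parsed["drive_type"] == "me" and has_secret:
        problems.append("the me drive type cannot be used with "
                        "sharepoint_client_secret")
    return problems


if __name__ == "__main__":
    # Constructed input: placeholder IDs and a client secret on the me drive.
    ids = {"sharepoint_client_id": "example-client", "sharepoint_tenant_id": "example-tenant"}
    print(check_dataset("sharepoint:me/root", {**ids, "sharepoint_client_secret": "example"}))
```
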
As outlined in the connector parameters, the SharePoint connector supports two types of authentication:
- Service principal authentication, using the `sharepoint_client_secret` parameter.
- User authentication, using the `sharepoint_bearer_token` parameter. Generally this is obtained by running `spice login sharepoint` and following the OAuth2 flow.

To use the SharePoint connector with service principal authentication, you will need to create an Azure AD application and grant it the necessary permissions. This will also support OAuth2 authentication for users within the tenant (i.e. `sharepoint_bearer_token`).

- Under `API permissions`, add the following permissions: `Sites.Read.All`, `Files.Read.All`, `User.Read`, `GroupMember.Read.All`.
- Under `Authentication`, add `http://localhost` as a `Mobile and desktop applications` redirect URI.
- Add `sharepoint_client_id` (from the `Application (Client) ID` field) and `sharepoint_tenant_id` to the connector configuration.
- Under `Certificates & secrets`, create a new client secret. Use this for the `sharepoint_client_secret` parameter.

For your convenience, Spice AI maintains a default Entra (Azure AD) application that can be used for authentication against your SharePoint instance. This application requires OAuth2 authentication. To use it:
And set the SPICE_SHAREPOINT_BEARER_TOKEN secret via:
Spice integrates with multiple secret stores to help manage sensitive data securely. For detailed information on supported secret stores, refer to the secret stores documentation. Additionally, learn how to use referenced secrets in component parameters by visiting the using referenced secrets guide.