The SharePoint Data Connector enables federated SQL queries on documents and tabular data stored in SharePoint or OneDrive.
The SharePoint connector supports two from: URL styles:
- `sharepoint:…` (single colon): one row per drive item with optional file content. Best for browsing folders of PDFs, PPTX, DOCX, etc. as document tables.
- `sharepoint://…` (double slash): tabular access via DataFusion's ListingTable. Enables `SELECT`, `INSERT INTO`, `COPY TO`, `COPY FROM`, and `CREATE EXTERNAL TABLE` against CSV, JSON, NDJSON, Parquet, and similar formats stored on SharePoint.

| Name | Required? | Description |
|---|---|---|
| `sharepoint_client_id` | Conditional | The client ID of the Azure AD (Entra) application. Required for every flow except `sharepoint_bearer_token`. |
| `sharepoint_tenant_id` | Conditional | The tenant ID of the Azure AD (Entra) application. Required for every flow except `sharepoint_bearer_token`. |
| `sharepoint_client_secret` | Conditional | The client secret of the Azure AD (Entra) application. Required for client-credentials, authorization-code, and refresh-token flows. |
| `sharepoint_bearer_token` | Conditional | A pre-acquired bearer access token. Generally obtained via `spice login sharepoint` (see docs). |
| `sharepoint_auth_code` | Conditional | OAuth2 authorization code (auth_code flow). Requires `sharepoint_client_secret` and `sharepoint_redirect_uri`. |
| `sharepoint_refresh_token` | Conditional | |
:::note
Exactly one of sharepoint_client_secret (alone, for client-credentials), sharepoint_bearer_token, sharepoint_auth_code (with sharepoint_client_secret + sharepoint_redirect_uri), sharepoint_refresh_token (with sharepoint_client_secret), sharepoint_device_code, or sharepoint_saml_assertion must be supplied. Combining unrelated auth credentials is rejected at startup.
:::
When using the sharepoint:// URL scheme, the standard listing-table parameters (file_format, csv_has_header, csv_delimiter, json_pointer, hive_partitioning_enabled, etc.) all apply — see File Formats and the Object Store File Formats reference for the full list.
`from` formats

The SharePoint connector accepts two `from:` URL styles.

`sharepoint:` (single colon)

Returns one row per drive item, optionally with the parsed content column. Use for document workflows over folders of PDF, PPTX, DOCX, XLSX, etc.
drive_type supports the following types:
| Drive Type | Description | Example |
|---|---|---|
| `drive` | The SharePoint drive's name | `from: sharepoint:drive:Documents/...` |
| `driveId` | The SharePoint drive's ID | `from: sharepoint:driveId:b!Mh8opUGD80ec7zGXgX9r/...` |
| `site` | A SharePoint site's name | `from: sharepoint:site:MySite/...` |
| `siteId` | A SharePoint site's ID | `from: sharepoint:siteId:b!Mh8opUGD80ec7zGXgX9r/...` |
| `group` | A SharePoint group's name | `from: sharepoint:group:MyGroup/...` |
| `groupId` | A SharePoint group's ID | `from: sharepoint:groupId:b!Mh8opUGD80ec7zGXgX9r/...` |
| `user` | A user's drive by user ID | `from: sharepoint:user:48d31887-5fad-4d73-a9f5-3c356e68a038/...` |
:::note
For the `me` drive type, the user is identified based on `sharepoint_bearer_token`; this drive type cannot be used with `sharepoint_client_secret`.
:::
For a name-based drive_id, the connector will attempt to resolve the name to an ID at startup.
Within a drive, the SharePoint connector can load documents from:
| Description | Example |
|---|---|
| The root of the drive | from: sharepoint:me/root |
| A specific path within the drive | from: sharepoint:drive:Documents/path:/top_secrets |
| A specific folder ID | from: sharepoint:group:MyGroup/id:01QM2NJSNHBISUGQ52P5AJQ3CBNOXDMVNT |
`sharepoint://` (double slash)

Routes through an ObjectStore plus DataFusion's ListingTable. Enables `SELECT`, `INSERT INTO`, `COPY TO`, `COPY FROM`, and `CREATE EXTERNAL TABLE` for CSV, JSON, NDJSON, Parquet, and other tabular formats — and binary round-trips for blobs (PDF, etc.) via `(FORMAT binary)`.

| URL form | Description |
|---|---|
| `sharepoint://me/{item-path}` | The authenticated user's OneDrive |
| `sharepoint://drives/{drive-id}/{item-path}` | A specific drive by ID |
| `sharepoint://sites/{site-id}/{item-path}` | A site's default document library |
| `sharepoint://users/{user-id}/{item-path}` | A user's default drive |
| `sharepoint://groups/{group-id}/{item-path}` | A group's default drive |
Path segments are percent-decoded, so site IDs containing , (e.g. contoso.sharepoint.com,abc-def,ghi-jkl) and file paths containing spaces work without extra escaping beyond standard URL encoding.
file_format is auto-inferred from the URL extension when omitted, so from: sharepoint://me/Documents/Q4.xlsx resolves without specifying file_format: xlsx.
The SharePoint connector supports six authentication flows. Configure exactly one — the connector picks the flow based on which auth parameter is set. See the Required Microsoft Graph permissions section below for the API permissions each flow requires.
| Flow | Parameters | Notes |
|---|---|---|
| Client credentials | sharepoint_client_secret | Service principal / daemon workloads. |
| Bearer token (passthrough) | sharepoint_bearer_token | Short-lived broker-minted token. Typically obtained via spice login sharepoint. |
| Authorization code | sharepoint_auth_code + sharepoint_client_secret + sharepoint_redirect_uri | Caller has already completed the user-agent redirect and captured the auth_code. |
| Refresh token | sharepoint_refresh_token + sharepoint_client_secret | Renewal from a prior grant. |
| Device code | sharepoint_device_code | Caller has already obtained a device code. |
| SAML 2.0 bearer (RFC 7522) | sharepoint_saml_assertion | Federated IdP (Okta, Ping, ADFS, …) assertion → Azure AD token. |
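
The "configure exactly one flow" rule from the note and the table above, written as a pre-deployment check on a dataset's parameters. This is an added example, not Spice's own validation code: the names `lint_auth` and `lint_writes` and the flow labels are assumptions, and treating a client secret set beside a bearer token, device code or SAML assertion as a conflict is this lint's reading of the note.

```python
# Added example: pre-deployment lint for the connector's auth parameters.
# It encodes the rules in this page's parameter table and note; it is not the
# connector's own startup validation.

# Parameter that selects a flow -> (flow label, companion parameters it needs).
SELECTORS = {
    "sharepoint_bearer_token": ("bearer_token", set()),
    "sharepoint_auth_code": ("authorization_code",
                             {"sharepoint_client_secret", "sharepoint_redirect_uri"}),
    "sharepoint_refresh_token": ("refresh_token", {"sharepoint_client_secret"}),
    "sharepoint_device_code": ("device_code", set()),
    "sharepoint_saml_assertion": ("saml_bearer", set()),
}
APP_IDS = ("sharepoint_client_id", "sharepoint_tenant_id")


def lint_auth(params):
    """Return (flow, errors) for a dict of params; flow is None if undecidable."""
    present = {k for k, v in params.items() if v}
    chosen = sorted(present & set(SELECTORS))
    if len(chosen) > 1:
        return None, ["more than one auth flow configured: " + ", ".join(chosen)]
    if chosen:
        flow, needs = SELECTORS[chosen[0]]
    elif "sharepoint_client_secret" in present:
        flow, needs = "client_credentials", set()  # secret alone selects this flow
    else:
        return None, ["no auth parameter set"]

    errors = [f"{flow} requires {p}" for p in sorted(needs - present)]
    # A client secret next to a flow that does not list it is a second credential.
    if "sharepoint_client_secret" in present and flow in (
            "bearer_token", "device_code", "saml_bearer"):
        errors.append(f"sharepoint_client_secret is unrelated to {flow}")
    if flow != "bearer_token":  # app identity is needed by every other flow
        errors += [f"{flow} requires {p}" for p in APP_IDS if p not in present]
    return flow, errors


def lint_writes(params):
    """Flag settings that make INSERT INTO / COPY TO fail on sharepoint://."""
    behavior = params.get("sharepoint_conflict_behavior", "replace")
    if behavior != "replace":
        return [f"conflict_behavior={behavior} is rejected for INSERT INTO / COPY TO"]
    return []
```

Run it over each dataset's `params` block in CI so that a leftover client secret beside a bearer token is caught before the runtime refuses to start.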
To use the SharePoint connector with service principal authentication, create an Azure AD application and grant it the necessary permissions. This same app registration also supports the OAuth2 user flows above.
- Under API permissions, add the permissions listed in Required Microsoft Graph permissions.
- Under Authentication, add `http://localhost` as a Mobile and desktop applications redirect URI.
- Add `sharepoint_client_id` (from the Application (Client) ID field) and `sharepoint_tenant_id` to the connector configuration.
- Under Certificates & secrets, create a new client secret. Use this for the `sharepoint_client_secret` parameter.

Read-only workflows require:

- `Sites.Read.All`
- `Files.Read.All`
- `User.Read`
- `GroupMember.Read.All`

Write workflows (`INSERT INTO`, `COPY TO`, `CREATE EXTERNAL TABLE` over `sharepoint://`) additionally require:

- `Files.ReadWrite` (for personal drive / specific drive writes), and
- `Sites.ReadWrite.All` (for site-scoped writes).

For your convenience, Spice AI maintains a default Entra (Azure AD) application that can be used for authentication against your SharePoint instance. This application requires OAuth2 authentication. To use it:
And set the SPICE_SHAREPOINT_BEARER_TOKEN secret via:
sharepoint://)

Reading a CSV from a site library:
Inserting rows:
Copying a query result out as Parquet:
Creating an external table over a folder of Parquet files:
Round-tripping a binary blob (e.g. a PDF):
:::warning[Limitations]
- The `sharepoint:` (metadata-listing) syntax cannot create a dataset from a single file (e.g. an Excel spreadsheet); datasets must be created from a folder of documents. Use the `sharepoint://` object-store syntax for single-file workflows.
- For `INSERT INTO` and `COPY TO`, only `sharepoint_conflict_behavior=replace` is supported. `fail` and `rename` cause writes to be rejected with a clear error.
:::

Spice integrates with multiple secret stores to help manage sensitive data securely. For detailed information on supported secret stores, refer to the secret stores documentation. Additionally, learn how to use referenced secrets in component parameters by visiting the using referenced secrets guide.

| Name | Required? | Description |
|---|---|---|
| `sharepoint_refresh_token` | Conditional | OAuth2 refresh token. Requires `sharepoint_client_secret`. |
| `sharepoint_device_code` | Conditional | A pre-acquired OAuth2 device code (device_code flow). |
| `sharepoint_saml_assertion` | Conditional | SAML 2.0 bearer assertion (RFC 7522) — exchanges a federated IdP assertion for an Azure AD token. |
| `sharepoint_redirect_uri` | Conditional | OAuth2 redirect URI. Required when using `sharepoint_auth_code`. |
| `sharepoint_scope` | Optional | OAuth2 scope. Defaults to `https://graph.microsoft.com/.default`. |
| `sharepoint_conflict_behavior` | Optional | How writes to an existing path are handled. One of `replace` (default; SharePoint stores a new version), `fail` (reject), or `rename` (write under a unique name). Only `replace` is compatible with `INSERT INTO` / `COPY TO`. Applies only to `sharepoint://`. |
| `sharepoint_max_put_bytes` | Optional | Hard cap, in bytes, on a single put/multipart upload. Writes above this size are rejected rather than silently buffered. Default: `1073741824` (1 GiB). Applies only to `sharepoint://`. |

| Drive Type | Description | Example |
|---|---|---|
| `me` | A user's OneDrive | `from: sharepoint:me/...` |