Prerequisites for connecting Amazon Q Business to SharePoint (Online)
The following page outlines the prerequisites you need to complete before connecting SharePoint (Online) to Amazon Q, based on the authentication mode of your choice.
Note
For more information on connecting SharePoint (Online) to Amazon Q Business, see Connect Amazon Q Business to Microsoft SharePoint Online using least privilege access controls.
Prerequisites for using basic authentication
If you're using basic authentication, make sure you've completed the following steps in SharePoint (Online):
- Copied your SharePoint (Online) instance URLs. The format for the host URL you enter is https://yourdomain.sharepoint.com/sites/mysite or https://yourcompany.sharepoint.com. Your URL must start with https and contain sharepoint.com.
- Copied the domain name of your SharePoint (Online) instance URL.
- Noted your basic authentication credentials, that is, the username and password that you use to connect to SharePoint (Online).
- Deactivated Security Defaults in your Azure portal using an administrative user. For more information on managing security default settings in the Azure portal, see Microsoft documentation on how to enable/disable security defaults.
- Deactivated multi-factor authentication (MFA) for the SharePoint account, so that Amazon Q is not blocked from crawling your SharePoint content. Both of these changes weaken sign-in protection for that account, so use a dedicated service account with read-only access to the sites you intend to crawl rather than a personal or administrative account. The Azure AD App-Only and SharePoint App-Only modes described below authenticate without a user password, so neither step applies to them.
Note
No API permissions are required for crawling entities using Basic authentication.
In your AWS account, make sure you have:
- Created an Amazon Q Business application.
- Created an IAM role for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
- Stored your SharePoint (Online) authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
Note
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.
For a list of things to consider while configuring your data source, see Data source connector configuration best practices.
Prerequisites for using OAuth 2.0 authentication
If you're using OAuth 2.0 authentication, make sure you've completed the following steps in SharePoint (Online):
- Copied your SharePoint (Online) instance URLs. The format for the host URL you enter is https://yourdomain.sharepoint.com/sites/mysite or https://yourcompany.sharepoint.com. Your URL must start with https and contain sharepoint.com.
- Copied the domain name of your SharePoint (Online) instance URL.
- Copied the tenant ID of your Microsoft SharePoint (Online) instance. For details on how to find your tenant ID, see Find your Microsoft 365 tenant ID on the Microsoft website.
- Noted the username and password that you use to connect to SharePoint (Online).
- Noted the Client ID and Client secret generated after SharePoint (Online) Azure App registration.
- If you're not using ACL, added the following permissions:
  Microsoft Graph:
  - Notes.Read.All (Application) – Read all OneNote notebooks
  - Sites.Read.All (Application) – Read items in all site collections
  SharePoint:
  - AllSites.Read (Delegated) – Read items in all site collections
  Note
  Notes.Read.All and Sites.Read.All are required only if you want to crawl OneNote documents.
- If you're using ACL, added the following permissions:
  Microsoft Graph:
  - GroupMember.Read.All (Application) – Read all group memberships
  - Notes.Read.All (Application) – Read all OneNote notebooks
  - Sites.Read.All (Application) – Read items in all site collections
  - User.Read.All (Application) – Read all users' full profiles
  SharePoint:
  - AllSites.Read (Delegated) – Read items in all site collections
  - Sites.FullControl.All (Delegated) – Have full control of all site collections
  Note
  GroupMember.Read.All and User.Read.All are required only if the Identity crawler is activated.
- Deactivated multi-factor authentication (MFA) for the SharePoint account, so that Amazon Q is not blocked from crawling your SharePoint content.
In your AWS account, make sure you have:
- Created an Amazon Q Business application.
- Created an IAM role for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
- Stored your SharePoint (Online) authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
Note
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.
For a list of things to consider while configuring your data source, see Data source connector configuration best practices.
Prerequisites for using Azure AD App-Only authentication
If you're using Azure AD App-Only authentication, make sure you've completed the following steps in SharePoint (Online):
- Copied your SharePoint (Online) instance URLs. The format for the host URL you enter is https://yourdomain.sharepoint.com/sites/mysite or https://yourcompany.sharepoint.com. Your URL must start with https and contain sharepoint.com.
- Copied the domain name of your SharePoint (Online) instance URL.
- Copied the tenant ID of your Microsoft SharePoint (Online) instance. For details on how to find your tenant ID, see Find your Microsoft 365 tenant ID on the Microsoft website.
- Noted the file path to an X.509 certificate you have created and stored in an Amazon S3 bucket. For more information on how to do this, see Granting access via Azure AD App-Only and New-PnPAzureCertificate in Microsoft developer documentation. Upload only the certificate (the public part) to the bucket; keep the private key out of it, because the key is part of the authentication credentials that belong in the Secrets Manager secret described below.
- Noted the private key and the Client ID you generated after SharePoint (Online) Azure App registration.
- If you're not using ACL, added the following permission:
  SharePoint:
  - Sites.Read.All (Application) – Read items in all site collections
- If you're using ACL, added the following permission:
  SharePoint:
  - Sites.FullControl.All (Application) – Have full control of all site collections
  Note
  If you want to crawl specific sites, you can restrict permissions to those sites rather than to all sites in the domain. To do this, use the Sites.Selected (Application) permission. With this API permission, you must grant access to every site explicitly through the Microsoft Graph API. For more information, see Microsoft's blog on Sites.Selected permissions.
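The Sites.Selected note above says each site has to be granted explicitly through Microsoft Graph but does not show the call. The following is an added example, not AWS or Microsoft code. It builds the documented Graph request (POST /sites/{site-id}/permissions with a "roles" list and a "grantedToIdentities" application entry), sends it through a caller-supplied transport so it can be exercised offline, and then parses a GET /sites/{site-id}/permissions response to confirm that the app holds only the "read" role on that site. It assumes the app registration already has Sites.Selected with admin consent and that "token" is a valid bearer token; the site ID, app ID and display name in the demo are placeholders.

```python
"""Grant an app registration read access to one site under Sites.Selected, then verify it.

Added example; not AWS or Microsoft code. Assumes the app already holds the
Sites.Selected application permission with admin consent and that `token` is a
valid bearer token. IDs used in the demo are placeholders.
"""
import json
from typing import Callable, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # a content crawler should stay at "read"
Transport = Callable[[str, dict, dict], Tuple[int, dict]]


def site_lookup_url(domain: str, site_path: str) -> str:
    """Graph path-addressing form that resolves /sites/<name> on a host to a site-id."""
    return f"{GRAPH}/sites/{domain}:{site_path}"


def build_grant(site_id: str, app_id: str, app_name: str, roles=("read",)) -> Tuple[str, dict]:
    """Return (url, json_body) for POST /sites/{site-id}/permissions."""
    bad = set(roles) - ALLOWED_ROLES
    if bad:
        raise ValueError(f"unsupported role(s): {sorted(bad)}")
    body = {
        "roles": list(roles),
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_name}}],
    }
    return f"{GRAPH}/sites/{site_id}/permissions", body


def grant_site_access(post: Transport, token: str, site_id: str, app_id: str,
                      app_name: str, roles=("read",)) -> dict:
    """Send the grant through `post(url, headers, body) -> (status, json)`; Graph answers 201 on success."""
    url, body = build_grant(site_id, app_id, app_name, roles)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, resp = post(url, headers, body)
    if status != 201:
        raise RuntimeError(f"grant failed: HTTP {status}: {json.dumps(resp)[:200]}")
    return resp


def roles_for_app(permissions_response: dict, app_id: str) -> set:
    """Roles an app holds on a site, parsed from GET /sites/{site-id}/permissions."""
    roles = set()
    for perm in permissions_response.get("value", []):
        for ident in perm.get("grantedToIdentities", []):
            if ident.get("application", {}).get("id") == app_id:
                roles.update(perm.get("roles", []))
    return roles


def urllib_post(url: str, headers: dict, body: dict) -> Tuple[int, dict]:
    """Real transport (network); pass this as `post` when running against Graph."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.loads(r.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


if __name__ == "__main__":
    # Offline demo with a constructed transport that echoes the grant back as Graph would.
    def fake_post(url, headers, body):
        return 201, {"id": "perm1", "roles": body["roles"], "grantedToIdentities": body["grantedToIdentities"]}

    app = "00000000-0000-0000-0000-000000000001"  # placeholder app (client) ID
    site = "contoso.sharepoint.com,guid-1,guid-2"  # placeholder Graph site-id
    granted = grant_site_access(fake_post, "TOKEN", site, app, "amazon-q-crawler")
    print("roles now held:", roles_for_app({"value": [granted]}, app))
```

Run the grant once per site you want crawled, then list the site's permissions and check that the app appears with the "read" role only; an unexpected "write" entry means someone widened the grant and it should be removed before the connector is pointed at that site.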
In your AWS account, make sure you have:
- Created an Amazon Q Business application.
- Created an IAM role for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
- Stored your SharePoint (Online) authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
Note
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.
For a list of things to consider while configuring your data source, see Data source connector configuration best practices.
Prerequisites for using SharePoint App-Only authentication
If you're using SharePoint App-Only authentication, make sure you've completed the following steps in SharePoint (Online):
- Copied your SharePoint (Online) instance URLs. The format for the host URL you enter is https://yourdomain.sharepoint.com/sites/mysite or https://yourcompany.sharepoint.com. Your URL must start with https and contain sharepoint.com.
- Copied the domain name of your SharePoint (Online) instance URL.
- Copied the tenant ID of your Microsoft SharePoint (Online) instance. For details on how to find your tenant ID, see Find your Microsoft 365 tenant ID on the Microsoft website.
- Noted the SharePoint (Online) client ID and client secret generated when you registered the SharePoint App-Only principal and granted it permission, and, separately, the Client ID and Client secret generated by your SharePoint (Online) Azure App registration.
-
- If you're crawling OneNote documents or using the Identity crawler, added the following permissions (Notes.Read.All and Sites.Read.All for OneNote; GroupMember.Read.All and User.Read.All for the Identity crawler):
  Microsoft Graph:
  - GroupMember.Read.All (Application) – Read all group memberships
  - Notes.Read.All (Application) – Read all OneNote notebooks
  - Sites.Read.All (Application) – Read items in all site collections
  - User.Read.All (Application) – Read all users' full profiles
  Note
  Beyond these, no API permissions are required for crawling entities using SharePoint (Online) App-Only authentication.
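Every mode above repeats the same host-URL rule: start with https and contain sharepoint.com. As an added example (not AWS code), the validator below applies that rule the way a practitioner should before storing the URL in connector configuration: it checks the scheme and then requires the host itself to end with .sharepoint.com, so a look-alike such as https://sharepoint.com.evil.example or a URL that only contains "sharepoint.com" in its query string is rejected, and it returns the domain name the next prerequisite asks you to copy. Accepting only the root URL or a /sites/<name> path is an assumption taken from the two formats the page shows.

```python
"""Validate an Amazon Q Business SharePoint (Online) host URL and extract its domain.

Added example; not AWS code. Stricter than "contains sharepoint.com": the host must
be <tenant>.sharepoint.com. Limiting site paths to "/" or /sites/<name> is an
assumption based on the two URL formats shown on the page.
"""
import re
from urllib.parse import urlsplit

SHAREPOINT_SUFFIX = ".sharepoint.com"
TENANT_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
SITE_PATH = re.compile(r"^/sites/[A-Za-z0-9_-]+/?$")


def parse_sharepoint_url(url: str) -> dict:
    """Return {'domain', 'tenant', 'site_path'} or raise ValueError naming the problem."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise ValueError("URL must start with https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("URL must not embed credentials")
    if parts.port not in (None, 443):
        raise ValueError("non-standard port is not allowed")
    host = (parts.hostname or "").lower()
    # Suffix match on the host, not a substring match on the whole URL.
    if not host.endswith(SHAREPOINT_SUFFIX):
        raise ValueError(f"host must end with {SHAREPOINT_SUFFIX}: {host!r}")
    tenant = host[: -len(SHAREPOINT_SUFFIX)]
    if "." in tenant or not TENANT_LABEL.match(tenant):
        raise ValueError(f"unexpected tenant label: {tenant!r}")
    path = parts.path or "/"
    if path != "/" and not SITE_PATH.match(path):
        raise ValueError(f"site path must be / or /sites/<name>: {path!r}")
    return {"domain": host, "tenant": tenant, "site_path": path.rstrip("/") or "/"}


def is_valid_sharepoint_url(url: str) -> bool:
    """Boolean form of parse_sharepoint_url for use in config linting."""
    try:
        parse_sharepoint_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: two valid forms from the page and three look-alikes.
    for candidate in (
        "https://contoso.sharepoint.com/sites/mysite",
        "https://contoso.sharepoint.com",
        "http://contoso.sharepoint.com",
        "https://contoso.sharepoint.com.evil.example/sites/x",
        "https://evil.example/?x=sharepoint.com",
    ):
        try:
            print("ok  ", candidate, parse_sharepoint_url(candidate))
        except ValueError as err:
            print("bad ", candidate, "->", err)
```

The last three candidates all satisfy a literal "starts with https and contains sharepoint.com" test and would send the connector's credentials to the wrong host; that is the reason to check the host suffix rather than the whole string.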
In your AWS account, make sure you have:
- Created an Amazon Q Business application.
- Created an IAM role for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
- Stored your SharePoint (Online) authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
Note
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.
For a list of things to consider while configuring your data source, see Data source connector configuration best practices.
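Each mode ends with the same AWS-side list: an IAM role for the data source and a Secrets Manager secret holding the SharePoint credentials. The page does not show what a least-privilege version of that role looks like, so the following is an added example, not AWS code. It builds a trust policy that lets only the Amazon Q Business service assume the role, and only when acting for your account and your application (the aws:SourceAccount and aws:SourceArn conditions that close the confused-deputy hole), plus a permissions statement scoped to the one secret, and it includes the two audits to run on any role a console wizard or a colleague produced. The qbusiness.amazonaws.com service principal and the arn:aws:qbusiness:...:application/... ARN form are assumptions to confirm against the IAM role documentation this page links; the account ID and ARNs in the demo are placeholders.

```python
"""Build and audit the IAM policies for an Amazon Q Business data-source role.

Added example; not AWS code. The service principal and the application ARN
format are assumptions; confirm them against the IAM role documentation. The
confused-deputy pattern itself (aws:SourceAccount + aws:SourceArn on a
service-principal trust) is AWS's general guidance.
"""
import json

Q_SERVICE_PRINCIPAL = "qbusiness.amazonaws.com"  # assumed; confirm in the IAM role doc


def data_source_trust_policy(account_id: str, application_arn: str) -> dict:
    """Only Amazon Q Business, acting for this account and this application, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": Q_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": application_arn},
            },
        }],
    }


def secret_access_policy(secret_arn: str) -> dict:
    """Read exactly one secret: the SharePoint credentials for this data source."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadSharePointCredentials",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [secret_arn],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Findings for AssumeRole statements that are open or lack confused-deputy conditions."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: AssumeRole is open to any principal")
            continue
        cond_keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        for key in ("aws:SourceAccount", "aws:SourceArn"):
            if key.lower() not in cond_keys:
                findings.append(f"statement {i}: missing {key} condition (confused-deputy exposure)")
    return findings


def audit_secret_policy(policy: dict) -> list:
    """Findings where secret reads are not scoped to specific secret ARNs."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"*", "secretsmanager:*", "secretsmanager:getsecretvalue"}:
            continue
        for res in _as_list(st.get("Resource", [])):
            if res == "*" or res.endswith(":secret:*"):
                findings.append(f"statement {i}: secret read allowed on {res!r}; scope it to the connector's secret ARN")
    return findings


if __name__ == "__main__":
    # Placeholder account and ARNs.
    trust = data_source_trust_policy("123456789012", "arn:aws:qbusiness:us-east-1:123456789012:application/*")
    perms = secret_access_policy("arn:aws:secretsmanager:us-east-1:123456789012:secret:q-sharepoint-AbCdEf")
    print(json.dumps(trust, indent=2))
    print("trust findings:", audit_trust_policy(trust))
    print("secret findings:", audit_secret_policy(perms))
```

Replace the application/* wildcard with the specific application ARN once the Amazon Q Business application exists; the wildcard is only there so the role can be created first. A trust policy with the service principal but no Condition block will still "work", which is why the audit exists.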