# Microsoft SharePoint Online

{% hint style="info" %}
Prerequisites: You must have an existing [Azure integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md) configured before setting up SharePoint discovery.
{% endhint %}

To enable SharePoint discovery for an [Azure tenant configuration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md), you will need to upload an X.509 certificate for authentication. Once provided, Veza will automatically extract permissions metadata for SharePoint Online resources, and show effective permissions for Azure AD users and groups to SharePoint servers, sites, libraries, and folders.

**1. Prepare certificate**

{% hint style="warning" %}
Microsoft and Veza recommend using a valid signed certificate, but you can use a self-signed certificate if needed.
{% endhint %}

{% tabs %}
{% tab title="Generate with Veza" %}

1. In the **Auth Certificate Password** field, enter a password to protect the certificate file. This step is optional but recommended.
2. Click **Generate & Download Certificate and Key Pair File**. Veza generates and downloads two files: `azure-certificate.pfx` (private key) and `azure-certificate.crt` (public certificate).
3. Upload the `.crt` file to configure the App Registration in Azure (see step 2.4).
4. Upload the `.pfx` file using the **Upload the Certificate Key** field in Veza (see step 3).
{% endtab %}

{% tab title="Windows (PowerShell)" %}
To create a self-signed certificate and private key using Windows PowerShell:

1. Open PowerShell as an Administrator and run the following commands to create a certificate:

   ```powershell
   # Set your certificate name and password
   $certname = "VezaSharePoint"
   $mypwd = ConvertTo-SecureString -String "YourSecurePassword" -Force -AsPlainText

   # Create the self-signed certificate (valid for 2 years)
   $cert = New-SelfSignedCertificate -Subject "CN=$certname" `
       -CertStoreLocation "Cert:\CurrentUser\My" `
       -KeyExportPolicy Exportable `
       -KeySpec Signature `
       -KeyLength 2048 `
       -KeyAlgorithm RSA `
       -HashAlgorithm SHA256 `
       -NotAfter (Get-Date).AddYears(2)

   # Export the .CER file (public key for Azure app registration)
   Export-Certificate -Cert $cert -FilePath "$HOME\Desktop\$certname.cer"

   # Export the .PFX file (private key for Veza)
   Export-PfxCertificate -Cert $cert -FilePath "$HOME\Desktop\$certname.pfx" -Password $mypwd
   ```
2. Use the `.CER` file to configure the App Registration in Azure (see step 2.4)
3. Use the `.PFX` file and password to configure the Azure integration in Veza (see step 3)

For more details, see Microsoft's documentation on [creating self-signed certificates](https://learn.microsoft.com/azure/active-directory/develop/howto-create-self-signed-certificate) and the [New-SelfSignedCertificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate) cmdlet reference.
{% endtab %}

{% tab title="Linux / macOS (OpenSSL)" %}
For Linux, macOS, or other platforms, use OpenSSL to generate a self-signed certificate:

1. Run the following commands to create a certificate and PFX bundle:

   ```sh
   # Set your certificate name and password
   CERTNAME="VezaSharePoint"
   PASSWORD="YourSecurePassword"

   # Create directory
   mkdir -p ~/certs && cd ~/certs

   # Generate private key
   openssl genrsa -out ${CERTNAME}.key 2048

   # Generate self-signed certificate (valid 2 years)
   openssl req -new -x509 -sha256 -key ${CERTNAME}.key -out ${CERTNAME}.cer -days 730 \
     -subj "/CN=${CERTNAME}"

   # Export to PFX format (for Veza)
   openssl pkcs12 -export -out ${CERTNAME}.pfx -inkey ${CERTNAME}.key -in ${CERTNAME}.cer \
     -name "${CERTNAME}" -password pass:${PASSWORD}
   ```
2. Use the `.cer` file to configure the App Registration in Azure (see step 2.4)
3. Use the `.pfx` file and password to configure the Azure integration in Veza (see step 3)
{% endtab %}
{% endtabs %}

**2. Configure the Veza Enterprise App**

If you haven't already completed the steps to [configure a Microsoft Azure integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md), you should do so before continuing.

1. From your Microsoft Azure Portal, go to *Azure Active Directory* and select "App Registrations"
2. Select the app registration used by Veza for discovery of the Azure tenant
3. Click "API permissions," then "Add a permission," and grant the following *Application Permissions*:

Required Permissions Checklist:

* [ ] SharePoint permissions:
  * [ ] `User.Read.All`
  * [ ] `Sites.Read.All`
* [ ] Microsoft Graph permissions:
  * [ ] `Directory.Read.All`
  * [ ] `Files.Read.All`
  * [ ] `Sites.Read.All`
  * [ ] `Reports.Read.All`
* [ ] Grant Admin Consent is enabled on the API permissions screen

  > See the [Expanded Functionality](#expanded-functionality) section below for optional permissions.

4. Go to the app registration's Certificates & Secrets, click "Upload certificate," and provide the public certificate (the `.crt` or `.cer` file) from the key pair created in step 1.
5. Verify that the certificate has been uploaded by selecting "Manifest" and checking the `keyCredentials` property.

**3. Configure Veza**

Upload the `.pfx` file when [adding a new Azure account](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md#8-add-the-azure-tenant-to-veza) to Veza or by editing an existing Azure tenant configuration on the Integrations page. To authenticate using the certificate without a client secret, contact Veza support to enable this for your tenant.

**Enabling Last Activity Date for SharePoint Sites**

To enable parsing of `Last Activity Date` as a searchable property for SharePoint sites, you will need to disable [hidden user details in Office 365 Reports](https://docs.microsoft.com/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide#show-user-details-in-the-reports):

1. From the Office 365 admin center, go to Settings > Org Settings > Services
2. Select Reports
3. Clear the checkbox for Display concealed user, group, and site names in all reports, and save your changes

{% hint style="info" %}
Note: Last activity stats are only obtainable for top-level sites (not sub-sites).
{% endhint %}

#### Core SharePoint Entities

The SharePoint integration discovers and analyzes the following core entities within your SharePoint environment, creating relationships between resources, permissions, and identities:

{% @mermaid/diagram content="graph TB
subgraph "Azure AD"
    AAD_U[Azure AD Users]
    AAD_G[Azure AD Groups]
end

subgraph "SharePoint Online"
    SPO[SharePoint Online Tenant]

    SPO --> Sites[SharePoint Sites]
    Sites --> Libraries[Libraries]
    Sites --> Lists[Lists]
    Sites --> SM[Site Memberships]
    Libraries --> Folders[Folders]

    SPO --> SP_Users[SharePoint Users]
    SPO --> SP_Groups[SharePoint Groups]
    SPO --> Roles[SharePoint Roles]
    SPO --> RA[Role Assignments]

    Sites -.->|Site Hierarchy| Sites
    SP_Users -.->|HAS_ROLE| Roles
    SP_Groups -.->|HAS_ROLE| Roles
    RA -.->|CONNECTS| Roles
    SM -.->|ADMIN/GUEST| Sites
end

subgraph "SharePoint Term Store"
    TS[Term Store]
    TSM[Term Store Membership]
    TS --> TSM
end

%% Cross-Service Connections
AAD_U -.->|Identity Correlation| SP_Users
AAD_G -.->|Identity Correlation| SP_Groups
AAD_U -.->|HAS_MEMBERSHIP| TSM
AAD_G -.->|HAS_MEMBERSHIP| TSM
AAD_U -.->|HAS_MEMBERSHIP| SM" %}

<details>

<summary>SharePoint Sites</summary>

Individual SharePoint sites including both Communication sites and Team sites, with activity metrics and permission tracking.

| Attribute                     | Notes                                                   |
| ----------------------------- | ------------------------------------------------------- |
| `web_url`                     | Direct URL to access the SharePoint site                |
| `description`                 | Site description and purpose                            |
| `root`                        | Boolean indicating if this is the root site collection  |
| `is_personal`                 | Boolean indicating if this is a personal OneDrive site  |
| `inherits_parent_permissions` | Boolean indicating permission inheritance from parent   |
| `active_file_count`           | Number of files with recent activity                    |
| `file_count`                  | Total number of files in the site                       |
| `page_view_count`             | Number of page views for analytics                      |
| `visited_page_count`          | Number of unique pages visited                          |
| `storage_used`                | Storage space consumed in bytes                         |
| `storage_allocated`           | Total storage allocation in bytes                       |
| `has_stats`                   | Boolean indicating if activity statistics are available |
| `parent_site_id`              | Identifier of parent site for hierarchy                 |
| `is_deleted`                  | Boolean indicating if site is in recycle bin            |
| `last_activity_date`          | Timestamp of most recent site activity                  |
| `owner_display_name`          | Display name of the site owner                          |
| `created_at`                  | Site creation timestamp                                 |
| `azure_tenant_id`             | Azure tenant identifier for cross-service correlation   |

</details>

<details>

<summary>SharePoint Users</summary>

Individual user accounts with access to SharePoint resources, including both internal users and external guests with activity tracking.

| Attribute                      | Notes                                                        |
| ------------------------------ | ------------------------------------------------------------ |
| `member_login_name`            | SharePoint-specific login identifier                         |
| `email`                        | User email address for contact and identification            |
| `is_guest`                     | Boolean indicating external guest user status                |
| `guest`                        | Boolean indicating guest access permissions                  |
| `is_site_admin`                | Boolean indicating site administrator privileges             |
| `user_principal_name`          | Azure AD user principal name for identity correlation        |
| `is_deleted`                   | Boolean indicating if user account is deleted                |
| `deleted_date`                 | Timestamp when user was deleted                              |
| `last_activity_date`           | Timestamp of most recent SharePoint activity                 |
| `viewed_or_edited_file_count`  | Number of files viewed or edited by user                     |
| `synced_file_count`            | Number of files synchronized to local devices                |
| `shared_internally_file_count` | Number of files shared within the organization               |
| `shared_externally_file_count` | Number of files shared with external users                   |
| `visited_page_count`           | Number of SharePoint pages visited                           |
| `assigned_products`            | String listing Microsoft products assigned to user           |
| `has_stats`                    | Boolean indicating if user activity statistics are available |
| `created_at`                   | Account creation timestamp                                   |
| `description`                  | User description or role information                         |
| `web_url`                      | URL to user's profile or personal site                       |
| `quota`                        | Storage quota assigned to user                               |

</details>

<details>

<summary>SharePoint Libraries</summary>

Document libraries and other content repositories within SharePoint sites, with permission inheritance and content management features.

| Attribute                     | Notes                                                      |
| ----------------------------- | ---------------------------------------------------------- |
| `library_type`                | Type of library (Document, Picture, etc.)                  |
| `web_url`                     | Direct URL to access the library                           |
| `description`                 | Library description and purpose                            |
| `quota`                       | Storage quota allocated to the library                     |
| `inherits_parent_permissions` | Boolean indicating permission inheritance from parent site |
| `created_at`                  | Library creation timestamp                                 |

</details>

<details>

<summary>SharePoint Folders</summary>

Organizational folders within SharePoint libraries, with hierarchical structure and sharing capabilities.

| Attribute                     | Notes                                          |
| ----------------------------- | ---------------------------------------------- |
| `parent_id`                   | Identifier of parent folder for hierarchy      |
| `library_id`                  | Identifier of containing library               |
| `parent_path`                 | Full path to parent folder                     |
| `depth`                       | Folder depth level in hierarchy                |
| `scope`                       | Permission scope (inherited, unique, etc.)     |
| `library_type`                | Type of containing library                     |
| `is_shared`                   | Boolean indicating if folder has sharing links |
| `sharing_links`               | List of active sharing links and permissions   |
| `web_url`                     | Direct URL to access the folder                |
| `inherits_parent_permissions` | Boolean indicating permission inheritance      |
| `created_at`                  | Folder creation timestamp                      |

</details>

<details>

<summary>SharePoint Lists</summary>

SharePoint lists for structured data, task management, and custom applications within sites.

| Attribute                     | Notes                                                         |
| ----------------------------- | ------------------------------------------------------------- |
| `hidden`                      | Boolean indicating if list is hidden from site navigation     |
| `template`                    | SharePoint list template type (Custom, Tasks, Calendar, etc.) |
| `web_url`                     | Direct URL to access the list                                 |
| `description`                 | List description and purpose                                  |
| `inherits_parent_permissions` | Boolean indicating permission inheritance from parent site    |
| `created_at`                  | List creation timestamp                                       |

</details>

<details>

<summary>SharePoint Groups</summary>

SharePoint-specific security groups for managing permissions to sites, libraries, and lists.

| Attribute        | Notes                                                  |
| ---------------- | ------------------------------------------------------ |
| `global_members` | List of user login names who are members of this group |
| `created_at`     | Group creation timestamp                               |
| `description`    | Group description and purpose                          |
| `web_url`        | URL to group management page                           |
| `quota`          | Storage quota associated with group                    |

</details>

<details>

<summary>SharePoint Site Memberships</summary>

Administrative relationship nodes that connect Azure AD users to special site-level roles such as Site Administrator or Guest access.

| Attribute        | Notes                                                               |
| ---------------- | ------------------------------------------------------------------- |
| `name`           | Role type: "Admin" for site administrators, "Guest" for guest users |
| `global_members` | List of user login names with this membership type                  |
| `site_id`        | Identifier of the site this membership applies to                   |

Site Memberships represent elevated permissions that go beyond standard SharePoint group memberships:

* **Admin Memberships**: Connect users who have site administrator privileges
* **Guest Memberships**: Connect users who have guest access to the site

These memberships are automatically created when users are granted site admin privileges or guest access through SharePoint's administrative interfaces.

</details>

{% hint style="info" %}
The entities listed above reflect the limitations of read-only SharePoint API and Microsoft Graph API access. Additional entities are supported with optional permissions described in the [Expanded Functionality](#expanded-functionality) section below.
{% endhint %}

#### Cross-Service Identity Correlation

When deployed alongside an [Azure integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md), Veza automatically correlates SharePoint users and groups with their corresponding Azure AD identities. This correlation enables access analysis across both platforms.

{% hint style="success" %}
Cross-service correlation requires both Azure and SharePoint integrations to be configured and running. The correlation happens automatically when both integrations are present.
{% endhint %}

#### SharePoint Permissions

SharePoint uses a complex permission system that combines role-based access control with granular permissions. Veza discovers and analyzes all permission types to provide visibility into access rights.

Permission Categories:

Standard Access Levels:

* `read` - Read-only access to content
* `write` - Ability to modify existing content
* `owner` - Full control including permission management

Permission Inheritance:

* `inherited_read` - Read permissions inherited from parent
* `inherited_write` - Write permissions inherited from parent
* `inherited_owner` - Owner permissions inherited from parent
* `direct_read` - Direct read permissions assigned at resource level
* `direct_write` - Direct write permissions assigned at resource level
* `direct_owner` - Direct owner permissions assigned at resource level

SharePoint-Specific Permissions:

SharePoint provides 34 granular permissions organized into functional categories:

{% tabs %}
{% tab title="List & Library Permissions" %}

* `View List Items` - View items in lists and document libraries
* `Add List Items` - Add items to lists and document libraries
* `Edit List Items` - Edit items in lists and document libraries
* `Delete List Items` - Delete items from lists and document libraries
* `Approve Items` - Approve minor versions of list items or documents
* `Open Items` - View items in lists, documents in document libraries, view Web discussion comments
* `View Versions` - View past versions of list items or documents
* `Delete Versions` - Delete past versions of list items or documents
* `Cancel Checkout` - Discard or check in documents checked out to other users
* `Manage Personal Views` - Create, change, and delete personal views of lists
* `Manage Lists` - Create and delete lists, add or remove columns, and add or remove public views
* `View Form Pages` - View forms, views, and application pages; enumerate lists
{% endtab %}

{% tab title="Site Permissions" %}

* `Open` - Allows users to open sites, lists, or folders to access items
* `View Pages` - View pages in sites
* `Add And Customize Pages` - Add, change, or delete HTML or Web Part pages
* `Apply Theme And Border` - Apply themes or borders to entire sites
* `Apply Style Sheets` - Apply style sheets to entire sites
* `View Usage Data` - View reports on site usage
* `Create SSC Site` - Create subsites (Self-Service Site Creation)
* `Manage Subwebs` - Create subsites and manage subsite permissions
* `Create Groups` - Create SharePoint groups
* `Manage Permissions` - Create and change permission levels and assign permissions
* `Browse Directories` - Enumerate files and folders in sites using SharePoint Designer
* `Browse User Info` - View information about users of sites
* `Add Del Private Web Parts` - Add or delete personal Web Parts on Web Part pages
* `Update Personal Web Parts` - Update Web Parts to display personalized information
* `Manage Web` - Grants ability to perform site administration tasks and manage content
{% endtab %}

{% tab title="System & Integration" %}

* `Use Remote APIs` - Use SOAP, Web DAV, or SharePoint Designer interfaces
* `Manage Alerts` - Manage alerts for all users of sites
* `Create Alerts` - Create email alerts
* `Edit My User Info` - Allows user to change their own user information
* `Enumerate Permissions` - Enumerate permissions for sites, lists, folders, documents, or list items
* `Use Client Integration` - Use features that launch client applications
{% endtab %}
{% endtabs %}

Azure Enterprise Application Permissions:

When integrated with Azure AD, SharePoint also supports enterprise application permissions for sites and files:

{% tabs %}
{% tab title="Site Access Permissions" %}

* `Office365SharePointOnline.Sites.Read.All` - Read site collections and sites
* `Office365SharePointOnline.Sites.ReadWrite.All` - Read and write site collections and sites
* `Office365SharePointOnline.Sites.FullControl.All` - Full control of site collections and sites
* `Office365SharePointOnline.Sites.Manage.All` - Manage site collections and sites
* `MicrosoftGraph.Sites.Read.All` - Read site collections via Microsoft Graph
* `MicrosoftGraph.Sites.ReadWrite.All` - Read and write sites via Microsoft Graph
* `MicrosoftGraph.Sites.FullControl.All` - Full control of sites via Microsoft Graph
* `MicrosoftGraph.Sites.Manage.All` - Manage sites via Microsoft Graph
* `AllSites.FullControl` - Full control of all sites
* `AllSites.Manage` - Manage all sites
* `AllSites.Write` - Write to all sites
* `AllSites.Read` - Read all sites
* `Sites.FullControl.All` - Full control of all sites (shorter form)
* `Sites.ReadWrite.All` - Read and write all sites (shorter form)
* `Sites.Manage.All` - Manage all sites (shorter form)
* `Sites.Read.All` - Read all sites (shorter form)
{% endtab %}

{% tab title="File & Content Permissions" %}

* `Office365SharePointOnline.Files.ReadWrite.All` - Read and write all files
* `Office365SharePointOnline.Files.ReadWrite.AppFolder` - Read and write app folder files
* `Office365SharePointOnline.Files.Read.All` - Read all files
* `Office365SharePointOnline.Files.Read` - Read user files
* `Office365SharePointOnline.MyFiles.Write` - Write to user's files
* `Office365SharePointOnline.MyFiles.Read` - Read user's files
* `MicrosoftGraph.Files.Read.All` - Read all files via Microsoft Graph
* `MicrosoftGraph.Files.ReadWrite.All` - Read and write all files via Microsoft Graph
* `MicrosoftGraph.Files.ReadWrite.AppFolder` - Read and write app folder files via Microsoft Graph
* `MicrosoftGraph.Files.ReadWrite.Selected` - Read and write selected files via Microsoft Graph
* `MicrosoftGraph.Files.Read.Selected` - Read selected files via Microsoft Graph
* `MicrosoftGraph.Files.ReadWrite` - Read and write user files via Microsoft Graph
* `MicrosoftGraph.Files.Read` - Read user files via Microsoft Graph
* `Files.ReadWrite.All` - Read and write all files (shorter form)
* `Files.Read.All` - Read all files (shorter form)
* `Files.ReadWrite.AppFolder` - Read and write app folder files (shorter form)
* `Files.ReadWrite.Selected` - Read and write selected files (shorter form)
* `Files.Read.Selected` - Read selected files (shorter form)
* `Files.ReadWrite` - Read and write user files (shorter form)
* `Files.Read` - Read user files (shorter form)
{% endtab %}
{% endtabs %}

Permission Inheritance Patterns:

{% hint style="info" %}
SharePoint permissions follow a hierarchical inheritance model. Users can have unique permissions at any level, breaking inheritance from parent objects.
{% endhint %}

<details>

<summary>SharePoint Permission Inheritance Hierarchy</summary>

1. **Tenant Level** - SharePoint Online tenant settings
2. **Site Collection Level** - Individual sites inherit from tenant
3. **Site Level** - Subsites inherit from parent sites
4. **Library/List Level** - Content containers inherit from sites
5. **Item Level** - Individual files/items inherit from containers

Key Points:

* Permissions cascade down the hierarchy by default
* Breaking inheritance creates unique permissions at that level
* Unique permissions override inherited permissions
* Changes to parent permissions don't affect objects with broken inheritance

</details>
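The following Python is an added illustration of the inheritance rules above (it is not Veza's code and does not call any Microsoft API): it models a tenant → site → library → folder → item chain, resolves a principal's effective access into the `inherited_*` / `direct_*` categories listed under Permission Inheritance, and shows why a change on a parent never reaches a child whose inheritance was broken. All resource names, principals and grants are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class Resource:
    """One node in the SharePoint hierarchy (tenant, site, library/list, folder, item).

    `assignments` maps principal -> access level ("read" | "write" | "owner") and is
    only consulted on a node with unique permissions (inheritance broken, or the
    tenant root, which has no parent). Sample data below is constructed.
    """
    name: str
    parent: Optional["Resource"] = None
    inherits_parent_permissions: bool = True
    assignments: Dict[str, str] = field(default_factory=dict)

    def scope(self) -> "Resource":
        """Nearest ancestor-or-self whose permissions are unique.

        Walking up stops at the first node that does not inherit, so anything
        changed above a broken-inheritance node is never seen below it.
        """
        node = self
        while node.inherits_parent_permissions and node.parent is not None:
            node = node.parent
        return node


def scope_label(resource: Resource) -> str:
    """The `scope` value described in the Folders table: "unique" or "inherited"."""
    return "unique" if resource.scope() is resource else "inherited"


def effective_permission(resource: Resource, principal: str) -> Optional[str]:
    """Resolve a principal's access on a resource into the page's categories.

    "direct_<level>" when the grant lives on the resource itself,
    "inherited_<level>" when it comes from an ancestor scope, None for no access.
    """
    scope = resource.scope()
    level = scope.assignments.get(principal)
    if level is None:
        return None
    origin = "direct" if scope is resource else "inherited"
    return f"{origin}_{level}"


def break_inheritance(resource: Resource) -> None:
    """Give a resource unique permissions, seeded with a copy of what it currently
    inherits, so the grants look unchanged until the copy is edited."""
    resource.assignments = dict(resource.scope().assignments)
    resource.inherits_parent_permissions = False


def broken_inheritance_report(resources: Iterable[Resource]) -> List[str]:
    """Names of non-root resources with unique permissions: the places a permission
    review must inspect one by one, because parent changes will not reach them."""
    return [r.name for r in resources
            if r.parent is not None and not r.inherits_parent_permissions]


def build_demo():
    """Constructed chain: tenant -> site -> library -> folder -> item."""
    tenant = Resource("SharePoint Online Tenant", inherits_parent_permissions=False,
                      assignments={"alice": "owner"})
    site = Resource("Finance Site", parent=tenant, inherits_parent_permissions=False,
                    assignments={"alice": "owner", "bob": "write", "finance-team": "read"})
    library = Resource("Documents", parent=site)       # inherits from the site
    folder = Resource("Payroll", parent=library)       # inherits via the library
    item = Resource("salaries.xlsx", parent=folder)    # inherits via the folder
    return tenant, site, library, folder, item


def demo() -> dict:
    """Walk through the four Key Points on a constructed hierarchy."""
    tenant, site, library, folder, item = build_demo()
    principals = ("alice", "bob", "finance-team", "eve", "carol")
    before = {p: effective_permission(item, p) for p in principals}   # cascade
    break_inheritance(folder)               # Payroll now carries unique permissions
    folder.assignments["eve"] = "read"      # grant that exists only at the folder
    del folder.assignments["finance-team"]  # removed here; the site still grants it
    site.assignments["carol"] = "write"     # parent change: reaches Documents, not Payroll
    after = {p: effective_permission(item, p) for p in principals}
    return {
        "before": before,
        "after": after,
        "library_carol": effective_permission(library, "carol"),  # inherited_write
        "folder_eve": effective_permission(folder, "eve"),        # direct_read
        "review": broken_inheritance_report([tenant, site, library, folder, item]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```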

#### Term Store Entities

When the Term Store permissions are configured (see [Expanded Functionality](#expanded-functionality)), Veza discovers SharePoint Term Store administrative access and creates the following graph entities and relationships:

{% @mermaid/diagram content="graph TB
subgraph "Azure AD"
    U[Azure AD Users]
    G[Microsoft 365 Groups]
end

subgraph "SharePoint"
    TS[Term Store]
    TSM[Term Store Membership]

    TSM --> TS
end

%% Cross-Service Connections
U -.->|HAS_MEMBERSHIP| TSM
G -.->|HAS_MEMBERSHIP| TSM" %}

<details>

<summary>Term Store</summary>

Centralized taxonomy management resource that allows administrators to create, organize, and manage metadata across SharePoint sites through terms, term sets, and term groups.

| Attribute              | Notes                                          |
| ---------------------- | ---------------------------------------------- |
| `name`                 | Term Store display name                        |
| `id`                   | Unique Term Store identifier                   |
| `default_language_tag` | Default language for taxonomy terms            |
| `language_tags`        | List of supported languages for the term store |

</details>

<details>

<summary>Term Store Membership</summary>

Administrative relationship nodes that connect Azure AD principals (users and groups) to Term Store administrator roles, representing who has administrative control over the taxonomy management system.

| Attribute        | Notes                                                                                       |
| ---------------- | ------------------------------------------------------------------------------------------- |
| `principal_id`   | Azure AD User or Group identifier                                                           |
| `principal_type` | "AzureADUser" or "AzureADGroup"                                                             |
| `resource_id`    | Term Store identifier this membership applies to                                            |
| `permissions`    | Administrative role (currently "Administrator", may include additional roles in the future) |

</details>

### Expanded Functionality

When granted write-level or admin-level permissions, Veza can gather additional entities and properties. The following table identifies our expanded support and the required permissions:

| Entity / Property           | API Permissions                                                                                              |
| --------------------------- | ------------------------------------------------------------------------------------------------------------ |
| Sharing Capability          | Microsoft Graph: `SharePointTenantSettings.Read.All`                                                         |
| SharePoint Site Permissions | <p>Microsoft Graph: <code>Sites.FullControl.All</code><br>SharePoint: <code>Sites.FullControl.All</code></p> |
| SharePoint List Permissions | SharePoint: `Sites.FullControl.All`                                                                          |
| SharePoint Role Assignments | SharePoint: `Sites.FullControl.All`                                                                          |
| Term Store Permissions      | SharePoint: `http://sharepoint/taxonomy` (Read)                                                              |

#### Additional Entities

<details>

<summary>SharePoint Roles</summary>

Role definitions that define sets of granular permissions for SharePoint sites, lists, and libraries.

| Attribute     | Notes                                                   |
| ------------- | ------------------------------------------------------- |
| `name`        | Role name (e.g., "Full Control", "Design", "Edit")      |
| `description` | Description of the role's purpose and scope             |
| `hidden`      | Boolean indicating if role is hidden from UI            |
| `permissions` | List of granular SharePoint permissions granted by role |

Common SharePoint roles include:

* **Full Control** - Complete administrative access
* **Design** - Create lists, libraries, and pages
* **Edit** - Add, edit, and delete items and documents
* **Contribute** - Add, edit, and delete items
* **Read** - View-only access to sites and content

</details>

<details>

<summary>SharePoint Role Assignments</summary>

Connections between principals (users/groups) and roles on specific SharePoint resources, enabling granular permission tracking.

| Attribute                   | Notes                                                      |
| --------------------------- | ---------------------------------------------------------- |
| `permissions`               | List of specific permissions granted by this assignment    |
| `sharepoint_global_user_id` | SharePoint user login name for cross-service correlation   |
| `principal_type`            | Type of principal: User, SecurityGroup, or SharePointGroup |
| `role_name`                 | Name of the role being assigned                            |

Role assignments connect:

* SharePoint Users → Roles → Resources (Sites, Libraries, Lists, Folders)
* SharePoint Groups → Roles → Resources
* Azure AD Users → Roles → Resources (via cross-service connection)
* Azure AD Groups → Roles → Resources (via cross-service connection)

</details>

<details>

<summary>SharePoint Grouped Resources</summary>

Performance optimization entities that group multiple resources sharing identical permission patterns, reducing graph complexity for large SharePoint environments.

| Attribute       | Notes                                                 |
| --------------- | ----------------------------------------------------- |
| `resource_type` | Type of resources being grouped (Site, Library, etc.) |
| `tenant_id`     | Azure tenant identifier                               |
| `site_id`       | SharePoint site identifier                            |

Grouped Resources improve performance by:

* Consolidating identical permission patterns across multiple resources
* Reducing the number of direct permission edges in large environments
* Maintaining accurate permission representation while optimizing query performance

When multiple SharePoint resources (folders, libraries, etc.) have identical permission assignments, Veza creates a Grouped Resource node that represents the shared permission pattern, then connects individual resources to this grouped node rather than creating duplicate permission edges.

</details>

Enabling List and Site Permissions will create distinct Permission nodes connecting principal-type entities such as users to SharePoint Site and List entities.

Sharing Capability is a property on the tenant-level `SharePoint Online` Server entity indicating the maximum-permitted sharing setting for sharable objects within the tenant; an individual site can be configured more restrictively than the tenant value, but not more permissively. The values, from least to most permissive, are:

| Value                           | Description                                                                                  |
| ------------------------------- | -------------------------------------------------------------------------------------------- |
| disabled                        | Users can share only with people in the organization; no external sharing is allowed.        |
| existingExternalUserSharingOnly | Users can share only with guests who already exist in the organization directory.           |
| externalUserSharingOnly         | Users can share with new and existing guests; guests must sign in or use a verification code. |
| externalUserAndGuestSharing     | Users can share with anyone, including "Anyone" links that require no sign-in.              |

{% hint style="warning" %}
Sharing capability is not currently provided for child Sites and Libraries due to Microsoft API limitations.
{% endhint %}

Term Store Permissions enable Veza to discover SharePoint Term Store administrators and their access relationships. Term Store is a centralized taxonomy management system that allows administrators to create, organize, and manage metadata across SharePoint sites through terms (categories, tags, or keywords) grouped into term sets.

Veza discovers Term Store administrative access for:

* Azure AD Users
* Microsoft 365 Groups (Azure AD Groups)

{% hint style="info" %}
Only Term Store and corresponding admins are supported (term sets are not included). Security groups are not supported due to SharePoint API limitations.
{% endhint %}

Additional Setup Requirements for Term Store:

{% hint style="warning" %}
Prerequisites: You must have an existing [Azure integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md) configured before proceeding with Term Store setup.
{% endhint %}

Term Store discovery requires additional configuration beyond the standard Azure app registration.

Step 1: Configure SharePoint App Permissions

Follow these steps to register your existing Azure app with SharePoint and grant it the additional taxonomy permissions needed for Term Store discovery:

1. Navigate to `https://<your-organization>-admin.sharepoint.com/_layouts/15/appinv.aspx`
2. In the App Id field, paste the Client ID from the app registration you're currently using for SharePoint
3. Click Lookup to auto-populate the form fields
4. If the App Domain and Redirect URL fields are empty, enter:

   * App Domain: `localhost`
   * Redirect URL: `https://localhost/`

   These values are not used for Entra ID Apps but are required fields.
5. In the Permission Request XML field, paste the complete XML below to grant necessary permissions:

   ```xml
   <AppPermissionRequests AllowAppOnlyPolicy="true">
       <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Read" />
       <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
       <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
   </AppPermissionRequests>
   ```
6. Click Create
7. When prompted, click Trust It to grant the permissions.

{% hint style="success" %}
After trusting the app, you should be redirected to the SharePoint home page, indicating successful registration.
{% endhint %}

Step 2: Configure PowerShell Settings

This step is required to prevent "Token Type Not Allowed" errors. The tenant property `DisableCustomAppAuthentication` is `True` by default on newly created tenants, which blocks the ACS-based app-only authentication that Term Store access relies on. Note that setting it to `False` re-enables that legacy authentication path for the whole tenant, not only for the Veza app registration, so record the current value before changing it and review the change with whoever owns tenant security settings.

{% hint style="info" %}
The commands below must be run on a Windows machine. The SharePoint Online Management Shell module is supported only on Windows; PowerShell on Linux or macOS cannot run the required commands.
{% endhint %}

PowerShell Configuration Steps:

* [ ] Install the SharePoint Online Management Shell module
* [ ] Connect to your SharePoint Online tenant
* [ ] Disable custom app authentication restriction
* [ ] Verify the setting was applied

<details>

<summary>Detailed PowerShell Commands</summary>

1. Install the SharePoint Online Management Shell module:

   ```powershell
   Install-Module -Name Microsoft.Online.SharePoint.PowerShell
   ```
2. Connect to your SharePoint Online tenant:

   ```powershell
   $orgName="your-organization-name"  # Replace with your organization name
   Connect-SPOService -Url https://$orgName-admin.sharepoint.com
   ```

   You will be prompted to enter credentials. Use an account with SharePoint Administrator permissions.
3. Disable the custom app authentication restriction:

   ```powershell
   Set-SPOTenant -DisableCustomAppAuthentication $false
   ```
4. Verify the setting was applied:

   ```powershell
   Get-SPOTenant | Select-Object DisableCustomAppAuthentication
   ```

{% hint style="success" %}
The value should be `False`, confirming that custom app authentication is now enabled.
{% endhint %}

</details>
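The script below is an added example that is not part of the Veza documentation or Veza's own tooling. It ties together the Sharing Capability property described earlier and the PowerShell procedure above: it connects to the SharePoint admin endpoint, records the tenant's `DisableCustomAppAuthentication` and `SharingCapability` values before touching anything, re-enables custom app authentication only when the `-EnableCustomAppAuth` switch is given and verifies the result, and then enumerates the per-site sharing level (which Veza does not currently report because of the Microsoft API limitation) to flag sites that allow "Anyone" links. It assumes the `Microsoft.Online.SharePoint.PowerShell` module is installed, that you run it on Windows, and that the signed-in account is a SharePoint Administrator; `-OrgName` is the tenant name, for example `contoso` for `contoso-admin.sharepoint.com`.

```powershell
# Added example (not Veza's code): audit and optionally change the two tenant
# settings this page depends on, then list per-site sharing levels.
# Assumes: Microsoft.Online.SharePoint.PowerShell installed, Windows,
# and a SharePoint Administrator account.
param(
    [Parameter(Mandatory = $true)]
    [string]$OrgName,               # tenant name, e.g. "contoso"
    [switch]$EnableCustomAppAuth    # only change the tenant when explicitly requested
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

$adminUrl = "https://$OrgName-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl   # interactive sign-in

# Record the state before any change so it can be reverted and audited.
$before = Get-SPOTenant | Select-Object DisableCustomAppAuthentication, SharingCapability
Write-Host "Tenant before: DisableCustomAppAuthentication=$($before.DisableCustomAppAuthentication); SharingCapability=$($before.SharingCapability)"

if ($EnableCustomAppAuth -and $before.DisableCustomAppAuthentication) {
    # $false re-enables ACS-based app-only tokens for the whole tenant; this is
    # the setting behind the "Token Type Not Allowed" error.
    Set-SPOTenant -DisableCustomAppAuthentication $false
    $after = (Get-SPOTenant).DisableCustomAppAuthentication
    if ($after) { throw "DisableCustomAppAuthentication is still True; change did not apply" }
    Write-Host "DisableCustomAppAuthentication is now False (custom app authentication enabled)"
} elseif ($EnableCustomAppAuth) {
    Write-Host "Custom app authentication was already enabled; nothing changed"
}

# Per-site sharing level. -Detailed requests the full property set; this is
# slower on large tenants but guarantees SharingCapability is populated.
$sites  = Get-SPOSite -Limit All -Detailed | Select-Object Url, SharingCapability
$anyone = @($sites | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' })

$sites | Sort-Object SharingCapability, Url | Format-Table -AutoSize
Write-Host "$($anyone.Count) site(s) allow 'Anyone' (no sign-in) links:"
$anyone | ForEach-Object { Write-Host "    $($_.Url)" }
```

Run it once without `-EnableCustomAppAuth` to see the current values, then again with the switch to make the change. To revert after Term Store discovery is no longer needed, run `Set-SPOTenant -DisableCustomAppAuthentication $true` and confirm with `Get-SPOTenant | Select-Object DisableCustomAppAuthentication`.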

Additional Resources:

* [SharePoint add-in permissions](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint)
* [Register SharePoint add-ins using AppRegNew.aspx](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/register-sharepoint-add-ins#to-register-by-using-appregnewaspx)

{% hint style="danger" %}
Important: Term Store support is currently available but depends on Azure Access Control service, which Microsoft will retire on April 2, 2026. Future availability depends on Microsoft providing alternative authentication methods.
{% endhint %}
