
# Client Secret Authentication

> Set up SharePoint connector using client secret authentication

## Client Secret Authentication

Client secret authentication uses a standard Azure App Registration together with a client secret (Application (client) ID, Directory (tenant) ID and the secret value) to connect to SharePoint.
This method is suitable for most basic SharePoint integrations.

**Note:** Permission sync is not available with client secret authentication.
Use [certificate-based authentication](/admins/connectors/official/sharepoint/certificate)
if you need permission sync functionality.

## Setting up

### Step 1: Create Azure App Registration

More detailed instructions can be found following the video below.

<Steps>
  <Step title="Open Azure Portal">
    Log in to [Azure Portal](https://portal.azure.com/#home) for your organization.
  </Step>

  <Step title="Open App registrations">
    Navigate to "App registrations" using the search bar.
  </Step>

  <Step title="Create registration">
    Click **New Registration**.
  </Step>

  <Step title="Name and register app">
    Name it something like "Onyx SharePoint Connector", leave everything else as default, and click **Register**.
  </Step>

  <Step title="Save IDs">
    Under "Essentials" in the overview tab, you will find the **Application (client) ID** and **Directory (tenant) ID**.
    Save those for later.
  </Step>
</Steps>

### Step 2: Create Client Secret

<Steps>
  <Step title="Open Certificates & secrets">
    Navigate to the "Certificates & secrets" tab in Azure Portal.
  </Step>

  <Step title="Create secret">
    Click **New client secret**.
  </Step>

  <Step title="Set expiration">
    Fill out the description, set the expiration to 24 months, and click **Add**.
    Note the expiry date: the connector stops authenticating once the secret expires, so plan to rotate it before then.
  </Step>

  <Step title="Copy secret value">
    Copy the secret value in the **Value** column for later.
  </Step>
</Steps>

**Important:** Copy the secret value immediately. It is shown only once and cannot be retrieved later; if it is lost, you must create a new secret. Store it in a secrets manager rather than in a ticket, wiki or chat.

### Step 3: Configure API Permissions

Two separate API permissions are required:

| Permission              | Provider        | Type        | Purpose                                       |
| ----------------------- | --------------- | ----------- | --------------------------------------------- |
| `Sites.Read.All`        | Microsoft Graph | Application | Read documents and site pages                 |
| `Sites.FullControl.All` | SharePoint      | Application | Read document role assignments during pruning |

<Note>
  Despite its name, `Sites.FullControl.All` is used read-only by Onyx. No write operations are performed.
  The grant itself is still full control over every site in the tenant for anyone holding this app's client secret, so protect the secret accordingly.
</Note>

<Steps>
  <Step title="Open API Permissions">
    Navigate to the "API Permissions" tab in the Azure Portal.
  </Step>

  <Step title="Add Microsoft Graph permission">
    Click **Add a permission** → **Microsoft Graph** → **Application permissions**.

    Navigate to the "Sites" permission group and select **Sites.Read.All**.

    * *Advanced:* To limit the sites this app can read through Microsoft Graph, select **Sites.Selected** instead.
      If you do, you must grant the app you are registering access to each site you want to index (see below).
      This scopes only the Microsoft Graph permission; the SharePoint `Sites.FullControl.All` permission added in the next step is not limited by it.

    <Accordion title="How to grant site-specific access">
      If you selected **Sites.Selected**, you need to grant your app **read** access to each site you want to index.

      The steps below use [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer),
      but you can also grant site permissions using:

      * [PnP PowerShell](https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html) (`Grant-PnPAzureADAppSitePermission` cmdlet)
      * [Resource Specific Consent guide](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online)

      To use Graph Explorer, complete these steps:

      <Steps>
        <Step title="Sign in">
          Sign in with a **Global Admin** or **SharePoint Admin** account.
        </Step>

        <Step title="Consent to permissions">
          Click your profile icon → **Consent to permissions** → enable **Sites.FullControl.All**.
          This grants Graph Explorer (not your Onyx app) permission to manage site access.
        </Step>

        <Step title="Get the site ID">
          Run a **GET** request, replacing `{tenant}` and `YourSiteName`:

          ```
          GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/YourSiteName?$select=id
          ```

          Copy the `id` from the response (format: `contoso.sharepoint.com,guid1,guid2`).
        </Step>

        <Step title="Grant Read permission">
          Change the method to **POST**:

          ```
          POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
          ```

          Request body:

          ```json
          {
            "roles": ["read"],
            "grantedToIdentitiesV2": [{
              "application": {
                "id": "<Onyx App Client ID>",
                "displayName": "Onyx SharePoint Connector"
              }
            }]
          }
          ```
        </Step>

        <Step title="Verify">
          Change the method to **GET**:

          ```
          GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
          ```

          Confirm `"roles": ["read"]` appears for the Onyx app.
        </Step>
      </Steps>

      Repeat steps 3–5 for each site you want to index.
    </Accordion>

    Click **Add permissions**.
  </Step>

  <Step title="Add SharePoint permission">
    Click **Add a permission** again → **SharePoint** → **Application permissions**.

    Navigate to the "Sites" permission group and select **Sites.FullControl.All**.

    Click **Add permissions**.
  </Step>

  <Step title="Grant admin consent">
    Click **Grant admin consent for \<Organization name>** (located next to **Add a permission**)
    and click **Confirm**.
  </Step>
</Steps>
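The Graph Explorer steps above grant one site at a time. The following script is an added example (not Onyx code) that does the same three calls (resolve the site ID, POST the `read` grant, GET the permissions back to verify) for a list of sites, and skips the POST when the app already holds `read`, because Graph will happily create a duplicate grant otherwise. It assumes a delegated Microsoft Graph token for an admin who consented to `Sites.FullControl.All` in Graph Explorer (the `GRAPH_TOKEN` environment variable) and the Onyx app's client ID in `ONYX_APP_ID`; the site URLs, site IDs and the `FakeGraph` class are constructed so the flow can be exercised offline.

```python
"""Added example (not Onyx code): grant the Onyx app `read` on a list of
SharePoint sites when Sites.Selected is used, then verify it, without creating
duplicate grants. Assumes a delegated Microsoft Graph token for an admin with
Sites.FullControl.All (the same rights the Graph Explorer steps use) in the
GRAPH_TOKEN environment variable; site URLs and IDs below are constructed."""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

GRAPH = "https://graph.microsoft.com/v1.0"


def http_transport(token):
    """Return send(method, url, body) -> (status, json) backed by urllib."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


def resolve_site_id(send, site_url):
    """https://contoso.sharepoint.com/sites/HR -> Graph site ID (host,guid,guid)."""
    u = urlparse(site_url)
    status, body = send("GET", f"{GRAPH}/sites/{u.netloc}:{u.path.rstrip('/')}?$select=id")
    if status != 200:
        raise RuntimeError(f"site lookup failed for {site_url}: {status} {body}")
    return body["id"]


def app_roles(send, site_id, app_id):
    """Roles already granted to the app on this site (the 'Verify' step)."""
    status, body = send("GET", f"{GRAPH}/sites/{site_id}/permissions")
    if status != 200:
        raise RuntimeError(f"listing permissions failed on {site_id}: {status} {body}")
    roles = set()
    for perm in body.get("value", []):
        for ident in perm.get("grantedToIdentitiesV2", []):
            if ident.get("application", {}).get("id") == app_id:
                roles.update(perm.get("roles", []))
    return sorted(roles)


def grant_read(send, site_id, app_id, display_name):
    """The 'Grant Read permission' POST from the steps above."""
    body = {"roles": ["read"],
            "grantedToIdentitiesV2": [{"application": {"id": app_id,
                                                        "displayName": display_name}}]}
    status, resp = send("POST", f"{GRAPH}/sites/{site_id}/permissions", body)
    if status not in (200, 201):
        raise RuntimeError(f"grant failed on {site_id}: {status} {resp}")


def ensure_read_access(send, site_urls, app_id, display_name="Onyx SharePoint Connector"):
    """Grant read only where it is missing and return the roles the app
    holds on each site afterwards, so the output doubles as the verification."""
    result = {}
    for url in site_urls:
        site_id = resolve_site_id(send, url)
        if "read" not in app_roles(send, site_id, app_id):
            grant_read(send, site_id, app_id, display_name)
        result[url] = app_roles(send, site_id, app_id)
    return result


class FakeGraph:
    """Constructed in-memory stand-in for the two Graph endpoints used above,
    so the flow can be exercised offline; not a real tenant."""
    def __init__(self, sites):
        self.sites = sites                       # "host:/sites/Name" -> site ID
        self.perms = {sid: [] for sid in sites.values()}

    def __call__(self, method, url, body=None):
        path = url[len(GRAPH):]
        if path.endswith("?$select=id"):
            sid = self.sites.get(path[len("/sites/"):-len("?$select=id")])
            return (200, {"id": sid}) if sid else (404, {"error": {"code": "itemNotFound"}})
        sid = path.split("/")[2]
        if method == "POST":
            self.perms[sid].append(body)
            return 201, body
        return 200, {"value": self.perms[sid]}


if __name__ == "__main__":
    send = http_transport(os.environ["GRAPH_TOKEN"])
    sites = ["https://contoso.sharepoint.com/sites/HR"]  # constructed example list
    print(ensure_read_access(send, sites, os.environ["ONYX_APP_ID"]))
```

Run it once per batch of sites; because it checks the existing grants first, re-running it after adding sites to the list only touches the new ones. A `RuntimeError` on the lookup usually means the signed-in admin cannot see the site or the URL path is wrong, not that the grant failed.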

### Step 4: Configure in Onyx

<Steps>
  <Step title="Open SharePoint connector">
    Navigate to the Onyx Admin Panel and select the **SharePoint** Connector.
  </Step>

  <Step title="Create Client Secret credential">
    Click **Create New** credential and select the **Client Secret** tab.
  </Step>

  <Step title="Enter credential details">
    * **Application (client) ID** from Step 1
    * **Directory (tenant) ID** from Step 1
    * **Client Secret Value** from Step 2
  </Step>

  <Step title="Save credentials">
    Click **Create** to save your credentials.
  </Step>
</Steps>
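Before the three values go into Onyx it is worth proving, outside Onyx, that the secret works and that admin consent actually took effect. The script below is an added example (not Onyx code): it requests a Microsoft Graph token with the client-credentials grant, which is the same grant the connector uses, and reads the token's `roles` claim, where consented application permissions appear. It assumes the tenant ID, client ID and secret in `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET`; `make_sample_token` builds a constructed, unsigned token of the same shape so the claim check can be run offline. The Graph token does not carry the SharePoint-resource `Sites.FullControl.All` permission, so only `Sites.Read.All` is checked here.

```python
"""Added example (not Onyx code): prove the client secret works and that admin
consent covers Sites.Read.All by requesting a Graph token with the
client-credentials grant and inspecting its `roles` claim. Credentials come
from environment variables; sample tokens are constructed, not issued by Entra."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

REQUIRED_GRAPH_ROLES = {"Sites.Read.All"}   # from the permissions table above


def request_graph_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the v2.0 token endpoint of the tenant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(url, data=form)   # POST, form-encoded body
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())["access_token"]


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Decode the payload of a JWT we just received over TLS from the issuer.
    The signature is deliberately NOT checked: this inspects our own token,
    it is not validation of a token presented by someone else."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_graph_roles(token, required=REQUIRED_GRAPH_ROLES, now=None):
    """Return {'missing': [...], 'granted': [...], 'expires_in': seconds}.
    An empty 'missing' list means admin consent covers what Onyx needs."""
    claims = token_claims(token)
    granted = set(claims.get("roles", []))   # app roles = consented application permissions
    now = time.time() if now is None else now
    return {
        "missing": sorted(required - granted),
        "granted": sorted(granted),
        "expires_in": int(claims.get("exp", 0) - now),
    }


def make_sample_token(roles, exp):
    """Constructed unsigned JWT with the shape of an Entra access token,
    for offline demonstration only (alg 'none', empty signature)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"typ": "JWT", "alg": "none"})
    payload = seg({"aud": "https://graph.microsoft.com", "roles": roles, "exp": exp})
    return f"{header}.{payload}."


if __name__ == "__main__":
    token = request_graph_token(os.environ["AZURE_TENANT_ID"],
                                os.environ["AZURE_CLIENT_ID"],
                                os.environ["AZURE_CLIENT_SECRET"])
    print(check_graph_roles(token))
```

An `invalid_client` error from the token endpoint means the secret value (not its ID) was pasted wrongly or has expired; a token that comes back with `Sites.Read.All` in `missing` means the permission was added but admin consent was not granted (or was granted for a different tenant than the one in `AZURE_TENANT_ID`).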

For permission sync capabilities,
consider using [certificate-based authentication](/admins/connectors/official/sharepoint/certificate).
