Setup · SharePoint + OneDrive
Wire SharePoint and OneDrive to your Fidelic agent
How the agent reads SharePoint sites and OneDrive folders for knowledge search, contract review, and grounding answers in your team's documents.
Prerequisites
- SharePoint Online or OneDrive for Business enabled in the tenant
- Sites.Selected Microsoft Graph permission grantable by a Global Administrator (least-privilege model — the agent reads only the sites the admin explicitly grants)
- List of SharePoint sites or OneDrive folders the agent should reach (knowledge bases, contract folders, policy libraries)
Permissions requested
- Sites.Selected — read SharePoint sites the admin explicitly authorizes (preferred over Sites.Read.All)
- Files.Read.Selected — read OneDrive folders the admin explicitly authorizes
- User.Read — read user profile for personalized search ranking
Step-by-step
1. Choose the sites and folders the agent reads
Decide which SharePoint sites and OneDrive folders the agent needs. Common picks: a Knowledge SharePoint site for the knowledge agent; a Contracts library for contract review; a Sales SharePoint for deal collateral. Make a list with the site URLs and folder paths.
2. Grant Sites.Selected
In Microsoft Entra admin center, open the Fidelic app registration, add the Sites.Selected and Files.Read.Selected Microsoft Graph permissions, and grant tenant-wide consent. Sites.Selected is the least-privilege choice — it does not give the agent any sites by default.
3. Authorize each site individually
From the SharePoint admin center or via PnP PowerShell, run Grant-PnPAzureADAppSitePermission for each site you want the agent to read. The cmdlet binds the Fidelic app to that specific site at the Read role. Repeat per site — the per-site grant is the security boundary.
4. Index and verify
From the Fidelic console, run an initial index of the authorized sites. The agent reads page titles, headers, and body text to build a search index inside its sandboxed Anthropic project. The index updates incrementally as content changes.
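A scripted form of step 3, added here as an example and not part of Fidelic's own documentation: it grants Read per site from an explicit allowlist, then checks that each site's grant carries no role beyond read. The app ID, display name and site URLs are placeholders, and the Roles property read from the returned grant objects is an assumption about PnP PowerShell's output shape.

```powershell
# Added example. Placeholder and sample values are constructed; replace with your own.
$AppId       = '00000000-0000-0000-0000-000000000000'  # placeholder: client ID of the Fidelic app registration
$DisplayName = 'Fidelic'                               # label stored on each grant (assumed name)
$Sites = @(                                            # the list from step 1 (sample URLs)
    'https://contoso.sharepoint.com/sites/Knowledge',
    'https://contoso.sharepoint.com/sites/Contracts'
)

$report = foreach ($site in $Sites) {
    # Recent PnP.PowerShell releases also need -ClientId for interactive sign-in.
    Connect-PnPOnline -Url $site -Interactive

    # Look for an existing grant to this app so reruns do not stack duplicates.
    $grants = @(Get-PnPAzureADAppSitePermission -Site $site -AppIdentity $AppId)
    if ($grants.Count -eq 0) {
        Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $DisplayName `
            -Site $site -Permissions Read | Out-Null
        $grants = @(Get-PnPAzureADAppSitePermission -Site $site -AppIdentity $AppId)
    }

    # Flag any role other than read: the per-site grant is the boundary,
    # so it should never be wider than the Read role named in step 3.
    $roles  = @($grants | ForEach-Object { $_.Roles })
    $excess = @($roles | Where-Object { $_ -ne 'read' })

    [pscustomobject]@{
        Site     = $site
        Roles    = $roles -join ','
        ReadOnly = ($roles.Count -gt 0 -and $excess.Count -eq 0)
    }
}

$report | Format-Table -AutoSize

# Fail the run if any site ended up without a grant or with more than read.
$bad = @($report | Where-Object { -not $_.ReadOnly })
if ($bad.Count -gt 0) {
    throw "Review grants on: $($bad.Site -join ', ')"
}
```

Keeping the site list in version control gives a reviewable record of what the agent is allowed to read; rerunning the script reports any site whose grant has drifted from read.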
How to verify it worked
@-mention the agent in a Teams channel and ask a question whose answer lives in one of the authorized SharePoint sites. The agent replies with a direct quote and a link back to the source page. The Microsoft 365 audit log shows the read under SharePointFileOperation → the Fidelic app principal.
Gotchas
Sites.Read.All vs Sites.Selected. The earlier, broader Sites.Read.All scope reads every site in the tenant — don't grant it. Sites.Selected is the auditable, per-site path; the extra setup is worth the security posture.
Sensitivity labels. Files protected with Microsoft Information Protection labels that block external apps cannot be read. The agent skips them and surfaces the skip in its source attribution — the team sees both what it found and what was protected.
Personal OneDrive. The agent does not read users' personal OneDrive folders by default — only the OneDrive for Business folders the admin explicitly shares. Document a clear policy with the team before adding personal folders.
For the IT admin
Audit trail. Each file read is logged in the Microsoft 365 unified audit log under FileAccessed events keyed to the Fidelic app principal. The Source page link the agent posts back in Teams resolves through the audit log so the team can confirm what was read.
Revocation. Revoke per-site by running Revoke-PnPAzureADAppSitePermission. Revoke tenant-wide by removing the Sites.Selected scope from the Fidelic Entra app registration. The agent's index inside the Anthropic project ages out within hours after access is revoked.