SharePoint Connector
The SharePoint connector syncs documents from a Microsoft SharePoint Online site's default document library into a Knowledge base, so an AI Employee (AIE) can search and cite that content in its answers. It reaches SharePoint through the Microsoft Graph API and supports two authentication modes: an app (client-credentials) mode using an Azure AD app registration, and a delegated (user-consent) OAuth2 mode where you sign in with your Microsoft account. The connection form defaults to App mode.
You set up a SharePoint connection from the Data sources tab of the Integrations page. Creating a connection is admin-only — builders never see credentials; they reference the resulting Knowledge base when configuring a workflow.
What it ingests
The connector lists the SharePoint site's default document library, walking every subfolder recursively, and ingests each file it finds. Folders are traversed; the files inside them are downloaded and sent through the shared ingestion pipeline (extract → chunk → embed → store) described in Data Connectors.
For each file the connector captures its Graph driveItem ID, name, folder path, MIME type, size, and the source eTag (used for incremental sync). Only file types the pipeline can extract are processed — see Limits. Files in subfolders the authenticating identity can't access are skipped rather than failing the whole sync: a 403 on a child folder is logged and skipped, while a 403 at the site root surfaces a clear "does not have access" error.
How to connect
Open the Data sources tab, select the SharePoint tile, and choose an authentication mode. Both modes ask for a connection name and an optional description.
App mode (Azure AD client credentials)
App mode authenticates as an Azure AD app registration using the client-credentials flow — no interactive sign-in. The setup form collects:
| Field | What it is |
|---|---|
| Connection name | A display name for this connection. |
| Description | Optional note. |
| Site URL | The SharePoint site to ingest, e.g. https://contoso.sharepoint.com/sites/engineering. Must contain .sharepoint.com and a /sites/ path. |
| Tenant ID | The Azure AD Directory (tenant) ID. |
| Client ID | The Azure AD Application (client) ID. |
| Client secret | The app registration's client secret value (stored encrypted). |
To produce those credentials, the in-product setup guide walks you through Azure:
- In the Azure portal, go to Microsoft Entra ID → App registrations → New registration. Name it (for example, "Ema SharePoint Connector") and choose single-tenant.
- On the app Overview page, copy the Directory (tenant) ID and Application (client) ID.
- Under API permissions, add Microsoft Graph → Application permissions for
Sites.Read.AllandFiles.Read.All, then Grant admin consent (requires admin rights). - Under Certificates & secrets, create a new client secret and copy its Value immediately — it is shown only once.
Paste the four values into the form and select Create connection. The connector resolves the site and its default drive to validate the credentials before the connection is stored.
Delegated mode (sign in with Microsoft)
Delegated mode uses the OAuth2 authorization-code flow: you sign in with your Microsoft account and consent to read access — no service principal or admin consent step is required up front. This mode is available only when SharePoint OAuth2 is configured on your Ema platform; the form disables it and shows a notice when it isn't.
To connect:
- Select Sign in with Microsoft mode, enter a connection name and the Site URL to sync from.
- Select Connect with Microsoft. Ema redirects you to
login.microsoftonline.comwith a signed state parameter for CSRF protection. - Approve the requested scopes:
Files.Read.All,Sites.Read.All, andoffline_access. - Microsoft redirects back to Ema's callback, which exchanges the one-time code for an access and refresh token, runs a live test against the site, and stores the tokens encrypted.
- The Data sources tab shows a success banner and the new connection appears in the list.
Token refresh. In delegated mode Ema stamps the token's real expiry at connect time and refreshes it automatically with the stored refresh token before each sync, so connections stay live without manual re-authentication.
Sync configuration
Scope and schedule are set on the Knowledge base built from the connection, not on the connection itself. One connection can feed several Knowledge bases, each scoped to different folders.
Folder scope
By default the connector lists the entire default document library. To narrow it, set one or more folder URLs in the Knowledge base's Folder scope card. Paste the SharePoint URL of a folder as it appears in your browser's address bar — Ema normalizes it to a relative drive path, handling URL-encoding and SharePoint view URLs (the .../Forms/AllItems.aspx form, including a RootFolder query parameter) automatically. Only files whose path falls under one of the supplied folders are ingested.
Schedule
In the Knowledge base's Sync configuration, set:
- Sync enabled — turn syncing on or off.
- Schedule — Interval (sync automatically) or Manual (only on demand). For interval, set the interval in minutes.
- Sync now — trigger a one-off sync at any time.
Syncs are incremental: the connector compares each file's eTag against the stored content hash and skips unchanged files, so re-syncs only process what changed. The page shows the last and next sync times.
Limits and behavior
- Scope is one site's default document library. The connector ingests the site you point it at, not the whole tenant or other libraries on the site.
- Supported file types only. Extractable types are PDF; Word, Excel, and PowerPoint (
.docx,.xlsx,.pptx); plain text, Markdown, CSV, HTML, and JSON; and images (.png,.jpg,.webp,.gif) read via a vision model. Other types are counted as unsupported and skipped. - Read-only. Both modes request read scopes only — the connector never writes back to SharePoint.
- Partial access is tolerated. Subfolders the identity can't read are skipped with a warning; the sync continues for everything else.
- Rate limits from Graph (HTTP 429/503) are retried with
Retry-Afterback-off, capped at five minutes per wait, up to three attempts.
What's next
- Data Connectors — the connection model, the ingestion pipeline, and how connectors compare to Tools.
- Google Drive Connector, Confluence Connector, Box Connector — the other source connectors.