Close Menu
Subscribe to Newsletter
Free Money
HOT TOPICS
Artificial Intelligence (AI) News

Connecting Amazon Q Business to Microsoft SharePoint Online using least privilege access control

neznew.comBy 008 Mins Read

Amazon Q Business is a generative artificial intelligence (AI) assistant that provides company knowledge and data to employees. Many organizations use Microsoft SharePoint Online as a place to securely store, organize, share, and access their company data. With generative AI, employees can get answers to their questions, summarize content, and generate insights from data stored in SharePoint Online. Amazon Q Business Connectors allow you to connect your SharePoint Online data to your Amazon Q Business application and instantly get insights from your data.

In this post, we explain how to use Amazon Q Business with SharePoint Online as a data source to provide answers, generate summaries, and present insights using least privilege access control and best practices recommended by the Microsoft SharePoint development support team.

Solution overview

In this post, we will set up an Amazon Q Business application that connects to a SharePoint Online site using the out-of-the-box Amazon Q Business Connector. Sites.Selected Application permission scope. Sites.Selected Permissions are important because many organizations implement policies that don’t allow read access to all sites (Sites.Read.All) or Full Control (Sites.FullControl.All) to any connector.

This solution approach respects users’ existing identities, roles, and permissions by enabling identity crawling and access control lists (ACLs) in the Amazon Q Business connector for SharePoint Online using secure credentials provided by AWS Secrets Manager. If a user does not have permission to access certain data without Amazon Q Business, they cannot access that data using Amazon Q Business. Only data that a user has access to is used to support user queries.

Prerequisites

The following prerequisites are required to deploy the solution:

  • An AWS account with an AWS Identity and Access Management (IAM) role and user with permissions to create and manage the resources and components required by your application. If you don’t have an AWS account, see How do I create and activate a new Amazon Web Services account?
  • An Amazon Q Business application. If you haven’t already set one up, see Creating an Amazon Q Business Application Environment.
  • To create and publish an application using the steps outlined in this post, you will need a Microsoft account and a SharePoint Online subscription, if you do not have these, contact your organization’s administrator to create a sandbox for your experimentation, or create a new account and trial subscription as necessary to complete the steps.
  • Microsoft Entra ID Application Sites.FullControl Application level permissions, client ID, and client secret. This application is not used by the Amazon Q Business connector, but Sites.Selected Grant permissions only to the targeted application.

Register a new app in the Microsoft Azure portal

To register a new app in the Microsoft Azure portal, follow these steps:

  1. Log in to the Azure portal with your Microsoft account.
  2. choose sign up.
    1. for nameIn the Application Name field, enter the name of your application. TargetAppAmazon Q Business Applications TargetApp Connects to a SharePoint Online site to crawl and index the data.
    2. for Who can use this application or access this API?choose Only accounts in this organizational directory (<テナント名> only – single tenant).
    3. choose register.
  3. Note down the Application (client) ID and the Directory (tenant) ID. overview You will need it later if you need it TargetApp-ClientId and TenantId.
  4. choose API Permissions under management In the navigation pane.
  5. choose Adding permissions Allows the application to read data in your organization’s directory about the signed-in user.
    1. choose Microsoft Graph.
    2. choose Delegated authority.
    3. choose User.Read.All from user section.
    4. choose GroupMember.Read.All from Group Members section.
    5. choose Sites.Selected from site section.
    6. choose Adding permissions.
  6. In the options menu (three dots), Remove Permissions.
  7. Delete the original User.Read – Delegated permission.
  8. choose Grant admin consent for Default Directory.

Registering the app and setting permissions

  1. choose Certificates and Secrets In the navigation pane.
  2. choose New client secret.
    1. for explanationand enter a description.
    2. Please select a value ExpiredPlease note that in a production environment, you should manually rotate secrets before they expire.
    3. choose addition.
    4. Make a note of the new secret value, you will need it later when asked for the client secret (TargetApp-ClientSecret).
  3. Select options Owner Add owners for the application. Owners can manage permissions for the Azure AD application (TargetApp).

Use the Graph API to grant permissions to your application on a SharePoint Online site.

In this step, you define which SharePoint Online sites you want to grant access to. TargetAppAmazon Q Business App TargetApp Connects to a SharePoint Online site to crawl and index the data.

In this post, we will grant permissions using Postman, a platform for working with APIs. To grant permissions to a specific SharePoint Online site, we need a separate Azure AD application. AdminAppand Sites.FullControl.All authority.

If the prerequisites are not met AdminAppTo register, please follow the previous steps AdminApp and Application PermissionsGrant Sites.FullControl.All Permissions. As stated in the prerequisites, AdminApp It is only used to grant access to the SharePoint Online site. TargetApp.

we ClientId and ClientSecret The value of the AdminApp From Azure AD applications AccessToken value.

  1. Make a POST request using the URL in Postman https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token.
  2. In the request body, x-www-form-urlencoded Set the following key-value pairs:
    1. set client_id To AdminApp-ClientId.
    2. set client_secret To AdminApp-ClientSecret.
    3. set grant_type To client_credentials.
    4. set scope To https://graph.microsoft.com/.default.

Obtaining an Access Token

  1. choose send.
  2. From the response returned, access_tokenYou’ll need it when you’re asked for a bearer token in a later step.
  3. Use the value of access_token Grant the permissions from the previous step TargetApp.
    1. obtain SiteId Access the URL of your SharePoint Online site (e.g. https://<yourcompany>.sharepoint.com/sites/{SiteName}) in your browser. To access the site, you must log in to the site by entering valid credentials.
    2. Edit and add the URL in your browser’s address bar /_api/site/id At the end of {SiteName} You need this to get the SiteId SiteId In the next step.

Obtaining the site ID

  1. Make another POST request in Postman with the URL https://graph.microsoft.com/v1.0/sites/{SiteId}/permissions. Replace {SiteId} in the request URL with the SiteId from the previous step.

You can repeat this step for each site you want to include in the Amazon Q Business SharePoint Online connector.

  1. choose Bearer Token for type To Approval
  2. please fill in the value access_token from before token.

Granting permissions to the target app

  1. For payload, Living Enter the following JSON code: <<ターゲットアプリクライアントID>> and <<ターゲットアプリ名>> value):
{
    "roles": (
        "fullcontrol"
    ),
    "grantedToIdentities": (
        {
            "application": {
                "id": "<<TargetApp-clientId>>",
                "displayName": "<<TargeApp-Name>>"
            }
        }
    )
}

Complete the access authorization

  1. choose send To complete the process of granting access to a SharePoint Online site TargetApp An Azure AD application.

Configure the Amazon Q Business SharePoint Online Connector

To configure the SharePoint Online connector for the Amazon Q Business application, follow these steps:

  1. In the Amazon Q Business console, Add a Data Source.
  2. Search and select Sharepoint.
  3. Enter a name and description (optional).
  4. choose SharePoint Online for Hosting Methods under Source Settings.
  5. Specifies the full URL of the SharePoint site that you want to include in crawling and indexing. A unique site URL for the SharePoint repository.
    1. The full URL of the site https://<yourcompany>.sharepoint.com/sites/anycompanyUse <yourcompany> As a value of domain.
  6. choose OAuth 2.0 authentication for Authentication Method.
  7. Delivering value TenantId for Tenant ID.

The SharePoint connector requires credentials to connect to the SharePoint Online site using the Microsoft Graph API. This is achieved by creating a new Secrets Manager secret. These credentials are not used in the access logs for the SharePoint Online site.

  1. choose Create and add a new secret.
  2. Enter a name for your secret.
  3. Enter your username and password SiteCollection The administrator of a site that is part of an Amazon Q repository.
  4. Enter the Client ID and Client Secret you obtained during registration. TargetApp In the previous step.
  5. choose keep.

Create a secret

  1. choose Create a new service role Create an IAM role and enter a name for the role.
  2. for Sync Rangechoose Select Entity Select all (or any combination of items you want to sync).
  3. Select the sync option based on your needs (on-demand or at a frequency of your choice). For this post, we will select on-demand.
  4. choose Add a Data Source.
  5. Once the data source is created, Sync now Start crawling and indexing.

Test the solution

To test the solution, you can add users and groups, assign subscriptions, and test user and group access within your Amazon Q business application.

cleaning

If you are just experimenting with the steps in this post, be sure to delete the application from the Azure portal and delete the Amazon Q application from the Amazon Q console to avoid incurring costs.

Conclusion

In this post, we discussed how to configure the Amazon Q Business SharePoint Online connector with least privilege access control that works with site-level least privilege to safely crawl and index your SharePoint Online site content, and how to preserve and enforce ACLs while responding to user conversations.

With Amazon Q Business, organizations can use their existing SharePoint Online data to gain better insights, generate summaries, and get answers to natural language queries in a conversational format. By connecting SharePoint Online as a data source, employees can use natural language to interact with organizational knowledge and data stored in SharePoint, making it easier to find relevant information, extract key takeaways, and derive valuable insights. This can significantly improve productivity, decision-making, and knowledge sharing within an organization.

Try out the solutions in this post and leave your feedback or questions in the comments section.

About the Author

Surendar GajaveliSurendar Gajaveli He is a Senior Solutions Architect based in Nashville, Tennessee. He is a passionate technology enthusiast who enjoys working with clients to build innovative solutions.

Abi PatrollaAbi Patrolla is a Senior Solutions Architect based in the New York City area helping clients with their cloud transformation, AI/ML and data initiatives. As a strategic and technical leader, he advises executives and engineers on cloud strategies that drive innovation and positive impact.

Share.

Related Posts

Add A Comment
Leave A Reply

Cookies
We serve cookies. If you think that's ok, just click "Accept all". You can also choose what kind of cookies you want by clicking "Settings".
Settings Accept all
Cookies
Choose what kind of cookies to accept. Your choice will be saved for one year.
Save Accept all
error: Content is protected !!