Amazon Q Business is a generative artificial intelligence (AI) assistant that provides company knowledge and data to employees. Many organizations use Microsoft SharePoint Online as a place to securely store, organize, share, and access their company data. With generative AI, employees can get answers to their questions, summarize content, and generate insights from data stored in SharePoint Online. Amazon Q Business Connectors allow you to connect your SharePoint Online data to your Amazon Q Business application and instantly get insights from your data.
In this post, we explain how to use Amazon Q Business with SharePoint Online as a data source to provide answers, generate summaries, and present insights using least privilege access control and best practices recommended by the Microsoft SharePoint development support team.
Solution overview
In this post, we set up an Amazon Q Business application that connects to a SharePoint Online site using the out-of-the-box Amazon Q Business connector with the Sites.Selected application permission scope. The Sites.Selected permission matters because many organizations have policies that do not allow any connector read access to all sites (Sites.Read.All) or full control over all sites (Sites.FullControl.All).
This solution approach respects users’ existing identities, roles, and permissions by enabling identity crawling and access control lists (ACLs) in the Amazon Q Business connector for SharePoint Online using secure credentials provided by AWS Secrets Manager. If a user does not have permission to access certain data without Amazon Q Business, they cannot access that data using Amazon Q Business. Only data that a user has access to is used to support user queries.
Prerequisites
The following prerequisites are required to deploy the solution:
- An AWS account with an AWS Identity and Access Management (IAM) role and user with permissions to create and manage the resources and components required by your application. If you don’t have an AWS account, see How do I create and activate a new Amazon Web Services account?
- An Amazon Q Business application. If you haven’t already set one up, see Creating an Amazon Q Business Application Environment.
- A Microsoft account and a SharePoint Online subscription, which you need to create and publish an application using the steps in this post. If you do not have these, ask your organization's administrator to create a sandbox for your experimentation, or create a new account and trial subscription as needed to complete the steps.
- A Microsoft Entra ID application (AdminApp) with Sites.FullControl.All application-level permission, together with its client ID and client secret. This application is not used by the Amazon Q Business connector; it is used only to grant the Sites.Selected permission to the targeted application.
Register a new app in the Microsoft Azure portal
To register a new app in the Microsoft Azure portal, follow these steps:
- Log in to the Azure portal with your Microsoft account.
- Choose New registration.
- For Name, enter a name for your application (for this post, TargetApp). The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
- For Who can use this application or access this API?, choose Accounts in this organizational directory only (<tenant name> only – Single tenant).
- Choose Register.
- On the Overview page, note the Application (client) ID and the Directory (tenant) ID. You need them later as TargetApp-ClientId and TenantId.
- In the navigation pane, choose API permissions under Manage.
- Choose Add a permission to allow the application to read data in your organization's directory about the signed-in user.
- Choose Microsoft Graph.
- Choose Delegated permissions.
- Choose User.Read.All from the User section.
- Choose GroupMember.Read.All from the GroupMember section.
- Choose Sites.Selected from the Sites section.
- Choose Add permissions.
- In the options menu (three dots), choose Remove permission.
- Remove the original User.Read – Delegated permission.
- Choose Grant admin consent for Default Directory.
- In the navigation pane, choose Certificates & secrets.
- Choose New client secret.
- For Description, enter a description.
- Choose a value for Expires. Note that in a production environment, you should rotate the secret manually before it expires.
- Choose Add.
- Note the new secret value; you need it later when asked for the client secret (TargetApp-ClientSecret).
- Optionally, choose Owners to add owners for the application. Owners can manage the permissions of the Azure AD application (TargetApp).
Use the Graph API to grant your application permissions on a SharePoint Online site
In this step, you define which SharePoint Online sites TargetApp is allowed to access. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
In this post, we grant the permissions using Postman, a platform for working with APIs. To grant permissions on a specific SharePoint Online site, we need a separate Azure AD application, AdminApp, with the Sites.FullControl.All permission.
If you do not already have AdminApp from the prerequisites, register AdminApp by following the previous steps and grant it Sites.FullControl.All as an application permission. As stated in the prerequisites, AdminApp is used only to grant TargetApp access to the SharePoint Online site.
We use the ClientId and ClientSecret values of the AdminApp Azure AD application to obtain an AccessToken value.
- In Postman, make a POST request to the URL https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token.
- In the request body, choose x-www-form-urlencoded and set the following key-value pairs:
  - Set client_id to AdminApp-ClientId.
  - Set client_secret to AdminApp-ClientSecret.
  - Set grant_type to client_credentials.
  - Set scope to https://graph.microsoft.com/.default.
- Choose Send.
- From the returned response, note the access_token value. You need it when asked for the bearer token in a later step.
- Use the access_token value to grant TargetApp the permissions defined in the previous step.
- Obtain the SiteId:
  - Open the URL of your SharePoint Online site (for example, https://<yourcompany>.sharepoint.com/sites/{SiteName}) in your browser. You must sign in to the site with valid credentials.
  - Edit the URL in the browser's address bar and append /_api/site/id after {SiteName}. The returned value is the SiteId you need in the next step.
- In Postman, make another POST request to the URL https://graph.microsoft.com/v1.0/sites/{SiteId}/permissions. Replace {SiteId} in the request URL with the SiteId from the previous step. You can repeat this step for each site you want to include in the Amazon Q Business SharePoint Online connector.
  - For Authorization, choose Bearer Token for Type.
  - For Token, enter the access_token value from before.
  - For the body, choose raw and enter the following JSON code (replace the <<TargetApp client ID>> and <<TargetApp name>> values):
- Choose Send to complete granting the TargetApp Azure AD application access to the SharePoint Online site.
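The two Postman calls above, scripted as an added example that is not part of the original post or of the Amazon Q Business connector: the script obtains AdminApp's client-credentials token, builds the Sites.Selected grant body for TargetApp, and also audits the grants already present on a site for roles broader than read, which is the check a reviewer would want before trusting the "least privilege" claim. The request body shape follows the documented Microsoft Graph sites/{siteId}/permissions resource; the choice of the "read" role (the post leaves the exact JSON to the reader), the tenant ID, client IDs, secrets and the sample permissions response are assumptions or constructed placeholders.

```python
"""Grant an Entra ID app Sites.Selected access to one SharePoint Online site via Microsoft Graph.

Added example, not the post's own code. Assumptions: the body shape is the documented
Graph /sites/{siteId}/permissions payload; a crawler only needs "read", so that is the
default role; every tenant/client/secret value below is a placeholder.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # roles we are willing to hand to a crawler app


def token_request(tenant_id, client_id, client_secret):
    """Build AdminApp's client-credentials token request: (url, form-encoded body bytes)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, urllib.parse.urlencode(form).encode()


def site_id_url(site_url):
    """Return the SharePoint REST URL that reveals the site's ID (open it in a signed-in browser)."""
    return site_url.rstrip("/") + "/_api/site/id"


def site_permission_payload(target_client_id, target_display_name, roles=("read",)):
    """Build the Graph body that grants TargetApp a Sites.Selected role on one site.

    Refuses roles outside ALLOWED_ROLES so a typo cannot hand the crawler full control.
    """
    bad = set(roles) - ALLOWED_ROLES
    if bad:
        raise ValueError(f"refusing over-privileged role(s) for a crawler app: {sorted(bad)}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": target_client_id, "displayName": target_display_name}}
        ],
    }


def overprivileged_grants(permissions_response, max_roles=("read",)):
    """Audit a GET /sites/{siteId}/permissions response.

    Returns (displayName, appId, extra_roles) for every application grant whose roles
    go beyond max_roles, so drift away from least privilege is visible.
    """
    findings = []
    for perm in permissions_response.get("value", []):
        extra = set(perm.get("roles", [])) - set(max_roles)
        for ident in perm.get("grantedToIdentities", []):
            app = ident.get("application")
            if app and extra:
                findings.append((app.get("displayName"), app.get("id"), sorted(extra)))
    return findings


def grant_site_access(tenant_id, admin_client_id, admin_client_secret, site_id,
                      target_client_id, target_display_name, roles=("read",),
                      opener=urllib.request.urlopen):
    """Run both calls: fetch AdminApp's token, then POST the grant for TargetApp.

    `opener` is injectable so the flow can be exercised without network access.
    """
    url, body = token_request(tenant_id, admin_client_id, admin_client_secret)
    with opener(urllib.request.Request(url, data=body, method="POST")) as resp:
        token = json.load(resp)["access_token"]
    payload = json.dumps(site_permission_payload(target_client_id, target_display_name, roles))
    req = urllib.request.Request(
        f"{GRAPH}/sites/{site_id}/permissions", data=payload.encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)


# Constructed sample of a GET /sites/{siteId}/permissions response (not real data).
SAMPLE_PERMISSIONS = {
    "value": [
        {"roles": ["read"],
         "grantedToIdentities": [{"application": {"id": "1111-target", "displayName": "TargetApp"}}]},
        {"roles": ["fullcontrol"],
         "grantedToIdentities": [{"application": {"id": "2222-legacy", "displayName": "LegacyConnector"}}]},
    ]
}

if __name__ == "__main__":
    print(site_id_url("https://<yourcompany>.sharepoint.com/sites/anycompany"))
    print(json.dumps(site_permission_payload("<<TargetApp-ClientId>>", "TargetApp"), indent=2))
    print("over-privileged grants:", overprivileged_grants(SAMPLE_PERMISSIONS))
```

Running the script with placeholder values only prints the URL and body you would paste into Postman; call grant_site_access with real AdminApp credentials to perform the grant, and feed overprivileged_grants the JSON from a GET on the same /permissions endpoint to confirm TargetApp (and nothing else) holds only read.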
Configure the Amazon Q Business SharePoint Online Connector
To configure the SharePoint Online connector for the Amazon Q Business application, follow these steps:
- In the Amazon Q Business console, choose Add data source.
- Search for and select SharePoint.
- Enter a name and, optionally, a description.
- Under Source settings, for Hosting method, choose SharePoint Online.
- Specify the full URL of the SharePoint site that you want to crawl and index (a unique site URL for the SharePoint repository), for example https://<yourcompany>.sharepoint.com/sites/anycompany. Use <yourcompany> as the Domain value.
- For Authentication method, choose OAuth 2.0 authentication.
- For Tenant ID, enter the TenantId value.
The SharePoint connector requires credentials to connect to the SharePoint Online site using the Microsoft Graph API. This is achieved by creating a new Secrets Manager secret. These credentials are not used in the access logs for the SharePoint Online site.
- Choose Create and add a new secret.
- Enter a name for the secret.
- Enter the user name and password of a SiteCollection administrator for the site that is part of the Amazon Q repository.
- Enter the client ID and client secret of TargetApp that you obtained during registration in the previous step.
- Choose Save.
- For the IAM role, choose Create a new service role and enter a name for the role.
- For Sync scope, choose Select entities and select All (or any combination of items you want to sync).
- Select the sync option based on your needs (on-demand or at a frequency of your choice). For this post, we will select on-demand.
- choose Add a Data Source.
- After the data source is created, choose Sync now to start crawling and indexing.
Test the solution
To test the solution, you can add users and groups, assign subscriptions, and test user and group access within your Amazon Q business application.
Clean up
If you are just experimenting with the steps in this post, be sure to delete the application from the Azure portal and delete the Amazon Q application from the Amazon Q console to avoid incurring costs.
Conclusion
In this post, we discussed how to configure the Amazon Q Business SharePoint Online connector with least privilege access control that works with site-level least privilege to safely crawl and index your SharePoint Online site content, and how to preserve and enforce ACLs while responding to user conversations.
With Amazon Q Business, organizations can use their existing SharePoint Online data to gain better insights, generate summaries, and get answers to natural language queries in a conversational format. By connecting SharePoint Online as a data source, employees can use natural language to interact with organizational knowledge and data stored in SharePoint, making it easier to find relevant information, extract key takeaways, and derive valuable insights. This can significantly improve productivity, decision-making, and knowledge sharing within an organization.
Try out the solutions in this post and leave your feedback or questions in the comments section.
About the Authors
Surendar Gajaveli is a Senior Solutions Architect based in Nashville, Tennessee. He is a passionate technology enthusiast who enjoys working with clients to build innovative solutions.
Abi Patrolla is a Senior Solutions Architect based in the New York City area helping clients with their cloud transformation, AI/ML and data initiatives. As a strategic and technical leader, he advises executives and engineers on cloud strategies that drive innovation and positive impact.