Configure Microsoft SharePoint Online for external content indexing

  • Release version: Australia
  • Updated Mar 12, 2026
  • 6 min. read
  • Register an OAuth 2.0 application in the Microsoft Entra admin center to allow the Microsoft SharePoint Online external content connector to access your Microsoft SharePoint Online source system.

    Before you begin

    You need the following credentials and permissions for your organization in the Microsoft Entra admin center:
    • Login credentials
    • Permission to register an application
    • Permission to add API permissions to an application
    • Permission to grant admin consent for an application's API permissions
    • Permission to upload certificates for an application

    You must have created a public/private key pair for the Microsoft SharePoint Online external content connector and extracted the public key certificate in DER-encoded binary X.509 format. For details on creating the public/private key pair and extracting the public key certificate, see Create a public/private key pair for the Microsoft SharePoint Online external content connector.

    Role required: none

    Why and when to perform this task

    The Microsoft SharePoint Online external content connector retrieves content from your Microsoft SharePoint Online source system using Microsoft Graph and the Microsoft SharePoint REST APIs.

    To enable the connector to access your Microsoft SharePoint Online source system via these APIs, you must configure an OAuth 2.0 application in the Microsoft Entra admin center. Your ServiceNow AI Platform connector admin can use settings copied from this Microsoft Entra application to configure the Microsoft SharePoint Online external content connector so that it connects to your Microsoft SharePoint Online source system.

    Procedure

    1. Register a new application in the Microsoft Entra admin center.
      1. Log in to the Microsoft Entra admin center at https://entra.microsoft.com/.
        Note:
        If your Microsoft SharePoint Online tenant is in the Microsoft 365 GCC or GCC High cloud or the Microsoft 365 DoD cloud, log in at https://entra.microsoft.us/ instead.
      2. Select Applications > App registrations.
      3. On the App registrations page, select New registration.
        App registrations page in Microsoft Entra admin center with New registration link.
      4. On the Register an application form, fill in the following fields:
        Field | Instructions
        Name | Enter a unique name for your OAuth 2.0 application. For example, you might enter Microsoft SharePoint Online external content connector.
        Supported account types | Select Accounts in this organizational directory only (<instance-name> only - Single tenant), where <instance-name> is the name of your Microsoft Entra instance.
        Redirect URI (optional) | Leave this field empty.
        Register an application dialog box in Microsoft Entra admin center.
      5. Select Register.
        The new application's Overview page appears.
    2. Record the values of the Application (client) ID and Directory (tenant) ID properties in a secure location.
      Application's overview page in Microsoft Entra admin center showing application/client and directory/tenant ID values.
      Important:
      Your ServiceNow AI Platform connector admin needs the application's tenant and client IDs to configure a Microsoft SharePoint Online external content connector.
    3. Add the API permissions required by the Microsoft SharePoint Online external content connector.
      1. In the application menu, select Manage > API permissions.
        Application's API permissions list in Microsoft Entra admin center with Add a permission link.
      2. Select Add a permission, then select Microsoft Graph, then select Application permissions.
        Request API permissions dialog box in Microsoft Entra admin center showing Microsoft Graph tile
      3. For each of the following permissions, enter the permission name into the Select permissions search field, then locate and select the option for the permission.
      4. Select Add permissions.
        The new Microsoft Graph permissions appear in the application's Configured permissions list.
      5. Select Add a permission, then select SharePoint, then select Application permissions.
        Request API permissions dialog box in Microsoft Entra admin center showing SharePoint tile.
      6. In the Select permissions search field, enter either Sites.FullControl.All or Sites.Selected, then locate and select the option for the specified permission.
        Important:

        Select the Sites.FullControl.All permission if your organization allows it. This option requires no additional configuration beyond the steps provided in this procedure.

        If your organization does not permit you to grant Sites.FullControl.All permission to a registered application, you can select the Sites.Selected permission instead. When you use this permission, a source system administrator must grant FullControl permissions to your registered Microsoft Entra OAuth 2.0 app for each site or site collection that you want the Microsoft SharePoint Online external content connector to be able to crawl. To learn how to grant the app FullControl permissions for individual sites and site collections, see Configure site collection access for the Microsoft SharePoint Online external content connector / Configure site and site collection access for the Microsoft SharePoint Online external content connector.

      7. Select Add permissions.
        The new SharePoint permission appears in the application's Configured permissions list.
      Application's API permissions list in Microsoft Entra admin center showing Microsoft Graph API permissions and Sites.FullControl.All SharePoint API permission added.
      Tip:
      The SharePoint section of your application's API permissions list will show the entry for the SharePoint API permission that you selected in step 3.f. The images in this procedure show the Sites.FullControl.All permission, but your application may show the Sites.Selected permission instead.
    4. Grant admin consent for the added API permissions.
      1. Select Grant admin consent for <instance-name>, where <instance-name> is the name of your Microsoft Entra instance.
      2. In the Grant admin consent confirmation dialog box, select Yes.
        Application's API permissions list in Microsoft Entra admin center showing admin consent granted for added Microsoft Graph API permissions and Sites.FullControl.All SharePoint API permission.
      The status for the added API permissions changes to Granted for <instance-name>, where <instance-name> is the name of your Microsoft Entra instance.
    5. Upload your DER-encoded binary X.509 format public key certificate for the Microsoft SharePoint Online external content connector.
      1. In the Microsoft Entra application menu, select Manage > Certificates & secrets.
      2. Select Certificates, then select Upload certificate.
        Application's Certificates & secrets page in Microsoft Entra admin center showing Upload certificate link.
      3. Select Select a file and locate your DER-encoded binary X.509 format public key certificate file, then enter a description for it.
        Upload certificate dialog box in Microsoft Entra admin center.
      4. Select Add.
        The DER-encoded binary X.509 format public key certificate appears in the Certificates list.
        Note:
        You can drag the column separators in the Certificates list to view the entire thumbprint SHA1 hash value.
      5. Copy the certificate's Thumbprint SHA1 hash, shown in hexadecimal format.
        Application's Certificates & secrets page in Microsoft Entra admin center showing thumbprint SHA1 hash value for uploaded certificate.
      6. Convert the certificate's SHA1 thumbprint hash from hexadecimal format to a byte array, then convert the byte array to base64 encoding and record the base64-encoded hash in a secure location.

        As an example, if your certificate's SHA1 thumbprint hash is 2778E8235B1A502728D2143AC8817DDBFBFC34AD in hexadecimal format, its base64-encoded version is J3joI1saUCco0hQ6yIF92/v8NK0=.

        You can perform the required conversions in PowerShell (starting in version 7), replacing 2778E8235B1A502728D2143AC8817DDBFBFC34AD with your own certificate's SHA1 thumbprint hash in hexadecimal format:
        $hexHash = "2778E8235B1A502728D2143AC8817DDBFBFC34AD"
        $binaryHash = [System.Convert]::FromHexString($hexHash)
        $base64Hash = [System.Convert]::ToBase64String($binaryHash)
        Write-Output $base64Hash
        You can also use the xxd and base64 utilities in Linux or UNIX to perform the required conversions, replacing 2778E8235B1A502728D2143AC8817DDBFBFC34AD with your own certificate's SHA1 thumbprint hash in hexadecimal format:
        echo '2778E8235B1A502728D2143AC8817DDBFBFC34AD' | xxd -r -p | base64
        Important:
        Your ServiceNow AI Platform connector admin needs the DER-encoded binary X.509 format public key certificate's SHA1 thumbprint hash in base64-encoded format to configure the Microsoft SharePoint Online external content connector.
      7. Copy the certificate's Thumbprint SHA1 hash, shown in hexadecimal format, and record it in a secure location.
        Application's Certificates & secrets page in Microsoft Entra admin center showing thumbprint SHA1 hash value for uploaded certificate.
        Important:
        Your ServiceNow AI Platform connector admin needs the DER-encoded binary X.509 format public key certificate's SHA1 thumbprint hash in base64-encoded format to configure the Microsoft SharePoint Online external content connector.
      8. Retain copies of the generated public/private key files and the key password in a secure location.
        Note:
        You can't download the public key certificate or its password from the Microsoft Entra admin center.
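
A check for step 5, as an added example that is not part of the original procedure: it recomputes the SHA1 thumbprint from the local DER file (the thumbprint is the SHA-1 digest of the certificate's DER bytes), compares it with the value copied from the Certificates list, and returns the hexadecimal and base64 forms the connector admin needs. The function names and SAMPLE_DER are assumptions made for the example; SAMPLE_DER is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER file: a tiny ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def normalize_thumbprint(text):
    """Drop separators a copy/paste may carry and require exactly 40 hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("SHA-1 thumbprint must be exactly 40 hexadecimal digits")
    return cleaned


def thumbprint_to_base64(hex_thumbprint):
    """Step 5.f: hexadecimal thumbprint -> 20-byte array -> base64 string."""
    raw = bytes.fromhex(normalize_thumbprint(hex_thumbprint))
    return base64.b64encode(raw).decode("ascii")


def der_thumbprint(cert_bytes):
    """SHA-1 over the certificate's DER bytes, as uppercase hexadecimal."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        # Hashing PEM text yields a different value than the portal shows.
        raise ValueError("file is PEM text; the procedure requires DER-encoded binary")
    if not cert_bytes or cert_bytes[0] != 0x30:
        raise ValueError("not DER: a certificate starts with a SEQUENCE tag (0x30)")
    return hashlib.sha1(cert_bytes).hexdigest().upper()


def check_upload(cert_bytes, portal_thumbprint):
    """Compare the portal's thumbprint with the local file; return both formats."""
    local = der_thumbprint(cert_bytes)
    portal = normalize_thumbprint(portal_thumbprint)
    if local != portal:
        raise ValueError(f"thumbprint mismatch: local {local}, portal {portal}")
    return {"hex": portal, "base64": thumbprint_to_base64(portal)}


if __name__ == "__main__":
    # The page's example value, pasted with separators and in lowercase.
    print(thumbprint_to_base64("27:78:e8:23:5b:1a:50:27:28:d2:14:3a:c8:81:7d:db:fb:fc:34:ad"))
    print(check_upload(SAMPLE_DER, der_thumbprint(SAMPLE_DER)))
```

A mismatch raised by check_upload means the file on disk is not the certificate that was uploaded, so the recorded thumbprint would not correspond to the private key the connector holds.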

    What to do next

    If you granted Sites.Selected permission instead of Sites.FullControl.All permission in step 3.f, configure SharePoint API permissions for the site collections you want the Microsoft SharePoint Online connector to be able to crawl. For details on this procedure, see Configure site collection access for the Microsoft SharePoint Online external content connector / Configure site and site collection access for the Microsoft SharePoint Online external content connector.

    Provide the following items to your ServiceNow AI Platform connector admin:
    • The OAuth 2.0 application's tenant ID and client ID that you recorded in step 2.
    • The DER-encoded binary X.509 format public key certificate's SHA1 thumbprint hash in base64-encoded format that you recorded in step 5.f.
    • The DER-encoded binary X.509 format public key certificate's SHA1 thumbprint hash in hexadecimal format that you recorded in step 5.g.

    Your ServiceNow AI Platform connector admin needs these items to configure a Microsoft SharePoint Online external content connector to retrieve searchable content and security principals from your Microsoft SharePoint Online instance.

    For details on creating and configuring a Microsoft SharePoint Online external content connector, see Create a Microsoft SharePoint Online external content connector.