Connect Amazon Q Business to Microsoft SharePoint Online using least privilege access controls


Amazon Q Business is the generative artificial intelligence (AI) assistant that empowers employees with your company's data and information. Microsoft SharePoint Online is used by many organizations as a secure place to store, organize, share, and access their internal information. With generative AI, employees can get answers to their questions, summarize content, or generate insights from data stored in SharePoint Online. Using Amazon Q Business connectors, you can connect SharePoint Online data to an Amazon Q Business application and start gaining insights from your data quickly.

This post demonstrates how to use Amazon Q Business with SharePoint Online as the data source to provide answers, generate summaries, and present insights using least privilege access controls and best practices recommended by the Microsoft SharePoint Dev Support Team.

Solution overview

In this post, we walk you through the process of setting up an Amazon Q Business application that connects to your SharePoint Online sites using an out-of-the-box Amazon Q Business connector and configuring it using the Sites.Selected application permission scope. The Sites.Selected permission is important because many organizations enforce policies that prevent granting read access on all sites (Sites.Read.All) or full control (Sites.FullControl.All) to any connector.

The solution approach respects users' existing identities, roles, and permissions by enabling identity crawling and access control lists (ACLs) on the Amazon Q Business connector for SharePoint Online, using credentials stored securely in AWS Secrets Manager. If a user doesn't have permission to access certain data without Amazon Q Business, they can't access it through Amazon Q Business either. Only the data the user has access to is used to answer the user's query.

Prerequisites

The following are the prerequisites necessary to deploy the solution:

  • An AWS account with an AWS Identity and Access Management (IAM) role and user with permissions to create and manage the necessary resources and components for the application. If you don't have an AWS account, see How do I create and activate a new Amazon Web Services account?
  • An Amazon Q Business application. If you haven't set one up yet, see Creating an Amazon Q Business application environment.
  • A Microsoft account and a SharePoint Online subscription to create and publish the application using the steps outlined in this post. If you don't have this, check with your organization admins to create sandboxes for you to experiment in, or create a new account and trial subscription as needed to complete the steps.
  • An application in Microsoft Entra ID with Sites.FullControl.All application-level permissions, together with its client ID and client secret. This application won't be used by the Amazon Q Business connector, but it's needed to grant Sites.Selected permissions exclusively to the target application.

Register a new app in the Microsoft Azure portal

Complete the following steps to register a new app in the Microsoft Azure portal:

  1. Log in to the Azure Portal with your Microsoft account.
  2. Choose New registration.
    1. For Name, provide the name for your application. For this post, we use the name TargetApp. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
    2. For Who can use this application or access this API, choose Accounts in this organizational directory only (Single tenant).
    3. Choose Register.
  3. Note down the application (client) ID and the directory (tenant) ID on the Overview page. You'll need them later when asked for TargetApp-ClientId and TenantId.
  4. Choose API permissions under Manage in the navigation pane.
  5. Choose Add a permission to allow the application to read data in your organization's directory about the signed-in user.
    1. Choose Microsoft Graph.
    2. Choose Delegated permissions.
    3. Choose User.Read.All from the User section.
    4. Choose GroupMember.Read.All from the GroupMember section.
    5. Choose Sites.Selected from the Sites section.
    6. Choose Add permissions.
  6. On the options menu (three dots), choose Remove permission.
  7. Remove the original User.Read – Delegated permission.
  8. Choose Grant admin consent for Default Directory.

Registering an App and setting permissions

  1. Choose Certificates & secrets in the navigation pane.
  2. Choose New client secret.
    1. For Description, enter a description.
    2. Choose a value for Expires. Note that in production, you'll need to manually rotate your secret before it expires.
    3. Choose Add.
    4. Note down the value of your new secret. You'll need it later when asked for your client secret (TargetApp-ClientSecret).
  3. Optionally, choose Owners to add any additional owners for the application. Owners will be able to manage permissions of the Azure AD application (TargetApp).

Use the Graph API to grant permissions to the application on the SharePoint Online site

In this step, you define which of your SharePoint Online sites will be granted access to TargetApp. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.

For this post, we use Postman, a platform for working with APIs, to grant permissions. To grant permissions to a specific SharePoint Online site, you need another Azure AD application, which we refer to as AdminApp, with Sites.FullControl.All permissions.

If you don't have the prerequisite AdminApp, follow the previous steps to register AdminApp and, for Application Permissions, grant Sites.FullControl.All permissions. As mentioned in the prerequisites, AdminApp is used only to grant SharePoint Online site access permissions to TargetApp.

We use the ClientId and ClientSecret values of the AdminApp Azure AD application to get an AccessToken value.

  1. Create a POST request in Postman with the URL https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token.
  2. In the body of the request, choose x-www-form-urlencoded and set the following key-value pairs:
    1. Set client_id to AdminApp-ClientId.
    2. Set client_secret to AdminApp-ClientSecret.
    3. Set grant_type to client_credentials.
    4. Set scope to https://graph.microsoft.com/.default.

Get access token

  1. Choose Send.
  2. From the returned response, copy the value of access_token. You need it in a later step when asked for the bearer token.
  3. Use the value of access_token from the previous step to grant permissions to TargetApp.
    1. Get the SiteId of the SharePoint Online site by visiting your site URL (for example, https://<TenantName>.sharepoint.com/sites/{SiteName}) in a browser. You need to log in to the site with valid credentials to access it.
    2. Edit the URL in the browser address bar to append /_api/site/id after {SiteName} to get the SiteId. You need this SiteId in the next step.

Getting site id

  1. Create another POST request in Postman using the URL https://graph.microsoft.com/v1.0/sites/{SiteId}/permissions. Replace {SiteId} in the URL of the request with the SiteId from the previous step.

You can repeat this step for each site you want to include in the Amazon Q Business SharePoint Online connector.

  1. Choose Bearer Token for Type on the Authorization tab.
  2. Enter the value of access_token from earlier for Token.

Grant permissions to target app

  1. For the payload, choose raw and enter the following JSON code (replace the <TargetApp-ClientId> and <TargetApp-DisplayName> placeholders with the values from the TargetApp registration):

    {
        "roles": [
            "fullcontrol"
        ],
        "grantedToIdentities": [
            {
                "application": {
                    "id": "<TargetApp-ClientId>",
                    "displayName": "<TargetApp-DisplayName>"
                }
            }
        ]
    }

Complete granting access

  1. Choose Send to complete the process of granting SharePoint Online site access to the TargetApp Azure AD application.
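The same token request, SiteId lookup and Sites.Selected grant can be scripted instead of clicked through in Postman. The following Python script is an added example and is not part of the original post or of the Amazon Q connector: it obtains the AdminApp token, resolves the site URL to a SiteId through Graph's sites/{hostname}:/{path} lookup (an alternative to the /_api/site/id browser step), posts the grant, and then reads the site's permissions back to confirm that only TargetApp holds the role you granted. It assumes AdminApp holds the Sites.FullControl.All application permission; the PLACEHOLDER values and the sample permissions response are constructed.

```python
# Added example (not from the original post): token request, Sites.Selected
# grant and a verification of the resulting grants, done from a script rather
# than Postman. Assumes AdminApp holds Sites.FullControl.All (application) and
# that the PLACEHOLDER values in main() are replaced; sample data is constructed.
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_token_request(tenant_id, client_id, client_secret):
    """URL and x-www-form-urlencoded body of the client-credentials token call."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def site_lookup_url(site_url):
    """Graph URL that resolves https://<TenantName>.sharepoint.com/sites/x to its SiteId."""
    parts = urllib.parse.urlparse(site_url)
    return f"{GRAPH}/sites/{parts.netloc}:{parts.path}"


def build_grant_payload(target_app_id, target_app_name, roles=("fullcontrol",)):
    """Body of POST /sites/{SiteId}/permissions granting TargetApp the given roles."""
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": target_app_id, "displayName": target_app_name}}
        ],
    }


def audit_grants(permissions, expected_app_id, allowed_roles):
    """Check a GET /sites/{SiteId}/permissions response: every application grant
    must belong to expected_app_id and carry no role outside allowed_roles.
    Returns a list of findings; an empty list means the site is as intended."""
    findings = []
    allowed = set(allowed_roles)
    for perm in permissions.get("value", []):
        roles = set(perm.get("roles", []))
        for identity in perm.get("grantedToIdentities", []):
            app = identity.get("application", {})
            label = f"{app.get('displayName')} ({app.get('id')})"
            if app.get("id") != expected_app_id:
                findings.append(f"unexpected app {label} roles={sorted(roles)}")
            elif not roles <= allowed:
                findings.append(f"{label} has extra roles {sorted(roles - allowed)}")
    return findings


def graph_call(method, url, token, payload=None):
    """Send one bearer-authenticated Graph request and return the JSON reply."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a permissions listing: TargetApp plus a stale grant to
# another app, which the audit should flag.
SAMPLE_PERMISSIONS = {"value": [
    {"roles": ["fullcontrol"], "grantedToIdentities": [{"application": {
        "id": "00000000-0000-0000-0000-00000000aaaa", "displayName": "TargetApp"}}]},
    {"roles": ["write"], "grantedToIdentities": [{"application": {
        "id": "00000000-0000-0000-0000-00000000bbbb", "displayName": "OldTool"}}]},
]}


def main():
    tenant = "PLACEHOLDER-TenantId"
    admin_id, admin_secret = "PLACEHOLDER-AdminApp-ClientId", "PLACEHOLDER-AdminApp-ClientSecret"
    target_id = "PLACEHOLDER-TargetApp-ClientId"
    site = "https://PLACEHOLDER.sharepoint.com/sites/anycompany"
    url, body = build_token_request(tenant, admin_id, admin_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    site_id = graph_call("GET", site_lookup_url(site), token)["id"]
    grant_url = f"{GRAPH}/sites/{site_id}/permissions"
    graph_call("POST", grant_url, token, build_grant_payload(target_id, "TargetApp"))
    # Verify: only TargetApp, and only with the role that was granted.
    for finding in audit_grants(graph_call("GET", grant_url, token), target_id, ["fullcontrol"]):
        print("FINDING:", finding)


if __name__ == "__main__":
    main()
```

The audit step is the part worth keeping around after the initial setup: rerunning it per site lists any application grant other than TargetApp, or any role beyond the one you intended, which is exactly the drift a Sites.Selected policy is meant to prevent.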

Configure the Amazon Q Business SharePoint Online connector

Complete the following steps to configure the Amazon Q Business application's SharePoint Online connector:

  1. On the Amazon Q Business console, choose Add Data source.
  2. Search for and choose SharePoint.
  3. Give it a name and description (optional).
  4. Choose SharePoint Online for Hosting method under Source settings.
  5. Provide the full URL for the SharePoint site that you want to include in crawling and indexing for Site URLs specific to your SharePoint repository.
    1. If the full URL of the site is https://<TenantName>.sharepoint.com/sites/anycompany, use <TenantName> as the value for Domain.
  6. Choose OAuth 2.0 authentication for Authentication method.
  7. Provide the value of TenantId for TenantId.

The SharePoint connector needs credentials to connect to the SharePoint Online site using the Microsoft Graph API. To facilitate this, create a new Secrets Manager secret. These credentials won't be used in any access logs for the SharePoint Online site.

  1. Choose Create and add a new secret.
  2. Enter a name for the secret.
  3. Enter the user name and password of a SiteCollection administrator on the sites included in the Amazon Q repository.
  4. Enter the client ID and client secret that you obtained from registering TargetApp in the previous steps.
  5. Choose Save.

Create Secret

  1. Choose Create a new service role to create an IAM role, and enter a name for the role.
  2. For Sync scope, choose Select entities and choose All (or specify the combination of items to sync).
  3. Choose a sync option based on your needs (on demand or at a frequency of your choice). For this post, we choose on-demand.
  4. Choose Add data source.
  5. After the data source is created, choose Sync now to start the crawling and indexing.

Test the solution

To test the solution, you can add users and groups, assign subscriptions, and test user and group access within your Amazon Q Business application.

Clean up

If you're only experimenting using the steps in this post, delete your application from the Azure Portal and delete the Amazon Q application from the Amazon Q console to avoid incurring costs.

Conclusion

In this post, we discussed how to configure the Amazon Q Business SharePoint Online connector using least privilege access controls that work with site-level permissions to crawl and index SharePoint Online site content securely. We also demonstrated how to retain and apply ACLs while responding to user conversations.

Organizations can now use their existing SharePoint Online data to gain better insights, generate summaries, and get answers to natural language queries in a conversational way using Amazon Q Business. By connecting SharePoint Online as a data source, employees can interact with the organization's knowledge and information stored in SharePoint using natural language, making it simple to find relevant information, extract key points, and derive valuable insights. This can significantly improve productivity, decision-making, and knowledge sharing within the organization.

Try out the solution in this post, and leave your feedback and questions in the comments section.


About the Authors

Surendar Gajavelli is a Sr. Solutions Architect based out of Nashville, TN. He's a passionate technology enthusiast who enjoys working with customers and helping them build innovative solutions.

Abhi Patlolla is a Sr. Solutions Architect based out of the NYC region, helping customers in their cloud transformation, AI/ML, and data initiatives. He's a strategic and technical leader, advising executives and engineers on cloud strategies to foster innovation and positive impact.
