Amazon Q Business is the generative artificial intelligence (AI) assistant that empowers employees with your company's knowledge and data. Microsoft SharePoint Online is used by many organizations as a secure place to store, organize, share, and access their internal data. With generative AI, employees can get answers to their questions, summarize content, or generate insights from data stored in SharePoint Online. Using Amazon Q Business Connectors, you can connect SharePoint Online data to an Amazon Q Business application and start gaining insights from your data quickly.
This post demonstrates how to use Amazon Q Business with SharePoint Online as the data source to provide answers, generate summaries, and present insights using least privilege access controls and best practices recommended by the Microsoft SharePoint Dev Support Team.
Solution overview
In this post, we walk you through the process of setting up an Amazon Q Business application that connects to your SharePoint Online sites using an out-of-the-box Amazon Q Business Connector and configuring it using the Sites.Selected application permission scope. The Sites.Selected permission is important because many organizations enforce policies that prevent granting read access on all sites (Sites.Read.All) or full control (Sites.FullControl.All) to any connector.
The solution approach respects users' existing identities, roles, and permissions by enabling identity crawling and access control lists (ACLs) on the Amazon Q Business connector for SharePoint Online, using secure credentials stored in AWS Secrets Manager. If a user doesn't have permissions to access certain data without Amazon Q Business, then they can't access it using Amazon Q Business either. Only the data the user has access to is used to answer the user's query.
Prerequisites
The following are the prerequisites necessary to deploy the solution:
- An AWS account with an AWS Identity and Access Management (IAM) role and user with permissions to create and manage the necessary resources and components for the application. If you don't have an AWS account, see How do I create and activate a new Amazon Web Services account?
- An Amazon Q Business application. If you haven't set one up yet, see Creating an Amazon Q Business application environment.
- A Microsoft account and a SharePoint Online subscription to create and publish the application using the steps outlined in this post. If you don't have this, check with your organization admins to create sandboxes for you to experiment in, or create a new account and trial subscription as needed to complete the steps.
- An application in Microsoft Entra ID with Sites.FullControl.All application-level permissions, along with its client ID and client secret. This application won't be used by the Amazon Q Business connector, but it is needed to grant Sites.Selected permissions exclusively to the target application.
Register a new app in the Microsoft Azure portal
Complete the following steps to register a new app in the Microsoft Azure portal:
- Log in to the Azure Portal with your Microsoft account.
- Choose New registration.
- For Name, provide the name for your application. For this post, we use the name TargetApp. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
- For Who can use this application or access this API, choose Accounts in this organizational directory only (<your directory> only – Single tenant).
- Choose Register.
- Note down the application (client) ID and the directory (tenant) ID on the Overview page. You'll need them later when asked for TargetApp-ClientId and TenantId.
- Choose API permissions under Manage in the navigation pane.
- Choose Add a permission to allow the application to read data in your organization's directory about the signed-in user.
- Choose Microsoft Graph.
- Choose Delegated permissions.
- Choose User.Read.All from the User section.
- Choose GroupMember.Read.All from the GroupMember section.
- Choose Sites.Selected from the Sites section.
- Choose Add permissions.
- On the options menu (three dots), choose Remove permission.
- Remove the original User.Read – Delegated permission.
- Choose Grant admin consent for Default Directory.
- Choose Certificates & secrets in the navigation pane.
- Choose New client secret.
- For Description, enter a description.
- Choose a value for Expires. Note that in production, you'll need to manually rotate your secret before it expires.
- Choose Add.
- Note down the value for your new secret. You'll need it later when asked for your client secret (TargetApp-ClientSecret).
- Optionally, choose Owners to add any additional owners for the application. Owners will be able to manage permissions of the Azure AD application (TargetApp).
Use the Graph API to grant permissions to the application on the SharePoint Online site
In this step, you define which of your SharePoint Online sites will be granted access to TargetApp. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
For this post, we use Postman, a platform for working with APIs, to grant permissions. To grant permissions to a specific SharePoint Online site, you need another Azure AD application, which we refer to as AdminApp, with Sites.FullControl.All permissions.
If you don't have the prerequisite AdminApp, follow the previous steps to register AdminApp and, for Application permissions, grant Sites.FullControl.All permissions. As mentioned in the prerequisites, AdminApp is used only to grant SharePoint Online site access permissions to TargetApp.
We use the ClientId and ClientSecret values of AdminApp from the Azure AD application to get an AccessToken value.
- Create a POST request in Postman with the URL https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token.
- In the body of the request, choose x-www-form-urlencoded and set the following key-value pairs:
  - Set client_id to AdminApp-ClientId.
  - Set client_secret to AdminApp-ClientSecret.
  - Set grant_type to client_credentials.
  - Set scope to https://graph.microsoft.com/.default.
- Choose Send.
- From the returned response, copy the value of access_token. You need it in a later step when asked for the bearer token.
- Use the value of access_token from the previous step to grant permissions to TargetApp:
  - Get the SiteId of the SharePoint Online site by visiting your site URL (for example, https://<tenant>.sharepoint.com/sites/{SiteName}) in a browser. You need to log in to the site by providing valid credentials to access the site.
  - Edit the URL in the browser address bar to append /_api/site/id at the end of {SiteName} to get the SiteId. You need this SiteId in the next step.
- Create another POST request in Postman using the URL https://graph.microsoft.com/v1.0/sites/{SiteId}/permissions. Replace {SiteId} in the URL of the request with the SiteId from the previous step. You can repeat this step for each site you want to include in the Amazon Q Business SharePoint Online connector.
- Choose Bearer Token for Type on the Authorization tab.
- Enter the value of access_token from earlier for Token.
- For the payload, select raw and enter the following JSON code (replace the <...> and <...> values):
- Choose Send to complete the process of granting SharePoint Online sites access to the TargetApp Azure AD application.
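The token request and site grant from the Postman steps above, as an added Python example that is not from the post. The tenant ID, application IDs, site ID and roles are placeholders you supply; the grant body follows Microsoft Graph's documented site-permission schema (the post's own payload is not reproduced on this page); and the pluggable post argument exists only so the calls can be exercised without network access. The roles check is an added least-privilege guard: it refuses to hand TargetApp anything beyond read or write on a site.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Roles this script is willing to grant to the Sites.Selected app. Keeping "fullcontrol"
# out of the set is the least-privilege guard; crawling and indexing only needs "read".
ALLOWED_ROLES = {"read", "write"}


def _http_post(url, body, headers):
    """Default transport: POST raw bytes and return the raw response body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token call for AdminApp (URL and form body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "scope": f"{GRAPH}/.default"}
    return url, urllib.parse.urlencode(form).encode()

def get_access_token(tenant_id, client_id, client_secret, post=_http_post):
    """Exchange AdminApp's credentials for the bearer token used in the grant call."""
    url, body = token_request(tenant_id, client_id, client_secret)
    raw = post(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    return json.loads(raw)["access_token"]

def permission_grant(app_id, display_name, roles):
    """Body for POST /v1.0/sites/{SiteId}/permissions (Graph's documented schema)."""
    too_broad = set(roles) - ALLOWED_ROLES
    if too_broad:
        raise ValueError(f"refusing roles outside the least-privilege set: {sorted(too_broad)}")
    return {"roles": sorted(set(roles)),
            "grantedToIdentities": [{"application": {"id": app_id,
                                                     "displayName": display_name}}]}

def grant_site(site_id, access_token, app_id, display_name="TargetApp",
               roles=("read",), post=_http_post):
    """Grant TargetApp the given roles on one site; returns Graph's permission object."""
    body = json.dumps(permission_grant(app_id, display_name, roles)).encode()
    raw = post(f"{GRAPH}/v1.0/sites/{site_id}/permissions", body,
               {"Authorization": f"Bearer {access_token}",
                "Content-Type": "application/json"})
    return json.loads(raw)
```

Call get_access_token with the AdminApp values and then grant_site once per SiteId; the returned permission object's id is what you would later pass to Graph to revoke the grant.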
Configure the Amazon Q Business SharePoint Online connector
Complete the following steps to configure the Amazon Q Business application's SharePoint Online connector:
- On the Amazon Q Business console, choose Add Data source.
- Search for and choose SharePoint.
- Give it a name and description (optional).
- Choose SharePoint Online for Hosting method under Source settings.
- For Site URLs specific to your SharePoint repository, provide the full URL for the SharePoint site that you want to include in crawling and indexing.
- If the full URL of the site is https://<domain>.sharepoint.com/sites/anycompany, use <domain> as the value for Domain.
- Choose OAuth 2.0 authentication for Authentication method.
- Provide the value of TenantId for TenantId.
The SharePoint connector needs credentials to connect to the SharePoint Online site using the Microsoft Graph API. To facilitate this, create a new Secrets Manager secret. These credentials will not be used in any access logs for the SharePoint Online site.
- Choose Create and add a new secret.
- Enter a name for the secret.
- Enter the user name and password of a SiteCollection administrator on the sites included in the Amazon Q repository.
- Enter the client ID and client secret that you obtained from registering TargetApp in the earlier steps.
- Choose Save.
- Choose Create a new service role to create an IAM role, and enter a name for the role.
- For Sync scope, choose Select entities and choose All (or specify the combination of items to sync).
- Choose a sync option based on your needs (on demand or at a frequency of your choice). For this post, we choose on-demand.
- Choose Add data source.
- After the data source is created, choose Sync now to start the crawling and indexing.
Test the solution
To test the solution, you can add users and groups, assign subscriptions, and test user and group access within your Amazon Q Business application.
Clean up
If you're only experimenting using the steps in this post, delete your application from the Azure Portal and delete the Amazon Q application from the Amazon Q console to avoid incurring costs.
Conclusion
In this post, we discussed how to configure the Amazon Q Business SharePoint Online connector using least privilege access controls that work with site-level least privileges to crawl and index SharePoint Online site content securely. We also demonstrated how to retain and apply ACLs while responding to user conversations.
Organizations can now use their existing SharePoint Online data to gain better insights, generate summaries, and get answers to natural language queries in a conversational way using Amazon Q Business. By connecting SharePoint Online as a data source, employees can interact with the organization's knowledge and data stored in SharePoint using natural language, making it simple to find relevant information, extract key points, and derive valuable insights. This can significantly improve productivity, decision-making, and knowledge sharing within the organization.
Try out the solution in this post, and leave your feedback and questions in the comments section.
About the Authors
Surendar Gajavelli is a Sr. Solutions Architect based out of Nashville, TN. He is a passionate technology enthusiast who enjoys working with customers and helping them build innovative solutions.
Abhi Patlolla is a Sr. Solutions Architect based out of the NYC region, helping customers in their cloud transformation, AI/ML, and data initiatives. He is a strategic and technical leader, advising executives and engineers on cloud strategies to foster innovation and positive impact.