## SharePoint integration

Integrating Microsoft SharePoint with Frontegg allows your application to read and manage SharePoint sites, document libraries, lists, and files through the Microsoft Graph API — all via Frontegg's integration layer using Microsoft Entra ID OAuth 2.0.

### Prerequisites

- A Microsoft account with access to the [Azure portal](https://portal.azure.com/)
- A Microsoft Entra ID (Azure AD) tenant where you can register applications
- A SharePoint Online or Microsoft 365 subscription with at least one SharePoint site

### Register an application in Azure

#### Step 1: Open App registrations

Sign in to the [Azure portal](https://portal.azure.com/) and open **App registrations** (you can search for it in the top search bar or open it directly from **Microsoft Entra ID → App registrations**). Click **New registration** at the top of the page.

![App registrations page in Azure portal](/assets/sharepoint-1.26865dec38c7eb812792589b90f6868b9eae5956ab3bcef9dbb9354c1ff345f3.1ce25488.png)

#### Step 2: Register a new application

Fill in the registration form:

1. Enter a name for your application (for example, `Frontegg SharePoint Integration`).
2. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant — Multitenant)** for multi-tenant apps, or **Accounts in this organizational directory only** for a single-tenant app.
3. Under **Redirect URI**, choose **Web** as the platform and enter:

   ```
   https://YOUR_MCP_GATEWAY_URL/integration-callback
   ```

4. Click **Register**.

![New application registration form with name, multitenant account type, Web platform, and redirect URI filled in](/assets/sharepoint-2.1c63ff0b1a2e86f16e3198ecf8c933471679aafd6d97a8c50a7131b83cbd6e02.1ce25488.png)

#### Step 3: Copy the Application (client) ID and Directory (tenant) ID

After registration, you are taken to the application **Overview** page.
Copy both the **Application (client) ID** and the **Directory (tenant) ID** — you will need them when configuring the Frontegg portal.

![Application overview page with Application (client) ID and Directory (tenant) ID highlighted](/assets/sharepoint-3.867dfb7ebf5f8fb7aa91d26aa04335ffa5d3d782f0e2bf4664493afcdab6ea2e.1ce25488.png)

### Create a client secret

#### Step 4: Open Certificates & secrets

In the left sidebar, under **Manage**, click **Certificates & secrets**. On the **Client secrets** tab, click **New client secret**.

![Certificates and secrets page with New client secret button highlighted](/assets/sharepoint-4.ab907878f9538e681103013ca3cab2323b1220531c0d36d8e009e2dd520277da.1ce25488.png)

#### Step 5: Add a description and expiry

In the **Add a client secret** panel, enter a description (for example, `Frontegg Integration`) and choose an expiry period. Click **Add**.

![Add a client secret panel with description field filled in and Add button highlighted](/assets/sharepoint-5.39abdd01b065432b8f48b7cf500cd2d59821d6dcbd5ef29ab181d2c6a24a9658.1ce25488.png)

#### Step 6: Copy the client secret value

The new secret appears in the list. Copy the **Value** immediately — it is only shown once. After you navigate away, you cannot retrieve it again.

**Save your Client Secret now**

The Client Secret value is only displayed once. After you leave this page, you can only see the secret ID — not the value. Store the value securely before continuing.

![Client secret list showing the new secret with value blurred and highlighted](/assets/sharepoint-6.0d9d2c923cad369150124152610bade845ac6c3cd635f8d6af1364fc16f0dd8b.1ce25488.png)

### Configure API permissions

#### Step 7: Open API permissions

In the left sidebar, click **API permissions**, then click **Add a permission**.

![API permissions page with Add a permission button highlighted](/assets/sharepoint-7.21ad2b871ef5ea4856ac2afac688a4173527453929f8adfa18867fe1bcfe0456.1ce25488.png)

#### Step 8: Select Microsoft Graph

In the **Request API permissions** panel, click **Microsoft Graph**. Frontegg accesses SharePoint through Microsoft Graph — do not use the legacy **SharePoint** API entry.

![Request API permissions panel with Microsoft Graph highlighted](/assets/sharepoint-8.c91de07e26e81580a8009d14b21edcdf9a21f72944d3a3c527cf466fd1085962.1ce25488.png)

#### Step 9: Select delegated permissions

Click **Delegated permissions**. Use the search box or expand the **Sites** and **Files** groups, then select the scopes your application requires.

Select the following scopes:

| Scope | Description |
| --- | --- |
| `offline_access` | Maintain access to data the user has granted (issues refresh tokens) |
| `Sites.Read.All` | Read items in all site collections |
| `Sites.ReadWrite.All` | Read and write items in all site collections |
| `Sites.Manage.All` | Create, edit, and delete items and lists in all site collections |
| `Sites.FullControl.All` | Full control of all site collections (admin consent required) |
| `Files.Read.All` | Read all files the signed-in user can access |
| `Files.ReadWrite.All` | Read, write, and delete all files the signed-in user can access |

Click **Add permissions**.

**Minimum required scopes**

For basic read access to SharePoint sites and files, you only need `Sites.Read.All`, `Files.Read.All`, and `offline_access`. Add the `ReadWrite` and `Manage` scopes only if your application needs to create or modify content. `Sites.FullControl.All` is required only for managing site permissions and requires an Entra ID admin to grant tenant-wide consent.

![Delegated permissions list with selected SharePoint scopes](/assets/sharepoint-9.45927db03f45f93b97a76cd05f3df5aa6e22e6ee4c1166fb69264f16d0220074.1ce25488.png)

#### Step 10: Verify configured permissions

After adding permissions, the **API permissions** page lists all configured permissions under **Microsoft Graph**. The `Sites.FullControl.All` permission shows **Admin consent required: Yes** — an Entra ID admin must click **Grant admin consent for {tenant}** before users can complete the OAuth flow with that scope.

![API permissions page showing all configured Microsoft Graph permissions](/assets/sharepoint-10.a697accbc15bbfd1829aa3e202093e3a0cac7960929a3355d0c74aa26d0de1e1.1ce25488.png)

### Configure the Frontegg portal

Once you have your **Client ID**, **Client Secret**, and **Directory (tenant) ID**, enter them in the Frontegg portal:

1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → SharePoint.
2. Enter the **Client ID** and **Client Secret** in the corresponding fields.
3. Optionally, enter the **Directory (tenant) ID**. Leave blank or set to `common` for multi-tenant applications; use a tenant GUID or domain for single-tenant applications.
4. Select the required **scopes**.
5. Click **Save**.

**Keep your credentials secure**

Never share or commit your Client Secret to version control.

### Additional resources

- [Microsoft Graph SharePoint API reference](https://learn.microsoft.com/graph/api/resources/sharepoint)
- [Microsoft Graph permissions reference](https://learn.microsoft.com/graph/permissions-reference)
- [Azure portal](https://portal.azure.com/)
- [Microsoft identity platform and OAuth 2.0](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow)
- [How to get your Redirect URL](/agen-for-work/connectors/redirect-url)
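
The values collected in the steps above (tenant ID, client ID, redirect URI, scopes) can be checked before they are entered in the portal. The following Python is an added example, not Frontegg's or Microsoft's code: it audits a scope selection against the minimum read-only set, normalizes the tenant value, and builds the authorization request of the Microsoft identity platform v2.0 authorization code flow linked above. Function names and sample values are assumptions, and how Frontegg itself constructs the request is not shown on this page.

```python
import re
from urllib.parse import urlencode, urlparse

# Scope tiers from the table and the "Minimum required scopes" note on this page.
MINIMUM = {"offline_access", "Sites.Read.All", "Files.Read.All"}
WRITE = {"Sites.ReadWrite.All", "Sites.Manage.All", "Files.ReadWrite.All"}
ADMIN_CONSENT = {"Sites.FullControl.All"}

GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def normalize_tenant(tenant):
    """Blank or 'common' selects multi-tenant; otherwise require a GUID or domain."""
    tenant = (tenant or "").strip().lower()
    if tenant in ("", "common"):
        return "common"
    if GUID_RE.fullmatch(tenant) or DOMAIN_RE.fullmatch(tenant):
        return tenant
    raise ValueError(f"not a tenant GUID or domain: {tenant!r}")


def audit_scopes(scopes):
    """Classify a scope selection against the minimum read-only set."""
    chosen = set(scopes)
    return {
        "missing_minimum": sorted(MINIMUM - chosen),
        "write_access": sorted(chosen & WRITE),
        "needs_admin_consent": sorted(chosen & ADMIN_CONSENT),
        "not_on_page": sorted(chosen - MINIMUM - WRITE - ADMIN_CONSENT),
    }


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Build a v2.0 authorization-code request from the registration values."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or parsed.path != "/integration-callback":
        raise ValueError("redirect URI must be https://<gateway>/integration-callback")
    # The client secret is never part of this browser-visible request;
    # it is only presented server-side at the token endpoint.
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return (f"https://login.microsoftonline.com/{normalize_tenant(tenant)}"
            f"/oauth2/v2.0/authorize?{query}")
```

A non-empty `write_access` or `needs_admin_consent` result is the prompt to confirm that the application really creates or modifies content, or manages site permissions, before those scopes are saved.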