File Search - Sharepoint Online Access Requirements (Limited Preview)

Sharepoint Access (per-Site basis)

1. Share a list of sites or document libraries

Files can be ingested in two ways. Please share a list of sites or libraries for ingestion in the following formats:

  1. Ingesting an entire site: e.g. https://<tenant_name>.sharepoint.com/sites/<site_name>
  2. Ingesting a document library / folder: e.g. https://<tenant_name>.sharepoint.com/sites/<site_name>/<name_of_document_library>

Once sites and libraries have been selected, the following steps will allow Moveworks to be granted read access to the specific site(s) or Document Libraries that need to be ingested.

2. Provide Sharepoint per-Site Access

You will need an Azure app (Microsoft App ID) to assign the access. If you are also deploying Moveworks to Microsoft Teams, the same app can be used.

Note: In order to add this permission appropriately, you must be an administrator of both the Azure App and the SharePoint Site.

  1. Run the PowerShell commands below to set SiteOwnerManageLegacyServicePrincipalEnabled to true.
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
    Update-Module -Name Microsoft.Online.SharePoint.PowerShell # Make sure the module is on version 16.0.23710.12000 or later
    Connect-SPOService -Url https://<domain>-admin.sharepoint.com # Replace domain with your SharePoint domain
    Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
  2. For each sub-site the bot should have access to, navigate to: https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appinv.aspx.
  3. Enter the App ID of the app you created in Azure and click the Lookup button; the Title field should auto-populate.
  4. For App Domain, and RedirectURL, enter localhost as shown in the image below.
  5. Enter the following XML as Permission Requests — this grants Read Only access to the specific sub site.
    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    </AppPermissionRequests>
  6. After clicking Create, you will be prompted to authenticate and confirm the install. Select Trust.
  7. You will need to do this for each sub site the bot should have access to, and provide the list of sites you have authorized to your Moveworks Customer Success team.
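The following script is an added example (not part of the Moveworks documentation) that runs the pre-flight checks a SharePoint admin would want before step 2: it confirms the module version, reads the tenant flag before changing it, and verifies that each site on the ingestion list exists. It assumes the SharePoint Online Management Shell is installed and that the placeholder values for $AdminUrl and $SiteUrls are replaced with your tenant's.

```powershell
# Added example: pre-flight checks for the per-site access procedure above.
# $AdminUrl and $SiteUrls are placeholders; replace them with your own values.
$AdminUrl   = "https://<domain>-admin.sharepoint.com"
$SiteUrls   = @("https://<tenant_name>.sharepoint.com/sites/<site_name>")
$MinVersion = [version]"16.0.23710.12000"   # minimum version named in the docs

# 1. The tenant property is only available in module builds at or above the documented version.
$mod = Get-InstalledModule -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
if ([version]$mod.Version -lt $MinVersion) {
    throw "Module $($mod.Version) is older than $MinVersion; run Update-Module first."
}

Connect-SPOService -Url $AdminUrl

# 2. Read the tenant flag before touching it, so the change is deliberate (and only made once).
$tenant = Get-SPOTenant
if (-not $tenant.SiteOwnerManageLegacyServicePrincipalEnabled) {
    Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled is false; enabling it."
    Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
} else {
    Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled is already true; nothing to change."
}

# 3. Confirm each site on the ingestion list resolves, and print the appinv.aspx page
#    the site admin opens next. The grant itself is still performed in the browser.
foreach ($url in $SiteUrls) {
    $site = Get-SPOSite -Identity $url -ErrorAction Stop
    "{0} (owner: {1}) -> {0}/_layouts/15/appinv.aspx" -f $site.Url, $site.Owner
}
```

Because the script only scopes access per site, an entry that fails the Get-SPOSite lookup is worth resolving before granting anything, since the app will otherwise be trusted on a URL nobody intended.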

Validating Moveworks Access to the site

Note: At any point in the future, a SharePoint Site Admin can visit https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appprincipals.aspx to check whether Moveworks has access to the site.

If the permissions were granted correctly, you should see the Azure app listed like this.

FAQ

Q: I am seeing the following error:

A: Recently, Microsoft implemented some enhanced security settings for better governance of the SharePoint platform (details here). If you see the error above, run the PowerShell commands below to resolve the issue and properly grant permissions to SharePoint:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
Update-Module -Name Microsoft.Online.SharePoint.PowerShell # Make sure the module is on version 16.0.23710.12000 or later
Connect-SPOService -Url https://<domain>-admin.sharepoint.com # Replace domain with your SharePoint domain
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

Once the commands above have been run and the SiteOwnerManageLegacyServicePrincipalEnabled property is set to true, your SharePoint admin can proceed with the steps outlined above.

3. Grant the Moveworks bot the scopes required to read permissions data

Respecting your SharePoint Online tenant’s access controls is part of the File Search feature. You must grant your Moveworks bot Azure application the following four Microsoft Graph application permissions for it to support this:

  1. Files.Read.All
  2. Sites.Read.All
  3. Group.Read.All
  4. User.Read.All

There are three different ways to do this depending on how your Moveworks bot is deployed:

If you are using the Microsoft AppSource Moveworks Teams Bot

  1. Navigate to the following URL, replacing <CUSTOMER_TENANT_ID> with the ID of the tenant to which you have installed the app, and click Accept:
    https://login.microsoftonline.com/<CUSTOMER_TENANT_ID>/adminconsent?client_id=b8ec4e1a-e05a-49d0-ba3a-05119b8b62c0&state=12345&redirect_uri=https://www.moveworks.com/msteamsd

If you are NOT using the Microsoft AppSource Moveworks Teams Bot and you ALREADY have a Moveworks Azure application

  1. Go to your Microsoft Azure portal, and select Enterprise applications.

  2. Search for the application to which you’ll be granting the new permissions. Note down its Application ID (aka App Id).

  3. Navigate to this URL, replacing the end of the URL with your App Id: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/CallAnAPI/appId/{Application ID}

  4. This will bring you to the API Permissions page for that application. You may already see some permissions configured for this application, some of which may already be ones we need. In the image below, however, you’ll see this app only has User.Read, and that is not one of the four permissions we need, so we need to add all four.

  5. Click Add Permission.

  6. This will open a panel on the right side:

  7. Click Microsoft Graph.

  8. Click Application permissions.

  9. A search bar will appear.

  10. Search for the permissions you need to grant (noted above) and check the box for each.

  11. Once they’ve all been checked, click Add permissions.

  12. You’ll now see all the newly added permissions alongside any you previously granted the app; however, the new ones will have a status of “Not granted for” your organization.

  13. To complete the process, click Grant admin consent for your organization.

  14. If this panel appears, click Yes, add other granted permissions to configured permissions, then Save and continue, then Grant admin consent, and finally Yes.

  15. You will see green checkmarks on the newly added permissions if this was successful.

If you are NOT using the Microsoft AppSource Moveworks Teams Bot and you DO NOT ALREADY have a Moveworks Azure application

  1. Follow this guide, completing all the steps up through and including “Provide the Credentials to the Moveworks Customer Success team” (but skipping the “Verify Azure Manifest” step).
    1. As you do this, when you reach the step titled “Add API Permissions” also add and grant consent for the permissions noted above (Files.Read.All, Sites.Read.All, Group.Read.All, User.Read.All).
    2. You will not need to worry about connecting this to Teams, so please disregard references to doing so.
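Whichever of the three paths above you used, the consented permissions can be audited from the tenant side. The script below is an added example (not Moveworks code) that lists the Microsoft Graph application permissions actually granted to the bot's service principal and compares them against the four documented scopes, flagging both missing ones and any beyond the documented set. It assumes the Microsoft.Graph PowerShell SDK is installed and that $BotAppId is replaced with your application's Application (client) ID.

```powershell
# Added example: audit the Graph application permissions consented for the bot app.
# $BotAppId is a placeholder; the Graph app ID is Microsoft's well-known constant.
$BotAppId   = "<APPLICATION_ID>"
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$Required   = @("Files.Read.All", "Sites.Read.All", "Group.Read.All", "User.Read.All")

# Reading app role assignments needs Application.Read.All on the signed-in admin.
Connect-MgGraph -Scopes "Application.Read.All"

$bot   = Get-MgServicePrincipal -Filter "appId eq '$BotAppId'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $bot) {
    throw "No service principal for $BotAppId; admin consent has not been granted in this tenant yet."
}

# Application permissions show up as app role assignments whose resource is Microsoft Graph.
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $bot.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id }

# Map each assigned AppRoleId back to its scope name using Graph's own AppRoles catalogue.
$granted = foreach ($a in $assigned) {
    ($graph.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
}

$missing = $Required | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $Required }

"Granted : $($granted -join ', ')"
"Missing : $($missing -join ', ')"
"Beyond the four documented scopes: $($extra -join ', ')"
```

Anything reported under the last line is a permission the File Search feature does not need; reviewing and removing it keeps the bot at the least privilege the feature requires.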