Documentation
DocumentationDeveloperAcademyCommunitySupportLogin
Start typing to search…

SharePoint Online and OneDrive Setup for Enterprise Search


ℹ️

This page is for the Sharepoint OneDrive NG (Next Gen) connector for SharePoint Online and OneDrive.

Currently, the new enterprise search configuration experience is only available for SharePoint Online. For SharePoint Server(On-Prem), please reach out to your customer success team.

System Overview

Microsoft 365’s SharePoint Online is your organization’s hub for sites, pages, and document libraries. From an enterprise-search perspective, it’s a primary repository of institutional knowledge and files that can be indexed to make content easily discoverable across the organization with permissions intact.

OneDrive for Business is each user’s personal file store connected to their organization account, where they can store, access, and sync their individual work files across multiple devices. It is private by default, and files are only accessible to others if the user explicitly chooses to share them.

Moveworks supports both - indexing content from SharePoint sites ensuring users can search pages and documents which they are authorized to view as well as live search over SharePoint Online sites that the user has access to serve content beyond ingestion limits.

OneDrive is currently only supported via live search (with user consent); Moveworks does not index OneDrive data.


Authentication

Authentication is accomplished by creating and registering an Azure App Registration for each of the following approaches.

  • Indexing (SharePoint Online only)
    • Uses app-only access with certificate-based OAuth (JWT bearer) through an Azure App Registration.
    • You upload the cert’s public half to the app, compute the x5t (SHA-256) thumbprint, and provide the private key (PEM) to Moveworks.
    • Recommended permission model: Sites.Read.All
      • Enables full discovery, All Sites/All except selected options in Content Selection, and near-real-time incremental ingestion (webhook-driven).
    • Lesser-privilege alternative: Sites.Selected. Choose only if your security policy strictly requires it.
      • Extra admin steps required: you must grant site-specific access to the app for every site to be indexed and ensure the app can resolve site group visibility for all groups within each permissioned site (so ACLs can be read).
      • Content Selection UI impact: All Sites and All except selected are not available; you can only choose Only selected sites.
      • Ingestion frequency impact: Webhooks are not available; ingestions will run on a daily schedule (not the typical ~15-minute incremental SLA).
  • Live Search (SharePoint Online & OneDrive)
    • Uses delegated OAuth with a separate Azure App Registration and client secret.
    • End users sign in and consent the first time; Moveworks then searches only the files they can access in SharePoint and OneDrive.
    • No enterprise-wide indexing of OneDrive content occurs.

A single unified connector in Moveworks collects both sets of credentials—one block for Indexing (certificate/JWT) and another for Live Search (delegated).

Permissions Enforcement

Moveworks honors native Microsoft 365 ACLs at all times.

  • Indexing: Item- and site-level permissions (including group membership) are captured and enforced at query time—users only see results they’re allowed to view.
  • Live Search: Results are retrieved on behalf of the signed-in user using their delegated token, so source-system permissions are inherently enforced.

API Usage

  • Moveworks uses the standard Graph API v1.0 and SharePoint REST API to fetch data from SharePoint Online and OneDrive. We use application permissions with admin-granted access for indexing content and delegated permissions for live search.

Content Types

Indexing (SharePoint Online)

  • Pages (modern site pages, classic wiki pages and classic publishing pages).
  • Documents stored in SharePoint document libraries (including common attachments).
  • Supported file formats: doc, docx, pdf, ppt, pptx, txt, html, aspx(pages)

Live Search (SharePoint Online & OneDrive)

  • On-demand results from the signed-in user’s accessible SharePoint sites/libraries and their OneDrive files/folders. It includes Pages, Documents, Lists etc.
  • Not indexed into the enterprise corpus; fetched at query time after user consent.

Coverage & Freshness

Moveworks delivers comprehensive coverage—content, metadata, identity, and permissions—and uses incremental updates for indexed content.

  • With Sites.Read.All and Files.Read.All, webhooks allow near-real-time incremental updates.
  • With Sites.Selected, updates are performed on a daily schedule due to the webhook limitations.

Access Requirements

Pre-requisites

Before you get started, make sure you have everything you need:

  • Admin roles
    • Global Admin permissions to create App registrations, upload certificates, and grant admin consent.
    • SharePoint Admin permissions to identify your tenant domain(s) and (if using Sites.Selected) grant per-site permissions.
  • Environment details
    • Your SharePoint tenant domain(s), e.g., contoso (and contoso-eu, contoso-apc if applicable).
    • Cloud environment: Commercial or GOV L4.
  • Tools (recommended)
    • PowerShell (Windows) with certificate cmdlets, or OpenSSL (macOS/Linux/Windows).
      • Openssl is installed by default on OS X terminals
    • PnP PowerShell if you’ll grant Sites.Selected per-site access via cmdlets.

Understanding Permissions Scopes required for Enterprise Search


Instructions for SharePoint Indexing -App-only with certificate/JWT

1. Register a new App

  1. Sign in to the Azure portal.

  2. Select Microsoft Entra ID > Manage > App registrations > New registration.

  3. On the Register an application page, register an app with the following details

    FieldValue
    NameMoveworks
    Supported account typesAccounts in this organizational directory only (Single tenant)
    Redirect URILeave this field empty

  4. From the overview page, note down the following values:

    1. Directory (tenant) ID
    2. Application (client) ID

2. Add Application API permissions & grant Admin consent

  1. Open the App Registration you created above and click on Manage > API Permissions.

  2. Click Add a permission.

  3. This will open a panel on the right side:


  4. Select Microsoft Graph.

  5. Choose Application permissions :


  6. A search bar will appear:


  7. Search for the permissions you need to grant(noted above) and check the box for each:


  8. Once they’ve all been checked, click Add permissions

  9. Repeat the steps again by clicking on Add a permission button and selecting SharePoint.


  10. Similar to the previous steps, select Application permissions.



  12. You’ll now see all the newly added permissions will have a status of “Not granted for” your organization.

  13. To complete the process, click Grant admin consent for your organization

  14. If this panel appears, click Yes, add other granted permissions to configured permissions then Save and continue, then Grant admin consent, and then Yes.

  15. You will see green checkmarks on the newly added permissions if this was successful.




3. Generate a self-signed certificate and private key

You need:

  • Public certificate (.cer) — upload to the app.
  • Private key (privateKey.pem) — uploaded later in Moveworks.

Windows (PowerShell)

  1. Create a 2048-bit RSA, SHA-256 self-signed cert (exportable) with 2-year validity (replace the CertStoreLocation with your desired location) 
    $cert = New-SelfSignedCertificate `
  -Subject "CN=Moveworks" `
  -CertStoreLocation "C:\path\to\your\folder" `
  -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
  -KeyExportPolicy Exportable -KeySpec Signature `
  -NotAfter (Get-Date).AddYears(2)

  2. Export the .pfx (choose a password) and .cer 
    $pwd = Read-Host -AsSecureString "Enter PFX password"
Export-PfxCertificate -Cert "C:\path\to\your\file\$($cert.Thumbprint)" `
  -FilePath ".\Moveworks.pfx" -Password $pwd
Export-Certificate -Cert "C:\path\to\your\file\$($cert.Thumbprint)" `
  -FilePath ".\certificate.cer"

  3. Export the private key (PEM) from Moveworks.pfx 
    openssl pkcs12 -in "C:\path\to\your\file\Moveworks.pfx" -nocerts -nodes -out "C:\path\to\output\file\privateKey.pem"

macOS/Linux (OpenSSL)

  1. Generate Private key + self-signed cert with 2 years validity 
    openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout privateKey.pem -out certificate.cer \
  -days 730 -subj "/CN=Moveworks"

Verify that both certificate.cer and privateKey.pem are generated successfully in the desired location. Open each file, and ensure the files conform to the following formats:

  • The certificate file must start with BEGIN CERTIFICATE and end with END CERTIFICATE
  • The private key should begin with BEGIN PRIVATE KEY and end with END PRIVATE KEY.
    • It must not include RSA in the headers, nor be encrypted.

Store the private key in a safe storage since this will be used later to create the connector in Moveworks


4. Bind the cert to the app

  • Navigate to the App you created above -> Certifications & secrets -> Certificates -> Upload certificate -> upload the certificate.cer file.

5. Compute x5t (SHA-256)

Windows (PowerShell)

$certPath = "path\to\your\certificate.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

$sha256 = [System.Security.Cryptography.HashAlgorithm]::Create("SHA256")
$hash = $sha256.ComputeHash($cert.RawData)

$x5t = [Convert]::ToBase64String($hash) -replace '\+','-' -replace '/','_' -replace '='

Write-Output $x5t

macOS/Linux (OpenSSL)

openssl x509 -in certificate.cer -outform der \
  | openssl dgst -sha256 -binary \
  | openssl base64 -A \
  | tr '+/' '-_' | tr -d '='
  1. Note down the x5t token value from the terminal output




Setup in Moveworks

Connector Creation

  1. Log in to your org's MyMoveworks portal
  2. Navigate to Moveworks Setup > Connectors > Built-in Connectors
  3. Click Create New
  4. Search and Select Sharepoint OneDrive NG (Next Gen)
  5. Click on Next: Add Creds
  6. Input the following details
    1. Connector Name : Name this connector for your future reference. Once set, this name cannot be changed.
    2. Tenant (directory) ID:
    3. Tenant Domains: Enter all the SharePoint tenant domains to ingest data from across the organization, if you have multiple geo-locations configured. Eg: Enter org1 for domain_url org1.sharepoint.com and org2 for domain_url org2.sharepoint.com
    4. Region (optional): Select an option that will be used to establish the base URL. If no selection is made, the default option will be commercial. If GOV L4 is selected .us token url will be created
    5. Application (client) ID:
    6. X.509 Certificate SHA-1/SHA-256 Thumbprint (x5t)
    7. Private Key: Upload the private key as a pem file.
    8. Application (client) ID:
    9. Application Client Secret:
    10. Click Save. This connector will now be used to configure content ingestion from Sharepoint Online and enable live search from OneDrive. Refer to the steps mentioned below.

Configuring SharePoint Online and OneDrive for Enterprise Search

Initialising setup

  1. Log in to your org's MyMoveworks portal
  2. Navigate to Moveworks Setup > Answers > Ingestion > Enterprise Search
  3. Click on Create New or Get Started
  4. Select SharePoint Online & OneDrive from the dropdown list and click on Get Started
  5. You will be redirected to the SharePoint Online & OneDrive ingestion overview page. In the overview page, you will find few info blocks and few configuration blocks.
    1. System Overview: This presents an overview of SharePoint Online & OneDrive support from Moveworks
    2. Ingestion Summary: This provides information on the count of records that has been ingested and serving. The values will appear after the first successful ingestion run.
    3. Connector Selection: In this configuration block, you are required to select the required connector to enable Moveworks to connect and fetch data or enable live search.
    4. Content Selection: In this configuration block, you are required to define the content that should be ingested within Moveworks

Connector selection and validation

  1. Once you click on Select Connector, a connector setup screen will appear as follows

  2. Select the connector (from the dropdown) that you have created in the Connector Creation step.

    📘

    Please note: Only the Sharepoint OneDrive NG (Next Gen) connectors will appear in this list.

  3. Once the connector is selected, you need to click on Start Validation to validate the connector credentials and required scope.

    📘

    Connector Validation

    This is a mandatory step in order to save the configuration and move to the next step.

    Moveworks validates the selected connector to check:

    • Auth: Moveworks validates if the connector has right credentials to authenticate
    • Content: Moveworks validates if connector has right scopes to fetch content
    • Permissions: Moveworks validates if connector has right scopes to fetch user permissions
    • Users: Moveworks validates if connector has right scopes to fetch user data
    • Groups: Moveworks validates if connector has right scopes to fetch user groups data

  4. If the connector is validated successfully, you will see a green info banner as follows.

    1. If there are any credentials or scope issues, you will receive an error message as follows. Click on View Details to identify the issue. Refer to this step-by-troubleshoot guide (link to be added) to rectify any validation errors.

  5. Once the connector is validated successfully, you will be able to Save the configuration.

  6. Input the unique configuration name and Save.

    ℹ️

    At this stage, only the configuration entry is created. Ingestion doesn't start immediately after this step. You need to configure the Content Selection step to complete the journey. Refer to the next section for details.

  7. Once the configuration is saved, you can view the unique configuration name at the top of the screen. You can also click the pencil 🖊️ icon to edit the configuration name.

  8. Additionally, you will start seeing an entry of your configuration in the Enterprise Search home page. You can click on yur configuration to go to edit/ complete the configuration.

Content Selection

Once the connector selection step is complete and the configuration is saved, you will now be required to define the scope of content that will be ingested in Moveworks.

  1. Once you click on Select Content, a content selection screen will appear as follows.

  2. In this screen, you are required to define the Spaces from which Moveworks will ingest content and apply filters (optionally) to filter down the content further.

  3. Space Selection: This is a mandatory configuration. This configuration defines which spaces Moveworks will crawl and ingest content from. As an admin, you get three options

    1. Only selected spaces (Recommended): Moveworks will only ingest content from specified spaces.

      ℹ️

      When to choose this option? Choose this option if you want content to be served only from a subset of spaces that are accessible to the service account. For example - Let's assume, Service Account has access to 15 spaces, but you want content to be served only from 5 spaces, then you choose this method.

      Important Note: The Service Account must have access to the specified spaces in order for Moveworks to crawl all spaces successfully.

      How to configure? Enter comma separated Space Key(s).

    2. All except selected: Moveworks will ingest content all except specified spaces.

      ℹ️

      When to choose this option?

      Choose this option if you want content to be served from all except few spaces. For example - Let's assume, Service Account has access to 60 spaces, but you want content to be served from 58 spaces, then you choose this method and specific the 2 spaces from which Moveworks should not ingest.

      Important Note: The Service Account must have access to the specified spaces in order for Moveworks to crawl all spaces successfully.

      How to configure? Select this option and enter comma separated Space Key(s).

    3. All spaces: Moveworks will ingest content all applicable spaces

      ℹ️

      When to choose this option?

      Choose this option if you want content to be served from spaces that service account has access to. For example - Let's assume, Service Account has access to 20 spaces, and you want content to be served from all 20 spaces, then you choose this method.

      Important Note: The Service Account must have access to the specified spaces in order for Moveworks to crawl all spaces successfully.

      How to configure? Select this option. You are not required to specify the Space Keys in this scenario.

  4. Additional Filters: Use these filters to narrow the content ingestion scope further. Only records matching ALL of the the specified criteria will be included.

    ℹ️

    This is an optional configuration. Moveworks recommend using these filters only if your dataset is very large (i.e. >1million records) so that only relevant content is ingested and served to your employees.

    Currently following filters are supported:

    1. Modified date: Use this filter to include only those content records whose Modified date is after a specified date.
    2. Created date: Use this filter to include only those content records whose Created date is after a specified date.

Save and Start Ingestion

Once Space selection is configured, you have two options:

  • Save: Clicking this will just save the configuration and not initiate the first ingestion crawl. Use this option, if you would want to complete your configuration in multiple sessions/ sittings.

    • Once you click on Save, you will be redirected to the Confluence overview screen

    • You will notice a banner that prompts you to Start Ingestion

    • Once you are satisfied with your configuration, you can click on Start Ingestion

    • A confirmation popup will come that provides a summary of the configuration

    • Click on Confirm

    • After you click on Confirm, ingestion will start shortly.

    • For the first crawl to complete, this generally takes anywhere from few hours to 48 hours depending upon the size of the data.

  • Save and Start Ingestion: Click this option if you have completed and validated your content selection configuration and you are ready to initiate the first ingestion crawl.

    • A confirmation popup will come that provides a summary of the configuration

    • Click on Confirm

    • After you click on Confirm, ingestion will start shortly.

    📘

    Important Note for Admins:

    • It generally takes anywhere from few hours to 48 hours for the first crawl to complete depending upon the size of the data.
    • You can review the status of ingestion via Data Ingestion Viewer and view ingested record in the Ingested File and Ingested Knowledge screens.

Troubleshooting Connector Validation Failures

Updated about 6 hours ago