# SharePoint Client OAuth (Single-Tenant)

> Connect SharePoint via a single-tenant Microsoft app with delegated permissions using the StackOne Hub.

Ensure that your Microsoft account has the "[Global Administrator](https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#permissions-based-on-admin-role-and-group-type-in-m365-admin-page)" and "[SharePoint Administrator](https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role)" roles assigned.

You can view and manage user role assignments in your [Microsoft Admin center](https://admin.microsoft.com/Adminportal/Home#/users).

<Info>
  This guide configures a single-tenant SharePoint app for use within your organization only. Users outside your organization cannot connect with this app. No Microsoft Partner Center account or publisher verification is required.
</Info>

If you've been directed to StackOne to integrate with SharePoint using a single-tenant app, the following steps will help you configure a successful integration.

## Create and Configure a New Application

<Steps>
  <Step title="Log in to Microsoft Azure">
    Log in to your [Microsoft Azure](https://portal.azure.com/) portal.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/SJYqWv54Bsiau7aR/images/azure-login.png?fit=max&auto=format&n=SJYqWv54Bsiau7aR&q=85&s=bf9b796e9eed7e6a798112c3108da698" alt="Azure Login Pn" width="494" height="578" data-path="images/azure-login.png" />
    </Frame>
  </Step>

  <Step title="Navigate to App Registrations">
    Go to your [Microsoft Entra admin center](https://entra.microsoft.com/).

    In the left navigation bar, click "Applications" > "App registrations".

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-app-registrations.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=a3c038dd5777dcb7747b6bf3082e4633" alt="Ms Entra App Registrations Pn" width="339" height="865" data-path="images/ms-entra-app-registrations.png" />
    </Frame>
  </Step>

  <Step title="Register a New Application">
    Under ***App Registrations***, click the "+ New registration" button.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-new-app-registration-btn.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=d0a95b7845ff6cc2c1602ff7dc6bad25" alt="Ms Entra New App Registration Btn Pn" width="296" height="196" data-path="images/ms-entra-new-app-registration-btn.png" />
    </Frame>
  </Step>

  <Step title="Configure Application Details">
    Under ***Register an application***, input the following details:

    * Name
    * Supported account types
      * Select "*Accounts in this organizational directory only (Single tenant)*"
    * Redirect URI
      * Select "*Web*"
      * Enter the URI: `https://api.stackone.com/connect/oauth2/sharepoint/callback`

    Once complete, click "Register" to create the new application.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/fmpl9C5NekbO5ijw/images/ms-entra-new-app-sharepoint-private-details.png?fit=max&auto=format&n=fmpl9C5NekbO5ijw&q=85&s=4005bf11aa4d94fcf928761e0a1794b7" alt="Ms Entra Register App Sharepoint Single Tenant" width="979" height="802" data-path="images/ms-entra-new-app-sharepoint-private-details.png" />
    </Frame>
  </Step>

  <Step title="Obtain the App Client ID and Tenant ID">
    After registration, you'll be taken to the application overview page.

    **Copy** <Icon icon="clipboard" color="#333333" /> the following values and store them safely to be used in a later step:

    * Application (client) ID
    * Directory (tenant) ID

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-app-client-id-sharepoint.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=ea4ec84b27bfe0198dcbd1edc3dabe01" alt="Ms Entra App Client Id Sharepoint" width="2736" height="934" data-path="images/ms-entra-app-client-id-sharepoint.png" />
    </Frame>
  </Step>

  <Step title="Obtain the Application Client Secret">
    Under *Client credentials* on the right, click "Add a certificate or secret".

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-app-click-client-secret-.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=48d47da2bc8928a738b886ac0ea20073" alt="Ms Entra App Click Client Secret Pn" width="1283" height="509" data-path="images/ms-entra-app-click-client-secret-.png" />
    </Frame>

    Under *Client secrets*, click the "+ New client secret" button.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-new-app-client-secret-sharepoint.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=78e84bb61182dbffd03f472283fdf913" alt="Ms Entra New App Client Secret Sharepoint Pn" width="888" height="552" data-path="images/ms-entra-new-app-client-secret-sharepoint.png" />
    </Frame>

    Under *Add a client secret*, enter a description and select your desired expiration date for this secret.

    <Info>
      Please keep in mind that a new secret will need to be generated when this one expires.
    </Info>

    Click the "Add" button to proceed.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-new-client-secret-details-sharepoint.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=37055da49b6f1db2f4d2a86b52ce1823" alt="Ms Entra New Client Secret Details Sharepoint Pn" width="1135" height="918" data-path="images/ms-entra-new-client-secret-details-sharepoint.png" />
    </Frame>

    The new client secret will be displayed. **Copy** <Icon icon="clipboard" color="#333333" /> the **Value** and store it safely to be used in a later step.

    <Warning>
      Make sure to copy this value now. It will not be displayed again.
    </Warning>

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-copy-client-secret-value.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=4376044c7d70a48ff5e5c7b2eb452934" alt="Ms Entra Copy Client Secret Value Pn" width="1200" height="271" data-path="images/ms-entra-copy-client-secret-value.png" />
    </Frame>

    Under *Configured permissions*, click the "Add a permission" button.

    Under *Request API permissions*, click "Microsoft Graph".

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-app-api-permissions-microsoft-gro.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=eb9e23ea1f01f8dcae6bb0941b459b66" alt="Ms Entra App Api Permissions Microsoft Gro Pn" width="734" height="475" data-path="images/ms-entra-app-api-permissions-microsoft-gro.png" />
    </Frame>

    The application requires the following **Delegated Permissions**:

    * **Files.Read** - Read user files
    * **Files.Read.All** - Read all files that user can access
    * **Files.ReadWrite** - Read and upload user files
    * **offline\_access** - Maintain access to data you have given it access to
    * **User.Read** - Sign in and read user profile
    * **User.ReadBasic.All** - Read all users' basic profiles

    After selecting all of the listed permissions above, click the "Add permissions" button.
  </Step>

  <Step title="Grant Admin Consent for Permissions">
    All of the added permissions will be listed under *Configured permissions*. Please ensure that all of the permissions above are listed.

    Click the "Grant admin consent" button to approve all of the listed permissions.

    Click the "Yes" button to confirm Admin approval.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/EZ7nWzE-JJzhmP-C/images/ms-entra-confirm-admin-consent-.png?fit=max&auto=format&n=EZ7nWzE-JJzhmP-C&q=85&s=734f429501f74c5ca5e6acd10d332721" alt="Ms Entra Confirm Admin Consent Pn" width="966" height="176" data-path="images/ms-entra-confirm-admin-consent-.png" />
    </Frame>
  </Step>
</Steps>
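
To confirm that a registration still matches the settings above, the audit below compares an exported app against this guide: single-tenant audience, the one redirect URI, secret expiry, and the six delegated scopes. It is an added example, not StackOne or Microsoft code. It assumes the inputs are a Microsoft Graph `application` object and the app's `oauth2PermissionGrant` objects; the sample data is constructed and the 30-day warning window is an arbitrary choice.

```python
from datetime import datetime, timedelta, timezone

# Values taken from this guide.
REDIRECT = "https://api.stackone.com/connect/oauth2/sharepoint/callback"
SCOPES = {"Files.Read", "Files.Read.All", "Files.ReadWrite",
          "offline_access", "User.Read", "User.ReadBasic.All"}

def audit(app, grants, now, warn_days=30):
    """Compare an application object and its oauth2PermissionGrants to the guide."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # single-tenant value
        findings.append(f"not single-tenant: {app.get('signInAudience')}")
    uris = set(app.get("web", {}).get("redirectUris", []))
    if REDIRECT not in uris:
        findings.append("StackOne redirect URI missing")
    findings += [f"unexpected redirect URI: {u}" for u in sorted(uris - {REDIRECT})]
    for cred in app.get("passwordCredentials", []):
        # Graph timestamps are UTC; keep the seconds-precision prefix only.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        if end.replace(tzinfo=timezone.utc) - now < timedelta(days=warn_days):
            findings.append(f"secret '{cred.get('displayName')}' expires {end.date()}")
    granted = set()
    for g in grants:
        if g.get("consentType") == "AllPrincipals":  # tenant-wide admin consent
            granted |= set(g.get("scope", "").split())
    findings += [f"granted beyond the guide: {s}" for s in sorted(granted - SCOPES)]
    findings += [f"admin consent missing: {s}" for s in sorted(SCOPES - granted)]
    return findings

# Constructed sample data, not from a real tenant.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": [REDIRECT, "http://localhost:3000/callback"]},
    "passwordCredentials": [
        {"displayName": "stackone", "endDateTime": "2025-07-10T00:00:00Z"}],
}
SAMPLE_GRANTS = [{
    "consentType": "AllPrincipals",
    "scope": "Files.Read Files.Read.All Files.ReadWrite offline_access "
             "User.Read Sites.FullControl.All",
}]

if __name__ == "__main__":
    for line in audit(SAMPLE_APP, SAMPLE_GRANTS, NOW):
        print(line)
```

An empty result means the registration matches the guide; each finding names the setting that drifted.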

## User consent settings and non-admin connections

Tenant-wide [user consent settings](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent) in Microsoft Entra ID (Identity > Applications > Enterprise apps > Consent and permissions > User consent settings) affect when non-admin users can connect to this single-tenant app without prior admin action.

### When "Let Microsoft manage your consent settings (Recommended)" is selected

This setting applies Microsoft’s managed consent policy. For a **single-tenant, unverified** app (like the one in this guide), non-admin users are often not allowed to grant consent on first use. In practice:

* **Option A:** An org admin connects via OAuth first and completes the consent screen. After that, non-admin users can connect without seeing the consent prompt.
* **Option B:** A non-admin user tries to connect first and is blocked (e.g. "Need admin approval"). An admin then goes to the app’s **Configured permissions** in the [Microsoft Entra admin center](https://entra.microsoft.com/) (Enterprise applications > your app > Permissions) and clicks **Grant admin consent**. After that, the non-admin user can connect successfully on a second attempt.

Granting admin consent only takes effect for the **Enterprise Application** (service principal) that is created when the app is first used in your tenant. If no user had connected yet, that object may not exist, which is why granting consent *before* any user attempt sometimes doesn’t help until after the first (failed) non-admin attempt.

### Allowing non-admins to connect on first attempt

To allow non-admin users to connect on their first attempt without an admin connecting first, change the tenant setting to **"Allow user consent for apps from verified publishers, for selected permissions"**.

That policy explicitly allows user consent for [apps registered in your organization](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent) (single-tenant apps) as well as verified publishers, but only for permissions your org classifies as **low impact**. To avoid prompts for the permissions this app uses (e.g. Files.Read, User.Read, offline\_access), an admin may need to [classify those permissions as low impact](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-permission-classifications) under Consent and permissions > Permission classifications. After that, non-admin users can typically complete the consent flow on first connection.

<Note>
  Changing to "Allow user consent for apps from verified publishers, for selected permissions" is a tenant-wide setting and may allow user consent for other apps registered in your tenant. Evaluate this against your organization’s security policy.
</Note>

## Get your SharePoint Base URL

Your SharePoint base URL follows this format:

```
https://{your-domain}.sharepoint.com
```

You can find this URL by:

1. Opening your Microsoft SharePoint site
2. Copying the base URL from your browser's address bar

<br />

Congratulations, you're all set!

## Available data

This integration has the following [Documents Resources](https://docs.stackone.com/reference/getting-started-with-your-api) available from the provider:

* Drives
* Files
* Folders
