Troubleshoot a SharePoint data source
Use this page to diagnose common issues with SharePoint authentication, data source creation, and syncing. For issues specific to document-level access control, see the troubleshooting table in Document-level access controls.
Data source creation and connection errors
| Symptom | Likely cause | Fix |
|---|---|---|
The data source fails immediately with an error that connectionConfiguration.certificateS3Path must not be null. |
The authType is ENTRA_ID_APP_ONLY but no certificate path was provided. This auth type always requires a certificate, even when ACLs are disabled. |
Add certificateS3Path to connectionConfiguration, pointing to your .p12 certificate in Amazon S3. See Set up Microsoft Entra ID App-Only authentication for SharePoint. |
| Invalid tenant ID. | The tenant ID is malformed or does not match your Microsoft Entra tenant. | Copy the Directory (tenant) ID from the application Overview page in the Microsoft Entra admin center. |
| Invalid client ID, or the application cannot be found. | The clientId in the secret is incorrect, or the app registration does not exist. |
Copy the Application (client) ID from the application Overview page and update the secret. |
| Unable to connect to SharePoint. | One or more credentials are incorrect, or the application is missing required permissions or admin consent. | Verify the secret values, confirm the application permissions, and grant admin consent. See Set up Microsoft Entra ID App-Only authentication for SharePoint. |
| The knowledge base service role cannot read the certificate. | The service role is missing s3:GetObject on the certificate object, or the object is encrypted with a customer managed key the role cannot use. |
Grant s3:GetObject on the certificate, and if the object uses a customer managed KMS key, grant kms:Decrypt on that key. See Step 8: Grant the service role access to the certificate. |
Certificate errors (Microsoft Entra ID App-Only)
| Symptom | Likely cause | Fix |
|---|---|---|
| Certificate password or token-minting errors during sync. | The .p12 password does not match the certificatePassword in the secret. |
Set certificatePassword to the password used to create the .p12 file, or recreate the bundle with a known password. |
| Authentication worked before and now all syncs fail. | The certificate expired, or admin consent was revoked. | Generate a new certificate, upload the public certificate to the Entra app registration, replace the .p12 in Amazon S3, and re-grant admin consent. |
| Sync fails with an error that the certificate could not be loaded as X.509 or PKCS#12 (for example, "Invalid certificate format — failed to load as X.509 or PKCS12"). | Amazon Bedrock could not read the certificate in Amazon S3 with the credentials provided. Common reasons include a missing or blank certificatePassword in the secret, a certificateS3Path that points to the wrong object (for example, a .cer/PEM file or a leftover object), or a certificate that no longer matches the secret. This is more likely after reconfiguring a data source or switching authentication methods. |
Confirm the secret referenced by the data source includes a certificatePassword that matches your .p12 bundle, and that certificateS3Path points to that .p12. If you reconfigured the data source, verify the certificate and secret still correspond, then sync again. |
Rotate the certificate
Rotate the certificate before it expires. An expired certificate causes all syncs to fail. To rotate without interrupting access, upload the new certificate as a separate object and switch the data source to it, so the existing certificate keeps working until you cut over.
-
Generate a new certificate and PKCS#12 (
.p12) bundle, as described in Set up Microsoft Entra ID App-Only authentication for SharePoint. -
In your Entra app registration, under Certificates & secrets, upload the new public certificate. Leave the existing certificate in place — an app registration can hold multiple certificates.
-
Upload the new
.p12bundle to Amazon S3 under a new object key (do not overwrite the existing certificate object). Confirm your knowledge base service role can read the new object. -
Update the data source so that
certificateS3Pathpoints to the new object, and update thecertificatePasswordin your AWS Secrets Manager secret to match the new bundle. Use the UpdateDataSource operation or the AWS Management Console. -
Start a sync and confirm it completes successfully with the new certificate.
-
After the sync succeeds, remove the old certificate from the Entra app registration and delete the old
.p12object from Amazon S3.
OAuth 2.0 authentication errors
| Symptom | Likely cause | Fix |
|---|---|---|
| Sync fails with a message that the REST API token request failed with status 400. | The account requires MFA or Conditional Access, which the resource-owner password credentials flow cannot satisfy; or the secret is missing the userName or password field. |
Confirm the secret includes clientId, clientSecret, userName, and password. If the account enforces MFA or Conditional Access, switch to Set up Microsoft Entra ID App-Only authentication for SharePoint. |
| Sync fails after the account password changed. | The stored password is no longer valid. | Update the password field in the secret. |
Sync errors
| Symptom | Likely cause | Fix |
|---|---|---|
| The sync completes but no documents are indexed. | The application cannot access the configured sites. With Sites.Selected, per-site permissions might not be granted. |
Verify the application permissions and admin consent. If you use Sites.Selected, confirm a per-site grant for each site. See Step 5 (Sites.Selected only): Grant per-site access. |
A newly added site is not crawled (Sites.Selected). |
Per-site grants are not retroactive, so the new site has no grant. | Grant the connector application access to the new site, then sync again. |
| Specific paths return no results. | The path was entered as a browser URL, or the item was moved or renamed in SharePoint. | Use the SharePoint path (not the browser URL), and verify the item still exists at that path. |
Document-level access control issues
ACL misconfigurations do not produce explicit errors during retrieval. Instead, queries return fewer or zero results. For ACL-specific symptoms, verification steps, and fixes, see Document-level access controls.
