View a markdown version of this page

Connect a SharePoint data source - Amazon Bedrock
Create the data sourceConnector parametersChange the authentication methodNext steps

Connect a SharePoint data source

After you set up authentication and store your credentials in an AWS Secrets Manager secret, create the SharePoint data source in your knowledge base. This page describes how to create the data source with the AWS Management Console or the API, followed by a reference for the connector parameters you can configure.

Note

Complete authentication setup first. See Set up Microsoft Entra ID App-Only authentication for SharePoint (recommended) or Set up OAuth 2.0 authentication for SharePoint. You need the secret ARN, your tenant ID, and (for Microsoft Entra ID App-Only authentication) the Amazon S3 location of your certificate.

Create the data source

Console
To connect SharePoint to your managed knowledge base

  1. Under Data source, provide a name for your data source.

  2. Select SharePoint from the data source dropdown.

  3. Under Source, enter your Site URLs. Each URL must start with https:// and point to a site, team site, or personal site (for example, https://contoso.sharepoint.com/sites/engineering). You can add up to 100 URLs.

  4. Under Authentication, select Microsoft Entra ID App-Only or OAuth 2.0 authentication.

  5. Select or create an AWS Secrets Manager secret to store your credentials.

  6. Enter your Tenant ID.

  7. If you selected Microsoft Entra ID App-Only authentication, provide the Certificate path — the Amazon S3 path to your .p12 certificate file.

  8. (Optional) To enable document-level access control, select Control document access with ACLs. This option is available only with Microsoft Entra ID App-Only authentication and cannot be changed after creation. For details, see Document-level access controls.

  9. (Optional) Expand Sync scope to configure which content to crawl (files, pages).

  10. (Optional) Expand Date based entity syncing to specify date filters.

  11. (Optional) Expand Item path pattern to add specific paths to filter the items to be crawled.

API

To create a SharePoint data source, send a CreateDataSource request with an Agents for Amazon Bedrock build-time endpoint. The following AWS Command Line Interface example creates a data source that uses Microsoft Entra ID App-Only authentication. To enable document-level access control, set aclEnabled to true. For a description of each field, see the connector parameters reference that follows.

aws bedrock-agent create-data-source \
 --name "SharePoint-connector" \
 --knowledge-base-id "your-knowledge-base-id" \
 --data-source-configuration file://sharepoint-managed-connector.json

The sharepoint-managed-connector.json file contains the following:

{
    "type": "MANAGED_KNOWLEDGE_BASE_CONNECTOR",
    "managedKnowledgeBaseConnectorConfiguration": {
        "connectorParameters": {
            "type": "SHAREPOINT",
            "version": "1",
            "aclEnabled": false,
            "connectionConfiguration": {
                "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:bedrock-sharepoint-creds",
                "tenantId": "12345678-1234-1234-1234-123456789012",
                "authType": "ENTRA_ID_APP_ONLY",
                "certificateS3Path": {
                    "s3BucketName": "your-certificate-bucket",
                    "s3KeyName": "certs/certificate.p12"
                }
            },
            "dataEntityConfiguration": {
                "crawlFiles": true,
                "crawlPages": true,
                "siteUrls": [
                    "https://contoso.sharepoint.com/sites/engineering"
                ]
            }
        }
    }
}

For an OAUTH2_APP data source, set authType to OAUTH2_APP and omit certificateS3Path.

For managed knowledge bases, CreateDataSource is asynchronous: the data source status transitions from CREATING to AVAILABLE when the operation completes.

Connector parameters

The data source configuration uses the following connector parameters. To connect to SharePoint, specify SHAREPOINT as the connector type in connectorParameters. For the fields that wrap connectorParameters (such as deletionProtectionConfiguration and mediaExtractionConfiguration), see Connect a data source.

connectionConfiguration
Field Required Description
secretArn Yes The ARN of the AWS Secrets Manager secret containing your SharePoint credentials.
tenantId Yes The Microsoft Entra (Azure AD) tenant ID.
authType Yes The authentication type: ENTRA_ID_APP_ONLY (recommended) or OAUTH2_APP. See Authentication methods.
certificateS3Path Conditional Required for ENTRA_ID_APP_ONLY authentication, even when ACLs are disabled. Contains s3BucketName and s3KeyName for the certificate file in Amazon S3. Not used with OAUTH2_APP.
dataEntityConfiguration
Field Required Description
siteUrls Yes List of SharePoint site URLs to crawl. Each URL is a crawl entry point and must start with https:// and point to a site, team site, or personal site — the path must begin with /sites/, /teams/, or /personal/ followed by the site name (for example, https://contoso.sharepoint.com/sites/engineering). Standard *.sharepoint.com domains and custom (vanity) domains are both supported. Within each site, the connector crawls files and pages (see crawlFiles and crawlPages); to target specific items, use inclusionItemPaths.
crawlFiles No Whether to crawl files. Defaults to true.
crawlPages No Whether to crawl pages. Defaults to true.
filterConfiguration (optional)
Field Required Description
modifiedDateBefore No Only include content modified before this date (ISO 8601).
modifiedDateAfter No Only include content modified after this date (ISO 8601).
inclusionItemPaths No Specific item paths to include. When you provide inclusionItemPaths, the connector crawls those items and does not validate siteUrls.
aclEnabled (optional)
Field Required Description
aclEnabled No Set to true to enable document-level access control. Requires ENTRA_ID_APP_ONLY authentication. You cannot change this setting after you create the data source. For details, see Document-level access controls.

Change the authentication method

You can change a data source's authentication method (for example, from OAuth 2.0 to Microsoft Entra ID App-Only) by updating the data source with the new authType and credentials, using the UpdateDataSource operation or the AWS Management Console. The document-level access control setting is fixed when you create a data source, so to add or remove ACLs you must create a new data source.

Next steps

After you create the data source, sync it to ingest content into your knowledge base. For details, see Sync a data source. To filter query results by user permissions, see Document-level access controls.