Overview

The Microsoft SharePoint data store for Gemini Enterprise provides access to your Microsoft SharePoint Online data, allowing you to interact with your documents, lists, and sites.

Supported Microsoft SharePoint versions

The Microsoft SharePoint data store supports the latest cloud version of Microsoft SharePoint Online.

Supported actions

When the Microsoft SharePoint data store is enabled, end users can use natural language commands in Gemini Enterprise to perform the following actions.

| Action | Description |
|---|---|
| Create folder | Creates a new folder in a specified path. |
| Add list | Creates a new structured data list (e.g., tasks, contacts) on the SharePoint site. |

Required permissions

To enable Gemini Enterprise to perform search and data ingestion using the Microsoft SharePoint data store, you need the following permissions:

Microsoft Graph API permissions

The table below outlines the permissions required for each connection mode.

Note: If you enable Actions for either the Federated search or Data ingestion connection mode, also select the permissions listed in the Actions row.

| Connection mode | Scope | Purpose |
|---|---|---|
| Federated search | N/A | No Graph API permissions are required. |
| Data ingestion | GroupMember.Read.All (Federated credentials & OAuth 2.0 refresh token) | Allows the data store to read memberships and basic group properties for all groups without a signed-in user. |
| Data ingestion | User.Read (Federated credentials & OAuth 2.0 refresh token) | Allows the data store to read the profile of signed-in users. It also allows the data store to read basic company information of signed-in users. |
| Data ingestion | User.Read.All (OAuth 2.0 refresh token only) | Allows the data store to read user profiles. |
| Data ingestion | Sites.FullControl.All (Option 1) or Sites.Selected (Option 2) (Federated credentials & OAuth 2.0 refresh token) | Option 1 allows the data store to have full control of all site collections. Option 2 allows the data store to access a subset of site collections. The specific site collections and the permissions granted can be configured in SharePoint Online. |
| Data ingestion | User.Read.All (Option 1) or User.ReadBasic.All (Option 2) (Federated credentials only) | Option 1 allows the data store to read user profiles. Option 2 allows the data store to read a basic set of profile properties of other users in the organization. |
| Actions | Sites.ReadWrite.All (Federated search & Data ingestion) | Allows the data store to edit or delete documents and list items in all site collections on behalf of the signed-in user. |
| Actions | Files.ReadWrite | Allows the data store to read, create, update, and delete the signed-in user's files. |
| Actions | Files.ReadWrite.All | Allows the data store to read, create, update, and delete all files the signed-in user can access. |
| Actions | Sites.Manage.All | Allows the data store to create or delete document libraries and lists in all site collections on behalf of the user. |
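As an added example (not part of this page or of Gemini Enterprise), the following Python encodes the Graph permission table above and audits the scopes granted to an app registration for a chosen connection mode: it reports required scopes that are missing, granted scopes the mode does not need, and places where only the broad Option 1 scope is granted although the narrower Option 2 scope would satisfy the table. The mode keys, the `audit` function and the sample granted-scope list are constructed for this example.

```python
"""Least-privilege audit of an app registration against the Microsoft Graph
permission table on this page (added example, not Google's or Microsoft's code).
Each requirement is a tuple of acceptable scopes ordered narrowest first; any
one of them satisfies it. Option 2 on the page is the narrow choice."""

GRAPH_REQUIREMENTS = {
    "federated_search": [],  # the page lists no Graph permissions for this mode
    "data_ingestion_federated_credentials": [
        ("GroupMember.Read.All",),
        ("User.Read",),
        ("Sites.Selected", "Sites.FullControl.All"),  # Option 2 / Option 1
        ("User.ReadBasic.All", "User.Read.All"),      # Option 2 / Option 1
    ],
    "data_ingestion_oauth_refresh_token": [
        ("GroupMember.Read.All",),
        ("User.Read",),
        ("User.Read.All",),
        ("Sites.Selected", "Sites.FullControl.All"),  # Option 2 / Option 1
    ],
}
# Required in addition only when Actions are enabled, for either connection mode.
GRAPH_ACTIONS = ("Sites.ReadWrite.All", "Files.ReadWrite",
                 "Files.ReadWrite.All", "Sites.Manage.All")


def audit(mode, granted, actions_enabled=False):
    """Return (missing, excess, broad): requirements nothing satisfies, granted
    scopes the mode does not need, and satisfied requirements where only the
    broad Option 1 scope is present although the narrower Option 2 would do."""
    granted = set(granted)
    required = list(GRAPH_REQUIREMENTS[mode])
    if actions_enabled:
        required += [(scope,) for scope in GRAPH_ACTIONS]
    needed, missing, broad = set(), [], []
    for options in required:
        present = [s for s in options if s in granted]  # keeps narrow-first order
        if not present:
            missing.append(" or ".join(options))
            continue
        needed.add(present[0])  # the narrowest granted option is the one in use
        if present[0] != options[0]:
            broad.append(f"{present[0]} (consider {options[0]})")
    return sorted(missing), sorted(granted - needed), sorted(broad)


if __name__ == "__main__":
    # Constructed sample: scopes a tenant admin might find on an app registration
    # used for data ingestion with federated credentials and Actions disabled.
    granted = ["GroupMember.Read.All", "User.Read", "Sites.FullControl.All",
               "Sites.Selected", "User.Read.All", "Sites.Manage.All"]
    for label, items in zip(("missing", "excess", "broad"),
                            audit("data_ingestion_federated_credentials", granted)):
        print(f"{label}: {items or '-'}")
```

The SharePoint API table in the next section can be encoded the same way, with the Delegated and Application variants as separate mode keys.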

Microsoft SharePoint API permissions

The table below outlines the permissions required for each connection mode.

| Connection mode | Scope | Purpose |
|---|---|---|
| Federated search | Sites.Search.All (Delegated) | Allows the data store to run search queries and to read basic site info on behalf of the current signed-in user. Search results are based on the user's permissions instead of the app's permissions. |
| Federated search | AllSites.Read (Option 1, Delegated) | Allows the data store to read documents and list items in all site collections on behalf of the signed-in user. |
| Federated search | Sites.Selected (Option 2, Delegated) | Allows the data store to access a subset of site collections with a signed-in user. The specific site collections and the permissions granted can be configured in SharePoint Online. |
| Data ingestion (Federated credentials) | Sites.FullControl.All (Option 1, Application) | Allows the data store to have full control of all site collections. |
| Data ingestion (Federated credentials) | Sites.Selected (Option 2, Application) | Allows the data store to access a subset of site collections with a signed-in user. The specific site collections and the permissions granted can be configured in SharePoint Online. |
| Data ingestion (OAuth 2.0 refresh token) | AllSites.FullControl (Option 1, Delegated) | Allows the data store to have full control of all site collections on behalf of the signed-in user. |
| Data ingestion (OAuth 2.0 refresh token) | Sites.Selected (Option 2, Delegated) | Allows the data store to access a subset of site collections with a signed-in user. The specific site collections and the permissions granted can be configured in SharePoint Online. |
| Actions | AllSites.Write (Delegated) | Allows the data store to create, read, update, and delete documents and list items in all site collections on behalf of the signed-in user. |

For information on how to add the permissions for Microsoft SharePoint, see Configure Microsoft SharePoint and set the necessary permissions.

Limitations

This section outlines known issues and limitations that may affect your use of the Microsoft SharePoint data store.

  • When creating a new application or adding a data store to an existing one, we recommend adding only one data store with actions belonging to a single connector type, regardless of the connection mode. For example, don't associate two Microsoft SharePoint data stores with enabled actions to the same application.
  • Enforcing a VPC Service Controls perimeter on existing Microsoft SharePoint data stores is not supported. To enforce VPC Service Controls, you must delete and recreate the data stores. For more information on VPC Service Controls and how to use actions after enabling VPC Service Controls, see Secure your app with VPC Service Controls.
  • The Microsoft SharePoint data store is supported only in Global, US, and EU locations.

The following are the limitations for the Microsoft SharePoint federated data store:

  • Search limitations: Search results may vary and are not always comprehensive for all file types. Content in archived or encrypted folders may not be accessible for search. Federated search does not support searching within attachments.
  • Delegated access: Access to shared sites or libraries may require specific permissions not covered by standard user authorization.

What's next