SharePoint Connection Authorizations

This page explains how the SharePoint integration in innoGPT works from a technical standpoint, what data is actually synchronized, and what permission models are available to you for your IT and data protection governance.

💡 Who is this article for? IT admins, data protection officers, and workspace owners who want to set up the SharePoint connection properly or justify it to compliance/security teams.


Overview: Two separate levels

innoGPT’s SharePoint integration deliberately separates two levels that you can adapt independently to your governance requirements:

  1. Operational level – what is actually connected and synchronized

  2. Permission level – which permissions the app technically possesses

This separation is important because it allows you to use standard technical configurations while still strictly limiting, from an operational standpoint, what innoGPT actually sees.


1. Operational Level – What is connected and synchronized?

During setup, your admin selects exactly one folder within a SharePoint site and a document library in the configuration dialog. innoGPT stores only three IDs and synchronizes exclusively from this defined area.

What innoGPT stores

  • Site ID – the ID of the selected SharePoint site

  • Drive ID – the ID of the selected document library

  • Folder ID – the ID of the specific shared folder

Synchronization

  • Delta Sync: hourly delta sync exclusively from the configured folder

  • Scope: other SharePoint sites are never touched, as they are not specified in the configuration

  • Include subfolders: can be enabled or disabled per configuration

ℹ️ Note on Delta Sync: With Delta Sync, only changes made since the last sync are transferred—not the entire folder every time. This keeps load and latency low.
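To make the synchronization behaviour above concrete, here is an added example (not innoGPT's own code) of how a client applies Microsoft Graph delta pages for the one configured folder, including the "Include subfolders" switch and the tombstones that remove files deleted in SharePoint. The folder ID, item IDs and response pages are constructed; a real client fetches the pages with the stored Drive ID and Folder ID and persists the returned deltaLink between hourly runs.

```python
# Added example (not innoGPT's code): applying Microsoft Graph delta pages for
# ONE configured folder, i.e. GET /drives/{driveId}/items/{folderId}/delta.
# The pages below are constructed; a real client would fetch them with the
# stored Drive ID / Folder ID and persist the returned @odata.deltaLink.
from typing import Dict, List

FOLDER_ID = "FOLDER-ROOT-0001"   # constructed stand-in for the stored Folder ID

def apply_delta(pages: List[dict], index: Dict[str, dict], include_subfolders: bool) -> dict:
    """Apply one delta run to `index` (item id -> metadata) and return run stats."""
    stats = {"added": 0, "removed": 0, "skipped": 0, "deltaLink": None}
    for page in pages:                              # pages follow @odata.nextLink order
        for item in page.get("value", []):
            iid = item["id"]
            if "@removed" in item:                  # tombstone: deleted in SharePoint
                if index.pop(iid, None) is not None:
                    stats["removed"] += 1
                continue
            if "folder" in item:                    # folders carry no content to index
                continue
            in_root = item.get("parentReference", {}).get("id") == FOLDER_ID
            if not in_root and not include_subfolders:
                stats["skipped"] += 1               # subfolder content is out of scope
                continue
            index[iid] = {"name": item["name"], "etag": item.get("eTag")}
            stats["added"] += 1                     # new or changed file
        # the last page carries the deltaLink that the next hourly run starts from
        stats["deltaLink"] = page.get("@odata.deltaLink", stats["deltaLink"])
    return stats

# Constructed responses: first full run (two pages), then a later run that
# reports one deletion and one modified file.
FIRST_RUN = [
    {"value": [
        {"id": "A1", "name": "policy.docx", "eTag": "1", "file": {}, "parentReference": {"id": FOLDER_ID}},
        {"id": "SUB", "name": "archive", "folder": {}, "parentReference": {"id": FOLDER_ID}},
        {"id": "A2", "name": "old.xlsx", "eTag": "1", "file": {}, "parentReference": {"id": "SUB"}},
    ], "@odata.nextLink": "https://graph.microsoft.com/v1.0/example?skiptoken=page2"},
    {"value": [
        {"id": "A3", "name": "notes.md", "eTag": "1", "file": {}, "parentReference": {"id": FOLDER_ID}},
    ], "@odata.deltaLink": "https://graph.microsoft.com/v1.0/example?token=T1"},
]
SECOND_RUN = [
    {"value": [
        {"id": "A1", "@removed": {"reason": "deleted"}},
        {"id": "A3", "name": "notes.md", "eTag": "2", "file": {}, "parentReference": {"id": FOLDER_ID}},
    ], "@odata.deltaLink": "https://graph.microsoft.com/v1.0/example?token=T2"},
]
```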

On-demand upload via the Microsoft File Picker

In addition to automatic synchronization, users can actively transfer individual files with a single click—using the native Microsoft File Picker. No automatic sync takes place; instead, the user makes a deliberate selection for each file.

Typical use cases:

  • Dragging a document from another site into a chat once

  • Selecting a specific file for analysis without permanently syncing it

  • Ad-hoc collaboration with content outside the sync folder


2. Permission Level – What permissions does the innoGPT app have technically?

Default configuration: Sites.Read.All

The Azure app registration for innoGPT is configured by default with the "Sites.Read.All" permission (read-only, tenant-wide). This configuration is required for Microsoft components—specifically the Graph File Picker and Folder Browser—to function out-of-the-box.

⚠️ Important: Despite having tenant-wide read permission, innoGPT synchronizes data exclusively from the folder defined in Level 1. The permission is the technical prerequisite; the sync scope is defined by your configuration.

Optional: Sites.Selected (Hardened Setup)

If, from a governance or data protection perspective, a strict server-side restriction to exactly one SharePoint site at the permission level is desired, this can be implemented using Microsoft’s Sites.Selected permission model.

Here’s how it works:

  • Your Entra admin explicitly grants access on a per-site basis

  • The innoGPT app is technically unable to read other sites—the restriction is already enforced at the Microsoft level

  • Setup: an additional configuration option that we set up together with your IT team
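For admins who want to see what the per-site grant looks like and verify the outcome, here is an added example (not innoGPT's or Microsoft's code): the request body sent to POST /sites/{siteId}/permissions to grant a Sites.Selected app read access to one site, plus an audit helper that derives what a registration can effectively read from its consented application permissions and the per-site permission listings. The app ID, site IDs and consent lists are constructed. The audit also covers the case worth checking during review: Graph permissions are additive, so Sites.Selected only restricts anything if no tenant-wide Sites.* permission remains consented alongside it.

```python
# Added example (not innoGPT's or Microsoft's code): the Sites.Selected grant
# body and an audit of what an app registration can effectively read.
# APP_ID, the site IDs and the consent lists below are constructed.
from typing import Dict, Iterable, List

APP_ID = "00000000-0000-0000-0000-00000000abcd"   # constructed client (app) ID
# Any of these, consented as an application permission, reads every site
# regardless of per-site grants: Graph permissions are additive.
BROAD_SITE_ROLES = {"Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All", "Sites.FullControl.All"}

def site_grant_body(app_id: str, display_name: str, roles: Iterable[str] = ("read",)) -> dict:
    """Request body for POST /sites/{siteId}/permissions that grants a
    Sites.Selected app the given roles on exactly that site."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}

def effective_site_scope(app_id: str, consented_roles: Iterable[str],
                         site_permissions: Dict[str, List[dict]]) -> dict:
    """consented_roles: app-role values on the app's service principal.
    site_permissions: site id -> objects from GET /sites/{siteId}/permissions."""
    roles = set(consented_roles)
    broad = sorted(BROAD_SITE_ROLES & roles)
    if broad:                                   # tenant-wide, per-site grants are moot
        return {"model": "tenant-wide", "via": broad, "sites": "all"}
    if "Sites.Selected" not in roles:
        return {"model": "none", "via": [], "sites": {}}
    sites: Dict[str, set] = {}
    for site_id, perms in site_permissions.items():
        for p in perms:
            idents = p.get("grantedToIdentitiesV2") or p.get("grantedToIdentities") or []
            if any(i.get("application", {}).get("id") == app_id for i in idents):
                sites.setdefault(site_id, set()).update(p.get("roles", []))
    return {"model": "sites-selected", "via": ["Sites.Selected"],
            "sites": {s: sorted(r) for s, r in sites.items()}}

# Constructed per-site permission listings: the app is granted on one site only.
SITE_PERMS = {
    "site-hr": [{"id": "p1", "roles": ["read"],
                 "grantedToIdentitiesV2": [{"application": {"id": APP_ID, "displayName": "innoGPT"}}]}],
    "site-finance": [{"id": "p2", "roles": ["read"],
                      "grantedToIdentitiesV2": [{"application": {"id": "other-app", "displayName": "Other"}}]}],
}
```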

Comparison of the two permission models

                          Out-of-the-box                Additional configuration with Entra Admin
Microsoft Permission      Sites.Read.All                Sites.Selected
Technical read scope      Tenant-wide (read-only)       Only explicitly shared sites
Operational sync scope    Configured folder only        Configured folders only
Live Search               Works immediately             Only within shared sites
IT effort                 Standard consent by admin     Additional setup step per site
Recommended for           Standard setups               High compliance requirements, regulated industries


Which model is right for you?

🟢 Choose Out-of-the-box if: You want a quick rollout, the operational sync scope is sufficient, and you trust the app’s documented behavior.

🔵 Choose Sites.Selected if: You need a hard technical guarantee at the Microsoft level—for example, for data protection approvals, ISO audits, or regulatory requirements.

In both cases, the operational sync scope is identical: only the configured folder is actually transferred.


Frequently Asked Questions

Does innoGPT access other SharePoint sites when "Sites.Read.All" is enabled? No. Even though the permission could technically read tenant-wide, the sync is strictly limited to the stored site, drive, and folder IDs. Other sites are not queried.

Can users access all sites via the File Picker? In the standard setup (Sites.Read.All), yes—within the scope of their own SharePoint permissions. In the hardened setup (Sites.Selected), only on explicitly shared sites.

How often does the sync run? Hourly as a delta sync. Only changes made since the last run are transferred.

What happens to files that are deleted in SharePoint? The delta sync also removes them from innoGPT.

Can we connect multiple folders at the same time? Yes, through multiple configurations—each with its own site/drive/folder ID.


Next Steps

  • Start setup: Workspace → Settings → Integrations → SharePoint

  • Fill the library: Sidebar → Studio → Library to make synchronized content visible