Ejento AI

SharePoint Connection Set Up

Welcome to the SharePoint Connection Setup guide for Ejento AI. This guide walks you through registering and configuring a Microsoft Entra ID application, granting the required Microsoft Graph delegated permissions, and running the registration script that creates the SharePoint connection for your Ejento AI deployment.
To connect Ejento AI with SharePoint, you first need an app registration in Microsoft Entra ID. The registration produces the credentials (Client ID, Tenant ID, and Client Secret) that Ejento uses to authenticate to SharePoint through Microsoft Graph.
💡 Note: Complete the Azure deployment before starting these steps; they configure an app that the deployed Ejento instance will use.

What’s Inside this guide#

Manual App Registration
Automated Script Registration (For Developers)

Manual App Registration#

Follow the steps below to register your app, assign the necessary Microsoft Graph permissions, and create a client secret for integration.

1. In Microsoft Entra ID, go to App registrations.#

2. Click New registration.#

3. Enter the name "sharepointapp", select the multitenant account type ("Accounts in any organizational directory"), and add the redirect URI under the "Web" platform.#

Reach out to the Ejento team for your redirect URI.

4. Go to API permissions.#

5. Click "Add a permission" and, in the right pane, choose "Microsoft Graph".#

6. Select "Delegated permissions".#

7. Under delegated permissions, search for and select the following four permissions (the same set the automated script below requests): Files.ReadWrite.All, Sites.ReadWrite.All, offline_access, User.Read.#

8. Go to "Certificates & secrets" and click "New client secret".#

9. Enter a description (for example "New client secret"), set the expiry to 730 days (24 months), and click Add.#

10. Copy the Value field immediately; it is shown only once. If you missed it, delete the client secret and repeat step 9.#

The following values are required:#

1. Application (client) ID: shown on the app registration's Overview tab
2. Directory (tenant) ID: also shown on the Overview tab
3. Client secret: the Value copied in step 10
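Before handing the values above to the Ejento team, it is worth confirming that the manual registration actually ended up with the four delegated scopes, a multitenant audience, no implicit grant, and a live secret. The following PowerShell script is an added verification example, not part of the Ejento documentation or product; it only reads the tenant through the Azure CLI. It assumes you named the app "sharepointapp" (step 3) and are already signed in with `az login` to the tenant that owns it. The scope IDs are resolved from the Microsoft Graph service principal in your own tenant rather than copied from a hard-coded list, so the check also catches a typo in a GUID.

```powershell
# Added verification script for the manual registration above (not Ejento's code).
# Assumptions: app display name "sharepointapp"; 'az login' already done to the right tenant.
$ErrorActionPreference = "Stop"

$displayName = "sharepointapp"
$graphAppId  = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well-known app ID)
$required    = @("Files.ReadWrite.All", "Sites.ReadWrite.All", "offline_access", "User.Read")

# 1. Locate the registration; refuse to continue if the name is ambiguous.
$apps = @(az ad app list --display-name $displayName --only-show-errors | ConvertFrom-Json)
if ($apps.Count -ne 1) {
  throw "Expected exactly one app registration named '$displayName', found $($apps.Count)."
}
$app = $apps[0]
Write-Host "App: $($app.displayName)  clientId=$($app.appId)  audience=$($app.signInAudience)"

# 2. Resolve delegated scope names <-> IDs from the Graph service principal in *this* tenant,
#    instead of trusting GUIDs pasted from a script.
$graphSp = az ad sp show --id $graphAppId --only-show-errors | ConvertFrom-Json
$scopeIdByName = @{}
$scopeNameById = @{}
foreach ($s in $graphSp.oauth2PermissionScopes) {
  $scopeIdByName[$s.value] = $s.id
  $scopeNameById[$s.id]    = $s.value
}

# 3. Compare the requested Graph access against the expected four delegated scopes.
$graphAccess  = $app.requiredResourceAccess | Where-Object { $_.resourceAppId -eq $graphAppId }
$requestedIds = @($graphAccess.resourceAccess | Where-Object { $_.type -eq "Scope" } | ForEach-Object { $_.id })
$appRoleIds   = @($graphAccess.resourceAccess | Where-Object { $_.type -eq "Role" }  | ForEach-Object { $_.id })

$missing = @($required | Where-Object { $requestedIds -notcontains $scopeIdByName[$_] })
$extra   = @($requestedIds | Where-Object { $required -notcontains $scopeNameById[$_] } |
             ForEach-Object { if ($scopeNameById[$_]) { $scopeNameById[$_] } else { $_ } })
if ($missing)    { Write-Warning "Missing delegated permissions: $($missing -join ', ')" }
if ($extra)      { Write-Warning "Unexpected delegated permissions (remove unless needed): $($extra -join ', ')" }
if ($appRoleIds) { Write-Warning "Application (app-only) permissions present; this integration needs delegated ones only." }
if (-not $missing -and -not $extra -and -not $appRoleIds) {
  Write-Host "Graph permissions match the expected set." -ForegroundColor Green
}

# 4. Audience and implicit grant should match what the automated script sets.
if ($app.signInAudience -ne "AzureADMultipleOrgs") {
  Write-Warning "Sign-in audience is $($app.signInAudience); the guide expects multitenant (AzureADMultipleOrgs)."
}
if ($app.web.implicitGrantSettings.enableIdTokenIssuance -or $app.web.implicitGrantSettings.enableAccessTokenIssuance) {
  Write-Warning "Implicit grant is enabled; the authorization-code flow used here does not need it."
}

# 5. Client secrets: report expiry and flag anything that lapses within 30 days.
$creds = @(az ad app credential list --id $app.appId --only-show-errors | ConvertFrom-Json)
if ($creds.Count -eq 0) { Write-Warning "No client secret found (steps 8-10 not completed?)." }
foreach ($c in $creds) {
  $expires  = [datetime]$c.endDateTime
  $daysLeft = [int]($expires - (Get-Date)).TotalDays
  $flag = if ($daysLeft -lt 30) { "  <-- rotate soon" } else { "" }
  Write-Host ("Secret '{0}' expires {1:yyyy-MM-dd} ({2} days){3}" -f $c.displayName, $expires, $daysLeft, $flag)
}
```

Run it from any PowerShell session with the Azure CLI on PATH; it makes no changes, so it is safe to rerun after every edit in the portal. An "Unexpected delegated permissions" warning is the one to take seriously: every extra scope widens what a stolen client secret plus a user's consent could reach.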

Automated Script Registration (For Developers)#

These scripts are intended for developers and administrators during initial setup or environment provisioning; they automate the registration so that every environment ends up with the same configuration.
The script creates the SharePoint Connection app registration in Microsoft Entra ID (formerly Azure AD) using only the Azure CLI. It handles login, app creation, service principal creation, permission setup, a best-effort tenant-wide admin consent, and client secret generation.

Common Requirements#

Dependencies#

Azure CLI installed and added to PATH
  Windows installer: https://aka.ms/installazurecli
  Verify the installation:
    az --version
Sign in to the correct Azure tenant:
    az login --use-device-code
Verify the current tenant:
    az account show -o table
Tenant setting:
  Ensure that app registrations are allowed in your tenant (this setting governs non-admin users; accounts holding one of the roles below can register apps regardless):
  Entra ID → User settings → "Users can register applications" → set to Yes

Role Requirements (Minimum)#

Action: Create app registrations, service principals, and client secrets
Required role: Application Administrator, Cloud Application Administrator, or Global Administrator

Action: Grant tenant-wide admin consent
Required role: Global Administrator or Privileged Role Administrator

Note:
The SharePoint script attempts to grant admin consent automatically.
If your account lacks the required role, a warning is logged and the rest of the script still completes.
You can approve the consent manually later:
Entra ID → Enterprise applications → [App Name] → Permissions → Grant admin consent

How to Run the Scripts#

1. Open any text editor and paste the script below.
2. Save the file with a meaningful name: sharepoint_app.ps1
3. Open PowerShell in the same directory as the script.
4. Run the script:
   .\sharepoint_app.ps1

The script will:
Log you into Azure (if not already logged in)
Create the application and service principal
Attempt tenant-wide admin consent (and warn if your role does not allow it)
Generate and display the client secret
Save details (Tenant ID, Client ID, Secret, etc.) into a JSON file in the same directory

Important Notes:#

The script registers a localhost placeholder redirect URI; the real redirect URI is provided by the Ejento team and must be set on the app registration before the connection is used.
Admin consent must be granted if the script could not do it for you.

SharePoint Registration Script: sharepoint_app.ps1#

# sharepoint_app.ps1
# Registers the Ejento SharePoint Connection app in Microsoft Entra ID using only the Azure CLI:
# login, app registration, service principal, Graph delegated permissions, admin consent
# (best effort) and a 2-year client secret. Details are written to a JSON file next to the script.
$ErrorActionPreference = "Stop"

# --- Check Azure CLI ---------------------------------------------------------
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
  Write-Error "Azure CLI not found. Install from https://aka.ms/installazurecli"
  exit 1
}

# --- Login if needed ---------------------------------------------------------
# 'az account show' fails when not logged in; treat any failure as "log in now".
$account = $null
try { $account = az account show --only-show-errors 2>$null | ConvertFrom-Json } catch { $account = $null }
if (-not $account) {
  az login --use-device-code | Out-Null
  $account = az account show --only-show-errors | ConvertFrom-Json
}
$tenantId = $account.tenantId
Write-Host "Signed in to tenant $tenantId ($($account.name))" -ForegroundColor Cyan

# --- Configuration -----------------------------------------------------------
$displayName = "sharepointapp-$((Get-Random -Minimum 1000 -Maximum 9999))"
# Placeholder only: the Ejento team supplies the real redirect URI, which must be set before use.
$redirectUri = "http://localhost:8000/oauth2/callback"
$graphAppId  = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well-known app ID)
$secretName  = "sharepoint-secret"

# Microsoft Graph delegated scope IDs (type "Scope" = delegated, not application permissions)
$scopes = @{
  "Files.ReadWrite.All" = "863451e7-0667-486c-a5d6-d135439485f0"
  "Sites.ReadWrite.All" = "89fe6a52-be36-487e-b7d8-d061c450a026"
  "offline_access"      = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"
  "User.Read"           = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
}

# --- Build requiredResourceAccess JSON ---------------------------------------
# 'az ad app create' reads the manifest fragment from a file via the @file syntax.
$tmpReq = New-TemporaryFile
$reqObj = @{
  requiredResourceAccess = @(
    @{
      resourceAppId  = $graphAppId
      resourceAccess = @(
        foreach ($id in $scopes.Values) {
          @{ id = $id; type = "Scope" }
        }
      )
    }
  )
}
$reqObj | ConvertTo-Json -Depth 5 | Set-Content -Path $tmpReq -Encoding UTF8

# --- Create Application (NO implicit grant) ----------------------------------
Write-Host "`nCreating SharePoint Connection App Registration..." -ForegroundColor Cyan
try {
  $appRaw = az ad app create `
    --display-name $displayName `
    --sign-in-audience AzureADMultipleOrgs `
    --web-redirect-uris $redirectUri `
    --enable-id-token-issuance false `
    --enable-access-token-issuance false `
    --required-resource-accesses "@$tmpReq" `
    --only-show-errors
} finally {
  Remove-Item -Path $tmpReq -Force -ErrorAction SilentlyContinue   # manifest fragment is no longer needed
}
$app = $appRaw | ConvertFrom-Json
if (-not $app.appId) { throw "App registration failed; see the Azure CLI output above." }
$appId       = $app.appId
$appObjectId = $app.id

# --- Create Service Principal ------------------------------------------------
# A freshly created app can take a few seconds to replicate, so retry briefly.
Write-Host "Creating Service Principal..." -ForegroundColor Cyan
$sp = $null
for ($i = 1; $i -le 6 -and -not $sp; $i++) {
  try { $sp = az ad sp create --id $appId --only-show-errors 2>$null | ConvertFrom-Json } catch { $sp = $null }
  if (-not $sp) { Start-Sleep -Seconds 5 }
}
if (-not $sp) { throw "Service principal creation failed for appId $appId." }

# --- Admin consent (best effort) ---------------------------------------------
# Requires Global Administrator or Privileged Role Administrator. Without that role the
# call fails; we log a warning and consent is granted later from the Entra portal.
Write-Host "Attempting tenant-wide admin consent..." -ForegroundColor Cyan
$consentGranted = $false
for ($i = 1; $i -le 3 -and -not $consentGranted; $i++) {
  try {
    az ad app permission admin-consent --id $appId --only-show-errors 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) { $consentGranted = $true } else { Start-Sleep -Seconds 5 }
  } catch { Start-Sleep -Seconds 5 }
}
if (-not $consentGranted) {
  Write-Warning "Admin consent was not granted (insufficient role, or the app has not replicated yet). Grant it later: Entra ID -> Enterprise applications -> $displayName -> Permissions -> Grant admin consent."
}

# --- Create 2-year client secret --------------------------------------------
Write-Host "Creating 2-year client secret..." -ForegroundColor Cyan
$cred = az ad app credential reset `
  --id $appId `
  --display-name $secretName `
  --years 2 `
  --only-show-errors | ConvertFrom-Json
$clientSecret = $cred.password
if (-not $clientSecret) { throw "Client secret creation failed." }
# Read the expiry back from the credential list rather than relying on the reset output.
$secretExpiresOn = az ad app credential list --id $appId --only-show-errors `
  --query "[?displayName=='$secretName'].endDateTime | [0]" -o tsv

# --- Output summary ----------------------------------------------------------
$result = [pscustomobject]@{
  ApplicationName          = $displayName
  TenantId                 = $tenantId
  ClientId                 = $appId
  ClientObjectId           = $appObjectId
  ServicePrincipalObjectId = $sp.id
  RedirectUri              = $redirectUri
  DelegatedPermissions     = ($scopes.Keys | Sort-Object) -join ", "
  ImplicitGrantEnabled     = $false
  AdminConsentGranted      = $consentGranted
  ClientSecret             = $clientSecret
  SecretExpiresOn          = $secretExpiresOn
}

Write-Host "`n=== SharePoint Connection App Created ===" -ForegroundColor Green
$result | Format-List

# --- Save JSON ---------------------------------------------------------------
# The file contains the plaintext secret: keep it out of source control and shared drives,
# and move the secret to a vault (then scrub this file) once the Ejento team has it.
$outFile = "sharepoint-connection-output.json"
$result | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "`nSaved output to $outFile" -ForegroundColor Yellow
Write-Host "IMPORTANT: Store the ClientSecret securely. It cannot be retrieved later." -ForegroundColor Red

Script Output#

The script writes a summary file sharepoint-connection-output.json to the current directory containing:
Application Name
Tenant ID
Client ID and Client Object ID
Service Principal Object ID
Redirect URI
Delegated permissions
Admin consent status
Client Secret (in plaintext)
Secret Expiry Date
Share the Tenant ID, Client ID and Client Secret with the Ejento team over a secure channel agreed with them (a secret-sharing mechanism, not plain email or chat), and do not commit the JSON file to source control.

Security Considerations#

Store client secrets securely. Once generated, the ClientSecret cannot be retrieved later; the JSON output holds it in plaintext, so move it into a secret store (for example Azure Key Vault) and delete or scrub the file once the Ejento team has received it.
Limit access to the JSON output files to authorized personnel only.
Ensure that admin consent is granted for the required permissions, and verify it under Entra ID → Enterprise applications → [App Name] → Permissions.
Track the secret expiry (730 days / 2 years) and rotate before it lapses; the integration stops authenticating once the secret expires.
The permissions are delegated (Files.ReadWrite.All, Sites.ReadWrite.All), so the app acts on behalf of the signed-in user and cannot reach content that user cannot already access. Do not add application (app-only) permissions, which would remove that boundary, unless Ejento explicitly requires them.
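The considerations above reduce to two concrete actions once sharepoint_app.ps1 has run: get the secret out of the plaintext JSON, and confirm that tenant-wide consent really exists. The following PowerShell script is an added example (not part of Ejento's documentation or scripts) that does both with the Azure CLI. It assumes the JSON file the registration script writes, a Key Vault name that is a placeholder you must replace, and that your account can set secrets in that vault (for example the Key Vault Secrets Officer role). The consent check relies on the fact that tenant-wide admin consent is stored as an OAuth2 permission grant whose consentType is AllPrincipals.

```powershell
# Added post-provisioning hardening example (not Ejento's code).
# Assumptions: sharepoint-connection-output.json from sharepoint_app.ps1 is in the current
# directory; $vaultName is a placeholder for your own Key Vault; 'az login' already done.
$ErrorActionPreference = "Stop"

$outFile    = "sharepoint-connection-output.json"   # written by sharepoint_app.ps1
$vaultName  = "kv-ejento-sharepoint"                # placeholder: replace with your vault
$secretName = "ejento-sharepoint-client-secret"

$result = Get-Content -Path $outFile -Raw | ConvertFrom-Json
if (-not $result.ClientSecret -or $result.ClientSecret -like "<stored in*") {
  Write-Host "No plaintext secret in $outFile; nothing to move."
} else {
  # 1. Store the secret in Key Vault, carrying over the Entra expiry so vault alerts line up.
  $kvArgs = @("--vault-name", $vaultName, "--name", $secretName,
              "--value", $result.ClientSecret, "--only-show-errors")
  if ($result.SecretExpiresOn) {
    $expiresUtc = ([datetime]$result.SecretExpiresOn).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    $kvArgs += @("--expires", $expiresUtc)
  }
  az keyvault secret set @kvArgs | Out-Null
  Write-Host "Stored secret as $vaultName/$secretName" -ForegroundColor Green

  # 2. Replace the plaintext value on disk with a pointer; the identifiers the Ejento team
  #    needs (Tenant ID, Client ID, expiry) stay in the file.
  $result.ClientSecret = "<stored in Key Vault $vaultName / $secretName>"
  $result | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
  Write-Host "Scrubbed plaintext secret from $outFile"
}

# 3. Tenant-wide admin consent appears as an OAuth2 permission grant with consentType AllPrincipals.
$grants = @(az ad app permission list-grants --id $result.ClientId --only-show-errors | ConvertFrom-Json)
$tenantWide = $grants | Where-Object { $_.consentType -eq "AllPrincipals" }
if ($tenantWide) {
  Write-Host "Tenant-wide consent present for scopes: $($tenantWide.scope)" -ForegroundColor Green
} else {
  Write-Warning "No tenant-wide consent yet. A Global Administrator can grant it with:"
  Write-Warning "  az ad app permission admin-consent --id $($result.ClientId)"
}
```

The script is idempotent: rerunning it after the file has been scrubbed skips the vault step and only repeats the consent check, which is the part worth scheduling until a suitably privileged administrator has granted consent.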
