
Connecting an AWS Knowledge Base to Microsoft SharePoint

This article describes how to populate an AWS Knowledge Base with the contents of a Microsoft SharePoint site.

Updated over 2 weeks ago

Overview

This document covers the process of configuring AWS Knowledge Bases to collect and index information from a Microsoft SharePoint site. The setup process involves creating authentication credentials in Azure Entra, configuring an AWS Knowledge Base, and then connecting it to SurePath AI as a data source. Please note that none of the screens or setup steps are SurePath AI specific until the final section.

High level steps

The integration process requires admins to complete several key tasks. First, admins need to create a service account in Azure Entra that does not require SSO or two-factor authentication. Next, they will create an App Registration in Azure Entra that grants access to SharePoint sites across the organization. After configuring the credentials in AWS Secrets Manager, admins will set up the AWS Knowledge Base and sync the SharePoint data. Finally, admins will add data contexts in SurePath AI using the new connector.

Azure Entra setup

Prerequisites

Admins will need the following to complete the Azure configuration:

  • Azure Entra administrative rights

  • Admin rights to the SharePoint site that will be indexed

  • The SharePoint site URL

Output checklist

Admins should collect the following information during this process:

  • Application (client) ID

  • Directory (tenant) ID

  • SharePoint site URL

  • App Registration client secret

  • Service account username and password

Create a service account

SharePoint integration requires a service account for authentication. This account must be configured without SSO or two-factor authentication requirements, as it will be used by the automated AWS sync process.

  • Log in to the Microsoft Azure Portal

  • Select Microsoft Entra ID

  • Navigate to Users > New user

  • Add the new service account with a descriptive name (e.g., "AWS SharePoint Sync Service")

  • Important: Disable two-factor authentication for this account, as it will be used for automated API access

  • Record the username and password for use in AWS Secrets Manager

Once the service account has been created, admins need to grant it access to the SharePoint site that will be indexed.

  • Navigate to the SharePoint admin center or the specific SharePoint site

    • Example: https://{domain}-admin.sharepoint.com

  • Add the service account username to Site Members (not site owners)

  • Important for Microsoft Teams sites: Ensure the user is added to Site Members specifically, not to the Teams members list, as these are different permission scopes

Create an App Registration

Azure Entra App Registrations provide the OAuth credentials that AWS will use to authenticate with SharePoint. The App Registration requires specific API permissions to read SharePoint content.

  • Log in to the Microsoft Azure Portal

  • Select Microsoft Entra ID

  • Select App registrations > New registration

  • Enter a descriptive name such as AWS SharePoint Connector

  • For Redirect URI (optional), select Web from the dropdown

  • Leave the URI field blank next to the Web dropdown

  • Select Register at the bottom of the page

After the App Registration is created, admins need to capture the authentication identifiers that will be used in AWS.

  • On the App Registration overview page, record the following values:

    • Application (client) ID

    • Directory (tenant) ID

Configure API permissions

The App Registration needs specific SharePoint API permissions to read site content. These permissions must be granted at the application level and require admin consent.

  • Select Manage > API permissions > Add a permission

  • Select the SharePoint tile

  • Select Application permissions (not delegated permissions)

  • Check the box for Sites.Read.All

  • Select Add permissions at the bottom

Application permissions require admin consent before they become active. Admins with the appropriate role must grant this consent.

  • Select Grant admin consent for {your organization}

  • Select Yes in the confirmation dialog

  • Verify that the Status column shows green checkmarks for all permissions

Create a client secret

The App Registration requires a client secret for authentication. This secret acts as a password for the application and must be stored securely.

  • Select Certificates & secrets > Client secrets (0) > New client secret

  • Enter a descriptive name for the secret (e.g., "AWS Knowledge Base Secret")

  • Select an expiration period (note that the secret will need to be rotated when it expires)

  • Select Add

  • Important: Immediately copy the secret Value and store it securely. This is the only time the secret value will be displayed. The secret ID is not the same as the secret value.

AWS setup

Prerequisites

Admins will need the following values to complete the AWS configuration:

  • Application (client) ID from Azure

  • Directory (tenant) ID from Azure

  • SharePoint site URL

  • Service account username and password

  • App Registration client secret

  • Admin rights to AWS with access to Secrets Manager and Bedrock

Output checklist

Admins should collect the following information during this process:

  • AWS Secrets Manager ARN for the SharePoint credentials

  • AWS Knowledge Base ID

Create an AWS secret

Admins need to store the SharePoint authentication credentials in AWS Secrets Manager before configuring the Knowledge Base. The Knowledge Base will reference this secret for authentication.

  • Log in to AWS and navigate to Secrets Manager > Store a new secret

  • Select Other type of secret

  • Enter the four (4) key-value pairs into the UI. The text and case must match exactly:

    • clientId (value is the Application (client) ID from the Azure App Registration)

    • clientSecret (value is the client secret created in the Azure App Registration)

    • username (value is the service account username)

    • password (value is the service account password)

  • Select Next

  • Enter a Secret name (spaces are not allowed)

  • Select Next and continue selecting Next and Store until the secret is saved

  • After creation, open the secret details and copy the full ARN (Amazon Resource Name) for use in the next section
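The following is an added example, not code from this article or from SurePath AI: it assembles the Secrets Manager payload with the four key names above, rejecting mis-cased keys and a clientSecret that looks like the Entra Secret ID rather than the secret Value. It assumes the Secrets Manager name rules (ASCII letters, digits and /_+=.@- only, so no spaces) and uses constructed placeholder values.

```python
"""Build the Secrets Manager payload for the SharePoint data source.

Added example; it is not code from the article or from SurePath AI. It
assumes the four key names the article lists and the Secrets Manager name
rules (ASCII letters, digits and /_+=.@- only, so no spaces).
"""
import json
import re

REQUIRED_KEYS = ("clientId", "clientSecret", "username", "password")
_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]{1,512}$")
# Entra shows a "Secret ID" (a GUID) next to the secret Value; only the Value works.
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def build_secret_string(values: dict) -> str:
    """Return the JSON SecretString, rejecting wrong, mis-cased or empty keys."""
    missing = [k for k in REQUIRED_KEYS if k not in values]
    extra = [k for k in values if k not in REQUIRED_KEYS]
    if missing or extra:
        hints = [f"'{k}' should be '{r}'" for k in extra for r in REQUIRED_KEYS
                 if k.lower() == r.lower()]
        raise ValueError(f"missing={missing} unexpected={extra} {' '.join(hints)}".strip())
    empty = [k for k in REQUIRED_KEYS if not str(values[k]).strip()]
    if empty:
        raise ValueError(f"empty values for {empty}")
    if _GUID_RE.match(str(values["clientSecret"])):
        raise ValueError("clientSecret looks like the Entra Secret ID, not the secret Value")
    return json.dumps({k: values[k] for k in REQUIRED_KEYS})


def create_secret_request(name: str, values: dict) -> dict:
    """Keyword arguments for boto3 secretsmanager.create_secret(**request)."""
    if not _NAME_RE.match(name):
        raise ValueError("secret name must be 1-512 chars of A-Za-z0-9/_+=.@- (no spaces)")
    return {
        "Name": name,
        "Description": "SharePoint service account + app registration for Bedrock KB",
        "SecretString": build_secret_string(values),
    }


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without AWS access

    # Constructed placeholder values; replace with the real Azure outputs.
    request = create_secret_request("sharepoint-kb-credentials", {
        "clientId": "00000000-0000-0000-0000-000000000000",
        "clientSecret": "<client-secret-value-from-entra>",
        "username": "aws-sharepoint-sync@example.com",
        "password": "<service-account-password>",
    })
    response = boto3.client("secretsmanager").create_secret(**request)
    print("Secret ARN to paste into the Knowledge Base:", response["ARN"])
```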

Set up a new AWS Knowledge Base

Admins can now create the Knowledge Base that will connect to SharePoint and index the content.

  • Access AWS Bedrock > Builder Tools > Knowledge Bases > Create

  • Select Knowledge Base with vector store

  • Enter a Knowledge Base name or accept the default

  • For IAM permissions, select Create and use a new service role

  • Update the Service role name or accept the default

  • Scroll down and select SharePoint - Preview as the data source type

  • Select Next

Configure the data source

The data source configuration defines which SharePoint content will be indexed and how authentication will work.

  • Enter a data source Name or accept the default

  • In the Source section, configure the Site URLs:

    • URLs must be specific to the site level and cannot be more granular than that

    • Example: https://yourcompany.sharepoint.com/sites/help_desk

    • Select Add new url only if additional SharePoint sites need to be indexed

  • Enter the Domain:

    • This is the SharePoint subdomain (the first part of the SharePoint URL), not a DNS domain

    • Example: If the URL is https://lucidwayio.sharepoint.com/sites/help_desk, the domain is lucidwayio (not lucidwayio.com)

  • In the Authentication section, leave the setting at OAuth 2.0 authentication

  • Enter the Tenant ID from Azure (the Directory tenant ID)

  • Enter the AWS Secrets Manager secret ARN that was created in the previous section

    • Paste the full ARN that was copied from Secrets Manager

  • Leave all other settings at their defaults

  • Select Next
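As an added example (not code from this article or from SurePath AI), the helper below checks the Source and Authentication values before they are entered: it derives the Domain from a site URL, rejects URLs deeper than the site level, and requires a full Secrets Manager ARN. It assumes SharePoint Online hosts (*.sharepoint.com) and reads "site level" as /sites/<name> or /teams/<name>, or the root site, with nothing deeper; the tenant ID and ARN shown are constructed placeholders.

```python
"""Validate the SharePoint data-source fields for a Bedrock Knowledge Base.

Added example; not code from the article or from SurePath AI. It assumes
SharePoint Online hosts (*.sharepoint.com) and reads "site level" as
/sites/<name> or /teams/<name> (or the root site) with nothing deeper.
"""
import re
from urllib.parse import urlparse

_HOST_RE = re.compile(r"^([a-z0-9-]+)\.sharepoint\.com$")
_SITE_PATH_RE = re.compile(r"^/(sites|teams)/[^/]+/?$")
_TENANT_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
_SECRET_ARN_RE = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+$")


def sharepoint_domain(site_url: str) -> str:
    """Return the Domain field: the subdomain ("lucidwayio"), not "lucidwayio.com"."""
    parts = urlparse(site_url)
    m = _HOST_RE.match(parts.netloc.lower())
    if parts.scheme != "https" or not m:
        raise ValueError(f"not a SharePoint Online site URL: {site_url}")
    if m.group(1).endswith("-admin"):
        raise ValueError("admin center URL given; use the content site URL instead")
    return m.group(1)


def is_site_level(site_url: str) -> bool:
    """True for .../sites/<name>; False for a library, folder or page inside it."""
    path = urlparse(site_url).path or "/"
    return path == "/" or bool(_SITE_PATH_RE.match(path))


def sharepoint_source_settings(site_urls, tenant_id, secret_arn) -> dict:
    """Return the Source/Authentication values, or raise on the mistakes the guide warns about."""
    if not site_urls:
        raise ValueError("at least one site URL is required")
    domains = {sharepoint_domain(u) for u in site_urls}
    if len(domains) != 1:
        raise ValueError(f"all sites must share one SharePoint domain, got {sorted(domains)}")
    deeper = [u for u in site_urls if not is_site_level(u)]
    if deeper:
        raise ValueError(f"URLs must stop at the site level: {deeper}")
    if not _TENANT_RE.match(tenant_id):
        raise ValueError("tenant_id must be the Directory (tenant) ID GUID from Entra")
    if not _SECRET_ARN_RE.match(secret_arn):
        raise ValueError("secret_arn must be the full Secrets Manager ARN, not the secret name")
    return {"siteUrls": list(site_urls), "domain": domains.pop(),
            "authentication": "OAuth 2.0", "tenantId": tenant_id,
            "credentialsSecretArn": secret_arn}
```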

Configure embeddings and vector store

The embeddings model converts the text content into vectors that enable semantic search capabilities.

  • For the Embeddings model, admins can choose between:

    • Cohere Embed English V3 - $0.0001 per 1000 tokens (recommended as the industry standard)

    • Amazon Titan Text Embeddings V2 - $0.00002 per 1000 tokens (lower cost option)

  • For Vector Store, select Quick create new vector store

    • Type: Amazon OpenSearch Serverless

    • Important: Set the OpenSearch capacity limits (OCU) to a value higher than 10. SurePath AI recommends values between 20 and 50 for optimal performance. While customers are only charged for the capacity they actually use, setting this limit too high could lead to significant charges if the Knowledge Base experiences high query volumes.

  • Select Next

  • Review all settings and select Create Knowledge Base

The Knowledge Base will be created and the initial sync will begin automatically. Depending on the amount of content in SharePoint, the sync process may take several minutes to several hours.

Important: The Knowledge Base will not sync automatically after the initial creation. Admins must either trigger manual syncs or configure an automated refresh schedule. See the automatic KB refreshes documentation for setup instructions:

SurePath AI setup

Create a new connector

Before creating the data source in SurePath AI, admins need to ensure an AWS connector is configured. If an AWS connector already exists for private models or S3 buckets, that same connector can be used for Knowledge Bases.

For instructions on creating an AWS connector, see:

Create the data source

Once the AWS connector is in place, admins can create a data source that references the Knowledge Base. For detailed instructions on creating and configuring data sources in SurePath AI, including how to control user access, see:
