Microsoft Graph is the unified gateway to all Microsoft 365 services. By authenticating a single MS Graph Connection, you eliminate the need for individual connections to SharePoint, OneDrive, and Excel, while gaining full support for Multi-Factor Authentication (2FA).
| Feature Details | |
| Availability | Required for all modern MS Connectors |
| Supports | SharePoint (Lists/Docs), OneDrive, OneDrive Business, Excel Online |
| Security | Supports 2FA and App-Only Roles |
Adding the Connection
- Navigate to Data Hub > Connections > Add Connection (top right corner).
- Select Microsoft Graph from the options.
- Select the newly added connection to view its properties (if not expanded).
- Copy the Callback URL; you’ll need it when registering the Entra ID app.
Before moving on to App Registration (below), note the connection properties you will need when you return to authenticate:
- Authenticate With dropdown options:
  - App-Only: Accesses data without a signed-in user. (Application Permission set in Entra)
  - User Account: Acts on behalf of a signed-in user. (Delegated Permission set in Entra)
- Client ID, Client Secret, and Tenant ID fields. You’ll generate these when registering your Entra ID app.
App Registration (Microsoft Entra Portal)
Before configuring the platform, you must register our service as an application in your Microsoft environment.
Create the Registration
- Log in to the Entra Portal.
- In Microsoft Entra ID Admin Center, navigate to App registrations > New registration.
- Name: Enter a descriptive name (e.g., “Appenate Connector”).
- Supported Account Types: Select Accounts in any organizational directory (Any Microsoft Entra ID – Multitenant) for most use cases.
- Redirect URI: Select Web and paste the Callback URL.
Generate Credentials
- Client ID: Once registered, copy the Application (client) ID from the Overview page.
- Client Secret: Go to Certificates & secrets > New client secret.
- Important: Copy the Value immediately; it is hidden once you leave the page.
- Tenant ID: Copy the Directory (tenant) ID from the Overview page (required for “Organization Only” apps).
Configuring API Permissions
Navigate to API Permissions > Add a permission > Microsoft Graph. You must choose between User Account (Delegated) and App-Only (Application) permissions based on your needs.
Overview of Microsoft Graph permissions – Microsoft Graph | Microsoft Learn
Required Scopes Table
| Permission Name | Type | Description |
| offline_access | Both | Maintains access without repeated logins. |
| Sites.ReadWrite.All | Both | Full access to SharePoint lists/items. |
| Files.ReadWrite | Both | Access to user files (OneDrive/Excel). |
| User.Read | Delegated | Basic profile access for the user. |
Authorizing the Connection
Now, link your Entra app details to our platform.
- Navigate to Data Hub > Connections.
- Select Microsoft Graph.
- Authenticate With:
  - User Account: Acts on behalf of a signed-in user.
  - App-Only: Accesses data without a signed-in user. (Requires a User Object ID on specific connectors.)
- Enter your Client ID, Client Secret, and Tenant ID.
- Hit Save, then click the Authorize button that appears (depending on authentication mode).
Using the Connection in Connectors
Once authorized, you will select this MS Graph Connection in the “Using Connection” dropdown for your various connectors.
SharePoint / Excel Property Reference
| Property | Requirement | Note |
| Sub-Site Name | Required | Enter only the Site Name or Subsite Name. |
| List Name | Required | Search for your list or enter it manually via “Specify List.” |
| Refresh Frequency | Required | (Data Sources only) The interval for pulling data. |
| Filter with Graph | Optional | Define OData filter statements for efficiency. Customize Microsoft Graph Responses with Query Parameters |
| Columns from View | Optional | Specify the internal column names in a comma-separated list. How to find the internal name of list or library columns |
Restricting Access with Sites.Selected
Restricting access to specific SharePoint sites rather than granting access to all site collections is a common requirement for enterprise security. Using the Sites.Selected scope ensures that your App Registration only interacts with the data it strictly needs.
When you use the Sites.Selected permission, your app has zero access by default. You must manually “invite” the app to specific sites.
Azure Portal Configuration
- Navigate to App Registration > API Permissions.
- Add Microsoft Graph > Application Permissions.
- Search for and select Sites.Selected.
- Important: You must also add Files.SelectedOperations.Selected if you intend to upload or download documents.
- Click Grant Admin Consent.
Granting Permission to Specific Sites
Since there is no toggle in the Azure UI to pick sites, you must use the Microsoft Graph API to assign roles.
Create permission – Microsoft Graph v1.0 | Microsoft Learn
Role Options:
- read: Can view and download.
- write: Can create, edit, and delete.
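The per-site grant described above, as an added example that is not part of the platform's own code: it turns a full SharePoint site URL into the Graph address that returns the site id, then builds (without sending) the Create permission request for one app and one role. The site id, client ID and token are constructed placeholders, and the token is assumed to belong to an identity that the Create permission reference allows to manage site permissions.

```python
import json
import re
import urllib.request
from urllib.parse import urlparse

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ROLES = ("read", "write")  # the two role options listed on this page

def site_lookup_url(site_url):
    """Graph address that returns the site id for a full SharePoint site URL."""
    parsed = urlparse(site_url)
    host = parsed.hostname or ""
    # Assumption: a commercial-cloud tenant hosted under *.sharepoint.com.
    if parsed.scheme != "https" or not host.endswith(".sharepoint.com"):
        raise ValueError("expected an https://<tenant>.sharepoint.com/... URL")
    path = parsed.path.rstrip("/")
    return f"{GRAPH}/sites/{host}:{path}" if path else f"{GRAPH}/sites/{host}"

def grant_body(client_id, display_name, role):
    """JSON body that gives one app registration one role on one site."""
    if role not in ROLES:
        raise ValueError(f"role must be one of {ROLES}")
    if not GUID_RE.match(client_id):
        raise ValueError("client_id is not a GUID (hex digits only)")
    app = {"id": client_id, "displayName": display_name}
    return {"roles": [role], "grantedToIdentities": [{"application": app}]}

def build_site_grant(site_id, client_id, display_name, role, admin_token):
    """Build (not send) POST /sites/{site-id}/permissions for the connector app."""
    body = json.dumps(grant_body(client_id, display_name, role)).encode()
    headers = {"Authorization": f"Bearer {admin_token}",
               "Content-Type": "application/json"}
    return urllib.request.Request(f"{GRAPH}/sites/{site_id}/permissions",
                                  data=body, headers=headers, method="POST")

if __name__ == "__main__":
    # Constructed sample values: replace with your tenant's site and app details.
    print(site_lookup_url("https://tenant.sharepoint.com/sites/mysitename"))
    req = build_site_grant(
        site_id="tenant.sharepoint.com,aaaaaaaa-0000-0000-0000-000000000001,"
                "bbbbbbbb-0000-0000-0000-000000000002",
        client_id="11111111-2222-3333-4444-555555555555",
        display_name="Appenate Connector",
        role="read",  # grant write only if the connector must change data
        admin_token="PLACEHOLDER_TOKEN",
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Send with urllib.request.urlopen(req) once a real token is supplied.
```

Repeat the grant for each site the connector needs; a site without a grant stays inaccessible to the app.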
Impact on Platform Configuration
Using restricted scopes changes how you configure connectors on our platform:
- Search is Disabled: The “Search” button for Site Names and Document Libraries will not work because the app cannot “see” the list of all sites.
- Manual Entry Required: You must provide the Full SharePoint Site URL (e.g., https://tenant.sharepoint.com/sites/mysitename) instead of just the sub-site name.
- List Names: You must use the “Specify List” option to manually type the list name, as the dropdown will appear empty.
Summary of Scope Differences
| Feature | Sites.ReadWrite.All | Sites.Selected |
| Security | Broad (Access to all sites) | Tight (Access to specific sites) |
| UX in Platform | Search/Dropdowns work | Manual URL entry required |
Finding the User Object ID for App-Only Connections
When using App-Only Authentication, the platform needs to know whose “drive” or “context” to act within, as there is no interactive user signed in. This is why a User Object ID is required for connectors like Excel Online or OneDrive.
Locate the User Object ID in Microsoft Entra
- Log in to the Microsoft Entra admin center (formerly Azure AD).
- In the left-hand sidebar, navigate to Identity > Users > All users.
- Search for the specific user whose account will “own” or host the files.
- Click on the user’s Display Name to open their profile.
- Locate the Object ID field (it will be a GUID, like 1a2b3c4d-5e6f-7g8h-9i0j-k1l2m3n4o5p6).
- Copy this ID.
Apply the ID to your Connector
Once you have the ID, you must apply it to the specific connector you are configuring.
- Navigate to your Form Connector settings (Excel Online or OneDrive).
- Ensure the Using Connection dropdown is set to your MS Graph (App-Only) connection.
- Find the User ID field.
- Paste the Object ID you copied from the Entra portal.
- Save your changes.
Comparison: Why is this needed?
| Authentication Type | User Context | User ID Required? |
| User Account | Inherited from the person who clicked “Authorize.” | No |
| App-Only | None (the App acts as a service). | Yes (To define target storage) |