# SharePoint Integration (/docs/configuration/sharepoint)

LibreChat provides enterprise-grade integration with SharePoint Online and OneDrive for Business, enabling users to seamlessly browse, select, and attach files from their Microsoft 365 environment directly within conversations.

## Overview

The SharePoint integration allows users to:
- Browse SharePoint document libraries and OneDrive files
- Select multiple files at once (up to 10 by default)
- View real-time download progress
- Attach files from SharePoint to conversations
- Maintain enterprise security with proper access controls

<Callout type="info" title="Enterprise Feature">
This feature requires Microsoft 365/SharePoint Online and is designed for enterprise deployments using Azure Entra ID (formerly Azure AD) authentication.
</Callout>

## Prerequisites

Before configuring SharePoint integration, ensure you have:

1. **Azure Entra ID Authentication** configured and working
2. **Token Reuse** enabled (`OPENID_REUSE_TOKENS=true`)
3. **Admin access** to your Azure tenant for app permissions
4. **HTTPS** enabled (required for production environments)

<Callout type="error" title="Critical Requirement">
SharePoint integration will not function without `OPENID_REUSE_TOKENS=true` as it relies on the on-behalf-of token flow to access Microsoft Graph APIs.
</Callout>

## Azure App Registration Setup

### Step 1: Configure API Permissions

1. Navigate to your app registration in the [Azure Portal](https://portal.azure.com)
2. Go to **API permissions** in the left menu
3. Click **Add a permission**

### Step 2: Add SharePoint Permissions

For the file picker interface:

1. Select **SharePoint** from the API list
2. Choose **Delegated permissions**
3. Search for and select:
   - `AllSites.Read` - Read items in all site collections
4. Click **Add permissions**

### Step 3: Add Microsoft Graph Permissions

For file downloads:

1. Click **Add a permission** again
2. Select **Microsoft Graph**
3. Choose **Delegated permissions**
4. Search for and select:
   - `Files.Read.All` - Read all files that user can access
5. Click **Add permissions**

### Step 4: Grant Admin Consent

1. After adding both permissions, you'll see them listed
2. Click **Grant admin consent for [Your Organization]**
3. Confirm the consent in the popup

Your permissions should look like this:

| API / Permissions name | Type | Description | Status |
|------------------------|------|-------------|---------|
| Microsoft Graph - Files.Read.All | Delegated | Read all files that user can access | ✅ Granted |
| SharePoint - AllSites.Read | Delegated | Read items in all site collections | ✅ Granted |

## Environment Configuration

Add the following environment variables to your `.env` file:

```bash filename=".env"
# Enable SharePoint file picker
ENABLE_SHAREPOINT_FILEPICKER=true

# Your SharePoint tenant base URL
# Format: https://[your-tenant-name].sharepoint.com
SHAREPOINT_BASE_URL=https://contoso.sharepoint.com

# SharePoint scope for the file picker
# Replace 'contoso' with your actual tenant name
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://contoso.sharepoint.com/AllSites.Read

# Microsoft Graph scope for file downloads
SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
```

<Callout type="warning" title="Tenant Name">
Ensure you replace `contoso` in the examples above with your actual SharePoint tenant name. This must match your SharePoint URL exactly.
</Callout>
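
A pre-start check for the settings above, as an added example that is not part of LibreChat: it parses a `.env` file and reports missing flags, a scope whose host differs from `SHAREPOINT_BASE_URL`, and any permission other than the read scopes named on this page. The function names and the `fabrikam` tenant in the sample are hypothetical.

```javascript
// Added example (not LibreChat code). Allow-list = read permissions named on this page.
const READ_SCOPES = { sharepoint: ['AllSites.Read'], graph: ['Files.Read.All', 'Files.Read'] };

function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (line.startsWith('#') || eq < 1) continue; // skip comments, blanks, junk
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

function toUrl(value) {
  try { return new URL(value); } catch { return null; }
}

function checkSharePointEnv(env) {
  const problems = [];
  for (const key of ['ENABLE_SHAREPOINT_FILEPICKER', 'OPENID_REUSE_TOKENS']) {
    if (env[key] !== 'true') problems.push(`${key} must be true`);
  }
  const base = toUrl(env.SHAREPOINT_BASE_URL);
  if (!base) problems.push('SHAREPOINT_BASE_URL is missing or not a URL');
  else if (base.protocol !== 'https:') problems.push('SHAREPOINT_BASE_URL must use https');
  const scope = toUrl(env.SHAREPOINT_PICKER_SHAREPOINT_SCOPE);
  if (!scope) problems.push('SHAREPOINT_PICKER_SHAREPOINT_SCOPE is missing or not a URL');
  else {
    if (base && scope.origin !== base.origin) problems.push(`scope host ${scope.origin} does not match ${base.origin}`);
    const permission = scope.pathname.split('/').pop(); // last path segment
    if (!READ_SCOPES.sharepoint.includes(permission)) {
      problems.push(`SharePoint permission "${permission}" is not a read scope from this page`);
    }
  }
  for (const s of (env.SHAREPOINT_PICKER_GRAPH_SCOPE || '').split(/\s+/)) {
    if (!READ_SCOPES.graph.includes(s)) problems.push(`Graph scope "${s}" is not a read scope from this page`);
  }
  return problems;
}

// Constructed sample: base URL moved to a hypothetical tenant, scope left on contoso.
const SAMPLE_ENV = `
ENABLE_SHAREPOINT_FILEPICKER=true
SHAREPOINT_BASE_URL=https://fabrikam.sharepoint.com
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://contoso.sharepoint.com/AllSites.Read
SHAREPOINT_PICKER_GRAPH_SCOPE=Files.ReadWrite.All
`;
console.log(checkSharePointEnv(parseEnv(SAMPLE_ENV)).join('\n'));
```

An empty result means the file is consistent with this page; it does not confirm that admin consent was granted in Azure.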

## How It Works

### Authentication Flow

1. User authenticates via Azure Entra ID
2. When the user opens the SharePoint picker, LibreChat exchanges the user's token for a SharePoint access token
3. Tokens are cached for optimal performance (typically 50 minutes)
4. Separate scopes for the picker and for downloads follow the principle of least privilege

### File Selection Process

1. User clicks "From SharePoint" in the attachment menu
2. SharePoint Online file picker opens in an embedded iframe
3. User browses and selects files using the familiar SharePoint interface
4. Selected files are queued for download

### Download Process

1. Files are downloaded in batches (up to 3 concurrent downloads)
2. Progress indicator shows current file and percentage complete
3. Downloaded files are attached to the conversation
4. Failed downloads are retried automatically

## User Experience

### Accessing SharePoint Files

When properly configured, users will see a new option in the file attachment menu:

1. Click the attachment icon in the message input
2. Select "From SharePoint" from the menu
3. The SharePoint file picker will open
4. Browse and select files as needed
5. Click "Select" to begin downloading

### Features Available

- **Multiple file selection**: Select up to 10 files at once
- **Familiar interface**: Uses the native SharePoint file picker
- **Progress tracking**: See real-time download progress
- **Error handling**: Clear messages for any issues
- **Localization**: Supports multiple languages

## Security Considerations

### Access Control

- Only files the user has permission to access in SharePoint are available
- Respects all SharePoint permissions and policies
- No elevated access or bypassing of security controls

### Token Security

- Uses secure on-behalf-of flow for token exchange
- Tokens are short-lived and automatically refreshed
- No long-term storage of SharePoint credentials

### Scope Isolation

- SharePoint scope limited to read operations only
- Graph API scope restricted to file read access
- Cannot modify or delete files through LibreChat
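
To confirm this scope isolation on a deployment, the claims of an issued access token can be inspected. The following added example (not LibreChat code) decodes a token without verifying its signature and lists granted scopes outside an allow-list; it assumes the token is a JWT carrying delegated permissions in the `scp` claim, and the sample token and helper names are constructed for illustration.

```javascript
// Added example: decode (do NOT treat as verification) a delegated access token
// and compare its granted scopes with what this page configures.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function auditDelegatedToken(jwt, allowedScopes, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  // Delegated permissions: space-separated string in "scp".
  const granted = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  return {
    audience: claims.aud,
    granted,
    unexpected: granted.filter((s) => !allowedScopes.includes(s)),
    // A "roles" array without "scp" indicates application (app-only) permissions.
    appOnly: granted.length === 0 && Array.isArray(claims.roles),
    secondsLeft: typeof claims.exp === 'number' ? claims.exp - nowSec : null,
  };
}

// Constructed, unsigned sample token: header.payload. with an empty signature.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

const SAMPLE_TOKEN = makeSampleToken({
  aud: 'https://graph.microsoft.com',
  scp: 'Files.Read.All Files.ReadWrite.All', // second scope is the finding
  exp: 1700003000,
});
console.log(auditDelegatedToken(SAMPLE_TOKEN, ['Files.Read.All'], 1700000000));
```

Any entry in `unexpected` means the app registration grants more than the read-only permissions configured here and should be reviewed in **API permissions**.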

## Troubleshooting

### Common Issues

#### "From SharePoint" option not appearing

**Cause**: Feature not properly enabled or authentication issues

**Solutions**:
1. Verify `ENABLE_SHAREPOINT_FILEPICKER=true` in `.env`
2. Confirm `OPENID_REUSE_TOKENS=true` is set
3. Check that the user is authenticated via Azure Entra ID
4. Restart LibreChat after configuration changes

#### File picker fails to open

**Cause**: Missing or incorrect permissions

**Solutions**:
1. Verify SharePoint permissions are granted in Azure
2. Ensure admin consent was provided
3. Check that `SHAREPOINT_BASE_URL` matches your tenant exactly
4. Confirm HTTPS is enabled in production

#### Downloads fail or time out

**Cause**: Graph API permissions or network issues

**Solutions**:
1. Verify `Files.Read.All` permission is granted
2. Check network connectivity to SharePoint
3. Ensure tokens haven't expired (re-authenticate if needed)
4. Check browser console for specific error messages

### Debug Mode

For troubleshooting, enable debug logging:

```bash filename=".env"
DEBUG_LOGGING=true
DEBUG_CONSOLE=true
```

This will provide detailed logs about:
- Token exchange processes
- API calls to SharePoint and Graph
- Download progress and errors
- Authentication flows

## Performance Optimization

### Token Caching

- Tokens are cached to reduce authentication overhead
- Cache duration matches token lifetime (typically 50 minutes)
- Automatic refresh before expiration

### Concurrent Downloads

- Up to 3 files download simultaneously
- Prevents overwhelming the browser or server
- Optimizes for both speed and stability

### File Size Considerations

- Large files may take time to download
- Progress indicator helps manage user expectations
- Consider your file upload limits in LibreChat configuration

## Best Practices

### For Administrators

1. **Regular Permission Audits**: Review app permissions periodically
2. **Monitor Usage**: Track SharePoint integration usage in logs
3. **Update Documentation**: Keep internal docs updated with your tenant specifics
4. **Test Thoroughly**: Verify functionality after any Azure AD changes

### For End Users

1. **File Organization**: Well-organized SharePoint libraries improve user experience
2. **File Sizes**: Be mindful of large files that may slow conversations
3. **Permissions**: Ensure you have access to files before sharing
4. **Patient Downloads**: Allow time for multiple or large files

## Advanced Configuration

### Custom Scopes

For organizations with specific requirements, you can customize scopes:

```bash filename=".env"
# Example: Limiting to specific site collections
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://contoso.sharepoint.com/sites/Engineering/AllSites.Read

# Example: Using more restrictive Graph permissions
SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read
```

### Integration with Information Barriers

If your organization uses Information Barriers:
- SharePoint integration respects all barrier policies
- Users only see content they're allowed to access
- No additional configuration required

## Related Documentation

- [Azure Entra Authentication](/docs/configuration/authentication/OAuth2-OIDC/azure)
- [OpenID Token Reuse](/docs/configuration/authentication/OAuth2-OIDC/token-reuse)
- [Microsoft Graph API Integration](/docs/configuration/authentication/OAuth2-OIDC/azure#advanced-microsoft-graph-api-integration)
- [File Upload Configuration](/docs/configuration/librechat_yaml/object_structure/file_config)
