Integration of Kendra and SharePoint using Azure AD App-Only Authentication
Preface
In this article, we will explore how to synchronize SharePoint documents with Amazon Kendra using SharePoint Connector V2.0 with Azure AD App-Only authentication.
This method authenticates the application itself with a certificate rather than with user credentials, so you don't need to add a user account to the groups whose content you want to share.
However, the certificate generated below is valid for 365 days, so it must be replaced periodically.
Requirements for Integration
To integrate using Azure AD App-Only authentication, you'll need the following information:
- Client ID of the application registered in Azure AD
- Self-signed X.509 certificate
- Private Key corresponding to the certificate
- SharePoint Tenant ID
Steps
1. Generate a Self-Signed Certificate
Generate a self-signed certificate using OpenSSL.
```
openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.crt -days 365 -nodes
```
- private.key: Private key file (to be stored in AWS Secrets Manager)
- certificate.crt: Certificate file (to be uploaded to Azure AD); also upload it to S3
2. Register Application in Azure AD
- Login to Azure Portal
- Navigate to Azure Active Directory → App registrations
- Register a new application using "New registration"
- Upload the certificate (.crt) via "Certificates & secrets" → "Certificates" tab
- Add SharePoint permissions in "API permissions"
- Grant admin consent
3. Configure API Permissions
The required API permissions to access SharePoint differ depending on whether you use ACL (Access Control List).
Without using ACL
| API | Permission | Description |
|---|---|---|
| SharePoint | Sites.Read.All (Application) | Required for access to items and lists in all site collections |
When using ACL
| API | Permission | Description |
|---|---|---|
| SharePoint | Sites.FullControl.All (Application) | Required to retrieve document ACLs |
If you want to crawl only specific sites, you can grant the Sites.Selected (Application) permission instead and
explicitly grant the application access to each site through the Microsoft Graph API.
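As an added example (not code from the original article), the following shell helper builds and sends the Graph API request that grants the registered application access to a single site when it only holds Sites.Selected. It assumes a Graph bearer token obtained through the client-credentials flow is already in the GRAPH_TOKEN environment variable, that the site id has been looked up beforehand, and that a "read" role is sufficient for a crawl without ACLs; the role and all ids are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GRAPH_TOKEN holds a
# valid Microsoft Graph access token for the app; all ids below are placeholders.
set -eu

# Build the JSON body for POST /sites/{site-id}/permissions.
# role: "read" is assumed to be enough for a crawl without ACLs (assumption).
build_site_permission_body() {
  app_id="$1"; app_name="$2"; role="${3:-read}"
  printf '{"roles":["%s"],"grantedToIdentities":[{"application":{"id":"%s","displayName":"%s"}}]}' \
    "$role" "$app_id" "$app_name"
}

# Site id lookup (done beforehand, not in this script):
#   GET https://graph.microsoft.com/v1.0/sites/yourdomain.sharepoint.com:/sites/mysite
# returns {"id": "yourdomain.sharepoint.com,<guid>,<guid>", ...}; pass that id here.
grant_site_permission() {
  site_id="$1"; app_id="$2"; app_name="$3"; role="${4:-read}"
  curl -sS -X POST "https://graph.microsoft.com/v1.0/sites/$site_id/permissions" \
    -H "Authorization: Bearer $GRAPH_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$(build_site_permission_body "$app_id" "$app_name" "$role")"
}

# Demo (no network call): print the body that would be sent for a placeholder app id.
build_site_permission_body "00000000-0000-0000-0000-000000000000" "kendra-sharepoint-connector"
echo
```

Call grant_site_permission once per site URL you list in the Kendra data source; the app can then only see the sites it was explicitly granted, which is the least-privilege option compared with Sites.Read.All.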
4. Upload certificate.crt to S3
Upload certificate.crt to an S3 bucket of your choice.
5. Add DataSource to Kendra
Add a data source in the Kendra console and select SharePoint connector (V2.0).
Configure the following items. Only the essential parts are excerpted below; configure the IAM and ACL settings according to your environment. This example uses the recommended setup.
| Item | Value |
|---|---|
| Hosting Method | SharePoint Online |
| Site URLs | Enter in https://yourdomain.sharepoint.com/sites/mysite format |
| Domain | SharePoint domain name (e.g., yourdomain) |
| Authentication | Azure AD App-Only authentication |
Enter the Tenant ID, and create a secret in AWS Secrets Manager holding the following key/value pairs for Azure AD App-Only authentication.
| Key | Value |
|---|---|
| clientId | azure-ad-client-id |
| privateKey | -----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY----- |
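The following shell helpers are an added example (not code from the original article) tying together step 1, the secret format above, and the certificate-expiry caveat from the preface: they generate the certificate with the same openssl command, turn the PEM private key into the single-line JSON string that Secrets Manager expects (newlines escaped as \n), push it with the AWS CLI, and check whether the certificate is about to expire. File names, the subject name, the secret name and the client id are assumptions; the demo at the bottom runs on a constructed placeholder key so that no openssl or AWS call is needed.

```shell
#!/bin/sh
# Added example, not from the original article. File names, subject, secret
# name and client id are assumptions; openssl and the aws CLI are assumed installed.
set -eu

# Step 1: generate the self-signed certificate and private key (article's command,
# plus -subj so it runs non-interactively; the CN is an assumed value).
generate_cert() {
  key="$1"; crt="$2"; days="${3:-365}"
  openssl req -x509 -newkey rsa:2048 -keyout "$key" -out "$crt" -days "$days" -nodes \
    -subj "/CN=kendra-sharepoint-connector"
}

# Troubleshooting helper: confirm the certificate uploaded to Azure AD and the key
# stored in Secrets Manager belong together (same RSA modulus).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
  k=$(openssl rsa -in "$2" -noout -modulus | openssl md5)
  [ "$c" = "$k" ]
}

# Step 5: JSON needs the PEM as one string with "\n" between lines. A PEM contains
# only base64, '-', ' ' and newlines, so escaping newlines is the only work needed.
pem_to_json_string() {
  awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }' "$1"
}

build_secret_json() {
  client_id="$1"; key_file="$2"
  printf '{"clientId":"%s","privateKey":"%s"}\n' "$client_id" "$(pem_to_json_string "$key_file")"
}

# Store the secret (name is an assumption); not executed by the demo below.
store_secret() {
  secret_name="$1"; client_id="$2"; key_file="$3"
  aws secretsmanager create-secret --name "$secret_name" \
    --secret-string "$(build_secret_json "$client_id" "$key_file")"
}

# Preface/summary caveat: returns 0 if the certificate expires within $2 seconds,
# so it can drive a scheduled reminder to rotate it before the 365 days run out.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    return 1
  else
    return 0
  fi
}

# Demo on a constructed placeholder PEM (not a real key) so it runs offline.
tmp=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDERBASE64LINE1' 'PLACEHOLDERBASE64LINE2' \
  '-----END PRIVATE KEY-----' > "$tmp"
build_secret_json "00000000-0000-0000-0000-000000000000" "$tmp"
rm -f "$tmp"
```

A typical run is generate_cert private.key certificate.crt, then store_secret kendra/sharepoint-app-only <client-id> private.key, with cert_expires_within certificate.crt 2592000 (30 days) scheduled to alert ahead of rotation; pasting the PEM into the console by hand is the usual source of the "format of the secret" problems mentioned in the summary.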
6. Document Synchronization
When document synchronization succeeds, you will see a screen like this:

Summary
By using Azure AD App-Only authentication with Kendra's SharePoint Connector V2.0,
you can synchronize SharePoint documents without using user credentials.
Certificate-based authentication has the advantage of not requiring password management for service accounts,
but remember to manage certificate expiration properly.
If you encounter issues with the setup, check the API permissions in Azure AD, admin consent,
and the format of the secret in Secrets Manager.