SharePoint / OneDrive

Erato provides experimental support for Microsoft SharePoint and OneDrive integration, allowing users to attach files from their Microsoft cloud storage directly to chats.

Overview

When enabled, users can:

  • Browse their OneDrive and SharePoint drives
  • Attach files from SharePoint/OneDrive to chats
  • Use SharePoint files with assistants
  • Reference SharePoint files in messages for AI processing

The integration uses the Microsoft Graph API to access files. Users must authenticate with an identity provider that provides a valid Microsoft access token with the appropriate permissions.

Prerequisites

Before enabling the SharePoint integration, ensure:

  1. OIDC Provider: Your SSO/OIDC provider (e.g., Microsoft Entra ID / Azure AD) is configured to issue access tokens with Microsoft Graph API permissions
  2. Token Forwarding: Your authentication proxy (e.g., oauth2-proxy) forwards the access token to the backend via the X-Forwarded-Access-Token header
  3. Graph API Permissions: The access token has at least Files.Read permission for the Microsoft Graph API
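A troubleshooting check for prerequisite 3, added here as an example (it is not part of Erato): it decodes the claims of a forwarded token and reports whether the audience is Microsoft Graph and whether the scp claim carries a file-read scope. It assumes the token is a JWT, treats the listed broader Files.* scopes as satisfying "at least Files.Read", and does not verify the signature, so it is for diagnostics only and not an authorization decision.

```python
import base64
import json
import time

# Audience of Microsoft Graph access tokens: resource URI or Graph's app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
# Assumption: any of these delegated scopes satisfies "at least Files.Read".
FILE_SCOPES = {"Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All"}


def unverified_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_forwarded_token(token, now=None):
    """Return a list of problems; an empty list means the prerequisite looks met."""
    now = time.time() if now is None else now
    try:
        claims = unverified_claims(token)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return [f"not a decodable JWT: {exc}"]
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience {aud!r} is not Microsoft Graph")
    scopes = set(str(claims.get("scp", "")).split())  # delegated scopes, space-separated
    if not scopes & FILE_SCOPES:
        problems.append("scp claim has no Files.Read-level scope")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def constructed_token(claims):
    """Build an unsigned sample token for the demo; it is not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    sample = {"aud": "https://graph.microsoft.com", "scp": "openid Files.Read", "exp": 2000}
    print(check_forwarded_token(constructed_token(sample), now=1000))
```

An audience problem usually means the proxy is forwarding a token issued for a different resource, or an ID token, rather than a Graph access token.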

Configuration

To enable the SharePoint/OneDrive integration, add the following to your configuration:

erato.toml
[integrations.experimental_sharepoint]
enabled = true

Configuration Options

| Option | Type | Default | Description |
|---|---|---|---|
| enabled | boolean | false | Whether the SharePoint integration is enabled |
| file_upload_enabled | boolean | true | Whether file linking from SharePoint is enabled |
| auth_via_access_token | boolean | true | Use the user’s forwarded access token for MS Graph API (currently required) |
| all_drives_sources | string[] | [] | Optional subset of Graph discovery surfaces for /all-drives; empty means all |

Full Example

erato.toml
[integrations.experimental_sharepoint]
enabled = true
file_upload_enabled = true
auth_via_access_token = true
all_drives_sources = ["me_drive", "me_drives", "shared_with_me", "shared_drive_details"]

Drive Discovery Sources

all_drives_sources controls which Microsoft Graph discovery surfaces Erato uses when listing accessible drives. Supported values are:

  • me_drive
  • me_drives
  • joined_teams
  • group_drives
  • site_search
  • site_drives
  • shared_with_me
  • shared_drive_details

If you do not set all_drives_sources, Erato queries the full set of sources to preserve the existing behavior. Restricting the list can be useful for tenants where some discovery paths return very large numbers of drives or where only a subset of drive types should be exposed.

Authentication Flow

  1. User authenticates via your OIDC provider (e.g., Microsoft Entra ID)
  2. The OIDC provider issues an access token with MS Graph permissions
  3. oauth2-proxy (or similar) forwards the token via X-Forwarded-Access-Token header
  4. Erato backend uses this token to call the Microsoft Graph API on behalf of the user

Limitations

  • Experimental: This feature is currently experimental and may change in future releases
  • Token-based auth only: Currently requires the user’s access token to be forwarded; service account authentication is not yet supported
  • Read-only: Files are referenced by ID; Erato does not upload files to SharePoint