SharePoint Authentication & API Permissions
This section provides the necessary guidance for migrating SharePoint authentication from deprecated Azure Communication Services (ACS) to Entra ID (Azure AD) App Registrations. Using modern App Registrations ensures a secure, supported method for Workplace AI to crawl and index your SharePoint content.
Why these guides are necessary
The transition to App Registrations requires a specific security architecture to balance accessibility with the principle of least privilege. These guides help you meet the requirement to move away from ACS before 2nd April 2026.
We have structured this guidance into specialised runbooks and a quick-reference matrix:
API Permissions Quick Reference: Start here. This matrix helps you identify the correct configuration scenario (e.g., "Full Control" vs. "Read Only") and shows exactly which API permissions are required for each.
Migrating ACS to Azure AD with Sites.FullControl.All: Follow this if you want the connector to have full read, write, and delete access to all of your site collections.
Migrating ACS to Azure AD with Sites.Read.All: Follow this if you want the connector to have read access to all of your site collections.
Sites.Selected Common Setup: Follow this if you only want the connector to have access to specific sites. It's a mandatory first step for all "Selected Sites" configurations.
FullControl Grant Path: Follow this if you want the connector to have full read, write, and delete access to specific sites.
Read Grant Path: Follow this if you want the connector to have read-only access to specific sites.