The Microsoft SharePoint connector focuses on published SharePoint documents and their authors. We use the document's content and metadata (what it is about) to enhance the employees' expertise profiles.

Data Retention and Privacy

By default, Starmind does not store the textual content of SharePoint documents. Only the document’s authors (email), extracted topics, and metadata (e.g., URL) are retained.

However, we recommend activating encrypted content storage if you want to enhance the quality of topic detection and personalization. Storing full document text (in encrypted form) allows our AI systems to build richer context for customer-specific terminology. This leads to significantly improved topic mapping and Knowledge Graph performance.

Access Control via Technical User Account

Starmind requires a dedicated technical user account to retrieve data from your SharePoint environment. Our connector utilises Microsoft Graph delegated permissions, allowing it to access only SharePoint Sites and Documents (including Drives and DriveItems) that the technical user can access. The connection accesses the resource on behalf of the user.

This ensures you remain in control: you can revoke access immediately by adjusting the technical user’s permissions or removing the account.

Required Permissions and Consent

To function correctly, the connector requires read access to Microsoft SharePoint Sites and Files. During the setup, you will log in with your Microsoft Tenant using the technical user account and explicitly grant consent to the required permissions.

Below is the list of required delegated Microsoft Graph permissions and what they allow:

Sites.Read.All: Read all Sites the technical user is a member of. The technical user won't have access to Sites where they are not a member.
Files.Read.All: Read all Files that the technical user can access. Files are limited to SharePoint Sites, which the technical user is a member of.
User.ReadBasic.All: Allows the app to read a basic set of profile properties of other users in your organization. Includes display name, first and last name and email address.
offline_access: Maintain access to the data you have given it access to. Allows the app to see and update the data you gave it access to, even when you are not currently using it. This does not give the app any additional permissions.

More information about Microsoft Graph permissions can be found here: https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-beta

Integrating with Microsoft SharePoint

Set up the technical user for Starmind’s SharePoint Connector

To ensure a secure and controlled connection between Starmind and Microsoft SharePoint, we recommend creating a dedicated technical user account in your Microsoft 365 environment. This account is used exclusively for the Starmind connector and should follow best practices for service accounts.

Recommended Approach

Create a dedicated user account
1. Set up a new Microsoft Entra ID (formerly Azure AD) account, such as [email protected].
Grant the necessary Sites to the user
1. Add this technical user to only the SharePoint sites that Starmind should be able to access. This minimizes exposure and ensures compliance with internal data policies.
Apply security best practices
1. Enable Multi-Factor Authentication (MFA) if your organization requires it for all accounts.
2. Use Conditional Access Policies to restrict when and where this account can be used.
3. Consider disabling email and interactive login to limit its usage to API-based access only.
Document & monitor usage
1. Maintain internal documentation about the account’s purpose and permissions.
2. Set up monitoring and alerts in Microsoft Entra ID to track unexpected activity.
3. Assign responsibility for reviewing access periodically to ensure compliance.

By following this approach, you keep control over the connector’s access while maintaining security and flexibility.

Connect Starmind to SharePoint

Log in to Starmind with your admin account
From the left-hand navigation panel, select Admin area and then Integrations and Connectors
From the Available tab, search for "MS Graph"
Click on Connect to initiate the connection flow
A new browser tab will open with the Microsoft admin consent URL, where you are asked to log in with your Microsoft 365 admin account. Use the credentials of a dedicated technical user to log into your Microsoft 365 environment. This will request the admin to grant the required Graph API permissions.
Accept the terms of the integration and grant the requested permissions.
You will be redirected back to the admin area in Starmind. Once connected, the system automatically begins processing the data.

FAQ

Why do you require a technical user instead of an app registration?

Great question. Initially, we used application permissions and app registration with Azure Entra. However, Microsoft's Graph API doesn't support the discovery of all the SharePoint Sites to which the application has access. This renders the approach unsuitable because it would require an admin to painstakingly manage all Sites manually.