This guide explains how to set up SharePoint integration with VT Writer, allowing users to leverage SharePoint documents as context for generative AI content creation.

Overview

SharePoint integration allows VT Writer users to access documents stored in SharePoint when using the "Use Files" feature with the AI assistant (Visi). This enables Retrieval Augmented Generation (RAG), where chunks of relevant content from selected documents are used as context when generating responses to prompts.

Prerequisites

Before configuring SharePoint integration, ensure:

1. VT Writer 5.1.3 or above is installed
2. Generative AI features are enabled in System Admin settings
3. LLM integration is configured and working
4. VTRAG (aka "Use Files" feature) is enabled in System Admin settings; see How to Deploy VisibleThread RAG (VTRAG)
5. You have administrator access to Microsoft Entra (formerly Azure AD)

See: Frequently Asked Questions: VT Writer, VTRAG, and LLM Integration

Supported SharePoint Environments

VT Writer supports the following SharePoint environments:

For VisibleThread-hosted deployments:

• SharePoint Online (standard Microsoft cloud)

For customer-hosted deployments (on-premises or private cloud):

• SharePoint Online (standard Microsoft cloud)
• SharePoint in GCC (Government Community Cloud)
• SharePoint in GCC-High

Note: VT Writer does not support SharePoint Server editions.

Document Storage and Security

VT Writer does not store complete SharePoint documents. Instead, it:

• Stores only text chunks from documents that users select in the "Use Files" feature
• Saves these chunks in a vector database (PostgreSQL with pgvector)
• Automatically deletes chunks based on a configurable schedule (default is 90 days)
• Uses Microsoft's delegated access model, meaning users can only access documents they already have permission to view in SharePoint

Configuration Process

Setting up SharePoint integration involves two main steps:

1. Creating an App Registration in Microsoft Entra
2. Configuring the SharePoint connection in VT Writer

Step 1: Create an App Registration in Microsoft Entra

NOTE: the VT Writer SharePoint configuration below will need to use its own Enterprise Application; if you have configured Single Sign-On in Entra previously,  you will have an existing Enterprise Application that will NOT work correctly for this purpose. Following the steps below will create a new Enterprise Application (via the App Registration in step 1.2) which will be suitable for connecting SharePoint.

1.1 Navigate to Microsoft Entra Admin Center

• Go to Microsoft Entra ID
• Click on Applications → App registrations

1.2 Create a New Application 

• Click "New registration" 
• Enter an Application Name (e.g., VT-Writer-SharePoint)
• Select "Accounts in this organizational directory only (Single tenant)"
• Under Redirect URI:
  • Type: Web
  • Value:
    • For VisibleThread-hosted: https://writer.visiblethread.com/docrepo/callback
    • For customer-hosted: https://[your-vt-writer-domain]/docrepo/callback
• Click Register

1.3 Configure API Permissions

Navigate to API permissions in the left menu and add the following:

Microsoft Graph (Delegated)

offline_access
openid
profile
User.Read

SharePoint (Delegated)

AllSites.Read
Sites.Search.All

To add SharePoint permissions:

1. Click "Add a permission"
2. Select SharePoint (not Microsoft Graph)
3. Select Delegated permissions
4. Search for and select AllSites.Read and Sites.Search.All
5. Click "Add permissions"
6. Click "Grant admin consent for [Your Organization]"

1.4 Create a Client Secret

• Navigate to Certificates & secrets in the left menu
• Click "New client secret"
• Provide a Description (e.g., vt-writer-secret)
• Choose an Expiration period (e.g., 24 months)
• Click Add
• Copy the generated Client Secret Value immediately and store it securely (it will not be shown again)

1.5 Collect Required Information

Go back to App registrations, select your application, and note down:

• Application (client) ID
• Directory (tenant) ID
• Client Secret (from step 1.4)
• SharePoint URL (e.g., https://yourcompany.sharepoint.com)

Step 2: Configure VT Writer SharePoint Connection

2.1 Access System Admin Settings

• Log in to VT Writer with administrator credentials
• Go to System Admin page

2.2 Configure SharePoint Connection

• Scroll down to the Generative AI section
• Toggle "Enable SharePoint Connection" to On
• Fill in the following fields with information from the App Registration:
  • Site URL: Your SharePoint URL
  • Tenant ID: Directory (tenant) ID
  • Client ID: Application (client) ID
  • Client Secret: The client secret value you saved

2.3 Test Connection

• Click "Test Connection" to verify your configuration
• If successful, click "Save Changes"

Using SharePoint Documents in VT Writer

Once configured, users can access SharePoint documents when using Visi (the AI assistant):

1. In the content editor, click on the Visi icon to open the AI assistant
2. Click on "Use Files"
3. Select "SharePoint" from the source options
4. Browse available sites and folders
5. Select documents to include in the collection
6. Create a prompt that references information in those documents
7. Visi will use the selected documents as context when generating a response

Troubleshooting

Connection Test Fails

• Verify the redirect URI in your Entra App Registration matches your VT Writer domain exactly
• Check that all required permissions are properly configured and admin consent has been granted
• Ensure the client secret hasn't expired

Users Can't See Expected SharePoint Documents

• Check that users have appropriate permissions in SharePoint for the documents they're trying to access
• Ensure the SharePoint connection is enabled in VT Writer
• Verify admin consent was granted for the Sites.Search.All permission

"Use Files" Option Not Available

• Verify that both "Enable Use Files" and "Enable SharePoint Connection" are turned on in System Admin
• Check that VTRAG is properly configured if you're using this component

Understanding Permissions and Security

VT Writer uses delegated permissions exclusively. This is an important security distinction.

What Are Delegated Permissions?

With delegated permissions, the application acts on behalf of the signed-in user. The effective permissions are the intersection of what the app is allowed to do and what the user is allowed to do. The app can never exceed the user's own permissions.

Microsoft's official documentation states:

"For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."

— Microsoft Learn: Authentication and Authorization Basics

What This Means for VT Writer

AllSites.Read
Sites.Search.All

These permissions do not grant users access to any SharePoint content they couldn't already see. SharePoint's native permission model remains the governing factor.

Why Does Sites.Search.All Require Admin Consent?

Admin consent is a trust checkpoint — it allows an administrator to approve an application before any users can use it. It does not grant additional backend access:

"Even after a global admin consents to the permission in Entra ID, this only means 'This app is allowed to ask for this scope when a user logs in.' It does not grant the app or the user any additional backend access beyond what the user already has."

— Microsoft Q&A: Delegated API Permissions

Summary

• All permissions are Delegated, not Application
• Users can only access documents they already have permission to view in SharePoint
• Admin consent is a trust gate for the app, not a privilege escalation
• VT Writer cannot see, retrieve, or index anything the user couldn't already access themselves

For additional assistance, contact VisibleThread Support at support@visiblethread.com.