----
More info about __Microsoft Graph REST API__: [Link|https://learn.microsoft.com/en-us/graph/api/resources/onedrive?view=graph-rest-1.0]\\
\\
Remote item name: __SharePoint__\\
----
__⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, make sure to whitelist the following domains to allow authentication and Microsoft Graph API access:\\	
• __login.microsoftonline.com__\\
• __graph.microsoft.com__\\
----
Open the __Microsoft Azure Portal__: [Microsoft Azure Portal Link|https://azure.microsoft.com/en-us/features/azure-portal]\\
\\
__Application registration:__ Navigate to App registrations in the Azure Portal. Click on __New registration__ to create a new application.\\
\\
[SharePoint Integration/new_registration.png]\\
\\
In the Redirect URI section, for Platform configuration, select __Web__. The Redirect URL must end with __register_microsoft_graph_api/__.\\
\\
{{{

    http://localhost:9090/register_microsoft_graph_api/
    or
    https://your.crushftp.domain.com/register_microsoft_graph_api/

}}}\\
\\
__Configure API permission__:\\
\\
 You must also grant permissions for Microsoft Graph. Go to the __API Permissions__ section, click Add a permission, and select __Microsoft Graph__. To learn more about Microsoft Graph permissions—including the difference between __Application__ and __Delegated__ permissions—refer to the official documentation: [Microsoft Graph Permissions Overview Link|https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http]\\
\\
!!!1 Application Permission:\\
\\
Application permissions are used when an application runs without a signed-in user, such as in server-to-server connections.\\
\\
----
!1.1 Microsoft Graph Scopes for SharePoint Integration:
----
__a.) Files.ReadWrite.All__: Grants the application read and write access to all files the signed-in user can access, across all user drives and document libraries (including SharePoint sites and OneDrive for Business).\\
This includes the ability to:\\
• List, read, update, create, and delete files and folders\\
• Upload/download documents\\
• Modify file metadata\\
\\
__Configure API Permission__: Navigate to API Permissions. Click the Add a permission button. Select __Microsoft Graph__. Then select __Application Permission__. Search for __Files__ and check the Files.ReadWrite.All permission.\\
\\
[SharePoint Integration/ms_graph_app_permission.png]\\
\\
----
__b.) Sites.FullControl.All__: Grants the application full control over all site collections in the tenant without user interaction. (More info: [Microsoft Graph permissions reference Link|https://learn.microsoft.com/en-us/graph/permissions-reference#sites-permissions])\\
\\
This permission allows the app to:\\
• Read and write all files in all SharePoint Online site collections\\
• Manage lists, document libraries, subsites, and site permissions\\
• Perform site-level actions across the entire tenant\\
\\
----
__c.) Sites.Selected__: Grants the application no access to SharePoint sites by default. However, you can explicitly grant access to specific sites by using the __Microsoft Graph API__. __⚠️ Important:__ The application must first be registered in Azure AD with the __Sites.Selected__ application permission. More information is available at the following link: [Managing SharePoint Site Access for Applications Using Sites.Selected Permission|CrushTaskExample19].\\
\\
__Configure API Permission__: Navigate to API Permissions. Click the Add a permission button. Select __Microsoft Graph__. Then select __Application Permission__. Search for __Sites__ and check the Sites.Selected permission.\\
\\
[CrushTaskExample19/site_selected_microsoft_graph.png]\\
----
\\
__⚠️ Important:__ Grant __Admin consent__ for the newly added permission.\\
\\
[SharePoint Integration/app_permission_admin_consent.png]\\
\\
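A least-privilege check to run after admin consent, as an added example that is not part of the original page or of CrushFTP's code: it decodes an access token's claims and lists every Microsoft Graph permission outside an allow-list. The {{roles}} claim (application permissions) and {{scp}} claim (delegated permissions) are Microsoft identity platform token claims; the allow-list and the sample token are constructed for the demo.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_permissions(token: str, allowed: set) -> dict:
    """Compare the permissions carried by a Graph token with an allow-list."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))          # application permissions
    scopes = set(claims.get("scp", "").split())   # delegated permissions
    granted = roles | scopes
    kind = "application" if roles else "delegated" if scopes else "none"
    return {"kind": kind, "granted": sorted(granted),
            "excess": sorted(granted - set(allowed))}

def sample_token(claims: dict) -> str:
    """Constructed, unsigned token for this demo; not issued by any tenant."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    # An app registered with both Sites.Selected and Sites.FullControl.All:
    # the tenant-wide permission shows up as excess against the allow-list.
    token = sample_token({"roles": ["Sites.Selected", "Sites.FullControl.All"]})
    print(audit_permissions(token, {"Sites.Selected"}))
```
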
__Client id__: See at App Registration -> Overview -> Application (client) ID\\  
\\
[SharePoint Integration/client_id.png]\\
\\
__Certificates__: See at App Registration -> __Certificates & secrets__\\
\\
[SharePoint Integration/azure_app_registrations_certificates.png]\\
\\
!1.2 SharePoint VFS item configuration: Application Permission - Certificate Based:\\
\\
[SharePoint Integration/app_permission_cert_based_vfs_item.png]\\
\\
Select the __Application Permission (cert based)__ radio button, then click the __Application Permission cert based__ button.\\
\\
[SharePoint Integration/app_permission_cert_based_form.png]\\
\\
Enter the __Client ID__ (See at App Registration -> Overview -> Application (client) ID).\\
\\
__Thumbprint__: (See at App Registration -> Manage -> Certificates & secrets) Select __Certificates__.\\
__Private Key__: This is your application's unique digital credential, which pairs with the public certificate you uploaded in Azure Portal. It allows the system to securely access SharePoint without a password. We accept the __PKCS#8__ key text format (often starting with -----BEGIN PRIVATE KEY-----).\\
\\
__Tenant ID__ (See at App Registration -> Overview -> Directory (tenant) ID), then click OK. This will automatically configure the __username__ and __password__ in the [VFS] item settings. After that, click the __OK__ button and proceed with the SharePoint site-specific configuration. See under the [3.Sharepoint-specific settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SharePoint%20Microsoft%20Graph%20REST%20API#section-SharePoint+Microsoft+Graph+REST+API-3.SharepointSpecificSettings]\\ 
\\
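A pre-flight check for the two certificate fields above, as an added example that is not part of the original page or of CrushFTP's code: it tells a PKCS#8 key apart from the other PEM key formats by its header and computes the certificate thumbprint as the SHA-1 of the DER bytes. The function names are hypothetical, and the sample PEM in the demo wraps constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

KEY_LABELS = {
    "PRIVATE KEY": "pkcs8",                      # the format this page asks for
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",  # passphrase-protected PKCS#8
    "RSA PRIVATE KEY": "pkcs1-rsa",              # traditional RSA format; convert with
    # openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pk8.pem
    "EC PRIVATE KEY": "sec1-ec",
    "OPENSSH PRIVATE KEY": "openssh",
}

def pem_blocks(text: str):
    """Yield (label, der_bytes) for every PEM block found in text."""
    for label, body in PEM_RE.findall(text):
        yield label, base64.b64decode("".join(body.split()))

def private_key_format(text: str) -> str:
    """Classify the first private-key block by its PEM label."""
    for label, _ in pem_blocks(text):
        if label in KEY_LABELS:
            return KEY_LABELS[label]
    return "unknown"

def thumbprint(cert_pem: str) -> str:
    """SHA-1 over the DER-encoded certificate, as upper-case hex."""
    for label, der in pem_blocks(cert_pem):
        if label == "CERTIFICATE":
            return hashlib.sha1(der).hexdigest().upper()
    raise ValueError("no CERTIFICATE block found")

def thumbprint_matches(cert_pem: str, shown: str) -> bool:
    """Compare with a displayed value, ignoring case, colons and spaces."""
    return re.sub(r"[^0-9A-Fa-f]", "", shown).upper() == thumbprint(cert_pem)

def make_pem(label: str, der: bytes) -> str:
    """Build a PEM block around constructed bytes (demo input only)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

if __name__ == "__main__":
    cert = make_pem("CERTIFICATE", b"constructed placeholder, not a real certificate")
    print(thumbprint(cert), private_key_format(make_pem("RSA PRIVATE KEY", b"demo")))
```
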
!1.3 SharePoint VFS item configuration: Application Permission - Client Secret Based:\\
\\
__Client Secret__:\\
\\
Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. ⚠️ Ensure you copy over the __value__ immediately!\\
\\
[SharePoint Integration/new_secret.png]\\
\\
[SharePoint Integration/secret_value.png]\\
\\
[SharePoint Integration/app_permission_vfs_item.png]\\
\\
Select the __Application Permission__ radio button, then click the __Application Permission__ button.\\
[SharePoint Integration/app_permission_client_secret_form.png]
\\
Enter the __Client ID__ (See at App Registration -> Overview -> Application (client) ID), __Client Secret__ (See at App Registration -> Manage -> Certificates & secrets). ⚠️ Make sure to copy the __value__ field, not the ID.\\
__Tenant ID__ (See at App Registration -> Overview -> Directory (tenant) ID), then click OK. This will automatically configure the __username__ and __password__ in the [VFS] item settings. After that, click the __OK__ button and proceed with the SharePoint site-specific configuration.\\
\\
__Tenant:__ See at App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type, it can be an ID, common, or consumer.\\
\\
Provide the SharePoint-specific settings. See under the [3.Sharepoint-specific settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SharePoint%20Microsoft%20Graph%20REST%20API#section-SharePoint+Microsoft+Graph+REST+API-3.SharepointSpecificSettings]\\ 
\\
!!!2 Delegated Permission:\\
\\
Delegated permissions are used when an application makes API calls as the signed-in user. The app is delegated the user’s permissions and can only access resources that the user is authorized to access.\\
\\
__Redirect URL__: The Redirect URL must end with __register_microsoft_graph_api/__. Examples:\\
\\
{{{
    http://localhost:9090/register_microsoft_graph_api/
    or
    https://your.crushftp.domain.com/register_microsoft_graph_api/
}}}\\
\\
[SharePoint REST service API/app_registration_redirect_url.png]\\
\\
!2.1 Microsoft Graph Scopes for SharePoint Integration:
----
__a.) Files.ReadWrite.All__: Grants the application read and write access to all files the signed-in user can access, across all user drives and document libraries (including SharePoint sites and OneDrive for Business).\\
This includes the ability to:\\
• List, read, update, create, and delete files and folders\\
• Upload/download documents\\
• Modify file metadata\\
\\
__Configure API Permission__: Navigate to API Permissions. Click the Add a permission button. Select __Microsoft Graph__. Then select __Delegated Permission__. Search for __Files__ and check the Files.ReadWrite.All permission.\\
----
\\
__b.) Sites.FullControl.All__: Grants the application full control over all site collections in the tenant without user interaction. (More info: [Microsoft Graph permissions reference Link|https://learn.microsoft.com/en-us/graph/permissions-reference#sites-permissions])\\
\\
This permission allows the app to:\\
• Read and write all files in all SharePoint Online site collections\\
• Manage lists, document libraries, subsites, and site permissions\\
• Perform site-level actions across the entire tenant\\
\\
__Configure API Permission__: Navigate to API Permissions. Click the Add a permission button. Select __Microsoft Graph__. Then select __Delegated Permission__. Search for __Sites__ and check the Sites.FullControl.All permission.\\
\\
----
__c.) Sites.Selected__: Grants the application no access to SharePoint sites by default. However, you can explicitly grant access to specific sites by using the Microsoft Graph API. More information is available at the following link: [Managing SharePoint Site Access for Applications Using Sites.Selected Permission|CrushTaskExample19].\\
\\
__Configure API Permission__: Navigate to API Permissions. Click the Add a permission button. Select __Microsoft Graph__. Then select __Delegated Permission__. Search for __Sites__ and check the Sites.Selected permission.\\
\\
\\
[SharePoint Integration/permission_microsoft_graph.png]\\
[SharePoint Integration/permission_final.png]\\
----
\\
__⚠️ Warning:__ Grant __Admin consent__ for the newly added permission.\\
\\
[SharePoint Integration/app_permission_admin_consent.png]\\
\\
__Client id:__ You can find it at Azure portal -> App Registration -> Overview:\\
\\
[SharePoint Integration/client_id.png]\\
\\
__Client Secret__:\\
\\
Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. ⚠️ Ensure you copy over the __value__ immediately!\\
\\
[SharePoint Integration/new_secret.png]\\
\\
[SharePoint Integration/secret_value.png]\\
\\
!2.2 SharePoint remote item settings (Delegated Permission):\\
\\
__⚠️ Warning__: To obtain the __Refresh Token__, the CrushFTP WebInterface’s host and port must match the __Redirect URL__ specified in the __Azure App Registration__. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/\\
\\
Select the __Delegated Permission__ radio button, then click __Get Refresh Token__.\\
Enter the __Client ID__ (See at App Registration -> Overview -> Application (client) ID), the __Client Secret__ (See at App Registration -> Manage -> Certificates & secrets; make sure to copy the __value__ field, not the ID), and the __Tenant ID__ (See at App Registration -> Overview -> Directory (tenant) ID).\\
\\
Click the __OK__ button and proceed with the authentication and authorization process.\\
\\
__⚠️ Warning__: Be sure to sign in with the Microsoft Account that has the necessary permissions, as configured in the Azure App Registration mentioned above.\\
\\
This will automatically configure the username and password in the VFS item settings. After that, proceed with the SharePoint site-specific configuration.\\
\\
[SharePoint Integration/remote_item_settings.png]\\
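The redirect URL rules above (required ending, and host and port matching the WebInterface), as an added example that is not part of the original page or of CrushFTP's code. The function names are hypothetical; the check that plain http is limited to localhost reflects Microsoft's redirect URI restrictions, not a rule stated on this page.

```python
from urllib.parse import urlsplit

SUFFIX = "register_microsoft_graph_api/"      # required ending, from this page
DEFAULT_PORTS = {"http": 80, "https": 443}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def origin(url: str) -> tuple:
    """Return (scheme, host, port) with case and default ports normalised."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def check_redirect_uri(redirect_uri: str, webinterface_url: str) -> list:
    """List the reasons the refresh-token round trip would not land on CrushFTP."""
    problems = []
    if not urlsplit(redirect_uri).path.endswith("/" + SUFFIX):
        problems.append("path must end with " + SUFFIX)
    if origin(redirect_uri) != origin(webinterface_url):
        problems.append("scheme, host or port differs from the WebInterface URL")
    scheme, host, _ = origin(redirect_uri)
    if scheme == "http" and host not in LOOPBACK:
        problems.append("plain http is only accepted for localhost redirect URIs")
    return problems

if __name__ == "__main__":
    # The two redirect URLs used as examples on this page.
    print(check_redirect_uri("http://localhost:9090/register_microsoft_graph_api/",
                             "http://localhost:9090"))
    print(check_redirect_uri("https://your.crushftp.domain.com/register_microsoft_graph_api/",
                             "https://your.crushftp.domain.com:8443/"))
```
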
\\
__Tenant:__ See at App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type, it can be an ID, common, or consumer.\\
\\
Provide the SharePoint-specific settings. See under the [3.Sharepoint-specific settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SharePoint%20Microsoft%20Graph%20REST%20API#section-SharePoint+Microsoft+Graph+REST+API-3.SharepointSpecificSettings]\\ 
\\
!!!3.Sharepoint-specific settings:\\
\\
!!!3.1 Shared Link (Easy Configuration):\\

[attachments|sharepoint_shared_link_vfs_settings.png]\\
\\
!!!3.1.1 Shared Link of Document Library:\\
\\
In your web browser, open your SharePoint site and navigate to the __Document Library__ (See [SharePoint: Documents and Libraries Description Link|https://support.microsoft.com/en-us/office/what-is-a-document-library-3b5976dd-65cf-4c9e-bf5a-713c10ca2872]). Copy the complete URL from your browser's address bar.\\
[attachments|shared_link_document_library.png]\\
It will look similar to this:\\
{{{
https://your.sharepoint.com/sites/your_site/Shared%20Documents/Forms/AllItems.aspx
}}}\\
\\
Return to the VFS settings and paste the URL into the __Shared Link__ input field.\\
\\
!!!3.1.2 Link to Specific Folder:\\
[attachments|shared_link_specific_folder.png]
\\
In your web browser, open your SharePoint site and navigate to the __Document Library__, and find the specific folder you want to link to. Right-click on the folder. Select __Copy link__ from the context menu that appears.\\
It will look similar to this:\\
{{{
https://your.sharepoint.com/:f:/s/your_site/Evxo0AjlwiZAnajkk56_AC0BDxGQDy7bgNu8F7HHgVMKtQ?e=BgvJps}}}\\
Return to the VFS settings and paste the URL into the __Shared Link__ input field.\\ 
\\
!!!3.2 Site ID, Site Path, Document Library:\\
[SharePoint Integration/remote_item_sharepoint_specific_settings.png]\\
\\
__Site id__: The SharePoint domain name.\\
__Site Path__: The relative path of the SharePoint site without the domain. It should start and end with a slash (/).\\
Examples:\\
 /sites/SiteS1/\\
 /teams/SiteS1/SiteS2/\\
__Drive name__: Each SharePoint site has a Document Library where the site-related files are stored. See [SharePoint: Documents and Libraries Description Link|https://support.microsoft.com/en-us/office/what-is-a-document-library-3b5976dd-65cf-4c9e-bf5a-713c10ca2872]. Provide the name of this document library.\\
__Folder__: Relative path of the document library of the SharePoint site.\\
\\
__Conflict Behaviour__ (Only for the SharePoint remote VFS item type — not available for SharePoint2): \\
- __Rename__ the file/folder if it already exists\\
- __Replace__ the file/folder if it already exists\\
- __Fail__ if the file/folder already exists\\
\\
----
Back to [SharePoint Integration]\\
----