Remote item name: SharePoint2

This API, often called “V2”, is Microsoft's way of exposing SharePoint Online functionality through endpoints that align closely with Microsoft Graph. V2 allows you to make calls directly to SharePoint using Graph-like URLs. This approach uses SharePoint-scoped access tokens and avoids routing through the Graph proxy when possible, leading to potentially better performance and simpler security contexts in SharePoint-integrated apps.

More info: SharePoint REST operations via the Microsoft Graph REST API Link

❗Warning❗: This API only works if you configure the Shared Link in the SharePoint2 VFS settings.

⚠️ Proxy Configuration: If your server accesses the internet through a proxy, make sure to whitelist the following domains:
login.microsoftonline.com
<yourtenant>.sharepoint.com — for accessing SharePoint site collections

Azure: App Registration for SharePoint REST API Access

Open the Microsoft Azure Portal: Link

Application registration: Navigate to App registrations and click New registration. Select the platform Web and configure the Redirect URL.

SharePoint Integration/new_registration.png

In the Redirect URI section, for Platform configuration, select Web. The Redirect URL must end with register_microsoft_graph_api/. Examples:

    http://localhost:9090/register_microsoft_graph_api/
    or
    https://your.crushftp.domain.com/register_microsoft_graph_api/



1. Application Permission


Application permissions are used when an application runs without a signed-in user, such as in server-to-server connections.

App Registration SharePoint Scopes:

SharePoint REST service API/app_registration_sharepoint permissions.png

a.) SharePoint.AllSites.FullControl: Grants an application full control over all site collections in SharePoint Online across the entire tenant. This is the highest level of SharePoint permission available for applications and enables full administrative access to both content and site settings.

Navigate to API Permissions. Click the Add a permission button. Select SharePoint. Then select Application Permission. Search for AllSites and check the flag AllSites.FullControl.


b.) SharePoint.AllSites.Manage: Grants an app manage-level access to all site collections in SharePoint Online. This includes the ability to read and write content, as well as manage lists and libraries, but not full administrative control (e.g., cannot manage site permissions or site settings).

This permission allows the app to:
• Access all SharePoint sites in the tenant.
• Create, read, update, and delete:
    • Files and folders
    • Lists and list items
    • Libraries and site content structures

Navigate to API Permissions. Click the Add a permission button. Select SharePoint. Then select Application Permission. Search for AllSites and check the flag AllSites.Manage.


c.) SharePoint.Sites.Selected: The Sites.Selected permission allows an app to access only the specific SharePoint sites you explicitly authorize. ⚠️ Important: The application must first be registered in Azure AD with the Sites.Selected application permission. More information is available at the following link: Managing SharePoint Site Access for Applications Using Sites.Selected Permission.

Navigate to API Permissions. Click the Add a permission button. Select SharePoint. Then select Application Permission. Search for Sites and check the flag Sites.Selected.

1.1 SharePoint2 VFS item configuration: Application Permission - Certificate Based:



Certificates: See at App Registration -> Certificates & secrets

SharePoint Integration/azure_app_registrations_certificates.png

SharePoint REST API V2.0/vfs_sharepoint2_v2_cert_based.png

Select the Application Permission (cert based) radio button, then click the Application Permission cert based button.

SharePoint Integration/app_permission_cert_based_form.png

Enter the Client ID (See at App Registration -> Overview -> Application (client) ID).

Thumbprint: (See at App Registration -> Manage -> Certificates & secrets) Select Certificates.
Private Key: This is your application's unique digital credential, which pairs with the public certificate you uploaded in Azure Portal. It allows the system to securely access SharePoint without a password. We accept the PKCS#8 key text format (often starting with -----BEGIN PRIVATE KEY-----).

Enter the Tenant ID (see App Registration -> Overview -> Directory (tenant) ID), then click OK. This will automatically configure the username and password in the VFS item settings. After that, click the OK button and proceed with the SharePoint site-specific configuration. See section 3, SharePoint-specific settings.
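A pre-flight check for the two certificate values entered above, as an added example that is not CrushFTP's own code. It classifies a private key as PKCS#8 or PKCS#1 by both PEM label and DER structure, and computes a certificate thumbprint, assuming the portal's Thumbprint column is the SHA-1 of the DER certificate in uppercase hex; all function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def to_pem(label, der):
    """Wrap DER bytes in PEM armor (used to build the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def _tlv(buf, pos):
    """Read the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def key_format(pem_text):
    """Classify a private key by its PEM label and its DER structure."""
    try:
        (label, der), = pem_blocks(pem_text)
        if label == "ENCRYPTED PRIVATE KEY":
            return "pkcs8-encrypted"
        tag, start, _ = _tlv(der, 0)      # outer SEQUENCE
        vtag, _, vend = _tlv(der, start)  # version INTEGER
        shape = (label, tag, vtag, der[vend])
    except (ValueError, IndexError):
        return "invalid"
    # PKCS#8 PrivateKeyInfo: version, then an AlgorithmIdentifier SEQUENCE (0x30).
    # PKCS#1 RSAPrivateKey: version, then the modulus INTEGER (0x02).
    return {("PRIVATE KEY", 0x30, 0x02, 0x30): "pkcs8",
            ("RSA PRIVATE KEY", 0x30, 0x02, 0x02): "pkcs1"}.get(shape, "unrecognized")

def thumbprint(cert_pem):
    """SHA-1 of the certificate DER as 40 uppercase hex digits, no separators."""
    (label, der), = pem_blocks(cert_pem)
    if label != "CERTIFICATE":
        raise ValueError("expected a CERTIFICATE block")
    return hashlib.sha1(der).hexdigest().upper()

# Constructed DER skeletons: correct outer structure, no usable key material.
PKCS8_DER = bytes.fromhex("3018020100300d06092a864886f70d01010105000404deadbeef")
PKCS1_DER = bytes.fromhex("3007020100020200c1")
```

A key reported as pkcs1 can be converted with `openssl pkcs8 -topk8 -nocrypt -in old.pem -out new.pem` before it is pasted into the Private Key field.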

1.2 SharePoint VFS item configuration: Application Permission - Client Secret Based:


Client Secret:

Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. ⚠️ Ensure you copy over the value immediately!

SharePoint Integration/new_secret.png

SharePoint Integration/secret_value.png

SharePoint REST API V2.0/vfs_sharepoint2_v2_client_secret.png

Select the Application Permission radio button, then click the Application Permission button.
SharePoint Integration/app_permission_client_secret_form.png
Enter the Client ID (see App Registration -> Overview -> Application (client) ID) and the Client Secret (see App Registration -> Manage -> Certificates & secrets). ⚠️ Make sure to copy the value field, not the ID.
Enter the Tenant ID (see App Registration -> Overview -> Directory (tenant) ID), then click OK. This will automatically configure the username and password in the VFS item settings. After that, click the OK button and proceed with the SharePoint site-specific configuration.

Tenant: See App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type, it can be an ID, common, or consumer.

Provide the SharePoint-specific settings. See section 3, SharePoint-specific settings.

2. Delegated Permission:


Delegated permissions are used when an application makes API calls as the signed-in user. The app is delegated the user’s permissions and can only access resources that the user is authorized to access.

Redirect URL: The Redirect URL must end with register_microsoft_graph_api/. Examples:

    http://localhost:9090/register_microsoft_graph_api/
    or
    https://your.crushftp.domain.com/register_microsoft_graph_api/


SharePoint REST service API/app_registration_redirect_url.png

App Registration SharePoint Scopes:

a.) SharePoint.AllSites.FullControl: Grants an application full control over all site collections in SharePoint Online across the entire tenant. This is the highest level of SharePoint permission available for applications and enables full administrative access to both content and site settings.

Navigate to API Permissions. Click the Add a permission button. Select SharePoint. Then select Delegated Permission. Search for AllSites and check the flag AllSites.FullControl.


b.) SharePoint.AllSites.Manage: Grants an app manage-level access to all site collections in SharePoint Online. This includes the ability to read and write content, as well as manage lists and libraries, but not full administrative control (e.g., cannot manage site permissions or site settings).

This permission allows the app to:
• Access all SharePoint sites in the tenant.
• Create, read, update, and delete:
    • Files and folders
    • Lists and list items
    • Libraries and site content structures

Navigate to API Permissions. Click the Add a permission button. Select SharePoint. Then select Delegated Permission. Search for AllSites and check the flag AllSites.Manage.


c.) SharePoint.Sites.Selected: The Sites.Selected permission allows an app to access only the specific SharePoint sites you explicitly authorize. ⚠️ Important: The application must first be registered in Azure AD with the Sites.Selected application permission. More information is available at the following link: Managing SharePoint Site Access for Applications Using Sites.Selected Permission.

Navigate to API Permissions. Click the Add a permission button. Select SharePoint. Then select Delegated Permission. Search for Sites and check the flag Sites.Selected.

CrushTaskExample19/app_permission_sharepoint_site_selected.png


⚠️ Warning: Admin consent is required for the newly added permission.

SharePoint Integration/app_permission_admin_consent.png

Secret key: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. ⚠️ Ensure you copy over the value immediately!

SharePoint Integration/new_secret.png

SharePoint Integration/secret_value.png

2.1 SharePoint2 remote item settings (Delegated Permission):


⚠️ Warning: To obtain the Refresh Token, the CrushFTP WebInterface’s host and port must match the Redirect URL specified in the Azure App Registration. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/

Click on Get Refresh Token.

Enter the Client ID (see App Registration -> Overview -> Application (client) ID), the Client Secret (see App Registration -> Manage -> Certificates & secrets; make sure to copy the value field, not the ID), and the Tenant ID (see App Registration -> Overview -> Directory (tenant) ID).

Click the OK button and proceed with the authentication and authorization process.

⚠️ Warning: Be sure to sign in with the Microsoft Account that has the necessary permissions, as configured in the Azure App Registration mentioned above.
This will automatically configure the username and password in the VFS item settings. After that, proceed with the SharePoint site-specific configuration.

Tenant: See App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type, it can be an ID, common, or consumer.

Provide the SharePoint-specific settings. See section 3, SharePoint-specific settings.

SharePoint REST API V2.0/sharepoint2_v2_refresh_token_vfs_item.png
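The redirect requirements from the warning above (required path suffix, host and port matching the CrushFTP WebInterface) can be checked before clicking Get Refresh Token. This is an added example, not CrushFTP's own code; the function names are hypothetical, and the rule that plain http is only acceptable for localhost is the Microsoft identity platform's redirect URI rule, applied here as an assumption.

```python
from urllib.parse import urlsplit

REQUIRED_SUFFIX = "register_microsoft_graph_api/"   # suffix required by the page
DEFAULT_PORTS = {"http": 80, "https": 443}
LOOPBACK = {"localhost", "127.0.0.1"}

def origin(url):
    """Return (scheme, host, effective port) so default ports compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def redirect_problems(redirect_url, webinterface_url):
    """List the reasons a redirect URL would not satisfy the requirements."""
    scheme, host, port = origin(redirect_url)
    if scheme not in DEFAULT_PORTS or not host:
        return ["not an absolute http(s) URL"]
    problems = []
    if not urlsplit(redirect_url).path.endswith("/" + REQUIRED_SUFFIX):
        problems.append("path must end with " + REQUIRED_SUFFIX)
    # Assumption: http redirect URIs are only accepted for localhost.
    if scheme == "http" and host not in LOOPBACK:
        problems.append("plain http is only suitable for localhost")
    if (scheme, host, port) != origin(webinterface_url):
        problems.append("scheme, host or port differs from the WebInterface")
    return problems

if __name__ == "__main__":
    # The two example URLs from the page, checked against matching WebInterface URLs.
    print(redirect_problems("http://localhost:9090/register_microsoft_graph_api/",
                            "http://localhost:9090"))
    print(redirect_problems("https://your.crushftp.domain.com/register_microsoft_graph_api/",
                            "https://your.crushftp.domain.com/"))
```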



SharePoint Microsoft Graph REST API/sharepoint_shared_link_vfs_settings.png

3.1 Shared Link of Document Library:


In your web browser, open your SharePoint site and navigate to the Document Library (see SharePoint: Documents and Libraries Description Link). Copy the complete URL from your browser's address bar.
SharePoint Microsoft Graph REST API/shared_link_document_library.png
It will look similar to this:
https://your.sharepoint.com/sites/your_site/Shared%20Documents/Forms/AllItems.aspx


Return to the VFS settings and paste the URL into the Shared Link input field.

3.2 Link to Specific Folder:

SharePoint Microsoft Graph REST API/shared_link_specific_folder.png
In your web browser, open your SharePoint site and navigate to the Document Library, and find the specific folder you want to link to. Right-click on the folder. Select Copy link from the context menu that appears.
It will look similar to this:
https://your.sharepoint.com/:f:/s/your_site/Evxo0AjlwiZAnajkk56_AC0BDxGQDy7bgNu8F7HHgVMKtQ?e=BgvJps

Return to the VFS settings and paste the URL into the Shared Link input field.


This page (revision-21) was last changed on 07-Nov-2025 03:43 by krivacsz