​

Introduction

• Authentication: is done by creating and registering an App for each deployment - https://docs.microsoft.com/en-us/graph/auth-v2-service.
• API Usage:
  • Glean will use the Graph API to ingest all data and permissions, using the current Microsoft Graph API SDK v5.30.0.
  • Glean will ingest all data using the standard Graph API and SharePoint REST API.
  • Glean uses application permissions with admin-granted access.
• Permissions Enforcement: Glean respects all user access permissions, ensuring users only see search results for documents they have access to. When a user clicks on a search result, they are taken to the Office 365 web application, which enforces the permission
• Data Storage: All data is stored in the customer’s project within the customer’s cloud account, ensuring no data leaves the customer’s environment

• Folders
• Documents (All document types, e.g. word, excel, PowerPoint)
• OneNote (limited support, indexing Notebooks + Sections)

• Site Pages (web part or wiki page libraries)
• Site Drives (document libraries)
• Basic List and Calendar List items (optional configuration not by default)

​

SharePoint Permissions

• User.Read.All
• Group.Read.All
• GroupMember.Read.All

• Directory.Read.All
• Files.Read.All
• Files.ReadWrite.All (for webhooks setup)
• Reports.Read.All (for ranking signals)
• Sites.FullControl.All (previously Sites.Read.All)
• SharePoint REST API requires full control to properly crawl all Site Collections, SharePoint site content, and permissions

​

SharePoint REST & Graph API Full Control Discussion

​

Sites.FullControl.All Discussion

• Glean had previously used Sites.Read.All, of which is no longer sufficient. See [External] Sharepoint Connector Update for details.

​

Sites Selected Discussion

​

Files.ReadWrite.All for Webhooks Discussion

​

Versions Supported

​

Objects Supported

• Folders: Glean captures and indexes folders within OneDrive & SharePoint.
• Documents: This includes various types of documents stored in OneDrive & SharePoint.
• Native File Types: Office including Word, Excel, PowerPoint, etc
  ​Content from Personal and Shared Drives: Glean supports content from both personal drives and shared drives within OneDrive.

​

Authentication Mechanism

​

Connector credentials requirements

• Glean requires authentication by setting up a registered app in Azure to SharePoint in order to fetch relevant information.
• Glean understands all user access permissions and strictly enforces them at the time of the query, ensuring that users cannot see results to which they do not have access.
• It’s important to note that all data is stored in the customer’s project in the customer’s cloud account and no data leaves the customer’s environment
• Glean only requires READ-level permissions. Application vendors may not provide granularity in their permission schemes for read-only access as observed by Microsoft with webhooks and scanning for permissions

​

SharePoint Sites Selected Setup and Permissions

​

SharePoint Permissions per Site Setup

​

Required permissions for setup

• The user setting up this data source must be the Global Admin.

​

Register a new app

1. Sign in to the Azure portal. Select Azure Active Directory, then App registrations > New registration.
2. On the Register an application page, register an app with the following:

1. Click Register

​

Configure permissions

1. On the left side navigation on the overview page, click on Manage > API Permissions.
2. Click Add a permission and select Microsoft Graph. Choose Application permissions and add the following:
   • User.Read.All
   • GroupMember.Read.All
   • Sites.Selected
   • Reports.Read.All
   • Member.Read.Hidden

​

Grant admin consent

1. Please sign into Azure as a Global, Application or Cloud Application Administrator.
2. Use the search box to navigate to Enterprise applications. Select the Glean app just created from the list of applications.
3. Click on Permissions under Security. Review the permissions shown, and then click Grant admin consent.

​

Generate Certificate and PrivateKey

1. Run the following command line by line
   Copy

   openssl genrsa -out privatekey.key 2048openssl req -new -key privatekey.key -out request.csropenssl x509 -req -days 365 -in request.csr -signkey privatekey.key -out certificate.crt
   

2. Verify that both certificate.crt and privatekey.key exist.
   1. certificate.crt should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----
   2. privatekey.key should begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----
3. Upload the certificate.crt in Glean:
   1. Client Certificate
4. Upload the privateKey.key in Glean:
   1. Private Key

​

Upload Certificate

1. Navigate back to Home > App registrations and click on the app created earlier. Then click on Manage > Certificates & secrets in the left sidebar.
2. Click the Certificates Section and Upload the certificate.
3. Upload the certificate.crt file that just generated

​

Fill out keys

1. Scroll to the top of the left sidebar and click Overview.
2. Copy the following content from the center Essentials panel and enter it in Glean:
   • Application (client) ID
   • Directory (tenant) ID
3. Enter your Sharepoint domain in Glean. Your Sharepoint domain should end with “sharepoint.com”
4. (Strongly Recommended) To increase the full crawl indexing speeds, Glean recommends between 1 and 10 additional applications with the same permission settings as the initial app created. Repeat the setup steps from “Register a new app” until this step, saving the client ID and uploading the certificate to Azure in the process. Paste the client ID into the Glean web app.
5. Click Save. If the credentials save, you’re all set!

​

Add Sites.Selected Permission

1. Navigate back to Home > App registrations and click on the app created earlier. Then click on Manage > API permissions in the left sidebar.
2. Click Add a permission and select SharePoint. Choose Application permissions and add Sites.Selected

​

Grant Graph API permissions to an individual site

1. Grant consent for PnP management in the Azure tenant for the specific site collection via site collection URL: Choose either of the two options to see which one works:
   Copy

   Connect-PnPOnline -Url $SITE_COLLECTION_URL -Interactive -ClientId <clientId>
   

   (See section Interactive Connection Troubleshoot if not working)[Recommended]
   Copy

   Connect-PnPOnline -Url $SITE_COLLECTION_URL -DeviceLogin -ClientId <clientId> -Tenant <tenantId>
   

   (See section DeviceLogin Troubleshoot if not working)
2. With the application client ID and site collection url, grant Full Control for the site collection:
   Copy

   Grant-PnpAzureADAppSitePermission -AppId $CLIENT_ID -Site $SITE_COLLECTION_URL -Permissions FullControll
   

​

Provide the list of all sites to be crawled

1. Navigate to the Manage Data > Inclusion Rules tab. Provide the list of urls (can be just the subsites of the site collections with permissions) for the explicit sites to be crawled. If a site collection and all associated subsites should be crawled, provide all the urls explicitly in the inclusions list.

​

Interactive Connection Troubleshoot

1. On the azure portal, find the app just created. In the menu, look for Manage and click on Authentication
2. Under Platform configurations on the page, click on Add a platform
3. In the panel that shows up on the right, click on Mobile and desktop applications
4. Leave the three boxes shown in the panel on the right unchecked and in the Custom redirect URIs field, enter: http://localhost. Note that this should really be http and not https
5. Click on Configure at the bottom
6. Retry the command
   Copy

   Connect-PnPOnline -Url $SITE_COLLECTION_URL -Interactive -ClientId <clientId>
   

​

Delegated vs. Application Permissions

• Item insights (for activity) would only be assigned to the individual user. Glean could miss activity for other users using Glean, but not associated with the service account (Item insights in Microsoft Graph - Microsoft Graph ).
• Microsoft imposes a tenant-wide rate limit. If individual users authorize, Glean would potentially crawl the same content with multiple user tokens. In turn would cause the same content crawled with multiple user tokens. Due to the restrictive Graph API rate limits, Glean’s crawl speed will be significantly slower.
• Glean cannot list all the site collections with delegated permissions (List sites—Microsoft Graph v1.0). Admins will still need to configure inclusive SharePoint sites.

​

Connection instructions

​

Required permissions for setup

​

Register a new app

1. Sign into the Azure portal. Select Azure Active Directory, then App registrations > New registration
2. On the Register an application page, register an app with see table below
3. Click Register

​

Configure permissions

1. On the left side navigation on the overview page, click on Manage > API Permissions
2. Click Add a Permission and select Microsoft Graph. Choose Application permissions and add the following:
   • User.Read.All
   • GroupMember.Read.All
   • Files.Read.All
   • Files.ReadWrite.All (for webhooks)
   • Reports.Read.All
   • Sites.Read.All
   • Members.Read.Hidden
   • Directory.ReadWrite.All (Note: for grant REST API permissions and will remove in the end of install)
3. Click Add a Permission and select Microsoft Graph. Choose Application permissions and add the following:
   1. Sites.FullControl.All

​

Grant admin consent

1. Please sign in to Azure as a Global, Application or Cloud Application Administrator.
2. Use the search box to navigate to Enterprise applications. Select the Gleanweapp just created from the list of applications.
3. Click on Permissions under Security. Review the permissions shown, and then click Grant admin consent.

​

Fill out keys

1. Scroll to the top of the left sidebar and click Overview.
2. Copy the following content from the center Essentials panel and enter it in Glean:
   • Application (client) ID
   • Directory (tenant) ID
3. Enter the SharePoint domain in Glean. The SharePoint domain should end with “sharepoint.com”
4. (Strongly Recommended) To increase the full crawl indexing speeds, Glean recommends between 1 and 10 additional applications with the same permission settings as the initial app created. Repeat the setup steps from “Register a new app” until this step, saving the client ID and client secret in the process. Paste the client ID and client secret into the Glean web app.
   ​
5. Click Save. If the credentials save, you’re all set!

​

Remove Directory.ReadWrite.All permissions

1. Go back to the app registrations page on azure. On the left side navigation on the overview page, click on Manage > API Permissions.
2. In the Configured permissions area, select Directory.ReadWrite.All, and click Remove permissions
3. In the Other permissions granted, section, click Revoke Admin Consent to make sure the permission is fully removed

​

Interactive Connection Troubleshoot

1. On the azure portal, find the app just created. In the menu, look for Manage and click on Authentication
2. Under Platform configurations on the page, click on Add a platform
3. In the panel that shows up on the right, click on Mobile and desktop applications
4. Leave the three boxes shown in the panel on the right unchecked and in the Custom redirect URIs field, enter: http://localhost. Note that this should really be http and not https
5. Click on Configure at the bottom
6. Retry the command

Connect-PnPOnline-Url"https://<domain>.sharepoint.com"-Interactive-ClientId<clientId>

​

DeviceLogin Troubleshooting

​

Authentication and Endpoint scope requirements

​

Authentication Endpoints

​

Identity Endpoints

​

Content Endpoints

​

Drives and Document Libraries on SharePoint Sites

​

Activity Endpoints

​

Reports

​

Webhooks

​

Items crawled

​

Content

• The document is less than 16MB
• The document has indexable content, such as Documents, PowerPoints, spreadsheets, PDFs, and text files, which can be downloaded.
  • By default, OCR is not enabled
  • Drawings, images, videos, compressed folders, and code (including JSON) are not downloaded by default and will only have metadata indexed
• OneNote has limited support
  • OneNote is structured as a “Notebook,” composed of “Sections,” which are in turn composed of “Pages” that have content
  • Glean indexed “Notebook” as a folder and “Section” as standalone content
  • While Glean attempts to parse the downloaded “Section” content, which includes Pages, there are bugs in the content parsing library that prevent all page content from surfacing in the index
• By default, the connector crawls ALL personal folders for employees in the company. It is possible to limit these crawls to a specific list of groups in the SSO Directory (Azure AD, etc…).

​

Identity

• Glean crawls all Azure users and groups in the tenant using the Graph API.
• With the SharePoint REST API, Glean also crawls all default site groups (e.g., visitors, members, and owners). These are common groups configured either across a full site collection or within subsites.

​

SharePoint Lists

• Glean only crawls Site Page (webPageLibrary) List types by default, which does not include a page representing the List library (e.g. url with “…AllItems.aspx”).
  • Web parts will be downloaded from each web page. Only “rich text” web parts will have content parsed and indexed.
  • Limitation: Pages can be in “draft mode.” This occurs when any user checks out a page to edit. Because the API does not distinguish between content available on a published page vs. a draft page, Glean will only show the title of “checked out” or “draft mode” pages by default.
    • If o365sharepoint.crawl.useTitleForDrafts = false, the draft page will not show up at all in search.
• Glean does not support additional list types, e.g. “xmlPowerForm”

​

Rate Limits

• Rate limits depend on enterprise size. For the largest enterprises, Glean typically can make around 16 document retrievals per second (100 tokens per second, 1 token for content download, and 5 tokens for permission API calls). Glean optimizes API calls by understanding when content inherits permissions from parents. This helps Glean upwards of 8M documents per day for large enterprises, for a full crawl.
• Rate limits are per application and also enforced tenant-wide. From custom testing, Glean has found success with increasing crawler applications to up to 5 additional applications.

​

Update frequency

• User Insights provides information when docs are modified or viewed, including if permissions change. The crawl every 10 minutes will reprocess these permissions.
• Glean also subscribes to webhooks on drives to understand which drives need to be crawled incrementally more to ingest up-to-date content.

​

Crawling Strategy/Performance

​

How the Crawl Works

​

Crawl Behavior

• Most content, including OneDrive user drives or SharePoint document libraries, will be indexed via a OneDrive incremental crawl. This follows Microsoft’s recommended best practices for working with Microsoft Graph APIs.
  • Microsoft reports a webhook via a subscription on “drives” (Onedrive user drives or SharePoint document libraries). Subscriptions include a change to any item within the drive, including a permission change to a single item.
  • Glean schedules an incremental crawl over all drives with a webhook seen recently, or if the drive has not been crawled for a period of time (by default at least weekly).
  • The change endpoint provides a list of all changed content (both content and permission changes), along with their full folder hierarchy.
  • Glean queues two sets of crawls after discovering changes: a crawl for any changed content and propagation over the full drive for permission changes. The permission propagation must occur over the full drive, as permission changes are not known beforehand in the change query. If folders change permissions, the children must also have the propagated change.
• SharePoint list crawls are done via a “SitePage” crawl, which is independent of the OneDrive incremental crawls
• Finally, some document libraries or user OneDrive content will be present in user insights. Glean has a fast path to ingest any newly created content detected in user insights into the index.

​

Known Limitations in Crawl

• SharePoint Pages can be in “draft mode.” This occurs when any user checks out a page to edit. Because the API does not distinguish between content available on a published page vs. a draft page, Glean will only show the title of “checked out” or “draft mode” pages by default.
• For OneNote, while Glean attempts to parse the downloaded “Section” content, which includes Pages, there are bugs in the content parsing library that prevent all page content from surfacing in the index
• When adding more than 3 additional apps to the SharePoint Online connector, an administrator may encounter the error “Failed to save changes
• Glean can not crawl SharePoint site URLs with special designations and should be removed before inputting into inclusions or exclusions:
  • “:f” means Folder sharing
  • “:w” means Word document sharing
  • “:x” means Excel document sharing
  • “:p” means PowerPoint document sharing
  • “:b” means PDF document sharing

​

Unsupported Features

• Page-level OneNote support.
• Additional SharePoint List type support (xmlForm, powerApps).
• SharePoint basic list search results as an aggregate of all list items.
• Supporting Purview + Sensitive Labels.
• Event receivers and SPFx client-side activity exports
• Teams transcripts
• Custom facets as customizable search metadata for SharePoint Lists
• additional list types, e.g. “xmlPowerForm”

​

Content Configuration

​

Inclusions (Green-Listing) Options

​

Inclusion SharePoint sites by site URL

• Inclusion a list of site URLs
  • Note: Only the specified sites will be included. Sub-sites of the specified included site are not included (i.e., inheritance) and must be individually specified to be included.
• Including a file containing a single line of comma-separated URLs (if there are many sites)

​

Inclusions OneDrive User Drives

​

Exclusions (Red-listing) Options

• Exclude a SharePoint site removes all site pages and files and folders in the site drives from Glean.
• Exclude OneDrive user drives by email removes all files and folders in the user’s personal drive (this also applies to OneDrive for Business drives). It does not affect documents created by the user in other drives or SharePoint.

​

Exclude SharePoint sites via SharePoint settings

​

Exclude SharePoint sites by site URL

• Excluding a list of site URLs
• Excluding a file containing a single line of comma-separated URLs (if there are many sites)

​

Exclude OneDrive user drives

​

Auditing Permissions

​

Steps to Monitor Glean Purview

​

Search for Application-Specific Activity in Purview:

• Open the Microsoft Purview Compliance Portal.
• Navigate to Audit > Audit search.
• In the Users filter, enter the Application ID or the name of the Glean application (as it appears in Azure AD).
• Focus on the following activities:
  • File accessed: Logs when files or pages are read.
  • List accessed: Logs list-level operations, such as reading items.
  • Permissions viewed or changed: Identifies whether Glean is accessing or modifying permissions

​

Monitor Specific Endpoints:

• Get site list items (/web/lists('<list_id>')/item)
• Get site item permissions (/web/lists('<list_id>')/items('<item_id>')/roleassignments)
• Get page content (/web/GetFileById('<id>')/GetLimitedWebPartManager)
• Cross-reference the logs for activities related to these endpoints and verify they are read-only

​

Set Up Alerts for Write Activity:

• In the Audit section of Purview, create alert policies for write actions by Glean:
  • File modified or deleted: Flag if the application writes to or deletes files.
  • Permission changes: Monitor for unauthorized modifications to roles or permissions.
• Use these alerts to trigger immediate reviews.

​

Troubleshooting

​

Microsoft Tenants Created Started 2020 and After

1. Install Powershell (if it is not already installed).
2. In Powershell, install PnP by running
   ​Install-Module -Name PnP.PowerShell, Install-Module -Name, Microsoft.Online.SharePoint.PowerShell
3. Run
   Copy

   Connect-PnPOnline -Url https://<sharepointdomain>-admin.sharepoint.com
   

4. Run
   Copy

   Set-PnPTenant -DisableCustomAppAuthentication $false
   

5. Reattempt to Save.

​

Workaround for Configuring Additional SharePoint Apps

​

Background

​

Procedure

1. Create the client/secret IDs with the proper permissions as per the original SharePoint instructions. Verify all of the permissions are correct (there will be 8x Application Permissions), and that the SharePoint REST API privileges have been granted.
2. Navigate to https://app.glean.com/admin/setup/apps?advanced. A modal should pop up similar to below. ⚠️Caution! Do not use this interface outside the instructions in this document or without guidance by a Glean engineer. Doing so may result in errors within the Glean instance.
3. For each additional SharePoint app added, repeat the following steps:
   1. Set the Client ID:
      1. Open the Advanced modal above, and select Secret.
      2. For Key name, enter O365_CLIENT_ID_<X-1>, where <X> is the number of the additional apps for configuring. This is indexed at 0.
         1. For example, adding Additional App #3, the Key name will be O365_CLIENT_ID_2. For Additional App #6, the Key name will be O365_CLIENT_ID_5. Etc.
      3. For Key value, paste the Application/Client ID of the additional SharePoint app configured.
      4. Click Submit.
      Example of configuring the Application/Client ID for Additional App #3 (O365_CLIENT_ID_2)
   2. Set the Client Secret:
      1. Open the Advanced modal again, and select Secret.
      2. For Key name, enter O365_CLIENT_SECRET_<X-1>, where <X> is the number of the additional app that are configured. This is indexed at 0.
         1. For example, if adding Additional App #3, the Key name will be O365_CLIENT_SECRET_2. For Additional App #6, the Key name will be O365_CLIENT_SECRET_5. Etc.
      3. For Key value, paste the Secret of the additional SharePoint app configured.
      4. Click Submit.
   Example of configuring the Client Secret value for Additional App #3 (O365_CLIENT_SECRET_2) The mapping of the Secret names to the fields from the standard SharePoint setup page is illustrated below. This image illustrates the mapping of each Additional App field in the standard SharePoint setup workflow to the Client ID and Client Secret keys that will be used.
4. Advise your Glean engineer of the total number of additional apps thathave on-boarded. They will need to enable the usage of the Secrets that have been set in order for them to take effect.
5. The procedure is now complete. DO NOT modify anything in the SharePoint Setup page as doing so will overwrite the values entered for the secrets.