Microsoft 365

The Microsoft 365 connector provides shared authentication and identity crawling for SharePoint and OneDrive. Set up Microsoft 365 first, then configure SharePoint and OneDrive as child connectors that inherit the parent credentials.

Scope

This merged setup flow currently applies to SharePoint and OneDrive only. Outlook and Teams are not part of this setup and continue to be configured separately.

How it works

You register one parent app in Microsoft Entra ID. This app handles identity crawling for your Microsoft 365 tenant and provides credentials that SharePoint and OneDrive inherit automatically.

After saving the Microsoft 365 suite, configure SharePoint and/or OneDrive as child connectors. Each child connector inherits the parent credentials and only requires child-specific configuration.

Plan your permissions request

You register a single Glean application in Microsoft Entra ID for the entire Microsoft 365 suite. The parent connector requires only identity permissions, but the SharePoint and OneDrive child connectors add content permissions to this same application.

To avoid requesting scopes incrementally — and filing multiple IT tickets — request the full set from your Azure administrator up front. All scopes in the tables below are Application permissions, finalized with a single admin-consent step.

Security and compliance notes

Glean operates strictly in read-only mode for your content — it never modifies or deletes data. Two scopes warrant extra context for your security review, because of how Microsoft's APIs are designed:

• Sites.FullControl.All: Microsoft's SharePoint REST API exposes site, page, and list permissions only at the FullControl tier — there is no granular read-only equivalent for reading these ACLs. Glean uses it strictly to read permissions and metadata.
• Files.ReadWrite.All: Required solely to create, update, and reauthorize Microsoft Graph webhook subscriptions for change notifications. Glean never writes, modifies, or deletes files.

Microsoft Graph API

Permission	Required by	Why Glean needs it
User.Read.All	Suite, OneDrive, SharePoint	Enumerates tenant users to map identities and enforce document-level permissions.
GroupMember.Read.All	Suite, OneDrive, SharePoint	Resolves group membership so group-based permissions are applied correctly.
Member.Read.Hidden	Suite, OneDrive, SharePoint	Resolves hidden-visibility group membership, used when confidential groups share content.
Reports.Read.All	Suite, OneDrive, SharePoint	Reads usage reports to validate crawl coverage and scale indexing for your tenant size.
Sites.FullControl.All	OneDrive, SharePoint	Reads site, page, and list permissions and powers near-real-time permission updates via deltas.
Files.ReadWrite.All	OneDrive, SharePoint	Creates and manages webhook subscriptions over drives. No files are written.
Files.Read.All	SharePoint	Reads SharePoint file content for indexing.

SharePoint REST API

Permission	Required by	Why Glean needs it
Sites.FullControl.All	OneDrive, SharePoint	Retrieves permissions for site pages and lists through the SharePoint REST API.

note

• Bundling requests: The identity permissions (User.*, GroupMember.*, Member.*, Reports.*) are typically low-friction approvals. The content permissions (Sites.*, Files.*) usually trigger a formal security review. Bundling them into your initial request prevents a second approval cycle when you deploy child connectors.
• OneNote exception: If you plan to enable OneNote page-body indexing later, it requires Notes.Read.All (Delegated). This scope is handled separately during OneNote setup and doesn't need to be in this base request.

Required permissions for setup

The user setting up this connector must be the Global Admin.

Register a new app

1. Sign in to the Azure portal.
2. Select Microsoft Entra ID → Manage → App registrations → New registration.
3. On the Register an application page, register an app with the following:

Field	Value
Name	Glean
Supported account types	Accounts in this organizational directory only (Single tenant)
Redirect URI	Leave this field blank

4. Click Register.

Configure permissions

1. On the overview page, click Manage → API Permissions.
2. Click Add a permission and select Microsoft Graph.
3. Choose Application permissions and add the following:
   • User.Read.All
   • GroupMember.Read.All
   • Reports.Read.All
   • Member.Read.Hidden

note

These four identity permissions cover the parent connector. SharePoint and OneDrive add content permissions to this same app — see Plan your permissions request for the complete list, and add them all now if you already know you'll configure those child connectors.

Grant admin consent

1. Ensure you are signed in to Azure as a Global, Application, or Cloud Application Administrator.
2. Use the search box to navigate to Enterprise applications.
3. Select the Glean app you created.
4. Click Permissions under Security.
5. Review the permissions shown, then click Grant admin consent.

Set up certificate authentication

Glean uses app-only credentials to authenticate to Microsoft Graph and SharePoint APIs for Microsoft 365 connectors.

For SharePoint and OneDrive, use certificate-based authentication. If you're migrating an older setup that used a client secret for SharePoint REST, switch to certificate-based authentication as described in the migration guidance.

The steps below show how to generate a certificate and private key with OpenSSL. Before uploading the files, make sure the private key is PEM-encoded PKCS#8, unencrypted, and uses BEGIN PRIVATE KEY / END PRIVATE KEY headers.

Generate with OpenSSL

Install OpenSSL

OpenSSL is installed by default on macOS terminals. If you are using Windows, follow these instructions to download OpenSSL for use with PowerShell.

1. Download the relevant OpenSSL installation manager for your version of Windows. OpenSSL offers a list of third-party binary distributions, with Shining Light Productions as an option.
2. During the installation process, select the option to copy the OpenSSL binaries into the /bin directory.
3. Open a new PowerShell instance and run the following command to make OpenSSL binaries available:

$env:Path += ";C:\\Program Files\\OpenSSL-Win64\\bin"

Generate certificate and private key

Run the following commands line by line. Microsoft SDK requires the certificate to be verified with a private key in PKCS#8 syntax.

openssl genrsa -out tempprivatekey.key 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -in tempprivatekey.key -out privatekey.key -nocrypt
openssl req -new -key privatekey.key -out request.csr
openssl x509 -req -days 365 -in request.csr -signkey privatekey.key -out certificate.crt

Verify that both certificate.crt and privatekey.key exist. Open each file and confirm the formats:

• The certificate file should start with BEGIN CERTIFICATE and end with END CERTIFICATE.
• The private key should begin with BEGIN PRIVATE KEY and end with END PRIVATE KEY. It should not include RSA in the headers, nor be encrypted.

Upload certificate to Azure

1. Navigate back to Microsoft Entra ID → Manage → App registrations and select the app you created.
2. Click Manage → Certificates & secrets.
3. Click the Certificates tab and then Upload certificate.
4. Upload the certificate.crt file you generated.

Fill out keys

1. In Azure, click Overview.

2. Copy the following values from the Essentials panel and enter them in Glean:

   • Application (client) ID
   • Directory (tenant) ID

3. Upload certificate.crt in Glean under Client Certificate.

4. Upload privatekey.key in Glean under Private Key.

5. Select your tenant size in Glean.

6. Click Save to create the Microsoft 365 suite.

Additional apps for faster indexing

If your tenant size is greater than 1000, add 5 additional applications to improve full crawl speed. In general, Glean recommends between 1 and 10 additional applications with the same permission settings as the initial app created.

For each additional app, repeat the steps from Register a new app through Upload certificate to Azure, then paste the additional Application (client) ID into Glean. You only need to upload the certificate once in Glean.

After saving the Microsoft 365 suite, continue setting up SharePoint and OneDrive. Those child connectors inherit the parent credentials. The content permissions they require are listed in Plan your permissions request — add them to this same app (and any additional apps) in a single request, ideally alongside the identity permissions above.

Next steps

• SharePoint setup
• OneDrive setup
• Real-time access for OneDrive
• Real-time access for SharePoint