Setup Guide

You can find your SharePoint application credentials by visiting your Microsoft Azure Portal. You’ll need the following information to set up your SharePoint app with Paragon Connect:
  • Client ID
  • Client Secret
  • Scopes Requested

Prerequisites

Add the Redirect URL to your SharePoint app

Paragon provides a redirect URL to send information to your app. To add the redirect URL to your SharePoint app:
  1. Copy the link under “Redirect URL” in your integration settings in Paragon. The Redirect URL is:
     https://passport.useparagon.com/oauth
  2. Log in to the Microsoft Azure Portal using your Microsoft account.
  3. Navigate to All Services > App Registrations and select your application.
  4. Select Authentication from the sidebar.
  5. Under Platform configurations, press the “Add a platform” button.
  6. Select the Web platform.
  7. Paste the Redirect URL from Step 1 under Redirect URIs.
  8. Press the Save button at the top of the page.

Generate a Client Secret

Since SharePoint does not automatically provide you with a Client Secret for your application, we’ll need to make one. To get your Client Secret:
  1. Navigate to Manage > Certificates & secrets in the sidebar.
  2. Under Client Secrets, press the + New client secret button.
  3. Name your client credentials and select an expiry that works best for your application. Press Add to create your credentials.
  4. Copy the displayed Client Secret under the Value column.
Note: Client Secrets expire, so for all Microsoft integrations you will need to periodically create a new Client Secret and update it.

Enable Multi-tenancy to your SharePoint app

To allow Microsoft users from outside of your organization to connect to your SharePoint application, you must specify this as an option within the SharePoint application registration.
  1. Log in to the Microsoft Azure Portal using your Microsoft account.
  2. Navigate to All Services > App Registrations and select your application.
  3. Select Authentication from the sidebar.
  4. Under Supported account types, press the “Accounts in any organizational directory” option.
  5. Click Save.

Using Application Permissions

Application Permissions can be used with SharePoint if your integration should make requests as an application (like a service account), rather than in the context of an authenticated user. Using Application Permissions requires Connected Users to provide organization-wide admin consent for the application, by either:
  • Requiring Entra ID administrators to follow the Connect Portal flow and check “Consent on behalf of your organization” during the authorization flow, or
  • Directing admins to the /adminconsent URL (described below) to explicitly grant admin consent.
If you are only using Delegated Permissions (the default option to use the integration in the context of an authenticated user), you can skip this section and proceed to Add your SharePoint app to Paragon.

Step 1: Generate a certificate key pair

Locally on your machine, create a self-signed certificate and private key using openssl:
openssl req -x509 -newkey rsa:2048 \
  -keyout private-key.pem \
  -out certificate.pem \
  -days 365 -nodes \
  -subj "/CN=ParagonIntegration"
This produces two files:
  • private-key.pem — the private key, written unencrypted because of the -nodes flag (keep this secret; you will provide it to Paragon)
  • certificate.pem — the public certificate (you will upload this to Azure AD)

Step 2: Get the certificate thumbprint

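Extract the SHA-1 thumbprint in hex format (this matches what the Azure portal displays):
# Strip the label up to "=" (OpenSSL prints "SHA1 Fingerprint=" or
# "sha1 Fingerprint=" depending on its version), then remove the colons.
openssl x509 -in certificate.pem -fingerprint -sha1 -noout \
  | sed 's/^.*=//;s/://g'
Save the output (a 40-character hex string). You will provide this to Paragon.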

Step 3: Upload the certificate to Azure AD

  1. In the Azure Portal, navigate to All Services > App Registrations and select your application.
  2. Navigate to Manage > Certificates & secrets in the sidebar.
  3. Select the Certificates tab.
  4. Click Upload certificate and select the certificate.pem file from Step 1.
  5. Confirm the displayed thumbprint matches the value from Step 2.

Step 4: Add Application Permissions

  1. In your app registration, navigate to API permissions in the sidebar.
  2. Click Add a permission > Microsoft Graph > Application permissions.
  3. Add the required scopes for your use case. For Managed Sync, add:
    • Sites.Read.All
    • Files.Read.All
    • User.Read.All
    • Group.Read.All
  4. Click Add permissions.

Step 5: Grant admin consent

A tenant admin must grant consent for the Application Permissions. Direct your admin to visit the following URL in their browser:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri=https://passport.useparagon.com/oauth
  • Replace {tenant-id} with the Entra ID Directory (tenant) ID (or use organizations, if it is not known).
  • Replace {client-id} with the Client ID of your App Registration.
The admin will be prompted to sign in and grant consent for the requested permissions.

Step 6: Add your certificate to Paragon

Continue in the next section to add your SharePoint app to Paragon.
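
Before pasting the key and thumbprint into Paragon, the pair from Steps 1 to 3 can be checked locally. The script below is an added example, not part of Paragon's or Microsoft's tooling: it confirms that private-key.pem belongs to certificate.pem, that the certificate is not close to expiry, and that the thumbprint equals the one Azure displays. The function names and the 30-day threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate.pem / private-key.pem pair.

# Print the SHA-1 thumbprint as 40 uppercase hex characters (no colons).
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed 's/^.*=//;s/://g' | tr 'a-f' 'A-F'
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# Succeed only if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# preflight KEY CERT [THUMBPRINT_SHOWN_IN_AZURE]
# Prints the thumbprint on success; explains the failure on stderr otherwise.
preflight() {
  key=$1; cert=$2; expected=${3:-}
  key_matches_cert "$key" "$cert" \
    || { echo "private key does not match certificate" >&2; return 1; }
  # 30 days is an example threshold, not a Paragon or Azure requirement.
  cert_valid_for_days "$cert" 30 \
    || { echo "certificate expires within 30 days" >&2; return 1; }
  tp=$(cert_thumbprint "$cert")
  if [ -n "$expected" ]; then
    # Accept the Azure value with or without colons/spaces, in either case.
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$tp" = "$want" ] \
      || { echo "thumbprint differs from the value shown in Azure" >&2; return 1; }
  fi
  printf '%s\n' "$tp"
}

# Run against the files from Step 1 when they are in the current directory.
if [ -f private-key.pem ] && [ -f certificate.pem ]; then
  preflight private-key.pem certificate.pem "${1:-}"
fi
```

Run it in the directory holding both files, optionally passing the thumbprint copied from the Azure portal as the first argument.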

Add your SharePoint app to Paragon

  1. Select SharePoint from the Integrations Catalog.
  2. Under App Configuration > Configure, fill out your credentials as follows:
    • Client ID: Overview > Application (client) ID on your Microsoft app registration.
    • Client Secret: The value generated in the Certificates & secrets section of your Microsoft app registration.
    • Permissions: The scopes you require for your application, as designated in the API permissions section of your Microsoft app registration.
      Note: You should only add the scopes you’ve requested in your app registration to Paragon. Any permissions changes will need to be made in both the Azure Portal and Paragon.
  3. If you are using Application Permissions, additionally provide:
    • Private Key: The contents of private-key.pem from the certificate generation step.
    • Certificate Thumbprint: The 40-character SHA-1 hex thumbprint from Azure portal (no colons or spaces).
  4. Press the purple “Save Changes” button to save your credentials.

Connecting to SharePoint

Once your users have connected their SharePoint account, you can use the Paragon SDK to access the SharePoint API on behalf of connected users. See the SharePoint REST API documentation for their full API reference. Any SharePoint API endpoint can be accessed with the Paragon SDK, as shown in this example.
// You can find your project ID in the Overview tab of any Integration

// Authenticate the user (replace the placeholders with your own values)
await paragon.authenticate("<ProjectId>", "<UserToken>");

// Get organization’s default site
await paragon.request("sharepoint", "/sites/root", {
  method: "GET",
});

// Get lists under a site
await paragon.request("sharepoint", "/sites/{site-id}/lists", {
  method: "GET",
});

// Create item in list
await paragon.request("sharepoint", "/sites/{site-id}/lists/{list-id}/items", {
  method: "POST",
  body: {
    "fields": {
      "Title": "Widget",
      "Color": "Purple",
      "Weight": 32
    }
  }
});

Building SharePoint workflows

Once your SharePoint account is connected, you can add steps to perform the following actions:
  • Create Item
  • Update Item
  • Get Item by ID
  • Get Items in a List
  • Delete Item
  • Create List
  • Get List by ID
  • Get Lists
  • Create List Column
  • Get List Columns
You can also use the SharePoint Request step to access any of SharePoint’s API endpoints without the authentication piece. When creating messages in SharePoint, you can reference data from previous steps by typing {{ to invoke the variable menu.

Using Webhook Triggers

Webhook triggers can be used to run workflows based on events in your users’ SharePoint account. For example, you might want to trigger a workflow whenever new items are created in SharePoint to sync your users’ SharePoint items to your application in real time.
You can find the full list of Webhook Triggers for SharePoint below:
  • Item Created
  • Item Updated
  • File Deleted
  • Page Modified

Using the SharePoint File Picker

You can allow your user to select files from their SharePoint account in your app with the SharePoint File Picker provided by the Paragon SDK.

Showing the File Picker

Use the Paragon SDK in your frontend application to show the File Picker in your app. The SDK provides an ExternalFilePicker class to load SharePoint’s JavaScript into your page and authenticate with your user’s connected SharePoint account.
let picker = new paragon.ExternalFilePicker("sharepoint", {
    onFileSelect: (files) => {
        // Handle file selection
    }
});

// Loads external dependencies and user's access token
await picker.init();

// Open the File Picker
picker.open();
You can configure the File Picker to listen for additional callbacks or to restrict allowed file types. Learn more about configuring File Picker options in the SDK Reference.

Downloading the Selected File

The SharePoint File Picker callback will return a Response object describing the user’s file picker interaction, including an array of any files selected. Using this array of fileIds, you can use the Proxy API to perform authenticated proxy requests to download the files.
await paragon.request('sharepoint', '/_api/web/GetFileById(<fileID>)/$value', {
	method: 'GET'
});