Set up a Microsoft SharePoint connector

Capabilities

Resource	Sync	Provision
Accounts	ℹ️
Sites
SharePoint groups
Security principals

This connector must pull account information from another connector. You’ll configure this relationship when setting up the connector.

Gather SharePoint credentials

Each setup method requires you to pass in credentials generated in SharePoint. Gather these credentials before you move on.

A user with at least the Cloud Application Administrator permission in Azure must perform this task.

Create a new application

In Microsoft Entra admin center, navigate to App registrations.

Click New registration.

Give the application a name, such as “C1”, and select the relevant supported account type. You do not need to set a redirect URI.

Click Register.

The new app is created. Carefully copy and save the Application (client) ID and the Directory (tenant) ID shown on the application summary page.

Next, we’ll generate a client secret for this app. Click Certificates & secrets.

Click + New client secret.

Give the client secret a description and set its expiration.

Click Add.

The client secret is generated. Carefully copy and save the Secret Value.

Give the new application API permissions

Click API permissions.

Click + Add permissions > Microsoft Graph.

Click Application permissions and select User.Read.All.

Click + Add permissions > SharePoint.

Click Application permissions and choose one of the following permission levels:Option A — Minimal permissions (recommended for most deployments)Select Sites.Read.All. With this option, you must also enable the --skip-membership-restricted-groups flag (see Groups with restricted membership visibility below). SharePoint groups that restrict membership visibility (OnlyAllowMembersViewMembership) are excluded from the sync.Option B — Full permissionsSelect Sites.FullControl.All. This allows the connector to sync all SharePoint groups, including groups that restrict membership visibility. Choose this option if you need visibility into those groups in C1.

Save your changes.

Create and upload a self-signed certificate

Next, you’ll create a self-signed certificate and a private key in PEM format using OpenSSL. The commands to create the certificate are the same regardless of your operating system.

Use the following command to create both a private key and a self-signed certificate. Be sure to replace your_domain_name with your actual domain or a descriptive name.

openssl req -x509 -nodes -newkey rsa:4096 -keyout your_domain_name.key -out your_domain_name.crt -sha256 -days 365

Next, you’ll be prompted to enter details for the certificate. The most crucial field here is the Common Name.For the Common Name, enter your domain (such as example.com).

Once the process is complete, two files will be created in your current directory:

your_domain_name.key: This is your private key
your_domain_name.crt: This is your self-signed certificate in PEM format

Upload the certificate to your application by navigating to Certificates & secrets > Certificates.

Done. Next, move on to the connector configuration instructions.

Groups with restricted membership visibility

Some SharePoint groups have OnlyAllowMembersViewMembership enabled, which prevents applications from listing group members unless the application has the Sites.FullControl.All permission. If the connector encounters one of these groups during sync with only Sites.Read.All, the sync fails with a 403 error. To handle this, the connector provides the --skip-membership-restricted-groups flag:

Flag	Environment variable	Default
`--skip-membership-restricted-groups`	`BATON_SKIP_MEMBERSHIP_RESTRICTED_GROUPS`	`false`

When enabled, groups with restricted membership visibility are excluded from the sync entirely — both the group and its memberships are skipped.

If you granted the application Sites.Read.All (Option A) instead of Sites.FullControl.All, you must enable this flag. Otherwise, the sync fails when it encounters a group with restricted membership visibility.

Configure the SharePoint connector

To complete this task, you’ll need:

The Connector Administrator or Super Administrator role in C1
Access to the set of SharePoint credentials generated by following the instructions above

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by C1.

In C1, navigate to Integrations > Connectors and click Add connector.

Search for SharePoint and click Add.Don’t see the SharePoint connector? Reach out to support@c1.ai to add SharePoint to your Connectors page.

Choose how to set up the new SharePoint connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.

Click Next.

Find the Settings area of the page and click Edit.

Paste the client ID into the Client ID field.

Paste the client secret into the Client secret field.

Paste the tenant ID into the Tenant ID field.

Enter your domain for the Microsoft Graph API in the Graph domain field. The default is graph.microsoft.com.

Upload your self-signed certificate to the PEM certificate field.

Upload the key for your certificate in the PEM key field.

Enter your SharePoint subdomain in the SharePoint domain field. (For example, enter subdomain if you access SharePoint at subdomain.sharepoint.com)

Click Save.

Finally, tell the connector where to find the identities that will be used for this app in C1.

In the Shared identity source area of the page, click Edit.
Select the connector from which you want to pull identities.
Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

Done. Your SharePoint connector is now pulling access data into C1.

Follow these instructions to use the SharePoint connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

Resources

Contact C1’s support team to download the latest version of the connector.

Step 1: Configure the SharePoint connector

In C1, navigate to Integrations > Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new SharePoint connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your SharePoint connector deployment:

Secrets configuration

# baton-sharepoint-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-sharepoint-secrets
type: Opaque
stringData:
  # C1 credentials
  BATON_CLIENT_ID: <C1 client ID>
  BATON_CLIENT_SECRET: <C1 client secret>
  
  # SharePoint credentials
  BATON_AZURE_CLIENT_ID: <Azure client ID>
  BATON_AZURE_CLIENT_SECRET: <Azure client secret>
  BATON_AZURE_TENANT_ID: <Azure tenant ID>
  BATON_AZURE_GRAPH_DOMAIN: <Microsoft Graph API domain (default is graph.microsoft.com)>
  BATON_PEM_CERTIFICATE: <Base-64 encoded PEM certificate>
  BATON_PEM_CERTIFICATE_KEY: <Base-64 encoded private key>
  BATON_SHAREPOINT_DOMAIN: <SharePoint subdomain (for example, "subdomain" in "subdomain.sharepoint.com")>
  BATON_EXTERNAL_SYNC_MODE: true
  BATON_EXTERNAL_RESOURCE_C1Z: <The path to the c1z file to sync external Baton resources with>
  BATON_EXTERNAL_RESOURCE_ENTITLEMENT_ID_FILTER: <Optional. The entitlement that external users, groups must have access to sync external Baton resources>

  # Optional: Skip groups with restricted membership visibility.
  # Required when using Sites.Read.All instead of Sites.FullControl.All.
  # BATON_SKIP_MEMBERSHIP_RESTRICTED_GROUPS: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-sharepoint.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-sharepoint
  labels:
    app: baton-sharepoint
spec:
  selector:
    matchLabels:
      app: baton-sharepoint
  template:
    metadata:
      labels:
        app: baton-sharepoint
        baton: true
        baton-app: sharepoint
    spec:
      containers:
      - name: baton-sharepoint
        image: public.ecr.aws/conductorone/baton-sharepoint:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-sharepoint
        envFrom:
        - secretRef:
            name: baton-sharepoint-secrets

Step 3: Deploy the connector

Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the SharePoint connector to. SharePoint data should be found on the Entitlements and Accounts tabs.

Done. Your SharePoint connector is now pulling access data into C1.

​Capabilities

​Gather SharePoint credentials

​Create a new application

​Give the new application API permissions

​Create and upload a self-signed certificate

​Groups with restricted membership visibility

​Configure the SharePoint connector

​Resources

​Step 1: Configure the SharePoint connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Gather SharePoint credentials

Create a new application

Give the new application API permissions

Create and upload a self-signed certificate

Groups with restricted membership visibility

Configure the SharePoint connector

Resources

Step 1: Configure the SharePoint connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector