
Create Amazon Bedrock KB with SharePoint App-Only Auth

Introduction

Amazon Bedrock Knowledge Bases answer user queries by retrieving relevant content from a connected data source, such as SharePoint Online, and passing it to a foundation model, which generates a grounded response that can include citations back to the source documents. In this article, you'll learn how to create and configure an Amazon Bedrock Knowledge Base that connects to SharePoint Online using the SharePoint connector (Preview), and how to test it by generating responses from SharePoint data. OAuth 2.0 and SharePoint App-Only are the two authentication methods the connector currently supports for SharePoint Online; this article uses SharePoint App-Only authentication.

Verify DisableCustomAppAuthentication tenant property

Microsoft documentation: For new tenants, apps using an ACS app-only access token are disabled by default. We recommend using the Azure AD app-only model, which is modern and more secure. But you can change the behavior by running the following commands (needs the latest SharePoint admin PowerShell).

Connect to the tenant admin site (https://xxxxxxxx-admin.sharepoint.com) with the SharePoint Online Management Shell (Connect-SPOService) and read the current value:

Get-SPOTenant | Select-Object -Property DisableCustomAppAuthentication

In my tenant the value was true (the default for new tenants), which caused indexing of the SharePoint data source to fail. I changed it to false with the command below.

Set-SPOTenant -DisableCustomAppAuthentication $false

Note. Setting DisableCustomAppAuthentication to false re-enables legacy ACS app-only tokens for every app in the tenant, not only for this connector. Before making this tenant-level change, confirm it doesn't affect existing functionality, and keep the SharePoint app's permission grant as narrow as possible (Read on a single site collection, as configured below).

Register an app in Microsoft Entra ID

The following four values are required. They are stored together as one secret in AWS Secrets Manager, and the knowledge base reads them by secret ARN.

clientId: client ID associated with your Microsoft Entra application
clientSecret: client secret associated with your Microsoft Entra application
sharePointClientId: client ID generated when registering your SharePoint app for App-Only authentication
sharePointClientSecret: client secret generated when registering your SharePoint app for App-Only authentication

Perform the following steps to register an application in Microsoft Entra ID.

  1. Navigate to the Microsoft Azure Portal.
  2. Search for and click App registrations.
  3. Click New registration.
  4. Enter a name for your application, select who can use this application, and click Register.
  5. The application is created and its Overview page opens. Note the application (client) ID and the directory (tenant) ID; the tenant ID is needed again when configuring the Bedrock data source.
    (Screenshot: Microsoft Entra ID app registration overview)
  6. Select Certificates & secrets in the navigation pane, select Client secrets, and click New client secret. Copy the secret value immediately; it is displayed only once.
    (Screenshot: Client secrets)
  7. The copied client ID and client secret map to the following secret keys.
    clientId: client ID associated with your Microsoft Entra application
    clientSecret: client secret associated with your Microsoft Entra application

Configure SharePoint App-Only

Perform the following steps to register an app in SharePoint at the site collection level.

  1. Open the SharePoint Online site collection the knowledge base will index, for example https://xxxxxxxx.sharepoint.com/sites/DemoProject2025/
  2. Navigate to app registration page - https://xxxxxxxx.sharepoint.com/sites/DemoProject2025/_layouts/15/appregnew.aspx
  3. Use Generate for the Client Id and Client Secret fields, enter the app name (Title), App Domain, and Redirect URI, and select Create.
    (Screenshot: SharePoint app registration form)
  4. Copy the client ID and client secret values. A SharePoint App-Only client secret created this way expires after one year; renew it and update the secret in AWS Secrets Manager before then, or the data source sync will start failing.
  5. The copied client ID and client secret map to the following secret keys.
    sharePointClientId: client ID generated when registering your SharePoint app for App-Only authentication
    sharePointClientSecret: client secret generated when registering your SharePoint app for App-Only authentication
  6. Navigate to the app permission page to grant the app its permissions - https://xxxxxxxx.sharepoint.com/sites/DemoProject2025/_layouts/15/appinv.aspx (you must be a site collection administrator).
  7. Enter the client ID in App Id and select Lookup. Paste the permission XML below into Permission Request XML, select Create, and confirm with Trust It. AllowAppOnlyPolicy="true" is what allows the app to call SharePoint without a signed-in user, and the grant is limited to Read on this one site collection.
    Permission XML
    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read" />
    </AppPermissionRequests>
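Before giving the SharePoint App-Only credentials to Bedrock, it is worth confirming on your own machine that they work: obtain an ACS app-only token with the client-credentials grant and read the site with it. The script below is an added example written for this article; it is not code from the article, from Microsoft or from AWS. It uses the article's placeholder tenant xxxxxxxx and site /sites/DemoProject2025, takes the Entra directory (tenant) ID and the SharePoint app's client ID and secret from environment variables (names are my own), and uses only the Python standard library.

```python
"""Check SharePoint App-Only (ACS) credentials before handing them to Bedrock.

Added example, not part of the original article. Placeholders: tenant
"xxxxxxxx" and site /sites/DemoProject2025 come from the article; the
environment variable names TENANT_ID, SP_CLIENT_ID, SP_CLIENT_SECRET and
SP_SITE_URL are assumptions of this example.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Well-known application ID of SharePoint Online in Azure ACS.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_TOKEN_URL = "https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2"


def site_host(site_url: str) -> str:
    """Return the SharePoint host name of a site URL, refusing anything that is not SharePoint Online over HTTPS."""
    parsed = urllib.parse.urlparse(site_url)
    if parsed.scheme != "https" or not parsed.netloc.endswith(".sharepoint.com"):
        raise ValueError(f"not a SharePoint Online site URL: {site_url}")
    return parsed.netloc


def build_token_request(tenant_id: str, host: str, client_id: str, client_secret: str) -> tuple[str, dict]:
    """Return (url, form fields) for the ACS client-credentials grant.

    ACS identifies the app principal as "<clientId>@<tenantId>" and the target
    as "<SharePoint principal>/<host>@<tenantId>"; the tenant ID is the Entra
    directory (tenant) ID noted during the Entra app registration.
    """
    url = ACS_TOKEN_URL.format(tenant_id=tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{tenant_id}",
        "client_secret": client_secret,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{host}@{tenant_id}",
    }
    return url, form


def get_app_only_token(tenant_id: str, site_url: str, client_id: str, client_secret: str) -> str:
    """POST the client-credentials grant to ACS and return the bearer token."""
    url, form = build_token_request(tenant_id, site_host(site_url), client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def read_site_title(site_url: str, token: str) -> str:
    """GET /_api/web with the token; this only succeeds if the Read grant from appinv.aspx is in place."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/_api/web?$select=Title",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json;odata=nometadata"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["Title"]


if __name__ == "__main__":
    site = os.environ.get("SP_SITE_URL", "https://xxxxxxxx.sharepoint.com/sites/DemoProject2025")
    try:
        token = get_app_only_token(
            os.environ["TENANT_ID"], site, os.environ["SP_CLIENT_ID"], os.environ["SP_CLIENT_SECRET"]
        )
        print("read OK, site title:", read_site_title(site, token))
    except urllib.error.HTTPError as err:
        # A token that is issued but then rejected by /_api/web with 401 usually means the tenant
        # still blocks ACS app-only tokens (DisableCustomAppAuthentication) or the grant was not created.
        print(f"HTTP {err.code} from {err.url}: {err.read().decode(errors='replace')}", file=sys.stderr)
        sys.exit(1)
```

If the token request itself fails, the client ID, secret or tenant ID is wrong; if the token is issued but the site read returns 401, look at the DisableCustomAppAuthentication setting and the appinv.aspx grant before suspecting the Bedrock side.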

Create a Knowledge Base in Amazon Bedrock

Perform the following steps to create and configure a knowledge base in Amazon Bedrock using the AWS console.

  1. Navigate to the Amazon Bedrock service in the AWS Console.
  2. Select Knowledge Bases in the navigation pane. Select Create and click Knowledge Base with vector store.
  3. Enter the knowledge base name, description, and select Create and use a new service role.
  4. Select SharePoint as the data source.
  5. Optional: Add tags and configure log delivery. Click Next.
  6. Enter the data source name and description.
  7. Enter the SharePoint site URL (example: https://xxxxxxxx.sharepoint.com/sites/DemoProject2025) and domain name (xxxxxxxx).
  8. Under the Authentication section, select SharePoint App-Only authentication, and click AWS Secrets Manager to create a new secret.
  9. Choose Other type of secret and enter the four key/value pairs clientId, clientSecret, sharePointClientId and sharePointClientSecret with the values collected above. Click Next.
  10. Enter a secret name and click Next. Review the settings and click Store. Note the secret ARN.
  11. Back in the Bedrock console, enter the directory (tenant) ID noted from the Entra app registration and the secret ARN.
  12. Click Next.
  13. Under the embeddings model section, select any one of the embedding models.
  14. Leave the default values for the vector database (a new Amazon OpenSearch Serverless vector store is created for you) and click Next.
  15. Review the configuration and click Create Knowledge Base.
  16. Once the knowledge base is created, select the newly created data source and click Sync.
  17. The sync can take from a few minutes to several hours, depending on the amount of data. Once it completes successfully, test the knowledge base. If it fails, check the error in the data source's sync history; in my case the cause was the DisableCustomAppAuthentication setting described above, so verify that first, then that the four secret keys are spelled exactly as listed.

Validate the knowledge base

Perform the following steps to validate the newly created knowledge base using the AWS Console.

  1. Navigate to the Amazon Bedrock service in the AWS Console.
  2. Select Knowledge Bases in the navigation pane.
  3. Select the newly created knowledge base. In the Test Knowledge Base panel on the right-hand side, click Select model.
  4. Choose any model based on your requirement. Click Apply.
  5. Enter a prompt; the response is generated from the knowledge base content, as in the screenshot below.
     (Screenshot: response generated from the knowledge base)
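The same data source setup and test can be driven from the API instead of the console, which is how you would automate secret rotation, re-syncs and regression checks. The script below is an added example written for this article (not code from the article or from AWS) covering the "Create a Knowledge Base" and "Validate the knowledge base" steps above. It assumes a knowledge base that already exists (created in the console as described) with its ID in the KB_ID environment variable, uses the article's placeholder tenant xxxxxxxx and site /sites/DemoProject2025, and treats the region, secret name, model ARN, environment variable names and the authType enum value as assumptions to check against the current CreateDataSource API reference.

```python
"""Configure the SharePoint App-Only data source and query the knowledge base with boto3.

Added example, not part of the original article. Assumptions: an existing
knowledge base (KB_ID), REGION, SECRET_NAME, MODEL_ARN and the environment
variable names; SITE_URL and DOMAIN are the article's placeholders.
"""
import json
import time

SITE_URL = "https://xxxxxxxx.sharepoint.com/sites/DemoProject2025"  # placeholder from the article
DOMAIN = "xxxxxxxx"                                                  # placeholder from the article
REGION = "us-east-1"                                                 # assumption
SECRET_NAME = "bedrock-kb/sharepoint-app-only"                       # assumption
# Assumption: any model supported for RetrieveAndGenerate in your account and region.
MODEL_ARN = f"arn:aws:bedrock:{REGION}::foundation-model/anthropic.claude-3-haiku-20240307-v1:0"


def secret_payload(client_id: str, client_secret: str, sp_client_id: str, sp_client_secret: str) -> str:
    """JSON secret body with exactly the four keys the SharePoint App-Only connector reads."""
    return json.dumps({
        "clientId": client_id,
        "clientSecret": client_secret,
        "sharePointClientId": sp_client_id,
        "sharePointClientSecret": sp_client_secret,
    })


def data_source_config(tenant_id: str, secret_arn: str) -> dict:
    """dataSourceConfiguration for CreateDataSource: SharePoint Online with App-Only auth."""
    return {
        "type": "SHAREPOINT",
        "sharePointConfiguration": {
            "sourceConfiguration": {
                "tenantId": tenant_id,              # Entra directory (tenant) ID
                "domain": DOMAIN,
                "siteUrls": [SITE_URL],
                "hostType": "ONLINE",
                "authType": "OAUTH2_SHAREPOINT_APP_ONLY_CLIENT_CREDENTIALS",  # assumption: verify against the API reference
                "credentialsSecretArn": secret_arn,
            }
        },
    }


def store_secret(sm, name: str, payload: str) -> str:
    """Create the Secrets Manager secret and return its ARN."""
    return sm.create_secret(Name=name, SecretString=payload)["ARN"]


def create_and_sync(agent, kb_id: str, tenant_id: str, secret_arn: str, poll_seconds: int = 30) -> str:
    """Create the data source, start an ingestion job and wait for it; return the final status."""
    ds = agent.create_data_source(
        knowledgeBaseId=kb_id,
        name="sharepoint-demo",
        dataSourceConfiguration=data_source_config(tenant_id, secret_arn),
    )["dataSource"]
    job = agent.start_ingestion_job(knowledgeBaseId=kb_id, dataSourceId=ds["dataSourceId"])["ingestionJob"]
    while job["status"] in ("STARTING", "IN_PROGRESS"):
        time.sleep(poll_seconds)
        job = agent.get_ingestion_job(
            knowledgeBaseId=kb_id, dataSourceId=ds["dataSourceId"], ingestionJobId=job["ingestionJobId"]
        )["ingestionJob"]
    if job["status"] != "COMPLETE":
        raise RuntimeError(f"ingestion ended with {job['status']}: {job.get('failureReasons')}")
    return job["status"]


def ask(runtime, kb_id: str, question: str) -> tuple[str, list]:
    """RetrieveAndGenerate against the knowledge base; return the answer and the cited SharePoint URLs."""
    resp = runtime.retrieve_and_generate(
        input={"text": question},
        retrieveAndGenerateConfiguration={
            "type": "KNOWLEDGE_BASE",
            "knowledgeBaseConfiguration": {"knowledgeBaseId": kb_id, "modelArn": MODEL_ARN},
        },
    )
    urls = [
        ref.get("location", {}).get("sharePointLocation", {}).get("url")
        for cit in resp.get("citations", [])
        for ref in cit.get("retrievedReferences", [])
    ]
    return resp["output"]["text"], urls


if __name__ == "__main__":
    import os
    import boto3

    kb_id, tenant_id = os.environ["KB_ID"], os.environ["TENANT_ID"]
    sm = boto3.client("secretsmanager", region_name=REGION)
    agent = boto3.client("bedrock-agent", region_name=REGION)
    runtime = boto3.client("bedrock-agent-runtime", region_name=REGION)
    payload = secret_payload(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
                             os.environ["SP_CLIENT_ID"], os.environ["SP_CLIENT_SECRET"])
    secret_arn = store_secret(sm, SECRET_NAME, payload)
    print("sync:", create_and_sync(agent, kb_id, tenant_id, secret_arn))
    answer, sources = ask(runtime, kb_id, "What is DemoProject2025 about?")
    print(answer)
    print("sources:", sources)
```

The knowledge base's service role must be allowed secretsmanager:GetSecretValue on the secret ARN you pass in; a role created by the console is scoped to the secret chosen at that time, so a secret created later needs the role policy updated. Checking the cited SharePoint URLs is the quickest way to confirm the answer came from the intended site collection and not from another data source attached to the same knowledge base.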

References

https://docs.aws.amazon.com/bedrock/latest/userguide/sharepoint-data-source-connector.html

Summary

This article described how to create and configure an Amazon Bedrock Knowledge Base over SharePoint Online using SharePoint App-Only authentication: enabling ACS app-only tokens at the tenant level, registering a Microsoft Entra ID app and a SharePoint app principal with a read-only grant on one site collection, storing the four credentials in AWS Secrets Manager, and syncing and testing the knowledge base.