SharePoint

Available on Grok Business and Enterprise plans only.

The SharePoint connector lets Grok access files and documents across your organization's SharePoint sites and document libraries. Search for documents, read file contents, and browse folder structures directly from a conversation.

Before team members can use SharePoint in Grok, a team admin must add the connector through the console. This is a one-time setup that involves three steps:

The admin selects how Grok should access SharePoint:

• Delegated permissions (recommended) -- Grok accesses SharePoint on behalf of the signed-in user, scoped by the Sites.Read.All permission. The recommended approach is to create a dedicated user account with access limited to specific SharePoint sites, then connect using that account. Because delegated permissions are bounded by the connecting account's own access, this limits Grok to only the sites that account can see. No additional Azure portal configuration is needed.
• Application-level permissions -- Uses Sites.Selected to grant Grok access to specific sites chosen during setup. This provides fine-grained, least-privilege access at the application level. After admin consent, the console prompts the admin to select the allowed sites (see step 4 below).

The admin enters the organization's Microsoft Entra (Azure AD) tenant identifier. This is either a domain like xai.onmicrosoft.com or a GUID, and can be found in the Azure portal under Azure Active Directory > Overview.

A Microsoft 365 administrator must approve Grok's access to SharePoint. This is a one-time authorization for the entire organization. The console provides three options:

• Approve as admin -- Opens a Microsoft consent popup for the logged-in admin to approve directly.
• Copy link for your IT admin -- Copies the consent URL so the admin can share it with the appropriate person.
• Skip -- The admin can complete this step later, but team members will not be able to authenticate until consent is granted.

After admin consent is complete, individual team members can connect their own Microsoft accounts on grok.com.

If the admin chose Application-level permissions in step 1, the console displays a site picker after consent is granted. Search for each SharePoint site that Grok should be able to access and add it to the allow list. Only sites added here will be reachable through the connector -- sites can be added or removed later from the connector settings. This step is skipped entirely when using delegated permissions, since access is bounded by the connecting user account instead.

Write access (uploading and creating files in SharePoint) uses a separate Microsoft Entra application with its own permissions. To enable it, click the Enable Write Access button in the console and complete the admin consent flow for the write application. This grants the Files.ReadWrite.All scope and is independent of the read-only consent from step 3.

• Search documents across all SharePoint sites you have access to.
• Read files by downloading content from any accessible document library.
• Browse folders and list drives to navigate your SharePoint hierarchy.
• Upload files (opt-in) upload artifacts generated by Grok (spreadsheets, PDFs, reports) directly to a SharePoint drive. This capability requires write access to be enabled for your organization.

The SharePoint connector uses Microsoft Graph API and requests the following OAuth scopes during sign-in:

These permissions are delegated, meaning Grok can only access content the signed-in user already has access to.

In addition to the per-user OAuth scopes above, Grok runs a background sync that indexes SharePoint content so it can be searched quickly. The sync uses a separate set of scopes determined by the access mode the admin picked in step 1 — exactly one of the two sets below applies.

Delegated mode. The sync runs as a dedicated user account, usually specifically created for this purpose and giving it access only to the SharePoint sites that should be indexed:

Application mode. The sync runs as the Microsoft Entra application itself, using a separate app registration with application permissions:

Indexed content is access-checked against the querying user on every request, so regardless of which sync mode is in use, team members still only see results they are individually authorized to view in SharePoint.

Once your admin has completed the prerequisites above, each team member connects their own account:

1. Go to grok.com/connectors.
2. Find SharePoint and click Connect.
3. Sign in with your Microsoft work or school account.
4. Review the requested permissions and click Accept.

Once connected, Grok can search and read your SharePoint files whenever you ask about documents, reports, or files stored in SharePoint.

If your admin has enabled write access (step 5 above), you can opt in to writes individually from the connectors page. Write access is not enabled by default for team members, even when the admin has approved the write application.

Your data stays yours. Grok only indexes SharePoint content when needed to answer your questions. xAI does not use your SharePoint data for model training.

Per-user access controls. Every time you search or request a file, Grok verifies that your Microsoft account has permission to access it. If you cannot see a file in SharePoint, you cannot see it through Grok either. This check happens on every request.

Data removal on disconnect. When a team member disconnects their account, any indexed data that only they had access to is deleted. If an admin removes the SharePoint connector entirely, all indexed data for the organization is deleted.

To disconnect the SharePoint connector:

1. Go to grok.com/connectors.
2. Find SharePoint in your connected list and click Disconnect.

You can also revoke the app's access from your Microsoft account at myapps.microsoft.com.