#### Connectors

# SharePoint

**Available on Grok Business and Enterprise plans only.**

The SharePoint connector lets Grok access files and documents across your organization's SharePoint sites and document libraries. Search for documents, read file contents, and browse folder structures directly from a conversation.

## Prerequisites

Before team members can use SharePoint in Grok, a **team admin** must add the connector through the [console](https://console.x.ai). This is a one-time setup that involves three steps:

### 1. Choose an access mode

The admin selects how Grok should access SharePoint:

* **Delegated permissions** *(recommended)* -- Grok accesses SharePoint on behalf of the signed-in user, scoped by the `Sites.Read.All` permission. The recommended approach is to create a dedicated user account with access limited to specific SharePoint sites, then connect using that account. Because delegated permissions are bounded by the connecting account's own access, this limits Grok to only the sites that account can see. No additional Azure portal configuration is needed.
* **Application-level permissions** -- Uses `Sites.Selected` to grant Grok access to specific sites chosen during setup. This provides fine-grained, least-privilege access at the application level, but requires an admin to [manually configure allowed sites](https://learn.microsoft.com/en-us/graph/permissions-reference#sites-permissions) in the Azure portal.

### 2. Provide the Azure AD Tenant ID

The admin enters the organization's Microsoft Entra (Azure AD) tenant identifier. This is either a domain like `xai.onmicrosoft.com` or a GUID, and can be found in the Azure portal under **Azure Active Directory > Overview**.

### 3. Grant admin consent

A Microsoft 365 administrator must approve Grok's access to SharePoint. This is a one-time authorization for the entire organization. The console provides three options:

* **Approve as admin** -- Opens a Microsoft consent popup for the logged-in admin to approve directly.
* **Copy link for your IT admin** -- Copies the consent URL so the admin can share it with the appropriate person.
* **Skip** -- The admin can complete this step later, but team members will not be able to authenticate until consent is granted.

After admin consent is complete, individual team members can connect their own Microsoft accounts on [grok.com](https://grok.com/connectors).

### 4. Enable write access (optional)

Write access (uploading and creating files in SharePoint) uses a separate Microsoft Entra application with its own permissions. To enable it, click the **Enable Write Access** button in the console and complete the admin consent flow for the write application. This grants the `Files.ReadWrite.All` scope and is independent of the read-only consent from step 3.

## Capabilities

* **Search documents** across all SharePoint sites you have access to.
* **Read files** by downloading content from any accessible document library.
* **Browse folders** and list drives to navigate your SharePoint hierarchy.
* **Upload files** *(opt-in)* upload artifacts generated by Grok (spreadsheets, PDFs, reports) directly to a SharePoint drive. This capability requires write access to be enabled for your organization.

## Required permissions

The SharePoint connector uses Microsoft Graph API and requests the following OAuth scopes during sign-in:

| Scope | Purpose |
|---|---|
| `Sites.Read.All` | Read items in all SharePoint site collections the user can access |
| `Files.Read.All` | Read all files the user can access (required for cross-site document search) |
| `User.Read` | Read the signed-in user's profile (used to identify the account) |
| `offline_access` | Maintain access without repeated sign-in prompts |

When write capabilities are enabled for your organization, the connector requests **Files.ReadWrite.All** instead of the read-only scopes above. This allows Grok to upload and overwrite files on your behalf.

These permissions are delegated, meaning Grok can only access content the signed-in user already has access to.

## How to connect (team members)

Once your admin has completed the prerequisites above, each team member connects their own account:

1. Go to [grok.com/connectors](https://grok.com/connectors).
2. Find **SharePoint** and click **Connect**.
3. Sign in with your Microsoft work or school account.
4. Review the requested permissions and click **Accept**.

Once connected, Grok can search and read your SharePoint files whenever you ask about documents, reports, or files stored in SharePoint.

If your admin has enabled write access (step 4 above), you can opt in to writes individually from the connectors page. **Write access is not enabled by default for team members, even when the admin has approved the write application.**

## Privacy and security

**Your data stays yours.** Grok only indexes SharePoint content when needed to answer your questions. xAI does not use your SharePoint data for model training.

**Per-user access controls.** Every time you search or request a file, Grok verifies that your Microsoft account has permission to access it. If you cannot see a file in SharePoint, you cannot see it through Grok either. This check happens on every request.

**Data removal on disconnect.** When a team member disconnects their account, any indexed data that only they had access to is deleted. If an admin removes the SharePoint connector entirely, all indexed data for the organization is deleted.

## Disconnecting

To disconnect the SharePoint connector:

1. Go to [grok.com/connectors](https://grok.com/connectors).
2. Find SharePoint in your connected list and click **Disconnect**.

You can also revoke the app's access from your Microsoft account at [myapps.microsoft.com](https://myapps.microsoft.com).