Connecting SharePoint to GovEagle

One of GovEagle's core capabilities is using your past content to influence and draft new proposals. Teams can bring content into GovEagle by uploading files manually, connecting to SharePoint, or connecting to other knowledge management solutions.

This guide covers how to connect SharePoint to GovEagle from an IT perspective. Before getting started, here are a few things to know:

• GovEagle supports Commercial, GCC, and GCC High SharePoint tenants.

• You can connect to multiple SharePoint sites or document libraries within the same tenant, or even across different tenants.

• GovEagle can connect to both commercial and government tenants within the same instance.

• GovEagle syncs with your SharePoint every night to pull the latest snapshot of your content.

Choosing a Connection Method

GovEagle offers two ways to connect to SharePoint: Admin Consent and Service Principal. Both methods are fully supported — the right choice depends on your organization's IT preferences.

Admin Consent is the simplest option and is recommended for most teams. You sign in with your Microsoft 365 admin account, grant permissions through a standard Microsoft consent flow, and you're done. This method requires the Sites.Read.All permission at the tenant level, which GovEagle uses solely to list your SharePoint sites so you can choose which ones to sync. See the FAQ below for more detail on why this permission is required.

Service Principal gives your IT team more direct control. You register an application in Azure AD, configure the exact permissions, and provide the credentials to GovEagle. This is a good fit for organizations that prefer to manage app registrations internally. Within this method, you also get to choose between broad access (Sites.Read.All) or granular per-site access (Sites.Selected) — see Option B below for details.

Option A: Admin Consent (Recommended)

Requirements

• You must be a Global Administrator of your Microsoft 365 tenant.

• You must have identified the SharePoint sites you'd like to connect. See Building Your Content Library for guidance.

• You must have a GovEagle Admin account.

Permissions Granted

• Sites.Read.All — A tenant-wide permission that allows GovEagle to list the SharePoint sites across your tenant. GovEagle does not use this permission for anything other than presenting your sites for selection.

• Sites.Selected — Allows GovEagle to access only the specific sites you choose via the Microsoft Graph API. This is what enables the actual content sync.

• User.Read — Allows the app to read basic profile information. This is the most common baseline permission and is required for any application built on top of Microsoft.

Steps

1. Log in to GovEagle at app.goveagle.com.

2. Click on the Profile icon at the bottom left of the sidebar.

3. Click Settings in the profile menu.

4. Click Integrations.

5. Click Add Integration at the top right, then select Microsoft SharePoint.

6. In the connection dialog, stay on the Admin Consent tab.

7. Choose the type of SharePoint environment you're connecting to: Commercial or Government.

8. You will be redirected to log in with your Microsoft 365 credentials. Microsoft may prompt you for a code from your two-factor authentication app.

9. On the Permissions requested screen, review the permissions listed above and click Accept.

8. You'll be navigated back to GovEagle Settings, where you should see a list of your SharePoint sites.

11. Select the sites you want GovEagle to ingest. You can click the arrow at the end of each row to select individual document libraries rather than entire sites.

12. Once you've made your selections, click Sync SharePoint at the top right.

13. To manage connected sites or libraries later, click Manage Drives on the integration card.

14. To add content from a different SharePoint tenant, repeat from Step 5.

Option B: Service Principal

The Service Principal method involves two parts: registering an app in Azure AD, then connecting that app to GovEagle. During setup, you'll choose one of two permission levels depending on how much control your IT team wants.

Requirements

• You must have access to Azure Portal and the ability to create app registrations.

• You must be able to grant admin consent for API permissions in your Azure AD tenant.

• You must have a GovEagle Admin account.

Part 1: Create an App Registration in Azure

Step 1: Register the Application

1. Go to the Azure Portal (or portal.azure.us for GCC High tenants) and navigate to Azure Active Directory → App registrations → New registration.

2. Give the application a name (e.g., "GovEagle SharePoint Integration").

3. Select the appropriate supported account type for your organization.

4. Click Register.

Step 2: Create Client Credentials

1. In your new app registration, navigate to Certificates & secrets.

2. Click New client secret.

3. Add a description and set an expiration period.

4. Click Add, then immediately copy and save the secret value — you will not be able to see it again.

Step 3: Configure API Permissions

Navigate to API permissions in your app registration, then click Add a permission → Microsoft Graph → Application permissions. At this point, you need to choose one of two permission approaches:

Approach 1: Sites.Read.All or Sites.ReadWrite.All (Recommended)

This is the easier path. Once approved by an administrator, GovEagle can list all SharePoint sites, allow users to browse and select sites directly in the UI, and sync documents without additional IT involvement.

1. Search for and add Sites.Read.All (or Sites.ReadWrite.All if write access is needed).

2. Click Add permissions.

3. Click Grant admin consent for your organization and confirm.

You're done with Azure setup — skip ahead to Part 2.

Approach 2: Sites.Selected (Granular Access)

This approach is recommended for strict IT environments. Instead of granting broad read access, your IT administrator manually grants GovEagle permission to each specific SharePoint site. Keep in mind that with this approach, sites will not appear automatically in GovEagle — an admin must approve each site individually, and adding a new site later requires another approval step.

1. Search for and add Sites.Selected.

2. Click Add permissions.

3. Click Grant admin consent for your organization and confirm.

1. Follow the instructions in Granting Per-Site Permissions below to authorize GovEagle for each SharePoint site.

Part 2: Connect in GovEagle

1. Log in to GovEagle at app.goveagle.com.

2. Click on the Profile icon at the bottom left → Settings → Integrations.

3. Click Add Integration at the top right, then select Microsoft SharePoint.

4. In the connection dialog, click the Service Principal tab.

5. Enter your Azure Tenant ID (Directory/tenant ID from the app registration overview), Client ID (Application/client ID), and Client Secret (the value you saved earlier).

6. If you are connecting to an Azure Government (.gov) tenant, toggle Government Cloud on.

7. Optionally, enter a Tenant Name (e.g., "Main Tenant" or "Production") to help identify this connection.

1. Click Connect.

2. Click Manage Drives to configure which sites and document libraries you want to sync.

3. Click Resync to begin your first SharePoint sync.

Granting Per-Site Permissions (Sites.Selected Only)

If you chose the Sites.Selected permission approach in the Service Principal method, you'll need to manually grant your app registration access to each SharePoint site using Microsoft Graph Explorer. This is a one-time setup per site.

Step 1: Log into Graph Explorer as a Tenant Admin

Navigate to Microsoft Graph Explorer and sign in with a tenant admin account.

Step 2: Grant Graph Explorer the Required Permissions

Before you can grant site-level permissions, Graph Explorer itself needs the Sites.FullControl.All permission.

1. In Graph Explorer, click Modify Permissions.

2. Find and consent to Sites.FullControl.All.

3. This is a one-time admin setup action. Once you've completed the permission grants below, you can revoke this consent from Graph Explorer if you'd like — the permissions you grant to your app will persist.

Step 3: Get the SharePoint Site ID

If you don't already know your site ID, run the following GET request in Graph Explorer:

GET https://graph.microsoft.com/v1.0/sites/{YOUR-DOMAIN}.sharepoint.com:/sites/{YOUR-SITE-NAME}

Copy the id value from the response.

Step 4: Grant Your App Access to the Site

1. In Graph Explorer, switch to a POST request.

2. Set the URL to:

POST https://graph.microsoft.com/v1.0/sites/{site-id-from-step-3}/permissions

3. Use the following request body. Use "read" for read-only access, or ["read", "write"] if write access is needed:

{
  "roles": ["read"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<your-azure-app-client-id>",
        "displayName": "GovEagle SharePoint Integration"
      }
    }
  ]
}

4. Click Run Query and verify the API call was successful.

5. The site should appear in the GovEagle platform within a few minutes.

Repeat Steps 3–4 for each additional SharePoint site you want to connect.

Managing Your Connection

Once connected, you can manage your SharePoint integration from the Integrations page in Settings:

• Manage Drives — Add or remove synced sites and document libraries.

• Resync — Trigger a sync of the content that is connected to GovEagle.

FAQ

Why does the Admin Consent method require the Sites.Read.All permission?

This is due to how Microsoft has structured their Graph API. The Sites.Selected permission does not allow an application to list or discover available sites — it can only access sites that have already been specified. To let you browse and choose which sites to sync, GovEagle first needs Sites.Read.All to enumerate your sites. Once you've made your selections, GovEagle uses Sites.Selected to access only those specific sites.

GovEagle only uses the Sites.Read.All permission to present your sites for selection. It is not used for any other purpose.

Microsoft has confirmed this is a known limitation of their permission model. For organizations that prefer not to grant Sites.Read.All, the Service Principal method with Sites.Selected is available as an alternative.

What's the difference between Sites.Read.All and Sites.Selected in the Service Principal method?

With Sites.Read.All (or Sites.ReadWrite.All), GovEagle can automatically list all your SharePoint sites in the UI so users can browse and select which ones to sync. With Sites.Selected, sites don't appear automatically — an IT admin must manually grant access to each site through Microsoft Graph Explorer before it becomes available in GovEagle. Sites.Read.All is easier to set up; Sites.Selected offers tighter control.

Can I connect to both Commercial and Government tenants?

Yes. GovEagle supports connecting to both commercial and government tenants within the same instance.

How often does GovEagle sync with SharePoint?

GovEagle syncs with your connected SharePoint sites every night to pull the latest content.

Can I select individual document libraries instead of full sites?

Yes. When selecting content to sync, click the arrow at the end of any site row to expand it and select individual document libraries.