Unknown Errors From Agent With SharePoint Knowledge For All Users...Except One?

Chris Domino 10 Reputation points
2025-09-29T19:47:10.3433333+00:00

Hello!

Problem Statement

We are experiencing an issue with an Azure AI Foundry Project that has an agent with a SharePoint knowledge connection. All users interacting with this agent in the playground (except folks having global privileged Azure roles) experience it throwing a generic error. I turned on logging, but don't see any telemetry providing more details in App Insights.

I can't untangle the permissions for the admin users for whom it works. They don't have explicit rights to the SharePoint site (but I do) and do not have any unique Foundry roles. Furthermore, the AI works for these admins even when the Custom Authentication settings (see below) are not attached to an Entra ID app, which is why I believe that this is a permission issue.

Our Configuration

  • This is all in an active "Microsoft Sponsorship" subscription - not sure if that adds a wrinkle.
  • Foundry instance and project created via Azure CLI with the following permissions assigned to the project's managed identity as well as an Entra ID app registration.

  • SharePoint team site created at https://<tenant>.sharepoint.com/sites/<site>
  • PDF (of a profile/resume) uploaded to the default "Shared Documents" document library at https://<tenant>.sharepoint.com/sites/<site>/Shared%20Documents/<file>.pdf
  • Manually created an agent called "SharePoint-Agent" in the Foundry project and created a connection to the SharePoint site with the following custom keys:

Failed Attempts To Resolve

  • Tried many additional permissions.
  • Added the following keys to the authentication settings for the SharePoint connection per https://learn.microsoft.com/en-us/answers/questions/5552880/unable-to-create-a-sharepoint-connection-in-azure.
    • App Id: <Entra ID app id (guid)>
    • Secret: <Entra ID app registration secret> [marked as a secret]
  • The responder to the question linked in the previous bullet (which was indeed helpful in general) mentions, per the Foundry Project documentation, that these SharePoint site collections need to have the /Teams/ managed path, not /sites/ as is the default.
    • I created https://<tenant>.sharepoint.com/teams/<site>
    • Then updated the same files to this site collection's Shared Documents
    • The behavior was different, but throws the same error whenever it tries to use the SharePoint knowledge connection
    • It should be noted that SharePoint connections which worked for my admin users indeed used the /sites/ managed path. It then follows, would this work for the root collection (https://<tenant>.sharepoint.com with no extra pathing)?

Please let us know what we are missing here! Thanks so much!

Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.

2 answers

  1. Chris Domino 10 Reputation points
    2025-10-21T15:30:13.2666667+00:00

    Okay we got this working. @Manas Mohanty pointed us in the right direction in the above thread. In addition to the Azure roles and SharePoint permissions, here's the final set of config that got this working:

    • The SharePoint site needs to be modern (i.e. created under the /teams/ managed path)
    • You do NOT need to reference an Entra ID app in the SharePoint connection UI; just the absolute site/doc lib/folder URL marked as a secret.
    • The current user needs a Copilot license.
    1 person found this answer helpful.

  2. Manas Mohanty 13,340 Reputation points Moderator
    2025-10-02T15:05:36.4+00:00

    Hello Chris Domino

    I am trying to grasp the authentication used here along with the other threads.

    Wanted to let you know that we need users to have SharePoint reader on SharePoint and the Azure AI Account user role at minimum for the Azure AI Foundry resource.

    Attached an end-to-end tutorial for the Fabric Data agent as an alternate.

    Please help me with the details requested in the private message for further assistance.

    Thank you

