AWS Security ChangesHomeSearch

AWS amazonq high security documentation change

Service: amazonq · 2025-03-10 · Security-related high

File: amazonq/latest/qbusiness-ug/sharepoint-cloud-console.md

Summary

Updated authentication methods for SharePoint integration, replacing Basic Authentication with Azure AD App-Only authentication details, adding certificate generation instructions, reorganizing authentication steps, and adding warnings about MFA requirements for OAuth 2.0/Basic Auth.

Security assessment

The changes explicitly deprecate less secure methods (Basic Auth) in favor of Azure AD App-Only authentication with certificates, include security-focused warnings about disabling MFA ('not recommended'), and add detailed certificate-based authentication guidance. These changes address authentication security improvements and highlight risks of weaker methods.

Diff

diff --git a/amazonq/latest/qbusiness-ug/sharepoint-cloud-console.md
index 0901b3f2b..d06398ec0 100644
--- a/amazonq/latest/qbusiness-ug/sharepoint-cloud-console.md
+++ b/amazonq/latest/qbusiness-ug/sharepoint-cloud-console.md
@@ -37 +37 @@ You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric charac
-    3. **Domain** – Enter the SharePoint domain. For example, the domain in the URL `https://yourdomain.sharepoint.com/sites/mysite` is `yourdomain`. 
+    3. **Domain** – Enter the SharePoint domain. For example, the domain in the URL `https://yourdomain.sharepoint.com/sites/mysite` is `yourdomain`. Note that the domain name in the URL and the domain name you're expected to enter in the domain field can be different.
@@ -55 +55,12 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-    1. If using **Basic Authentication** , enter the following information:
+    1. If using **Azure AD App-Only authentication** , enter the following information:
+
+       * **Tenant ID** – Tenant ID of your SharePoint account. To learn how to find your Tenant ID, see [Get subscription and tenant IDs in the Azure portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id) in Azure portal documentation.
+
+       * **Azure AD self-signed X.509 certificate** – Certificate to authenticate the connector for Azure AD. For more information on how to do this, see [Granting access via Azure AD App-Only](https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread) and New-PnPAzureCertificate in _Microsoft developer documentation_.
+
+       * **Generate a certificate using OpenSSL** – As an example: 
+            
+                        openssl req -x509 -newkey
+                    rsa:2048 -noenc -sha1 -keyout /tmp/private.key -out /tmp/sharepoint.crt -nodes -set_serial 1
+                    -days 365 -subj
+                    "/CN=amazon/[email protected]/C=US/ST=Texas/L=Dallas/O=amazon/OU=amazon"
@@ -61 +72 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Username** – Username for your SharePoint account.
+         * **Client ID** – The Client ID generated when you complete Azure App registration for SharePoint (Online) in Entra ID. 
@@ -63 +74 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Password** – Password for your SharePoint account.
+         * **Private key** – A private key to authenticate the connector for Azure AD.
@@ -65 +76 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-    2. If using **OAuth 2.0 authentication** , enter the following information:
+         * **Register a new app in the Microsoft Azure portal** :
@@ -67 +78 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-       * **Tenant ID** – Tenant ID of your SharePoint account. To learn how to find your Tenant ID, see [Get subscription and tenant IDs in the Azure portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id) in Azure portal documentation.
+           1. Log in to the Azure Portal with your Microsoft account.
@@ -69 +80 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-       * For **AWS Secrets Manager secret** – Choose an existing secret or create a Secrets Manager secret to store your SharePoint authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens. Enter the following information in the window:
+           2. Choose New Registration:
@@ -71 +82 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Secret name** – A name for your secret.
+             1. Provide the name for your application. In the example we are using the name `TargetApp`. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
@@ -73 +84 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Username** – Username for your SharePoint account.
+             2. Choose "Accounts" in the organizational directory. (`Tenant name` only - Single tenant).
@@ -75 +86 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Password** – Password for your SharePoint account.
+             3. Choose "Register".
@@ -77 +88 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Client ID** – The Client ID generated when you complete Azure App registration for SharePoint (Online) in Entra ID. 
+             4. Note down the application (client ID and the directory (tenant) on the Overview page, as you'll need them when prompted for "TargetApp-ClientId" and "TenantId".
@@ -79 +90 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Client secret** – The Client secret generated when you complete Azure App registration for SharePoint (Online) in Entra ID.
+             5. Choose API permissions under "Manage" in the navigation pane.
@@ -81 +92 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-    3. If using **Azure AD App-Only authentication** , enter the following information:
+             6. Choose "Add a permission" to allow the application to read data in your organization's directory regarding the signed-in user.
@@ -83 +94 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-       * **Tenant ID** – Tenant ID of your SharePoint account. To learn how to find your Tenant ID, see [Get subscription and tenant IDs in the Azure portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id) in Azure portal documentation.
+             7. Choose "Sharepoint".
@@ -85 +96 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-       * **Azure AD self-signed X.509 certificate** – Certificate to authenticate the connector for Azure AD. For more information on how to do this, see [Granting access via Azure AD App-Only](https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread) and [New-PnPAzureCertificate](https://pnp.github.io/powershell/cmdlets/New-PnPAzureCertificate.html) in _Microsoft developer documentation_.
+             8. Choose "Application permissions".
@@ -87 +98 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-       * For **AWS Secrets Manager secret** – Choose an existing secret or create a Secrets Manager secret to store your SharePoint authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens. Enter the following information in the window:
+             9. Choose "Sites.FullControl.All" from the User section.
@@ -89 +100 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Secret name** – A name for your secret.
+             10. Choose "Add permissions".
@@ -91 +102 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Client ID** – The Client ID generated when you complete Azure App registration for SharePoint (Online) in Entra ID. 
+           3. On the options menu, choose to "Remove" a permssion.
@@ -93 +104 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-         * **Private key** – A private key to authenticate the connector for Azure AD.
+           4. Remove the original `User.Read - Delegated` permission.
@@ -95 +106,3 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
-    4. If using **SharePoint App-Only authentication** , enter the following information:
+           5. Choose "Grant admin content" for the Default Directory.
+
+    2. If using **SharePoint App-Only authentication** , enter the following information:
@@ -110,0 +124,26 @@ OneNote can only be crawled by the connector using a Tenant ID, and with OAuth 2
+    3. If using **OAuth 2.0 authentication** , you must disable MFA in SharePoint. This is not recommended, but if you choose to use OAuth 2.0 authentication anyway, enter the following information:
+
+       * **Tenant ID** – Tenant ID of your SharePoint account. To learn how to find your Tenant ID, see [Get subscription and tenant IDs in the Azure portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id) in Azure portal documentation.
+
+       * For **AWS Secrets Manager secret** – Choose an existing secret or create a Secrets Manager secret to store your SharePoint authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens. Enter the following information in the window:
+
+         * **Secret name** – A name for your secret.
+
+         * **Username** – Username for your SharePoint account.
+
+         * **Password** – Password for your SharePoint account.
+
+         * **Client ID** – The Client ID generated when you complete Azure App registration for SharePoint (Online) in Entra ID. 
+
+         * **Client secret** – The Client secret generated when you complete Azure App registration for SharePoint (Online) in Entra ID.
+
+    4. If using **Basic Authentication** , you must disable MFA in SharePoint. This is not recommended, but if you choose to use Basic Auth anyway, enter the following information:
+
+       * For **AWS Secrets Manager secret** – Choose an existing secret or create a Secrets Manager secret to store your SharePoint authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens. Enter the following information in the window:
+
+         * **Secret name** – A name for your secret.
+
+         * **Username** – Username for your SharePoint account.
+
+         * **Password** – Password for your SharePoint account.
+