AWS Security ChangesHomeSearch

AWS amazonq high security documentation change

Service: amazonq · 2025-05-10 · Security-related high

File: amazonq/latest/qbusiness-ug/sharepoint-cloud-prereqs.md

Summary

Reorganized authentication method order and significantly expanded Azure AD App-Only/OAuth 2.0 documentation with detailed setup steps, certificate management, and granular permission configurations. Moved basic authentication to end and added warnings about MFA deactivation.

Security assessment

Explicitly instructs users to disable MFA ('Deactivate multi-factor authentication') which weakens security posture. However, adds substantial security documentation for certificate-based authentication (X.509), least-privilege permissions (Sites.Selected), and ACL configuration guidance which improves security practices.

Diff

diff --git a/amazonq/latest/qbusiness-ug/sharepoint-cloud-prereqs.md b/amazonq/latest/qbusiness-ug/sharepoint-cloud-prereqs.md
index d682ade17..447459ab3 100644
--- a//amazonq/latest/qbusiness-ug/sharepoint-cloud-prereqs.md
+++ b//amazonq/latest/qbusiness-ug/sharepoint-cloud-prereqs.md
@@ -5 +5 @@
-Prerequisites for using basic authenticationPrerequisites for using OAuth 2.0 authenticationPrerequisites for using Azure AD App-Only authenticationPrerequisites for using SharePoint App-Only authentication
+Prerequisites for using Azure AD App-Only authenticationPrerequisites for using OAuth 2.0 authenticationPrerequisites for using SharePoint App-Only authenticationPrerequisites for using basic authentication
@@ -17 +17 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-  * Prerequisites for using basic authentication
+  * Prerequisites for using Azure AD App-Only authentication
@@ -21,2 +20,0 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-  * Prerequisites for using Azure AD App-Only authentication
-
@@ -24,0 +23,2 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
+  * Prerequisites for using basic authentication
+
@@ -28 +28 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-## Prerequisites for using basic authentication
+## Prerequisites for using Azure AD App-Only authentication
@@ -30 +30 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-**If you're using basic authentication, make sure you've completed the following steps in SharePoint (Online):**
+**If you're using Azure AD App-Only authentication, make sure you've completed the following steps in SharePoint (Online):**
@@ -36 +36 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-  * Noted your basic authentication credentials containing the username and password that you use to connect to SharePoint (Online) Online.
+  * Copied the tenant ID of your Microsoft SharePoint (Online) instance. For details on how to find your tenant ID, see [Find your Microsoft 365 tenant ID](https://learn.microsoft.com/en-us/sharepoint/find-your-office-365-tenant-id) on the Microsoft website.
@@ -38 +38 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-  * Deactivated **Security Defaults** in your Azure portal using an administrative user. For more information on managing security default settings in the Azure portal, see [Microsoft documentation on how to enable/disable security defaults](https://learn.microsoft.com/en-us/answers/questions/101179/how-to-disable-the-two-factor-authentication-from).
+  * Generated an X.509 certificate. For more information on how to create and configure an X.509 certificate, see [Granting access via Azure AD App-Only](https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread) and [New-PnPAzureCertificate](https://pnp.github.io/powershell/cmdlets/New-PnPAzureCertificate.html) in _Microsoft developer documentation_.
@@ -40 +40,5 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-  * Deactivated multi-factor authentication (MFA) in your SharePoint account, so that Amazon Q is not blocked from crawling your SharePoint content.
+  * After generating the X.509 certificate, upload your .CRT file (the public certificate) to an Amazon S3 bucket. Note the file path to a X.509 certificate you have created and stored in an Amazon S3 bucket. (Ex. `s3://bucket-name/path/to/certificate.crt`). Ensure that your Amazon Q Business IAM role has permissions to read from this Amazon S3 bucket. 
+
+  * Noted the private key and the Client ID you generated after SharePoint (Online) Azure App registration.
+
+  * Deactivate multi-factor authentication (MFA) in your SharePoint account, so that Amazon Q is not blocked from crawling your SharePoint content. 
@@ -41,0 +46 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
+  * Configured a Sharepoint (Online) Azure App using one of the two options below and noted its Client ID and Client secret.
@@ -42,0 +48 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
+**If you're _not_ using ACL, added the following permissions:**
@@ -43,0 +50,9 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
+**SharePoint**  
+---  
+    * Sites.Read.All (Application) – Read items in all site collections  
+  
+  * **If you're using ACL** , added the following permissions:
+
+**SharePoint**  
+---  
+    * Sites.FullControl.All (Application) – Have full control of all site collections  
@@ -47 +62,4 @@ For more information on connecting SharePoint (Online) to Amazon Q Business, see
-No API permissions are required for crawling entities using **Basic authentication**.
+If you want to crawl specific sites, you can choose to restrict permissions to specific sites rather than all sites available in the domain. To do this, use the Sites.Selected (Application) permission. With this API permission, you need to set access permission on every site explicitly through the Microsoft Graph API. For more information, see [Microsoft's blog on Sites.Selected permissions QQQQ](https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/develop-applications-that-use-sites-selected-permissions-for-spo/ba-p/3790476).
+
+
+
@@ -67,0 +86,288 @@ For a list of things to consider while configuring your data source, see [ Data
+_Azure AD App-Only Option 1: Global Read Access_
+
+If you anticipate that you will be indexing several Sharepoint sites and would like to simplify your setup process, you can take the following steps to provide the Q Business Sharepoint connector global access. Otherwise, skip to section 2 below.
+
+  1. Create a Sharepoint client app to which we will assign the permissions needed by your Q Business connector. To register the app:
+
+    1. Log in to the Azure Portal with your Microsoft account.
+
+    2.       1. Provide the name for your application. In the example we are using the name TargetApp. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
+
+      2. Choose "Accounts" in the organizational directory. (Tenant name only - Single tenant).
+
+      3. Choose "Register".
+
+      4. Note down the application (client ID and the directory (tenant) on the Overview page, as you'll need them when prompted for "TargetApp-ClientId" and "TenantId".
+
+      5. Navigate to "Manage > API Permissions" in the navigation pane
+
+      6. Navigate to "Add a permission > Sharepoint > Application permissions" to allow the application to read data in your organization's directory regarding the signed-in user.
+
+      7. Search "AllSites.Read".
+
+      8. Choose "Add permissions".
+
+      9. Navigate to "Add a permission > Microsoft Graph > Application permissions"
+
+      10. Search and add the following permissions:
+
+         * "Notes.Read.All"
+
+         * "Sites.Read.All"
+
+         * "Sites.FullControl.All" (required only if you intend to enable ACLs)
+
+         * "GroupMember.Read.All" (required only if you intend to enable ACLs)
+
+         * "User.Read.All" (required only if you intend to enable ACLs)
+
+      11. Navigate to "Remove permission"
+
+      12. Remove the original "User.Read - Delegated" permission
+
+      13. Choose "Grant admin consent" for the default directory
+
+      14. Save the client ID generated from this app for when you configure the Sharepoint connector in the Q Business console or API
+
+The following tables summarize all the permissions your application should have. 
+
+         * If you're not using ACL, your application should have the permission:
+
+**Microsoft Graph** |  **Sharepoint**  
+---|---  
+Notes.Read.All (Application) – Read all OneNote notebooks |  AllSites.Read (Delegated) - Read items in all site collections  
+Site.Read.All (Application) - Read items in all site collections |   
+  
+###### Note
+
+Read.All and Sites.Read.All are required only if you want to crawl OneNote Documents.
+
+         * If you're using ACL, your application should have the following permissions:
+
+Microsoft Graph | Sharepoint  
+---|---  
+GroupMember.Read.All (Application) – Read all group memberships | AllSites.Read (Delegated) – Read items in all site collections  
+Notes.Read.All (Application) – Read all OneNote notebooks |   
+Sites.FullControl.All (Delegated) – Have full control of all site collections |   
+Sites.Read.All (Application) – Read items in all site collections |   
+User.Read.All (Application) – Read all users' full profiles |   
+  
+  2. Create a client secret for your Sharepoint App:
+
+    1. Within your client App navigate to "Clients and secrets > Client secrets"
+
+    2. Click on create a new secret.
+
+  3. Generate a new Certificate to be shared between Q Business SharePoint Connector and Azure AD App:
+
+    1. Use the example command below to generate your own x509 certificate.
+
+    2. Run the following command:`openssl req -x509 -newkey rsa:2048 -noenc -sha1 -keyout /tmp/private.key -out /tmp/sharepoint.crt -nodes -set_serial 1 -days 365 -subj "/CN=amazon/[email protected]/C=US/ST=Texas/L=Dallas/O=amazon/OU=amazon`
+
+    3. Save the generated private key located in /tmp/private.key for later when you configure the Q Business Sharepoint connector via the Q Business console or API.
+
+
+
+
+_Azure AD App-Only Option 2: Read Access for only Selected Sites_
+
+If you anticipate that you will be indexing a manageable number of Sharepoint sites and would prefer to limit the permissions of the Q Business connector to just the Sharepoint sites you intend to index, you can take the following steps:
+
+  1. Create a Sharepoint client app: Create a Sharepoint client app to which we will assign the permissions needed by your Q Business connector. To register the app: 
+
+    1. Log in to the Azure Portal with your Microsoft account.
+
+    2. Choose "New Registration":
+
+      1. Provide the name for your application. In the example we are using the name TargetApp. The Amazon Q Business application uses TargetApp to connect to the SharePoint Online site to crawl and index the data.
+
+      2. Choose "Accounts" in the organizational directory. (Tenant name only - Single tenant).
+
+      3. Choose "Register".
+
+      4. Note down the application (client ID and the directory (tenant) on the Overview page, as you'll need them when prompted for "TargetApp-ClientId" and "TenantId".
+
+      5. Navigate to "Manage > API Permissions" in the navigation pane
+
+      6. Navigate to "Add a permission > Sharepoint > Application permissions" to allow the application to read data in your organization's directory regarding the signed-in user.
+
+      7. Search "Sites.Selected".
+
+      8. Choose "Add permissions".
+
+      9. Navigate to "Add a permission > Microsoft Graph > Application permissions"
+
+      10. Search and add the following permissions:
+
+         * "Notes.Read.All"
+
+         * "Sites.Selected"
+
+         * "GroupMember.Read.All" (required only if you intend to enable ACLs)
+
+         * "User.Read.All" (required only if you intend to enable ACLs)
+
+      11. Navigate to "Remove permission"
+
+      12. Remove the original "User.Read - Delegated" permission
+
+      13. Choose "Grant admin consent" for the default directory
+
+      14. Save the client ID generated from this app for when you configure the Sharepoint connector in the Q Business console or API
+
+The following tables summarize all the permissions your application should have.
+
+         * If you're not using ACL, your application should have the permissions:
+
+**Microsoft Graph** |  **Sharepoint**  
+---|---  
+Notes.Read.All (Application) – Read all OneNote notebooks |  AllSites.Read (Delegated) - Read items in all site collections  
+Site.Read.All (Application) - Read items in all site collections |   
+  
+###### Note
+
+Read.All and Sites.Read.All are required only if you want to crawl OneNote Documents.