AWS Security ChangesHomeSearch

AWS quick documentation change

Service: quick · 2026-05-01 · Documentation low

File: quick/latest/userguide/sharepoint-action-integration.md

Summary

Updated SharePoint integration documentation to add details about multiple authentication methods (Default OAuth, Custom OAuth, Service-to-Service OAuth), restructured setup instructions, and added a new section about admin consent requirements for Microsoft 365.

Security assessment

The changes add detailed documentation about security features (OAuth authentication methods) and admin consent processes, but there's no evidence of addressing a specific security vulnerability. The updates improve security awareness by explaining authentication options and admin consent requirements.

Diff

diff --git a/quick/latest/userguide/sharepoint-action-integration.md b/quick/latest/userguide/sharepoint-action-integration.md
index 06620925f..31ae0e1db 100644
--- a//quick/latest/userguide/sharepoint-action-integration.md
+++ b//quick/latest/userguide/sharepoint-action-integration.md
@@ -7 +7 @@
-Before you beginConfigure Microsoft EntraSet up the integration in Amazon QuickAvailable actionsManage and troubleshoot
+Before you beginConfigure Microsoft EntraSetting up the connector in Amazon QuickAvailable actionsManage and troubleshootAdmin consent for Microsoft 365
@@ -13 +13,12 @@ Use the Microsoft SharePoint action connector to manage lists, items, files, and
-Setting up this integration involves two steps. First, you register an application in Microsoft Entra and configure its permissions. Then, you create the integration in Amazon Quick and connect it to your Entra app. For information about the authentication methods that Amazon Quick supports, see [Authentication methods](./quick-action-auth.html).
+Amazon Quick supports multiple authentication methods for Microsoft SharePoint. Choose the method that best fits your organization's security requirements.
+
+  * **Default OAuth app** – Uses an AWS-managed OAuth application. No additional credentials are needed. Users authenticate directly with their Microsoft account.
+
+  * **Custom OAuth app** – Uses a customer-managed application registered in Microsoft Entra. This option gives your organization full control over the OAuth configuration. Users authenticate on behalf of a signed-in user (delegated permissions).
+
+  * **Service-to-Service OAuth** – Uses client credentials for server-to-server authentication without user interaction (application permissions). Suitable for automated workflows.
+
+
+
+
+For more information about the authentication methods that Amazon Quick supports, see [Authentication methods](./quick-action-auth.html).
@@ -21 +32 @@ Make sure you have the following before you set up the integration.
-  * Access to the [Microsoft Entra admin center](https://entra.microsoft.com/) with at least Application Developer permissions.
+  * For **Custom OAuth app** or **Service-to-Service OAuth** : Access to the [Microsoft Entra admin center](https://entra.microsoft.com/) on the Microsoft website with at least Application Developer permissions.
@@ -29,0 +41,2 @@ Make sure you have the following before you set up the integration.
+If you are using **Default OAuth app** authentication, skip this section and proceed to Setting up the connector in Amazon Quick.
+
@@ -123 +136,26 @@ Client secret value | Certificates & secrets page
-## Set up the integration in Amazon Quick
+## Setting up the connector in Amazon Quick
+
+### Connect from the Available tab
+
+If you want to use Default OAuth app authentication, you can connect directly from the **Available** tab without additional configuration.
+
+  1. In the Amazon Quick console, choose **Connectors**.
+
+  2. On the **Available** tab, find **SharePoint** and choose **Connect**.
+
+  3. Complete the Microsoft sign-in flow and grant the requested permissions.
+
+
+
+
+To configure a connector with Custom OAuth app or Service-to-Service OAuth instead, use the **Create for your team** tab as described below.
+
+### Create from the Create for your team tab
+
+After you complete any required Entra configuration, create the connector in Amazon Quick.
+
+  1. In the Amazon Quick console, choose **Connectors**.
+
+  2. Choose the **Create for your team** tab.
+
+  3. Find and choose **Microsoft SharePoint**.
@@ -125 +163 @@ Client secret value | Certificates & secrets page
-After you complete the Entra configuration, create the integration in Amazon Quick.
+###### Note
@@ -127 +165 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  1. In the Amazon Quick console, choose **Integrations**.
+If a Microsoft SharePoint connector already exists, a dialog appears with your existing connectors. To use an existing connector, choose it. To create a new one, choose **No, create new**.
@@ -129 +167 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  2. Choose **Microsoft SharePoint** and choose the Add (plus "+") button.
+  4. On the **Integration type** page, select **Perform actions in Microsoft SharePoint Online** and choose **Next**.
@@ -131 +169 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  3. Choose the **Actions** tab.
+  5. Enter a **Name** for your connector. Optionally, choose **\+ Add Description** to add a description.
@@ -133 +171 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  4. Choose **Perform actions in Microsoft SharePoint**.
+  6. For **Connection type** , choose **Public network**.
@@ -135 +173 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  5. Fill in the integration details:
+  7. For **OAuth Configuration** , choose one of the following authentication methods and configure the required fields.
@@ -137 +175 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-     * **Name** – Descriptive name for your SharePoint integration.
+    1. For **Default OAuth app** :
@@ -139 +177 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-     * **Description** (Optional) – Purpose of the integration.
+No additional credentials are needed. Choose **Next** to continue.
@@ -141 +179 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  6. Choose your connection type and fill in the connection settings:
+    2. For **Custom OAuth app** (user authentication with delegated permissions), configure the following fields:
@@ -143 +181 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-    1. For **User authentication (OAuth)** , configure the following fields:
+       * **Base URL** (Optional) – The Microsoft Graph API base URL. Example: `https://graph.microsoft.com/v1.0`
@@ -145 +183 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Base URL** – `https://graph.microsoft.com/v1.0`
+       * **Client ID** – The Application (client) ID from your Entra app registration.
@@ -147 +185 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Client ID** – Application (client) ID from your Entra app registration.
+       * **Client secret** – The client secret value from your Entra app registration.
@@ -149 +187 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Client Secret** – Client secret value from your Entra app registration.
+       * **Token URL** – The token endpoint. Example: `https://login.microsoftonline.com/`{tenant-id}`/oauth2/v2.0/token`
@@ -151 +189 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Token URL** – `https://login.microsoftonline.com/`{tenant-id}`/oauth2/v2.0/token`
+       * **Authorization URL** – The authorization endpoint. Example: `https://login.microsoftonline.com/`{tenant-id}`/oauth2/v2.0/authorize`
@@ -153 +191 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Auth URL** – `https://login.microsoftonline.com/`{tenant-id}`/oauth2/v2.0/authorize`
+       * **Redirect URL** – Pre-filled with the Amazon Quick callback URL.
@@ -155 +193 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Redirect URL** – `https://`{region}`.quicksight.aws.amazon.com/sn/oauthcallback`
+    3. For **Service-to-Service OAuth** (service authentication with application permissions), configure the following fields:
@@ -157 +195 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-    2. For **Service authentication** , configure the following fields:
+       * **Base URL** (Optional) – The Microsoft Graph API base URL. Example: `https://graph.microsoft.com/v1.0`
@@ -159 +197 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Client ID** – Application (client) ID from your Entra app registration.
+       * **Client ID** – The Application (client) ID from your Entra app registration.
@@ -161 +199 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Client Secret** – Client secret value from your Entra app registration.
+       * **Client secret** – The client secret value from your Entra app registration.
@@ -163 +201 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Token URL** – `https://login.microsoftonline.com/`{tenant-id}`/oauth2/v2.0/token`
+       * **Token URL** – The token endpoint. Example: `https://login.microsoftonline.com/`{tenant-id}`/oauth2/v2.0/token`
@@ -165 +203 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-       * **Scope** – `.default`
+###### Note
@@ -167 +205 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  7. Choose **Create and continue**.
+The scope for the client credentials token request (`https://graph.microsoft.com/.default`) is set automatically by Amazon Quick. You do not need to configure it manually.
@@ -169 +207 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  8. Choose users to share the integration with.
+  8. Choose **Next**.
@@ -171 +209,9 @@ After you complete the Entra configuration, create the integration in Amazon Qui
-  9. Choose **Next**.
+  9. If you chose **Default OAuth app** or **Custom OAuth app** , a Microsoft authorization window opens. Review the requested permissions and choose **Accept**.
+
+If you see an error instead of the consent dialog, your organization might restrict third-party app access. See Admin consent for Microsoft 365.
+
+  10. On the **Review** page, review the available actions for the connector. Choose **Next**.
+
+  11. On the **Publish** page, choose who can access the connector. You can enable access for everyone in your organization or search for specific teams or groups.
+
+  12. Choose **Publish**.
@@ -225,0 +272,28 @@ To edit, share, or delete your integration, see [Managing existing integrations]
+## Admin consent for Microsoft 365
+
+When you use the **Default OAuth app** authentication method, Amazon Quick uses an AWS-managed application to access Microsoft SharePoint on behalf of the signed-in user. Most users can complete setup without any extra steps. However, if your Microsoft 365 tenant restricts third-party app access, a Microsoft 365 administrator must grant one-time consent before users can connect.
+
+If you see an error when you sign in during connector setup, your organization might restrict third-party app access. Share the following information with your Microsoft 365 administrator:
+
+  * **What to do:** Grant admin consent for the Amazon Quick Microsoft SharePoint integration application.
+
+  * **Why:** Amazon Quick needs delegated access to SharePoint sites, lists, files, and Excel workbooks to perform actions on behalf of users.
+
+
+
+
+An administrator can grant consent in one of the following ways:
+
+  * **Through the consent dialog** – A Global Administrator or Privileged Role Administrator initiates the connector setup flow. In the Microsoft sign-in dialog, they select the **Consent on behalf of your organization** check box and choose **Accept**.
+
+  * **Through the Microsoft Entra admin center** – Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) on the Microsoft website. Choose **Enterprise applications** , locate the Amazon Quick application, choose **Permissions** , and choose **Grant admin consent for`Your Organization`**.
+
+
+
+
+After consent is granted, any user in your organization can connect without being prompted for individual consent.
+
+###### Note
+
+To check whether your tenant restricts user consent, go to the Microsoft Entra admin center and choose **Enterprise applications** , **Consent and permissions** , **User consent settings**. If the setting is **Do not allow user consent** , an administrator must grant consent before users can use the connector.
+