This guide shows you how to register your own app with SharePoint Online (v2) (via Microsoft Entra ID) to obtain your OAuth credentials (client ID & secret). These are required to let your users grant your app access to their SharePoint Online account.

Registering your OAuth app

Step 1: Create a Microsoft account and Azure account

If you don’t already have them, sign up for a Microsoft account and an Azure account.

Step 2: Register an application in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center as at least an Application Developer.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application.
  3. From the search bar at the top of the Azure portal, search for App registrations and select it, then choose New registration. Alternatively, in the left navigation, go to Applications > App registrations, then choose New registration.
  4. Enter a meaningful name for your application, for example “Nango Integration”.
  5. Under Supported account types you need to decide who can install your integration:
    • Accounts in any organizational directory - Any user account in a professional Microsoft organization (Business, School, etc.)
    • Accounts in any organizational directory and personal Microsoft accounts - The accounts from the first option, plus personal Microsoft accounts (pick this unless you want to restrict your integration to business accounts)
  6. Leave the Redirect URI section blank for now; we’ll configure it in a later step.
  7. Click Register to complete the app registration.

Step 3: Note your application (client) ID

After registration, you’ll be taken to the application’s Overview page. Record the Application (client) ID, which uniquely identifies your application and is used in your application’s code as part of validating security tokens.

Step 4: Add a redirect URI

  1. In the left sidebar, select Authentication.
  2. Under Platform configurations, select Add a platform.
  3. Select Web as the platform type.
  4. Enter https://api.nango.dev/oauth/callback as the Redirect URI.
  5. Under Advanced settings, keep Allow public client flows set to the default No for web applications.
  6. Click Configure to save your changes.

Step 5: Add API permissions

  1. In the left sidebar, select API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph to integrate with SharePoint Online (v2).
  4. Select the required permissions from the Delegated permissions section.
  5. Select the specific permissions your app requires. See the commonly used scopes table below for reference.
  6. Click Add permissions.
  7. If your application requires admin consent, click Grant admin consent for [tenant] to pre-authorize the permissions.
To obtain the sharepointAccessToken, your integration must include and request the Sites.Read.All scope during authorization. Without this scope, the SharePoint token will not be issued — only the Graph token will be available for your connection.

Step 6: Create a client secret

  1. In the left sidebar, select Certificates & secrets.
  2. Under Client secrets, click New client secret.
  3. Enter a description for the secret and select an expiration period (6 months, 12 months, 24 months, or custom). Select a date further in the future to avoid interruptions; note that the Custom date can only be set to a maximum of 1 year from the current date. If the secret expires, you will need to generate a new one and update your integration within Nango.
  4. Click Add.
  5. Important: Copy the secret value immediately and store it securely. You won’t be able to see it again after you leave this page.

Step 7: Configure token settings (optional)

  1. In the left sidebar, select Token configuration. Here you can configure optional claims to be included in the access tokens issued for your application.
  2. Click Add optional claim and select the claims you want to include in your access tokens.

Step 8: Configure app visibility (optional)

If you want users to see your app on their My Apps page:
  1. From the search bar at the top of the Azure portal, search for Enterprise applications, select it, and then choose your app.
  2. On the Properties page, set Visible to users? to Yes.
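
The settings chosen in steps 2, 4 and 6 can be checked after registration. The following is an added example, not code from Nango or Microsoft: it audits an application object in the shape Microsoft Graph returns. The property names signInAudience, web.redirectUris, isFallbackPublicClient and passwordCredentials come from the Graph application resource rather than this page, and the function name, the 30-day warning window and the sample object are constructed for illustration.

```javascript
// Added example: audit a Microsoft Graph `application` object against this guide.
const EXPECTED_REDIRECT = 'https://api.nango.dev/oauth/callback';
// Graph values for the two "Supported account types" options listed in step 2.
const ALLOWED_AUDIENCES = ['AzureADMultipleOrgs', 'AzureADandPersonalMicrosoftAccount'];

function auditAppRegistration(app, now = new Date(), warnDays = 30) {
  const findings = [];

  // Step 2: supported account types.
  if (!ALLOWED_AUDIENCES.includes(app.signInAudience)) {
    findings.push(`signInAudience is ${app.signInAudience}`);
  }

  // Step 4: the Nango callback must be present; any other URI is reported,
  // because every registered redirect URI can receive authorization codes.
  const uris = (app.web && app.web.redirectUris) || [];
  if (!uris.includes(EXPECTED_REDIRECT)) findings.push('Nango redirect URI missing');
  for (const u of uris) {
    if (u !== EXPECTED_REDIRECT) findings.push(`unexpected redirect URI: ${u}`);
  }

  // Step 4: "Allow public client flows" should remain No.
  if (app.isFallbackPublicClient === true) findings.push('public client flows enabled');

  // Step 6: report client secrets that are expired or close to expiry.
  const msPerDay = 24 * 60 * 60 * 1000;
  for (const cred of app.passwordCredentials || []) {
    const daysLeft = Math.floor((new Date(cred.endDateTime) - now) / msPerDay);
    if (daysLeft < 0) findings.push(`secret "${cred.displayName}" expired`);
    else if (daysLeft <= warnDays) findings.push(`secret "${cred.displayName}" expires in ${daysLeft} days`);
  }
  return findings;
}

// Constructed sample, not a real tenant's data.
const sampleApp = {
  displayName: 'Nango Integration',
  signInAudience: 'AzureADandPersonalMicrosoftAccount',
  web: { redirectUris: [EXPECTED_REDIRECT, 'http://localhost:3000/callback'] },
  isFallbackPublicClient: false,
  passwordCredentials: [
    { displayName: 'nango-prod', endDateTime: '2025-07-01T00:00:00Z' },
    { displayName: 'nango-old', endDateTime: '2025-01-15T00:00:00Z' },
  ],
};

console.log(auditAppRegistration(sampleApp, new Date('2025-06-10T00:00:00Z')));
```

An empty result means the registration matches the guide; the expired secret in the sample is the kind of leftover credential to delete once the replacement is in use.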

Common Scopes

| Scope | Description |
| --- | --- |
| Sites.Read.All | Read SharePoint sites and lists across the organization |
| Sites.ReadWrite.All | Read and write SharePoint sites and lists across the organization |
| Sites.Manage.All | Full control of all site collections without a signed-in user |
| Sites.FullControl.All | Have full control of all site collections (includes manage, read/write) |
| Files.Read | Read user files and file properties |
| Files.Read.All | Read all files the user can access |
| Files.ReadWrite | Read and write user files |
| Files.ReadWrite.All | Read and write all files the user can access |
| offline_access | Access to refresh tokens for offline access |
| User.Read.All | Read user profiles in the organization (useful if mapping users to files) |

For a comprehensive list of available permissions and their requirements, see the Microsoft Graph permissions reference.

Understanding SharePoint and Graph tokens

Each connection issues two tokens:
  1. Main Token (Graph Token): Used for standard Microsoft Graph API operations, such as making proxy calls to the Graph API at https://graph.microsoft.com.
  2. SharePoint Token (sharepointAccessToken): Available under connection_config and required when interacting with SharePoint-specific components, such as the latest File Picker (v8.0).
The sharepointAccessToken is only available for new connections. If it’s missing from your connection_config, please reauthorize your connection to obtain and include the token.
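
Because a connection carries two bearer tokens, client code should decide explicitly which one accompanies a request and send neither to any other host. The following is an added example, not code from Nango: the credentials.access_token field for the main token, the contoso.sharepoint.com tenant host, the function names and the placeholder token values are assumptions made for illustration; connection_config.sharepointAccessToken and the Sites.Read.All requirement are from this page.

```javascript
// Scope this guide says must be requested before a sharepointAccessToken is issued.
const SHAREPOINT_TOKEN_SCOPE = 'Sites.Read.All';

function sharePointTokenExpected(requestedScopes) {
  return requestedScopes.some((s) => s.toLowerCase() === SHAREPOINT_TOKEN_SCOPE.toLowerCase());
}

// Chooses which of the connection's two tokens may accompany a request.
// `tenantHost` is the caller's own SharePoint host (assumed: contoso.sharepoint.com).
function selectToken(connection, requestUrl, tenantHost) {
  let url;
  try { url = new URL(requestUrl); } catch { return { ok: false, reason: 'invalid URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not HTTPS' };

  const host = url.hostname.toLowerCase();
  // Exact host comparison: look-alike or unrelated hosts never receive a token.
  if (host === 'graph.microsoft.com') {
    return { ok: true, kind: 'graph', token: connection.credentials.access_token };
  }
  if (host === tenantHost.toLowerCase()) {
    const spToken = (connection.connection_config || {}).sharepointAccessToken;
    if (!spToken) {
      return { ok: false, reason: 'sharepointAccessToken missing: reauthorize the connection' };
    }
    return { ok: true, kind: 'sharepoint', token: spToken };
  }
  return { ok: false, reason: `no token for host ${host}` };
}

// Constructed connection records; token values are placeholders.
const newConnection = {
  credentials: { access_token: 'GRAPH_TOKEN_PLACEHOLDER' },
  connection_config: { sharepointAccessToken: 'SP_TOKEN_PLACEHOLDER' },
};
const oldConnection = {
  credentials: { access_token: 'GRAPH_TOKEN_PLACEHOLDER' },
  connection_config: {},
};
const TENANT = 'contoso.sharepoint.com';

console.log(sharePointTokenExpected(['Files.Read', 'offline_access']));
console.log(selectToken(newConnection, 'https://graph.microsoft.com/v1.0/sites/root', TENANT).kind);
console.log(selectToken(newConnection, `https://${TENANT}/_api/web`, TENANT).kind);
console.log(selectToken(oldConnection, `https://${TENANT}/_api/web`, TENANT).reason);
console.log(selectToken(newConnection, 'https://graph.microsoft.com.example.net/v1.0/me', TENANT).reason);
```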

API version differences

Nango supports both SharePoint Online v1 and v2, providing flexibility for integrations depending on your requirements:
  • SharePoint v1 refers to the older REST API, which uses legacy authentication methods like SharePoint Online (SPO) or older OAuth implementations. Its endpoints follow the pattern https://<your-tenant>.sharepoint.com/_api/, and it supports basic SharePoint operations. However, v1 lacks modern features such as delta queries for incremental sync and deep integration with Microsoft 365.
  • SharePoint Online v2 is a modernized version aligned with the Microsoft Graph API. It uses OAuth 2.0 with the Microsoft Identity Platform (formerly Azure AD) for secure and scalable authentication. Endpoints for v2 are primarily accessed through https://graph.microsoft.com/v1.0/sites/..., and it offers advanced capabilities like delta queries for incremental sync, enhanced performance, and seamless integration with Microsoft 365 services.

Finding required permissions

You can find permissions required for each API call in their corresponding API methods section. For example, to get metadata for a list from SharePoint, see Get metadata for a list permissions. For more details on SharePoint Online’s implementation, see Microsoft Graph SharePoint documentation.