Microsoft 365 Copilot Search Integration with SharePoint and OneDrive Support
## Overview

This feature enables Servicely's AI Copilot to search Microsoft 365 content (SharePoint, OneDrive for Business, and external items from connectors) on behalf of the logged-in user. Searches use the Microsoft Graph Copilot Retrieval API with the user's own delegated OAuth token, so SharePoint access permissions are fully respected.

## Prerequisites

- Microsoft Azure Active Directory (Entra ID) tenant
- Azure AD application registration with the following **delegated** permissions (not application permissions):
  - `Files.Read.All`
  - `Sites.Read.All`
  - `ExternalItem.Read.All` (if using external connectors)
  - `offline_access` (for refresh token support)
- Microsoft 365 Copilot licences (required for the `/copilot/retrieval` Graph API endpoint)

## Setup Steps

### 1. Configure the Azure AD application registration

1. In the Azure portal, navigate to **Azure Active Directory → App registrations** and select (or create) your Servicely app registration.
2. Under **API permissions**, add the delegated permissions listed above and grant admin consent.
3. Under **Authentication**, add the Servicely SSO redirect URI: `https://<your-servicely-host>/sso/oauth-callback/`
4. Under **Certificates & secrets**, note your Client ID and Client Secret.

### 2. Create a System OAuth Provider

In Servicely, navigate to **Admin → Integrations → System OAuth Providers** and create a new record:

| Field | Value |
|---|---|
| Name | `MS Graph Copilot` (or any name; you will reference it in step 3) |
| Client ID | Your Azure AD app's Application (client) ID |
| Client Secret | Your Azure AD app's client secret |
| Authorization URL | `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize` |
| Token URL | `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token` |
| Redirect URL | `https://{your-servicely-host}/sso/oauth-callback` |
| Scopes | `https://graph.microsoft.com/.default` |
| Grant Type | Authorization Code |

Note: if Scopes is left blank, the system defaults to `https://graph.microsoft.com/.default`.

### 3. Link the OAuth provider to your OIDC identity provider (recommended)

In Servicely, navigate to **Administrator → Authentication → Identity Providers** and open your Azure AD OIDC/SAML provider record. In the **Linked OAuth Providers** field, add the OAuth provider record created in step 2. This tells Servicely to automatically capture and store the user's Microsoft access and refresh tokens every time they log in via Azure AD SSO.

### 4. Set the application property

In Servicely, navigate to **Admin → Application Properties** and set:

| Property key | Value |
|---|---|
| `microsoft.search.oauth.provider.name` | The name of the OAuth provider created in step 2 (e.g. `MS Graph Copilot`) |

This property tells the Microsoft search service which OAuth provider to use for Copilot retrieval queries.

## How it works

### Token lifecycle

- When a user logs in via Azure AD SSO, Servicely automatically saves their access token and refresh token to the `SystemApiOutboundToken` table, linked to the user and the configured OAuth provider.
- Tokens are automatically refreshed when they expire; no user action is needed after the initial login.
- If a user has never logged in via Azure AD SSO (or their token record is missing), the system prompts them to complete an OAuth consent flow via a "Connect your Microsoft account" link.

### Search behavior

- Searches run against SharePoint, OneDrive for Business, and external items simultaneously, in a single batched Graph API call.
- Results are ranked by relevance score, and the top 5 chunks (default) are returned to the AI assistant.
- If a data source returns an error (e.g. the user has no access), that source is skipped and results from the other sources are still returned.

## Using the search in AI Assistant scripts

The `msSearch` global is available in Servicely AI Assistant tool scripts:

```javascript
// Basic search: runs as the currently logged-in user
let results = msSearch.search("change management process");

// Each result contains:
//   title           document/page title
//   summaryChunk    relevant text extract
//   relevanceScore  score between 0 and 1 (higher = more relevant)
//   resourceLink    URL to the source document
//   resourceType    e.g. "listItem", "site"
//   author          author from document metadata (may be null)
//   dataSource      "sharePoint", "oneDriveBusiness", or "externalItem"
```

## Troubleshooting

### User sees "Microsoft authorization required" message

The user's delegated token is missing or has not yet been initialized.

**Resolution:** The user must log out and log back in via Azure AD SSO. Once they re-authenticate, their token is automatically captured and stored. If the user is not using Azure AD SSO, they will be redirected to a consent URL at `https://<your-servicely-host>/sso/oauth-outbound-redirect/<token-record-id>`; they must visit this URL and complete the Microsoft OAuth consent flow.

### Search returns no results

- Confirm the user has Microsoft 365 content in SharePoint or OneDrive.
- Confirm the Azure AD app has the required delegated permissions and that admin consent has been granted.
- Confirm the user has a Microsoft 365 Copilot license; the `/copilot/retrieval` endpoint requires it.
- Check the Servicely application logs for errors from `MsGraphSearchService`. Look for batch response error messages that indicate the specific failure reason.

### Token not being stored at login

- Confirm the Azure AD identity provider record has the OAuth provider linked (step 3 above).
- Check the Servicely logs during login for errors.

### `InvalidConfigurationException: SystemOAuthProvider for Copilot search not defined`

The application property `microsoft.search.oauth.provider.name` is not set or is blank.

**Resolution:** Follow step 4 above.

### `InvalidConfigurationException: No system OAuth provider found with name <name>`

The name in the application property does not match any existing OAuth provider record.

**Resolution:** Verify that the Name field on the OAuth provider record exactly matches the value in `microsoft.search.oauth.provider.name`.

## Security considerations

- Servicely stores OAuth access and refresh tokens encrypted in the database.
- Searches run with the logged-in user's permissions; users cannot access SharePoint content they are not permitted to see in Microsoft 365.
- Application-level (app-only) credentials are not used for search; delegated user tokens only.
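As an added example (not code from Servicely or Microsoft), the JavaScript below shows the search behavior and the script-side result shape described above working together: one batched Graph call covers all three data sources, a source that returns an error is skipped while the others still contribute, the surviving hits are ranked by `relevanceScore`, and only the top 5 chunks are handed to the assistant as numbered citations. The batch envelope follows the Microsoft Graph JSON batching format (`requests[]` with `id`/`method`/`url`/`body`, `responses[]` with `id`/`status`/`body`). The retrieval request body field names (`queryString`, `dataSource`, `maximumNumberOfResults`) are assumed from Microsoft's retrieval API reference and should be verified against the current documentation; the sub-response bodies are constructed sample data in the simplified result shape this page documents, not the exact Graph payload; and `buildBatchRequest`, `mergeBatchResponses` and `buildAssistantContext` are names chosen here.

```javascript
// Added example, not Servicely's or Microsoft's code. It demonstrates the
// search behavior this page describes: one batched Graph call per query,
// errored sources skipped, hits ranked by relevanceScore, top N returned.

const RETRIEVAL_PATH = "/copilot/retrieval";      // endpoint named on the page
const DATA_SOURCES = ["sharePoint", "oneDriveBusiness", "externalItem"];

// Build the Graph JSON batch envelope: one sub-request per data source.
// The retrieval body field names below are ASSUMED from Microsoft's
// retrieval API reference; verify them before relying on this shape.
function buildBatchRequest(query, maxPerSource = 5, sources = DATA_SOURCES) {
  return {
    requests: sources.map((source) => ({
      id: source,                       // lets us map each response back to its source
      method: "POST",
      url: RETRIEVAL_PATH,
      headers: { "Content-Type": "application/json" },
      body: { queryString: query, dataSource: source, maximumNumberOfResults: maxPerSource },
    })),
  };
}

// CONSTRUCTED sample batch response: two sources succeed, one is denied.
// Bodies use the simplified result shape this page documents, not Graph's.
const SAMPLE_BATCH = {
  responses: [
    { id: "sharePoint", status: 200, body: { hits: [
      { title: "Change Management Process", summaryChunk: "All standard changes must be approved by the CAB before deployment.", relevanceScore: 0.91, resourceLink: "https://contoso.example/sites/itsm/Change.aspx", resourceType: "listItem", author: "Jane Doe" },
      { title: "Change Management Process", summaryChunk: "Emergency changes require a post-implementation review within 48 hours.", relevanceScore: 0.74, resourceLink: "https://contoso.example/sites/itsm/Change.aspx", resourceType: "listItem", author: "Jane Doe" },
      { title: "Change Request Form", summaryChunk: "Complete all risk and rollback fields before submission.", relevanceScore: 0.58, resourceLink: "https://contoso.example/sites/itsm/Lists/CR", resourceType: "listItem", author: null },
      { title: "ITSM Home", summaryChunk: "Welcome to the IT Service Management site.", relevanceScore: 0.35, resourceLink: "https://contoso.example/sites/itsm", resourceType: "site", author: null },
    ] } },
    { id: "oneDriveBusiness", status: 200, body: { hits: [
      { title: "CAB minutes 2024-05.docx", summaryChunk: "The board approved the new change freeze calendar.", relevanceScore: 0.83, resourceLink: "https://contoso-my.example/personal/jdoe/CAB.docx", resourceType: "driveItem", author: "Jane Doe" },
      { title: "Notes.txt", summaryChunk: "todo: ask about change windows", relevanceScore: 0.12, resourceLink: "https://contoso-my.example/personal/jdoe/Notes.txt", resourceType: "driveItem" },
    ] } },
    // This user has no access to the external connector: the source is skipped.
    { id: "externalItem", status: 403, body: { error: { code: "accessDenied", message: "Caller lacks permission." } } },
  ],
};

// Merge per-source sub-responses. Non-2xx sources are recorded and skipped so
// the remaining sources still produce results; surviving hits are sorted by
// relevanceScore (descending) and cut to maxChunks (the page's default of 5).
function mergeBatchResponses(batch, maxChunks = 5, minScore = 0) {
  const merged = [];
  const skipped = [];
  for (const resp of batch.responses) {
    if (resp.status < 200 || resp.status >= 300) {
      const code = resp.body && resp.body.error ? resp.body.error.code : undefined;
      skipped.push({ dataSource: resp.id, status: resp.status, code });
      continue;
    }
    for (const hit of resp.body.hits || []) {
      if (typeof hit.relevanceScore !== "number" || hit.relevanceScore < minScore) continue;
      // Normalise the documented shape: author may be null, dataSource is the sub-request id.
      merged.push({ ...hit, author: hit.author ?? null, dataSource: resp.id });
    }
  }
  merged.sort((a, b) => b.relevanceScore - a.relevanceScore);
  return { results: merged.slice(0, maxChunks), skipped };
}

// Turn the ranked chunks into numbered citations for the assistant prompt.
function buildAssistantContext(results) {
  return results
    .map((r, i) =>
      `[${i + 1}] ${r.title} (${r.dataSource}, score ${r.relevanceScore.toFixed(2)}` +
      `${r.author ? ", by " + r.author : ""})\n${r.summaryChunk}\nSource: ${r.resourceLink}`)
    .join("\n\n");
}

// Usage: in a real tool script the batch request would be sent with the user's
// delegated token; here the constructed response stands in for the reply.
const batchRequest = buildBatchRequest("change management process");
const { results, skipped } = mergeBatchResponses(SAMPLE_BATCH);
console.log(JSON.stringify(batchRequest, null, 2));
console.log(buildAssistantContext(results));
console.log("skipped sources:", skipped);
```

Keeping the skipped sources as data rather than throwing lets a script log them to the application logs (the page's troubleshooting advice for `MsGraphSearchService` batch errors) while still returning whatever the user is permitted to see.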