Configuring Document-level Security for SharePoint Online

Applies to version and subsequent versions unless specifically overridden To enable document level-security for SharePoint Online, you need to follow the procedures below:

  1. Register an application with Microsoft Azure Active Directory, and
  2. Configure SharePoint crawler to enable document-level security for SharePoint Online.


SharePoint crawler can crawl SharePoint Online only with the default Azure Active Directory (Azure AD) authentication at this point. It is not supported to crawl SharePoint Online with the other types of authentication, such as using your own local Active Directory Federation Service (ADFS). The user name for the default Azure AD authentication would be in the form of <username>@<domain> Consult with Microsoft support for more details about SharePoint Online configuration.

Register with Microsoft Azure Active Directory

  1. Log in to Microsoft Azure Portal with an account with administrator role of your SharePoint Online. The user name would be in the form of <admin_user>@<domain>
  2. Register an application. You can register an application from the Azure Active Directory > App registrations > New registration page on the portal. You can set an arbitrary name for the application (e.g. WEX). You may be asked to set a redirect URL of the application when you register an application. Because Watson Explorer does not use the URL, you may set any URL to complete the registration.
  3. An application (client) ID should be assigned to the application when you register it. Make a record of the application ID. You need to supply it to your SharePoint crawler configuration to enable document-level security.
  4. Set the client type to treat it as a public client. You can set it by navigating to the Authentication > Advanced settings > Default client type menu and setting it to Yes.
  5. Add and grant the following permissions to the application. You can add permissions from the API permissionsAdd a permission button. Make sure to grant the permissions after you add them, by clicking the Grant admin consent for *** button at the bottom of the API permissions page.
    API Permissions
    (Choose at least one of permissions in each row)
    Microsoft Graph
    • Read all groups (Group.Read.All)
    • Read and write all groups (Group.ReadWrite.All)
    • Access directory as the signed in user (Directory.AccessAsUser.All)
    • Read directory data (Directory.Read.All)
    • Read and write directory data (Directory.ReadWrite.All)
    (Office 365 SharePoint Online)
    • Read user profile (User.Read.All)
    • Read and write user profiles (User.ReadWrite.All)

    For more details on how to register an application and/or grant permissions, consult with Microsoft support.

Configure SharePoint crawler to enable document-level security for SharePoint Online

Make sure to do the following:

  1. Check the Enable document-level security option when you create a dataset and add a SharePoint crawler to the dataset,
  2. Enable the Crawl SharePoint Online option, and
  3. Set the application ID provided by Azure Active Directory to the Application (Client) ID assigned on Azure Portal property on your SharePoint crawler - configuration properties.