使用 OAuth 2.0 ROPC 流身份驗證方法將 Amazon Q Business 與 SharePoint（線上）集成

企業在存取和利用分散在組織各個系統中的大量資訊方面面臨重大挑戰。如果您可以簡單地提出一個問題，然後從公司的整個知識庫中獲得即時、準確的答案，同時考慮到單一使用者的資料存取級別，該怎麼辦？

Enterprises face significant challenges accessing and utilizing the vast amounts of information scattered across an organization’s various systems. What if you could simply ask a question and get instant, accurate answers from your company’s entire knowledge base, while accounting for an individual user’s data access levels?

企業在存取和利用分散在組織各個系統中的大量資訊方面面臨重大挑戰。如果您可以簡單地提出一個問題，然後從公司的整個知識庫中獲得即時、準確的答案，同時考慮到單一使用者的資料存取級別，該怎麼辦？

Amazon Q Business is a game changing AI assistant that’s revolutionizing how enterprises interact with their data. With Amazon Q Business, you can access relevant information through natural language conversations, drawing insights from diverse data sources within your organization, adhering to the permissions granted to your user account.

Amazon Q Business 是一款改變遊戲規則的 AI 助手，它徹底改變了企業與其資料互動的方式。借助 Amazon Q Business，您可以透過自然語言對話存取相關信息，從組織內的不同資料來源中獲取見解，並遵守授予您的使用者帳戶的權限。

At its core, Amazon Q Business works by first indexing the content from a variety of data sources using built-in data source connectors. These connectors function as an integration layer, unifying content from diverse systems such as Salesforce, Microsoft Exchange, and SharePoint into a centralized index. This consolidated index powers the natural language processing and response generation capabilities of Amazon Q. When a user asks a question using the built-in web experience, Amazon Q Business retrieves relevant content from the index, taking into account user profiles and permissions. It then uses large language models (LLMs) to provide accurate, personalized, and well-written responses based on the consolidated data.

Amazon Q Business 的核心工作原理是首先使用內建資料來源連接器對來自各種資料來源的內容建立索引。這些連接器可作為整合層，將來自 Salesforce、Microsoft Exchange 和 SharePoint 等不同系統的內容統一到集中索引中。此綜合索引為 Amazon Q 的自然語言處理和回應產生功能提供支援。然後，它使用大型語言模型 (LLM) 根據整合的數據提供準確、個人化且寫得好的回應。

For a full list of Amazon Q supported data source connectors, refer to Supported connectors.

有關 Amazon Q 支援的資料來源連接器的完整列表，請參閱支援的連接器。

This approach is useful when you need Amazon Q Business to crawl through OneNote or if you don’t want to deal with certificates or in scenarios that require regular password rotation.

當您需要 Amazon Q Business 爬取 OneNote 時，或者您不想處理憑證或需要定期密碼輪替的場景時，此方法非常有用。

We provide a step-by-step guide for the Azure AD configuration and demonstrate how to set up the Amazon Q connector to establish this secure integration.

我們提供了 Azure AD 配置的逐步指南，並示範如何設定 Amazon Q 連接器來建立此安全性整合。

Solution overview

解決方案概述

SharePoint is a web-based solution developed by Microsoft that enables organizations to collaborate, manage documents, and share information efficiently. It offers a wide range of features, including using document libraries, viewing lists, publishing pages, sharing events and links, and allowing users to make comments, making it a great tool for team collaboration and content management.

SharePoint 是 Microsoft 開發的基於 Web 的解決方案，使組織能夠有效率地協作、管理文件和共享資訊。它提供了廣泛的功能，包括使用文件庫、查看清單、發布頁面、共享事件和連結以及允許用戶發表評論，使其成為團隊協作和內容管理的絕佳工具。

After integrating SharePoint Online with Amazon Q Business, you can ask questions using natural language about the content stored in the SharePoint sites. For example, if your organization’s human resources team manages an internal SharePoint site and maintains a list of holidays for geographical regions, you can ask, “What are the company holidays for this year?” Amazon Q Business will then list region-specific holidays based on your location (country).

將 SharePoint Online 與 Amazon Q Business 整合後，您可以使用自然語言提出有關 SharePoint 網站中儲存的內容的問題。例如，如果您組織的人力資源團隊管理內部 SharePoint 網站並維護地理區域的假期列表，您可以問“今年公司假期是多少？”然後，Amazon Q Business 將根據您所在的位置（國家/地區）列出特定於地區的假日。

The following diagram illustrates the solution architecture. In the upcoming sections, we show you how to implement this architecture. After you integrate Amazon Q Business using the SharePoint connector, Amazon Q Business will crawl through the SharePoint content and update the index whenever content changes. Each published event, page, link, file, comment, OneNote, and attachment on the SharePoint site is treated as a document. In addition to the documents, it also crawls through access control lists (ACLs) for each document (user and group information) and stores them in the . This allows end-users to see chat responses generated only from the documents they have access to.

下圖展示了該解決方案的架構。在接下來的部分中，我們將向您展示如何實現此架構。使用 SharePoint 連接器整合 Amazon Q Business 後，Amazon Q Business 將爬取 SharePoint 內容並在內容變更時更新索引。 SharePoint 網站上的每個發佈的事件、頁面、連結、文件、評論、OneNote 和附件都被視為一個文件。除了文件之外，它還抓取每個文件（使用者和群組資訊）的存取控制清單 (ACL)，並將它們儲存在 .這允許最終用戶查看僅從他們有權訪問的文件生成的聊天回應。

You can configure Azure AD using either of the following methods:

您可以使用下列任一方法設定 Azure AD：

We demonstrate both methods in the following sections.

我們在以下部分中演示這兩種方法。

Prerequisites

先決條件

To follow along, you need the following prerequisites:

要繼續操作，您需要滿足以下先決條件：

Configure Azure AD using the Azure AD console

使用 Azure AD 控制台設定 Azure AD

To configure Azure AD using the GUI, complete the steps in this section.

若要使用 GUI 設定 Azure AD，請完成本部分的步驟。

Register an Azure AD application

註冊 Azure AD 應用程式

Complete the following steps to register an Azure AD application in the Azure AD tenant that is linked to the SharePoint Online/O365 tenant:

完成下列步驟，在連結至 SharePoint Online/O365 租用戶的 Azure AD 租用戶中註冊 Azure AD 應用程式：

An application will be created. You will see a page like the following screenshot.

將創建一個應用程式。您將看到類似以下螢幕截圖的頁面。

Now you can configure the newly registered application with Microsoft Graph and SharePoint API permissions.

現在，您可以使用 Microsoft Graph 和 SharePoint API 權限來設定新註冊的應用程式。

When configuring permissions, you have two different options:

配置權限時，您有兩種不同的選擇：

For option 1, install the MS Graph PowerShell SDK as a prerequisite.

對於選項 1，先決條件是安裝 MS Graph PowerShell SDK。

Option 1: Manually allow access to specific SharePoint sites

選項 1：手動允許存取特定 SharePoint 網站

If you choose option 1, to grant access to specific sites instead of all sites, you need to complete additional prerequisites.

如果您選擇選項 1，以授予對特定網站而不是所有網站的存取權限，則您需要完成其他先決條件。

Make sure you have access to another application in Microsoft Entra ID with Sites.FullControl.All application-level permissions, along with its client ID and client secret. This application won’t be used by the Amazon Q Business connector, but it’s needed to grant Sites.Selected permissions only to the application you just registered. If you don’t have access to an application with Sites.FullControl permissions, you can follow the previous steps to register a new application and grant Sites.FullControl as described in option 2. We refer to this application as SitesFullControlApp.

確保您有權使用 Sites.FullControl.All 應用程式層級權限存取 Microsoft Entra ID 中的另一個應用程式及其用戶端 ID 和用戶端金鑰。 Amazon Q Business 連接器不會使用此應用程序，但需要它僅向您剛剛註冊的應用程式授予 Sites.Selected 權限。如果您無法存取具有 Sites.FullControl 權限的應用程序，則可以按照前面的步驟註冊新應用程式並授予 Sites.FullControl（如選項 2 所述）。

To configure your permissions using option 1, complete the following steps:

若要使用選項 1 設定您的權限，請完成下列步驟：

You will see the permissions listed as shown in the following screenshot.

您將看到列出的權限，如以下螢幕截圖所示。

After granting admin consent, your permissions should look like the following screenshot.

授予管理員同意後，您的權限應如下圖所示。

The output from the PowerShell script will look like the following screenshot.

PowerShell 腳本的輸出將類似於以下螢幕截圖。

This completes the steps to configure permissions for a specific set of SharePoint site collections.

這就完成了為一組特定的 SharePoint 網站集配置權限的步驟。

Option 2: Manually allow

選項 2：手動允許