使用 OAuth 2.0 ROPC 流身份验证方法将 Amazon Q Business 与 SharePoint（在线）集成

企业在访问和利用分散在组织各个系统中的大量信息方面面临着重大挑战。如果您可以简单地提出一个问题，然后从公司的整个知识库中获得即时、准确的答案，同时考虑到单个用户的数据访问级别，该怎么办？

Enterprises face significant challenges accessing and utilizing the vast amounts of information scattered across an organization’s various systems. What if you could simply ask a question and get instant, accurate answers from your company’s entire knowledge base, while accounting for an individual user’s data access levels?

企业在访问和利用分散在组织各个系统中的大量信息方面面临着重大挑战。如果您可以简单地提出一个问题，然后从公司的整个知识库中获得即时、准确的答案，同时考虑到单个用户的数据访问级别，该怎么办？

Amazon Q Business is a game changing AI assistant that’s revolutionizing how enterprises interact with their data. With Amazon Q Business, you can access relevant information through natural language conversations, drawing insights from diverse data sources within your organization, adhering to the permissions granted to your user account.

Amazon Q Business 是一款改变游戏规则的 AI 助手，它彻底改变了企业与其数据交互的方式。借助 Amazon Q Business，您可以通过自然语言对话访问相关信息，从组织内的不同数据源中获取见解，并遵守授予您的用户账户的权限。

At its core, Amazon Q Business works by first indexing the content from a variety of data sources using built-in data source connectors. These connectors function as an integration layer, unifying content from diverse systems such as Salesforce, Microsoft Exchange, and SharePoint into a centralized index. This consolidated index powers the natural language processing and response generation capabilities of Amazon Q. When a user asks a question using the built-in web experience, Amazon Q Business retrieves relevant content from the index, taking into account user profiles and permissions. It then uses large language models (LLMs) to provide accurate, personalized, and well-written responses based on the consolidated data.

Amazon Q Business 的核心工作原理是首先使用内置数据源连接器对来自各种数据源的内容建立索引。这些连接器充当集成层，将来自 Salesforce、Microsoft Exchange 和 SharePoint 等不同系统的内容统一到集中索引中。此综合索引为 Amazon Q 的自然语言处理和响应生成功能提供支持。当用户使用内置 Web 体验提出问题时，Amazon Q Business 会考虑用户配置文件和权限，从索引中检索相关内容。然后，它使用大型语言模型 (LLM) 根据整合的数据提供准确、个性化且写得好的回复。

For a full list of Amazon Q supported data source connectors, refer to Supported connectors.

有关 Amazon Q 支持的数据源连接器的完整列表，请参阅支持的连接器。

This approach is useful when you need Amazon Q Business to crawl through OneNote or if you don’t want to deal with certificates or in scenarios that require regular password rotation.

当您需要 Amazon Q Business 爬取 OneNote 时，或者您不想处理证书或需要定期密码轮换的场景时，此方法非常有用。

We provide a step-by-step guide for the Azure AD configuration and demonstrate how to set up the Amazon Q connector to establish this secure integration.

我们提供了 Azure AD 配置的分步指南，并演示了如何设置 Amazon Q 连接器来建立这种安全集成。

Solution overview

解决方案概述

SharePoint is a web-based solution developed by Microsoft that enables organizations to collaborate, manage documents, and share information efficiently. It offers a wide range of features, including using document libraries, viewing lists, publishing pages, sharing events and links, and allowing users to make comments, making it a great tool for team collaboration and content management.

SharePoint 是 Microsoft 开发的基于 Web 的解决方案，使组织能够高效地协作、管理文档和共享信息。它提供了广泛的功能，包括使用文档库、查看列表、发布页面、共享事件和链接以及允许用户发表评论，使其成为团队协作和内容管理的绝佳工具。

After integrating SharePoint Online with Amazon Q Business, you can ask questions using natural language about the content stored in the SharePoint sites. For example, if your organization’s human resources team manages an internal SharePoint site and maintains a list of holidays for geographical regions, you can ask, “What are the company holidays for this year?” Amazon Q Business will then list region-specific holidays based on your location (country).

将 SharePoint Online 与 Amazon Q Business 集成后，您可以使用自然语言提出有关 SharePoint 网站中存储的内容的问题。例如，如果您组织的人力资源团队管理内部 SharePoint 网站并维护地理区域的假期列表，您可以问“今年公司假期是多少？”然后，Amazon Q Business 将根据您所在的位置（国家/地区）列出特定于地区的节假日。

The following diagram illustrates the solution architecture. In the upcoming sections, we show you how to implement this architecture. After you integrate Amazon Q Business using the SharePoint connector, Amazon Q Business will crawl through the SharePoint content and update the index whenever content changes. Each published event, page, link, file, comment, OneNote, and attachment on the SharePoint site is treated as a document. In addition to the documents, it also crawls through access control lists (ACLs) for each document (user and group information) and stores them in the . This allows end-users to see chat responses generated only from the documents they have access to.

下图展示了该解决方案的架构。在接下来的部分中，我们将向您展示如何实现此架构。使用 SharePoint 连接器集成 Amazon Q Business 后，Amazon Q Business 将爬取 SharePoint 内容并在内容发生更改时更新索引。 SharePoint 网站上的每个发布的事件、页面、链接、文件、评论、OneNote 和附件都被视为一个文档。除了文档之外，它还抓取每个文档（用户和组信息）的访问控制列表 (ACL)，并将它们存储在 .这允许最终用户查看仅从他们有权访问的文档生成的聊天响应。

You can configure Azure AD using either of the following methods:

您可以使用以下任一方法配置 Azure AD：

We demonstrate both methods in the following sections.

我们在以下部分中演示这两种方法。

Prerequisites

先决条件

To follow along, you need the following prerequisites:

要继续操作，您需要满足以下先决条件：

Configure Azure AD using the Azure AD console

使用 Azure AD 控制台配置 Azure AD

To configure Azure AD using the GUI, complete the steps in this section.

要使用 GUI 配置 Azure AD，请完成本部分中的步骤。

Register an Azure AD application

注册 Azure AD 应用程序

Complete the following steps to register an Azure AD application in the Azure AD tenant that is linked to the SharePoint Online/O365 tenant:

完成以下步骤，在链接到 SharePoint Online/O365 租户的 Azure AD 租户中注册 Azure AD 应用程序：

An application will be created. You will see a page like the following screenshot.

将创建一个应用程序。您将看到类似以下屏幕截图的页面。

Now you can configure the newly registered application with Microsoft Graph and SharePoint API permissions.

现在，您可以使用 Microsoft Graph 和 SharePoint API 权限配置新注册的应用程序。

When configuring permissions, you have two different options:

配置权限时，您有两种不同的选择：

For option 1, install the MS Graph PowerShell SDK as a prerequisite.

对于选项 1，先决条件是安装 MS Graph PowerShell SDK。

Option 1: Manually allow access to specific SharePoint sites

选项 1：手动允许访问特定 SharePoint 网站

If you choose option 1, to grant access to specific sites instead of all sites, you need to complete additional prerequisites.

如果您选择选项 1，以授予对特定站点而不是所有站点的访问权限，则您需要完成其他先决条件。

Make sure you have access to another application in Microsoft Entra ID with Sites.FullControl.All application-level permissions, along with its client ID and client secret. This application won’t be used by the Amazon Q Business connector, but it’s needed to grant Sites.Selected permissions only to the application you just registered. If you don’t have access to an application with Sites.FullControl permissions, you can follow the previous steps to register a new application and grant Sites.FullControl as described in option 2. We refer to this application as SitesFullControlApp.

确保您有权使用 Sites.FullControl.All 应用程序级别权限访问 Microsoft Entra ID 中的另一个应用程序及其客户端 ID 和客户端密钥。 Amazon Q Business 连接器不会使用此应用程序，但需要它仅向您刚刚注册的应用程序授予 Sites.Selected 权限。如果您无权访问具有 Sites.FullControl 权限的应用程序，则可以按照前面的步骤注册新应用程序并授予 Sites.FullControl（如选项 2 中所述）。我们将此应用程序称为 SitesFullControlApp。

To configure your permissions using option 1, complete the following steps:

要使用选项 1 配置您的权限，请完成以下步骤：

You will see the permissions listed as shown in the following screenshot.

您将看到列出的权限，如以下屏幕截图所示。

After granting admin consent, your permissions should look like the following screenshot.

授予管理员同意后，您的权限应如下图所示。

The output from the PowerShell script will look like the following screenshot.

PowerShell 脚本的输出将类似于以下屏幕截图。

This completes the steps to configure permissions for a specific set of SharePoint site collections.

这就完成了为一组特定的 SharePoint 网站集配置权限的步骤。

Option 2: Manually allow

选项 2：手动允许