
Get Ahead of the Amazon Q Business and Amazon Kendra SharePoint Connector Security Update
Updating the Microsoft Graph API permissions of your Amazon Q Business and Amazon Kendra SharePoint connectors: Essential steps to prepare for the upcoming security update
Abhinand Sukumar
Amazon Employee
Published May 19, 2025
AWS announced security updates to the Amazon Q Business and Amazon Kendra SharePoint connectors scheduled for June 5, 2025. Customers should update the Microsoft Graph API permissions for their connectors by June 5, 2025 to take advantage of these updates and avoid sync failures. This security update to the SharePoint connector improves access control and reduces the risk of disabled SharePoint users accessing SharePoint data through Amazon Q Business or Amazon Kendra.
Organizations using the Amazon Q Business or Amazon Kendra SharePoint connector need to ask their SharePoint admin to verify that the connector has the Microsoft Graph API permissions listed in this article, and to add any that are missing.
We are requiring the following additional Microsoft Graph permissions for the Q Business SharePoint connector starting June 5, 2025:
- "GroupMember.Read.All"
- "Notes.Read.All"
- "User.Read.All"
This will help improve the Q Business connector user experience and help Q Business perform additional checks to protect your sensitive data.
To enable these permissions for your Q Business SharePoint connector, perform the following steps:
- Log in to your Azure portal.
- Navigate to "App Registrations".
- Search for the application you configured for Amazon Q Business and click on it.
- In the left navigation bar, click on "Manage > API permissions".
- Click on "Add a permission", and then add the following permissions to your application:
  - "GroupMember.Read.All"
  - "Notes.Read.All"
  - "User.Read.All"

  An example is shown below.

  [Image: Graph permissions]
- If you configured the application with SharePoint permission "Sites.FullControl.All", add the Microsoft Graph permission "Sites.Read.All".
- If you configured the application with SharePoint permission "Sites.Selected", add the Microsoft Graph permission "Sites.Selected".
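One way to confirm the result, as an added example that is not from the original article: an app-only access token issued to the connector's application for Microsoft Graph lists its consented application permissions in the `roles` claim (delegated scopes appear in `scp`), so decoding the token shows which required permissions are still missing. The function names and the sample token are constructed for illustration, and the payload is decoded for inspection only, without verifying the signature.

```python
import base64
import json

# Graph permissions the article lists as required from June 5, 2025.
BASE_REQUIRED = {"GroupMember.Read.All", "Notes.Read.All", "User.Read.All"}
# Extra Graph permission, keyed by the SharePoint permission the app was configured with.
CONDITIONAL = {
    "Sites.FullControl.All": "Sites.Read.All",
    "Sites.Selected": "Sites.Selected",
}

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims):
    """Collect application permissions ('roles') and delegated scopes ('scp')."""
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return set(roles) | set(scopes)

def missing_permissions(token, sharepoint_permission=None):
    """Return the required Graph permissions that the token does not carry."""
    required = set(BASE_REQUIRED)
    if sharepoint_permission in CONDITIONAL:
        required.add(CONDITIONAL[sharepoint_permission])
    return sorted(required - granted_permissions(jwt_claims(token)))

def _constructed_token(claims):
    """Build an unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample: an app that has only two of the needed permissions.
SAMPLE = _constructed_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All", "Sites.Read.All"]}
)

if __name__ == "__main__":
    print(missing_permissions(SAMPLE, "Sites.FullControl.All"))
```

An empty list means every permission from the steps above has been consented; a permission that was added but not yet granted admin consent will still show up as missing.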
Congrats! Your SharePoint connector is now set up for the upcoming security updates. By completing these steps, you have ensured uninterrupted service for your SharePoint connector when the updates are released on June 5, 2025. Your users will continue to enjoy seamless access to SharePoint content through Amazon Q Business or Amazon Kendra, with all search and retrieval capabilities working as expected.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.