User Profile
johnjohn-Peter
Steel Contributor
Joined 2 years ago
Recent Discussions
Creating an Office 365 group and SharePoint modern did not create a planner
I created an Office 365 group and a SharePoint modern Team site, but none of them created a new plan inside the Planner, unless I manually do this and link the plan to the existing group. So can we automate this process, so that when an Office 365 group is created, a new planner is created behind the scenes? Thanks
Solved, 31 Views, 0 likes, 1 Comment

Re: Questions about Copilot Agents created using copilot studio, that use SharePoint & data-verse
peterfoster Thanks for the reply.
A1) So for SharePoint, Copilot uses the classic search index to find info?
A2) No, on the same source such as a SharePoint site, we can get different answers if we ask the same question twice, and most of the time the second answer will be more accurate.
A3) Clear, thanks.
A4) So even if we correct the agent, it will not learn from our feedback, is this what you mean?
71 Views, 0 likes, 0 Comments

Questions about Copilot Agents created using copilot studio, that use SharePoint & data-verse
I have developed many Copilot agents using Copilot Studio, which have SharePoint sites and Dataverse tables as their source, but I have these questions that I cannot find clear answers to:
1- Is there an order to how knowledge sources are indexed by a Copilot agent? And if the source is SharePoint, does Copilot use the classic SharePoint search?
2- Why do we sometimes get inconsistent answers when asking the same questions?
3- Is there a way to integrate a PowerBI list instead of a SharePoint list?
4- Can the agent learn through user interaction? Does generative AI need to be turned on for this to occur? In other words, if we have the same source, should we expect the same Copilot agent to provide clearer answers in the future, due to improvements to the underlying AI algorithms?
Thanks

SharePoint Online REST API using Azure Function Managed Identity
I have created an Azure Function which uses .NET Core 8.0, and I enabled its managed identity:-
Also I accessed the Azure Function from "Enterprise Application", and I copied its AppID:-
Then I ran these commands as per this official documentation from Microsoft @ https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/sharepoint-webhooks-using-azd-template#grant-the-function-app-access-to-sharepoint-online :-

    # This script requires the modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, which can be installed with the cmdlet Install-Module below:
    # Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Repository PSGallery -Force
    Connect-MgGraph -Scope "Application.Read.All", "AppRoleAssignment.ReadWrite.All"
    $managedIdentityObjectId = "******" # 'Object (principal) ID' of the managed identity
    $scopeName = "Sites.Selected"
    $resourceAppPrincipalObj = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'" # SPO
    $targetAppPrincipalAppRole = $resourceAppPrincipalObj.AppRoles | ? Value -eq $scopeName
    $appRoleAssignment = @{
        "principalId" = $managedIdentityObjectId
        "resourceId" = $resourceAppPrincipalObj.Id
        "appRoleId" = $targetAppPrincipalAppRole.Id
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -BodyParameter $appRoleAssignment | Format-List

and this command, on the Analytics site:-

    Connect-PnPOnline -Url "https://YOUR_SHAREPOINT_TENANT_PREFIX.sharepoint.com/sites/analytics" -Interactive -ClientId "YOUR_PNP_APP_CLIENT_ID"
    Grant-PnPAzureADAppSitePermission -AppId "****" -DisplayName "YOUR_FUNC_APP_NAME" -Permissions Manage

Everything went well, then I verified the above for the Analytics site, as follows:-
Here is my code inside the Azure Function, to get the items inside a list named "Call Transfer Log Data":-

    accessToken = await GetJwtTokenUsingSystemManagedIdentity();
    try
    {
        string siteUrl = "https://***.sharepoint.com/sites/analytics";
        string listName = "Call Transfer Log Data";
        string tenant = "****";
        string site = "analytics";
        string listTitle = "Call Transfer Log Data";
        siteUrl = $"https://{tenant}.sharepoint.com/sites/{site}";
        string apiBaseUrl = $"{siteUrl}/_api/web/lists/GetByTitle('{listTitle}')/items";
        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        httpClient.DefaultRequestHeaders.Accept.ParseAdd("application/json;odata=verbose");
        string filterDate = DateTime.UtcNow.AddDays(-120).ToString("yyyy-MM-ddTHH:mm:ssZ");
        string requestUrl = $"{apiBaseUrl}?$filter=Modified ge datetime'{filterDate}'&$top=100&$orderby=Modified desc";
        bool hasMore = true;
        int page = 1;
        List<CallTransferLogData> responseContent = new List<CallTransferLogData>();
        while (hasMore)
        {
            Console.WriteLine($"Fetching page {page}...");
            var request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
            var response = await httpClient.SendAsync(request);
            Console.WriteLine("Raw response ");
            Console.WriteLine(response);
            string content = await response.Content.ReadAsStringAsync();
            using JsonDocument doc = JsonDocument.Parse(content);
            Console.WriteLine($"Parse doc {page}...");
            Console.WriteLine("Raw response content:");
            Console.WriteLine(content);
            var root = doc.RootElement.GetProperty("d");
            Console.WriteLine($"Building Root {page}...");
            // Process results
            foreach (var item in root.GetProperty("results").EnumerateArray())
            {
                //code goes here;;
    }//end of try

    private static async Task<string> GetJwtTokenUsingSystemManagedIdentity()
    {
        string resource = "https://****.sharepoint.com/.default";
        var credential = new DefaultAzureCredential();
        var tokenRequestContext = new TokenRequestContext(new[] { resource });
        var token = await credential.GetTokenAsync(tokenRequestContext);
        // Note: this writes the full bearer token to the function log.
        Console.WriteLine("Toekn is " + token.Token);
        return token.Token;
    }

but the content will be {"error_description":"ID3035: The request was not valid or is malformed."}
The full response will be:-

    2025-04-22T16:31:38Z [Information] StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
    2025-04-22T16:31:38Z [Information] {
    2025-04-22T16:31:38Z [Information] Cache-Control: private
    2025-04-22T16:31:38Z [Information] Server: Microsoft-IIS/10.0
    2025-04-22T16:31:38Z [Information] X-NetworkStatistics: 0,********0
    2025-04-22T16:31:38Z [Information] x-ms-diagnostics: 3001000;reason="There has been an error authenticating the request.";category="invalid_client"
    2025-04-22T16:31:38Z [Information] IsOCDI: 0
    2025-04-22T16:31:38Z [Information] X-DataBoundary: NONE
    2025-04-22T16:31:38Z [Information] X-1DSCollectorUrl: https://mobile.events.data.microsoft.com/OneCollector/1.0/
    2025-04-22T16:31:38Z [Information] X-AriaCollectorURL: https://browser.pipe.aria.microsoft.com/Collector/3.0/
    2025-04-22T16:31:38Z [Information] SPRequestGuid: 4***2
    2025-04-22T16:31:38Z [Information] request-id: 4***2
    2025-04-22T16:31:38Z [Information] MS-CV: o****/Q8g.0
    2025-04-22T16:31:38Z [Information] SPRequestDuration: 56
    2025-04-22T16:31:38Z [Information] SPIisLatency: 2
    2025-04-22T16:31:38Z [Information] X-Powered-By: ASP.NET
    2025-04-22T16:31:38Z [Information] MicrosoftSharePointTeamServices: 16.0.0.26002
    2025-04-22T16:31:38Z [Information] X-Content-Type-Options: nosniff
    2025-04-22T16:31:38Z [Information] X-MS-InvokeApp: 1; RequireReadOnly
    2025-04-22T16:31:38Z [Information] P3P: CP="ALL ****"
    2025-04-22T16:31:38Z [Information] WWW-Authenticate: Bearer realm="e****20",client_id="00000003-******00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,D****@*,https://sts.windows.net/*/,https://login.microsoftonline.com/*/v2.0,00000003-0000-0ff1-ce00-000000000000@***b",authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize"
    2025-04-22T16:31:38Z [Information] Date: Tue, 22 Apr 2025 16:31:36 GMT
    2025-04-22T16:31:38Z [Information] Content-Length: 74
    2025-04-22T16:31:38Z [Information] }

Also when I decode the token, I got those valid claims for all the properties. So why is the code not working? Thanks
92 Views, 0 likes, 0 Comments

Azure Function managed identity is raising this error "Access Denied"
We have an Azure Function on .NET 8.0, and we enabled the managed identity of the Azure Function. Then we ran these commands as per this official MS link https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/sharepoint-webhooks-using-azd-template#grant-the-function-app-access-to-sharepoint-online :-

PowerShell command:

    # This script requires the modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, which can be installed with the cmdlet Install-Module below:
    # Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Repository PSGallery -Force
    Connect-MgGraph -Scope "Application.Read.All", "AppRoleAssignment.ReadWrite.All"
    $managedIdentityObjectId = "d3e8dc41-94f2-4b0f-82ff-ed03c363f0f8" # 'Object (principal) ID' of the managed identity
    $scopeName = "Sites.Selected"
    $resourceAppPrincipalObj = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'" # SPO
    $targetAppPrincipalAppRole = $resourceAppPrincipalObj.AppRoles | ? Value -eq $scopeName
    $appRoleAssignment = @{
        "principalId" = $managedIdentityObjectId
        "resourceId" = $resourceAppPrincipalObj.Id
        "appRoleId" = $targetAppPrincipalAppRole.Id
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -BodyParameter $appRoleAssignment | Format-List

And this PnP command:

    Connect-PnPOnline -Url "https://YOUR_SHAREPOINT_TENANT_PREFIX.sharepoint.com/sites/YOUR_SHAREPOINT_SITE_NAME" -Interactive -ClientId "YOUR_PNP_APP_CLIENT_ID"
    Grant-PnPAzureADAppSitePermission -AppId "3150363e-afbe-421f-9785-9d5404c5ae34" -DisplayName "YOUR_FUNC_APP_NAME" -Permissions Manage

Here is the code for the Azure Function, which uses the logged-in user's credential if I am on the development machine and uses the Azure Function managed identity on the hosted app:

    if (Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development")
    {
        var credential = new InteractiveBrowserCredential(); // or AzureCliCredential
        graphClient = new GraphServiceClient(credential);
    }
    else
    {
        var credential = new DefaultAzureCredential(); // Managed Identity
        graphClient = new GraphServiceClient(credential);
        var token = await new DefaultAzureCredential().GetTokenAsync(
            new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" })
        );
        _logger.LogInformation("Token acquired: " + token.Token.Substring(0, 20) + "...");
    }

    //Call to get the "Call Transfer Log Data" sharepoint list data
    try
    {
        var sitePath = "e**87";
        var listId = "6****";
        var allItems = new List<ListItem>();
        // Initial page request with Expand = fields
        var page = await graphClient
            .Sites[sitePath]
            .Lists[listId]
            .Items
            .GetAsync(config =>
            {
                config.QueryParameters.Top = 100;
                config.QueryParameters.Expand = new string[]{ "fields($select=*)" };
            });
        allItems.AddRange(page?.Value ?? []);
        // code goes here...
    }

Then I verified the setting, by running this command:

    Get-PnPAzureADAppSitePermission -Site "<Site URL>"

I get this result:

    Id : ***...-....
    Roles : {Manage}
    App : Microsoft.Azure.Functions – 3150363e-afbe-421f-9785-9d5404c5ae34

In the development environment, the code is working fine, while in the hosted Azure Function, the code raised an exception: Access Denied
Any advice? It seems I use all the needed settings.
201 Views, 0 likes, 3 Comments

Re: Only allow the creator of the item and the user direct manager to view the submitted item
DJ_Jamba Not sure how this is working for you, but if you do not have full control on the list you will not be able to see any item if the item-level is set to only see and edit your own items, even if you have full control on the item. Are you sure this is working for you? And I agree with you that "Item level permissions supercede", that is why your scenario will not work.
25 Views, 0 likes, 0 Comments

Re: Only allow the creator of the item and the user direct manager to view the submitted item
DJ_Jamba Are you sure this will work? As if you have these settings:- and you granted the Approver's Approve permission, then Read permission, then the Approver user will not be able to see the item. The above settings for the Item-Level Permissions will only allow the creator of the item + the user with full control ON THE LIST to see the items. So how come an Approver user (who did not create the item) will be able to see the item? Are you sure this is working for you?
27 Views, 0 likes, 2 Comments

Re: Only allow the creator of the item and the user direct manager to view the submitted item
DJ_Jamba I think you are referring to the same approach I am talking about, which does not work for me. Now if we will depend on the workflow to set the permissions, then this means the item will be exposed till the workflow runs, which can take up to 1-2 minutes. Also, setting that the user can only view their items, then how will the manager be able to see this item, to be able to approve/reject it? In this case if we want the manager to view the user items, then we will need to grant the manager full control on the list, which we do not want to have. Can you re-read my question, and you will see that what you proposed is exactly what did not work for me, and that is why I asked this question. Thanks
41 Views, 0 likes, 0 Comments

Re: Read-Only permission is able to create new list item using the list forms shared with them
Just_Being_Manik First, this issue will not happen with Power Apps, as Power Apps interacts with SharePoint using the logged-in user's credential, so if the user does not have access to the list or has read-only access to the list, then the user will never be able to add a new item through Power Apps, even if the app is shared with the user. The issue is happening specifically with list forms. Also not sure what the list settings such as "Item-level Permissions" have to do with this, as they target a different scenario, where it allows users to only view items created by them, or only edit items created by them. It does not have to do with the issue I am referring to.
91 Views, 0 likes, 0 Comments

Read-Only permission is able to create new list item using the list forms shared with them
I have 2 users: Admin & Test User. Now I created a new custom list, and I granted the Test User Read permission on the list, as follows:-
So when the Test User accesses the list, they cannot add/edit items, which is logical. Now using the Admin user, I created a new list form, and I copied the form link and sent it to the Test User:-
Then the Test User was able to add a new list item through the form:-
So how come a user with Read-Only permission is able to do so? I need a fix for this please, as this can break our business logic and security constraints. Thanks
339 Views, 0 likes, 3 Comments

Re: Only allow the creator of the item and the user direct manager to view the submitted item
grant_jenkins I am not sure how this is supposed to work, as if you do not have permission to add items inside the list, then you will not be able to add the item even using the list forms, keeping in mind that the workflow will only run after physically adding the item inside SharePoint! Can you elaborate more?
84 Views, 0 likes, 2 Comments

Re: How to get a user P.O. Box from Active directory using Graph API
VasilMichev OK, thanks for the reply, but what is the value I got from this endpoint:- https://graph.microsoft.com/beta/users/<useremail>/profile/
I got a PostOfficeBox, but it is null:- "postOfficeBox": null,
46 Views, 0 likes, 2 Comments

Re: Copilot Agent inside SharePoint site is not able to answer questions regarding the custom columns
MichaelPBoisvert Thanks for the reply. Since I asked the question, I was able to fix this by creating a Power Automate flow to get those custom metadata, but I am open to other suggestions.
289 Views, 1 like, 0 Comments

Re: Copilot Agent inside SharePoint site is not able to answer questions regarding the custom columns
Kelly_Edinger Thanks for the reply. Not sure what you mean by "try to add metadata as document properties"? Are not SharePoint custom columns mapped automatically inside Office documents? I was able to fix this by creating a Power Automate flow to get those custom metadata, but I am open to other suggestions.
369 Views, 0 likes, 1 Comment