There are two ways to connect. Pick one:
- One-click admin consent — fastest. An admin approves Rivvi’s app for your tenant once. Best for most organizations.
- Bring your own Azure app — you register your own app and paste its credentials. Choose this if your security policy requires a first-party app, or one-click isn’t offered in your workspace.
Option A — One-click admin consent (fastest)
If your workspace shows a Connect with Microsoft button on the Microsoft 365 connector, this is the path.Open the Microsoft 365 connector
In the Rivvi workspace: Settings → Connectors → Microsoft 365 → Connect.
Click “Connect with Microsoft”
You’re sent to Microsoft’s consent screen. You must be signed in as a Microsoft 365 / Entra admin who can grant consent for your organization.
Review and accept
Microsoft shows the exact permissions Rivvi requests (read-only access to SharePoint sites, files, and Teams messages). Click Accept to grant them for your whole organization.
You're returned to Rivvi
Rivvi confirms the connection. No app registration, no secrets to copy — Rivvi only records which tenant granted access.
Enable Power BI (if you'll use it)
Consent covers SharePoint, OneDrive, Excel, and Teams instantly. Power BI needs one more step — see Enable Power BI access.
One-click grants read-only Microsoft Graph access at the organization level. You still control, inside Rivvi, which specific capabilities the agent may use — see Permissions.
Option B — Bring your own Azure app
Register your own Entra (Azure AD) application and paste three values into Rivvi. This uses the OAuth 2.0 client-credentials (service principal) flow — an app identity, not a user login.1. Register the app
Create the app registration
In the Microsoft Entra admin center → App registrations → New registration. Give it a name (e.g. Rivvi Connector). Account type Single tenant is fine. No redirect URI is needed for the client-credentials flow.
2. Grant Microsoft Graph permissions
For SharePoint, OneDrive, Excel, and Teams, add Application permissions (not Delegated) under API permissions → Add a permission → Microsoft Graph → Application permissions:| Permission | Enables |
|---|---|
Sites.Read.All | SharePoint sites and lists |
Files.Read.All | OneDrive files and Excel workbook ranges |
Team.ReadBasic.All | Listing Teams |
Channel.ReadBasic.All | Listing channels |
ChannelMessage.Read.All | Reading channel messages |
Group.Read.All | Resolving Teams and groups |
3. Paste into Rivvi
Enter your three values
| Field | What to paste |
|---|---|
| Tenant ID | Directory (tenant) ID |
| Client ID | Application (client) ID |
| Client secret | The secret’s Value |
| Default Power BI workspace ID | (Optional) Leave blank to use every workspace, or pin one default |
Enable Power BI access
Power BI is the one exception to the “one click and you’re done” story. Microsoft gates the Power BI REST API behind a separate tenant setting that neither admin consent nor Graph permissions can turn on. This is a one-time, tenant-wide step done by a Power BI administrator.Turn on service-principal API access
In the Power BI admin portal → Tenant settings → Developer settings → “Allow service principals to use Power BI APIs.” Enable it — for the whole organization, or for a security group that contains Rivvi’s app (its service principal).
Add the app to your workspaces
A service principal can’t see a workspace until it’s a member. In each Power BI workspace Rivvi should read: Workspace → Manage access → Add the app (or its security group) as a Member or Admin.Granting the tenant setting org-wide exposes every workspace automatically; adding per-workspace gives you tighter control.
Multiple Power BI workspaces
Rivvi works across every workspace your app can access — not just one. Different workspaces often carry different sensitivity levels (a clinical workspace vs. a marketing one), and Rivvi treats each independently.- Discover them — Rivvi can list every workspace the app is a member of.
- Read across all of them — asking for “my reports” spans all your workspaces; each report is tagged with the workspace it came from.
- Target one — you (or the agent) can scope a question to a specific workspace by name.
- Pin a default (optional) — set a Default workspace ID when connecting so ambiguous questions land on your primary workspace. Leave it blank to always work across all of them.
Row-level security (RLS) and SSO
A Power BI dataset with row-level security or single sign-on (SSO) can’t be queried by an app identity — that’s a Microsoft platform limit, not a Rivvi one. If the agent hits one, it tells you plainly instead of returning a partial, filtered result. Query a dataset without RLS/SSO, or point Rivvi at the underlying data source.Troubleshooting
“Couldn't verify credentials” when connecting (bring-your-own)
“Couldn't verify credentials” when connecting (bring-your-own)
Usually a mistyped client secret (copy the Value, not the Secret ID), a wrong tenant ID, or admin consent not yet granted on the Graph permissions. Re-check API permissions show a green “Granted” state.
Connected, but no Power BI workspaces show up
Connected, but no Power BI workspaces show up
The tenant setting “Allow service principals to use Power BI APIs” isn’t enabled, or the app isn’t a member of any workspace. See Enable Power BI access.
A specific Power BI workspace is missing
A specific Power BI workspace is missing
The app isn’t a member of that workspace. Add it under Workspace → Manage access as a Member or Admin.
A dataset query fails with a row-level security message
A dataset query fails with a row-level security message
That dataset has RLS or SSO enabled, which an app identity can’t query. Use a dataset without RLS/SSO, or query the underlying source.
Security notes
- Rivvi requests read-only access to Microsoft Graph. It never asks to modify SharePoint, OneDrive, Teams, or files.
- The only Power BI actions that change anything — refreshing a dataset, exporting a report — are write capabilities that ask for your approval every time. See Permissions.
- With bring-your-own, your app’s secret is stored securely for your organization and never shown back to you. Disconnecting removes it.
- You can revoke Rivvi’s access any time: disconnect in Rivvi, and (for one-click) remove the app under Enterprise applications in Entra.
Next
Connect Microsoft 365
The connect page for the full suite.
Power BI only
Grant just Power BI, without the rest.
Tool permissions
Control what the agent may do with each capability.
Using connectors in chat
See a connected tool at work.