Skip to main content
This is the full, end-to-end setup for connecting Microsoft to Rivvi — written for the Microsoft 365 / Azure administrator who provisions access. If you just want to connect the tool from the workspace, start with Microsoft 365; come here when you need the IT-side detail. One Microsoft connection covers the whole suite — Power BI, SharePoint, OneDrive, Excel, and Teams — from a single Azure AD app. You never wire those services separately.
There are two ways to connect. Pick one:
  • One-click admin consent — fastest. An admin approves Rivvi’s app for your tenant once. Best for most organizations.
  • Bring your own Azure app — you register your own app and paste its credentials. Choose this if your security policy requires a first-party app, or one-click isn’t offered in your workspace.
Either way, Power BI needs one extra tenant setting that consent alone can’t set — see Enable Power BI access.
If your workspace shows a Connect with Microsoft button on the Microsoft 365 connector, this is the path.
1

Open the Microsoft 365 connector

In the Rivvi workspace: Settings → Connectors → Microsoft 365 → Connect.
2

Click “Connect with Microsoft”

You’re sent to Microsoft’s consent screen. You must be signed in as a Microsoft 365 / Entra admin who can grant consent for your organization.
3

Review and accept

Microsoft shows the exact permissions Rivvi requests (read-only access to SharePoint sites, files, and Teams messages). Click Accept to grant them for your whole organization.
4

You're returned to Rivvi

Rivvi confirms the connection. No app registration, no secrets to copy — Rivvi only records which tenant granted access.
5

Enable Power BI (if you'll use it)

Consent covers SharePoint, OneDrive, Excel, and Teams instantly. Power BI needs one more step — see Enable Power BI access.
One-click grants read-only Microsoft Graph access at the organization level. You still control, inside Rivvi, which specific capabilities the agent may use — see Permissions.

Option B — Bring your own Azure app

Register your own Entra (Azure AD) application and paste three values into Rivvi. This uses the OAuth 2.0 client-credentials (service principal) flow — an app identity, not a user login.

1. Register the app

1

Create the app registration

In the Microsoft Entra admin centerApp registrations → New registration. Give it a name (e.g. Rivvi Connector). Account type Single tenant is fine. No redirect URI is needed for the client-credentials flow.
2

Copy the IDs

On the app’s Overview, copy the Directory (tenant) ID and the Application (client) ID.
3

Create a client secret

Certificates & secrets → New client secret. Copy the secret Value immediately — it’s shown only once.

2. Grant Microsoft Graph permissions

For SharePoint, OneDrive, Excel, and Teams, add Application permissions (not Delegated) under API permissions → Add a permission → Microsoft Graph → Application permissions:
PermissionEnables
Sites.Read.AllSharePoint sites and lists
Files.Read.AllOneDrive files and Excel workbook ranges
Team.ReadBasic.AllListing Teams
Channel.ReadBasic.AllListing channels
ChannelMessage.Read.AllReading channel messages
Group.Read.AllResolving Teams and groups
Then click Grant admin consent for <your org>. Each permission should show a green “Granted” state.
Only add the permissions for the services you’ll actually use. If you’re not using Teams, skip the Teams/Channel permissions. Rivvi asks for read-only access — it never requests write permissions to Graph.

3. Paste into Rivvi

1

Open the connector

Settings → Connectors → Microsoft 365 (or Power BI for Power BI only) → Connect.
2

Enter your three values

FieldWhat to paste
Tenant IDDirectory (tenant) ID
Client IDApplication (client) ID
Client secretThe secret’s Value
Default Power BI workspace ID(Optional) Leave blank to use every workspace, or pin one default
3

Connect

Rivvi verifies the app can reach Microsoft before marking it connected — so a wrong secret or missing permission fails now, not on the first question.

Enable Power BI access

Power BI is the one exception to the “one click and you’re done” story. Microsoft gates the Power BI REST API behind a separate tenant setting that neither admin consent nor Graph permissions can turn on. This is a one-time, tenant-wide step done by a Power BI administrator.
1

Turn on service-principal API access

In the Power BI admin portalTenant settings → Developer settings → “Allow service principals to use Power BI APIs.” Enable it — for the whole organization, or for a security group that contains Rivvi’s app (its service principal).
2

Add the app to your workspaces

A service principal can’t see a workspace until it’s a member. In each Power BI workspace Rivvi should read: Workspace → Manage access → Add the app (or its security group) as a Member or Admin.Granting the tenant setting org-wide exposes every workspace automatically; adding per-workspace gives you tighter control.
If Rivvi says it can’t see any Power BI workspaces even though the connection succeeded, this setting is almost always the cause — the app authenticates fine but has no Power BI API access yet. Enable “Allow service principals to use Power BI APIs” and confirm the app is a member of at least one workspace.

Multiple Power BI workspaces

Rivvi works across every workspace your app can access — not just one. Different workspaces often carry different sensitivity levels (a clinical workspace vs. a marketing one), and Rivvi treats each independently.
  • Discover them — Rivvi can list every workspace the app is a member of.
  • Read across all of them — asking for “my reports” spans all your workspaces; each report is tagged with the workspace it came from.
  • Target one — you (or the agent) can scope a question to a specific workspace by name.
  • Pin a default (optional) — set a Default workspace ID when connecting so ambiguous questions land on your primary workspace. Leave it blank to always work across all of them.
Add Rivvi’s app to a new Power BI workspace at any time — it shows up automatically the next time Rivvi lists workspaces. No reconnecting needed.

Row-level security (RLS) and SSO

A Power BI dataset with row-level security or single sign-on (SSO) can’t be queried by an app identity — that’s a Microsoft platform limit, not a Rivvi one. If the agent hits one, it tells you plainly instead of returning a partial, filtered result. Query a dataset without RLS/SSO, or point Rivvi at the underlying data source.

Troubleshooting

Usually a mistyped client secret (copy the Value, not the Secret ID), a wrong tenant ID, or admin consent not yet granted on the Graph permissions. Re-check API permissions show a green “Granted” state.
The tenant setting “Allow service principals to use Power BI APIs” isn’t enabled, or the app isn’t a member of any workspace. See Enable Power BI access.
The app isn’t a member of that workspace. Add it under Workspace → Manage access as a Member or Admin.
That dataset has RLS or SSO enabled, which an app identity can’t query. Use a dataset without RLS/SSO, or query the underlying source.
Confirm the matching Graph Application permission is added and admin-consented (Sites.Read.All, Files.Read.All, or the Teams permissions). Delegated permissions won’t work for this app-identity flow.

Security notes

  • Rivvi requests read-only access to Microsoft Graph. It never asks to modify SharePoint, OneDrive, Teams, or files.
  • The only Power BI actions that change anything — refreshing a dataset, exporting a report — are write capabilities that ask for your approval every time. See Permissions.
  • With bring-your-own, your app’s secret is stored securely for your organization and never shown back to you. Disconnecting removes it.
  • You can revoke Rivvi’s access any time: disconnect in Rivvi, and (for one-click) remove the app under Enterprise applications in Entra.

Next

Connect Microsoft 365

The connect page for the full suite.

Power BI only

Grant just Power BI, without the rest.

Tool permissions

Control what the agent may do with each capability.

Using connectors in chat

See a connected tool at work.