Introduction
This article will walk through configuring a SharePoint Online web connection in FME Form using a single tenant Azure app registration with delegated permissions. Delegated permissions allow a user to authorize a connection with their Microsoft credentials.
To know if this is the right approach for you, and for a full list of all SharePoint connection articles, please first read Getting Started with Microsoft SharePoint.
Please note that Microsoft Azure is subject to change at any time, so the instructions and screenshots in this article may be slightly different, but the concepts remain the same.
This article is written for FME Form using Personal (default) or Shared Connection Storage.
If you have enabled FME Flow Connection Storage in FME Form, then in Part 1, Step 3, you will instead need to configure the web platform with a redirect URI of http://<yourFMEFlowURL>/fmeoauth and create a client secret in your Azure app registration, as described in Part 1 of How to Create a SharePoint Single Tenant Web Connection for FME Flow. The same redirect URI and client secret must also be used when creating the web service in Part 2. There is no need to upload the connection to FME Flow afterwards, as it will be created from FME Form. Again, this is only required if you have enabled FME Flow Connection Storage.
Requirements
- Access to your Microsoft Azure Portal and permissions to create an App Registration
- FME 2024.1 or later
- The FME Hub SharePoint Online package has been installed and is up-to-date
Step-by-step Instructions
Part 1: Create the Azure App Registration
Before creating a SharePoint Online Web Connection in FME Form, you must create an app registration in Microsoft Azure.
1. Register an App in the Azure Portal
Log in to the Azure portal and go to App Registrations.
Add a new registration.
Choose ‘Accounts in this organizational directory only (Single tenant)’. Leave the Redirect URI blank for now; we will update this in a later step. Click Register.
2. Obtain the Client ID and Tenant ID
On the new app’s Overview page, take note of the Application (client) ID and the Directory (tenant) ID - these will be used to configure the web service later.
You can confirm that your app is a single tenant app if the value of ‘Supported account types’ is ‘My organization only’.
3. Add the Platform and Redirect URI
Click Authentication and then 'Add Redirect URI'.
For the Platform, choose Mobile and desktop applications.
For the redirect URI, enter http://localhost
Click Configure.
You should now see Mobile and desktop applications with the redirect URI added in the previous step.
4. Add Delegated API Permissions
Click API permissions and then 'Add a permission'.
Choose Microsoft Graph from Request API permissions.
Click Delegated permissions. Search for and then check off Sites.ReadWrite.All. Click Add Permissions.
Once added, you should see the Sites.ReadWrite.All permission in the list of Configured permissions.
Your single tenant Azure app registration is complete.
If you wish to assign more restrictive permissions, and do not need to write to SharePoint lists, you can use a combination of Sites.Read.All and Files.ReadWrite.All instead of Sites.ReadWrite.All. Other permissions may also work, but you may be required to perform additional configuration and testing outside the scope of this article.
Part 2: Configure the Connection in FME Form
A SharePoint Online web service must be configured before the web connection can be created. Follow these steps:
1. Open Web Services
In FME Form, go to Tools > FME Options > Web Connections > Manage Services.
2. Create a New Web Service
On the Manage Web Services screen, click the plus sign below the list of web services and then Create From > Microsoft SharePoint Online (safe.microsoft-sharepoint).
Do not choose Microsoft SharePoint Online (Template). It is for the Legacy SharePoint List Reader/Writer and will not work with the SharePointOnlineConnector or SharePoint Online List Reader/Writer.
3. Populate the Web Service
Single Tenant applications cannot use the /common/ endpoints. The ‘/common/’ endpoints are for multitenant Azure app registrations. Replace all instances of /common/ with your Tenant ID.
- Web Service Name: provide a unique name. It’s recommended to include the Azure app registration name, so that you can cross-reference it.
- Client ID: the Application (client) ID from the Azure single tenant app
- Not Required: leave this checked - the client secret should only be added in FME Flow
- Redirect Strategy: Choose 'Loopback Interface Redirect'. If you are using a version of FME before 2025.2, this option is not available, and the internal FME browser will be used. To learn more, please read External Browser Authentication
- Redirect URI: http://localhost to match what was entered in the Azure single tenant app.
- Authorization Parameters URL: replace common with your Tenant ID
- Retrieve Token Parameters URL: replace common with your Tenant ID
- Refresh Token Parameters URL: replace common with your Tenant ID
It’s important to ensure that the web service’s Redirect URI value matches the custom redirect URI that was applied to the Azure registered application in Create the Azure App Registration step 3. If these two values do not match, the web service will not function properly.
Click Apply.
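The values entered in this step can be cross-checked against the app registration with a short script: the tenant ID in place of /common/ in all three URLs, a redirect URI that is registered on the app, and requested scopes that match the configured delegated permissions. This is an added example, not FME or Microsoft code; the dictionary keys, sample URLs and tenant ID are constructed placeholders, and it assumes the scopes appear in a scope query parameter of the Authorization Parameters URL.

```python
import re
from urllib.parse import urlsplit, parse_qs
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
SHARED_ENDPOINTS = {"common", "organizations", "consumers"}  # not for single tenant apps
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}  # not Graph permissions

def tenant_findings(name, url, tenant_id):
    """Check that the first path segment of an endpoint URL is the app's tenant ID."""
    parts = urlsplit(url)
    segment = parts.path.strip("/").split("/")[0]
    out = []
    if parts.scheme != "https":
        out.append(f"{name}: not an https URL")
    if segment.lower() in SHARED_ENDPOINTS:
        out.append(f"{name}: still uses /{segment}/")
    elif not GUID.fullmatch(segment):
        out.append(f"{name}: tenant segment is not a GUID")
    elif segment.lower() != tenant_id.lower():
        out.append(f"{name}: tenant differs from the app registration")
    return out

def audit_web_service(service, app):
    """Return a list of findings; an empty list means the values line up."""
    findings = []
    for field in ("authorization_url", "token_url", "refresh_url"):
        findings += tenant_findings(field, service[field], app["tenant_id"])
    if service["redirect_uri"] not in app["redirect_uris"]:
        findings.append("redirect_uri: not registered on the app")
    scope = parse_qs(urlsplit(service["authorization_url"]).query).get("scope", [""])[0]
    requested = {s.rsplit("/", 1)[-1] for s in scope.split()} - OIDC_SCOPES
    for extra in sorted(requested - set(app["delegated_permissions"])):
        findings.append(f"scope: {extra} requested but not configured on the app")
    return findings

# Constructed sample values (placeholder tenant ID, not from a real tenant).
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = "https://login.microsoftonline.com"
APP = {"tenant_id": TENANT, "redirect_uris": ["http://localhost"],
       "delegated_permissions": ["Sites.Read.All", "Files.ReadWrite.All"]}
SERVICE = {
    "redirect_uri": "http://localhost",
    "authorization_url": f"{BASE}/{TENANT}/oauth2/v2.0/authorize"
                         "?scope=Sites.ReadWrite.All%20offline_access",
    "token_url": f"{BASE}/common/oauth2/v2.0/token",  # /common/ left in by mistake
    "refresh_url": f"{BASE}/{TENANT}/oauth2/v2.0/token",
}

if __name__ == "__main__":
    print("\n".join(audit_web_service(SERVICE, APP)))
```

With the sample values, the script reports the leftover /common/ in the token URL and the Sites.ReadWrite.All scope that exceeds the two more restrictive permissions configured on the app.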
Note: If you assigned more restrictive API permissions when creating your Azure app registration in the previous section, then you will need to modify the Authorization Parameters URL to match those permissions. For example, if you granted the Sites.Read.All and Files.ReadWrite.All Graph API permissions to your Azure app registration, it would look like this:
4. Test the Web Service
Scroll down to the bottom of the web service and click Test.
This will open your browser to authorize the web service. When prompted, enter your Microsoft credentials. If Microsoft prompts you to grant permissions to the Azure app, click Accept.
Once the web service test is successful, you can create a web connection. Close the Manage Web Services dialog to return to the Web Connections menu.
Depending on your organization's Azure consent configuration, you may receive a message that administrator approval is required. Contact your Azure administrator and ask them to grant admin consent to the app registration's API permissions, and then retry the test in FME. If you still experience issues, please see Troubleshooting SharePoint Web Connections and Services - Admin Consent Required.
5. Create the Web Connection
From Web Connections, click the plus (+) button to add a new connection.
Choose the web service you created and give the connection a unique name. Click OK.
You will be prompted again to authorize with Microsoft.
After successful authorization, your web connection and service are ready to use in FME Form.
Note that the Microsoft account you authenticate with must have access to the SharePoint resources you want to connect to in FME.
If you encounter issues authorizing your SharePoint connection, please see Troubleshooting SharePoint Web Connections and Services.
If you want to use your connection in FME Flow, please see How to Create a SharePoint Single Tenant Web Connection for FME Flow.