Document version history
Version number | Modified by | Modifications made | Date modified | Status |
1.0 | Shelf | Initial release of the document. | 05 Oct 2023 | Expired |
1.1 | Shelf | The document has been updated to include the description of providing Read access to specific collections on SharePoint. New imagery and text descriptions have been added. The existing figure numbering has been updated. | 23 Aug 2024 | Expired |
1.2 | Shelf | The document has been updated to reflect the change in the configuration flow on the side of Microsoft (Azure and SharePoint) as well as the introduction of the new option - PEM Certificate - on the Shelf side. | 18 Mar 2024 | Expired |
1.3 | Shelf | The document has been completely reworked to reflect the change in configurations on the Microsoft side. | 21 Mar 2025 | Expired |
1.4 | Shelf | The document has been updated with explanations on the role of the Manage Permissions app and about the operation of certain permissions in the Manage Permissions app and in the Connector app. | 15 Aug 2025 | Expired |
1.5 | Shelf | The document has been updated with the detailed section on the filters users can apply when configuring sync flows. The updated version also includes an explanatory chapter on the correlation between SharePoint’s and Shelf’s content entities. | 10 Nov 2025 | Expired |
1.6 | Shelf | The document has been updated to help readers understand how SharePoint custom columns and their types translate into Shelf’s CIL and CI custom fields. | 18 Dec 2025 | Expired |
1.7 | Shelf | The document has been updated to include the description of Shelf’s support of Microsoft SharePoint’s Pages entities in the Shelf SharePoint Connector. | 20 Feb 2026 | Active |
Document purpose
This document has been developed for those customers’ end users who are using Shelf Knowledge Management System (Shelf KMS) with the Content Integration Layer feature to manage and handle various content both stored in Shelf KMS and in external platforms integrated via CIL. The document’s goal is to answer the following questions:
What is the Shelf Content Integration Layer?
What purposes does this feature serve?
- What is a Microsoft SharePoint Connector?
How is it configured?
- How is it used in practice?
If you require further assistance, feel free to contact us at support@shelf.io or from the in-app chat support within the Shelf platform.
Glossary
Prior to starting to learn about the SharePoint connector and its configuration and usage, you need to learn the terminology used by Shelf.
Shelf KMS (Next Generation Knowledge Management System) is a knowledge management platform that employs AI capabilities to create, edit, process, store, export/import, and otherwise handle various content. The platform sports multiple AI-enabled features such as Search Copilot, Analytics Copilot, Semantic Search, Content Intelligence etc., all of which are intended to optimize and centralize customer organizations’ knowledge and provide fast, accurate, and consistent answers.
A connector is an entity that defines which external Content Management System Shelf KMS needs to connect to via Content Integration Layer (e.g. the SharePoint connector is a set of API parameters to define how to connect Shelf to Microsoft SharePoint). Shelf KMS has a set of preconfigured connectors (SharePoint, Contentful, Zendesk, Confluence connectors, etc.) but also allows for creating the custom ones.
A Pull connector is a connector that uses a prebuilt set of API parameters (for connecting with external CMSs and content storages like Google Drive, Notion, SharePoint, Zendesk, etc.) to pull content from a specific external platform into Shelf's CIL. All Shelf’s prebuilt connectors, including the SharePoint connector, are of the Pull type.
A connection profile is a feature that allows users to establish a connection to various external applications or sources. It enables seamless integration and collaboration between Shelf KMS and other platforms such as external content repositories. Using Shelf’s connection profiles, users can import and synchronize various content and generally streamline workflows between Shelf KMS and external systems. This feature enhances the overall efficiency and effectiveness of knowledge management processes by enabling easy access to relevant information from different sources within the Shelf platform.
A sync flow is a feature that is responsible for the synchronization of content from external sources to Shelf KMS. Shelf’s sync flows can work on schedule or on demand, making it a versatile tool for content synchronization and prompt knowledge delivery.
A PEM file is a file format used to store cryptographic information. PEM stands for "Privacy-Enhanced Mail," though its usage has extended far beyond email security. These files are widely used in security contexts, such as managing certificates and keys.
PEM files typically contain:
Certificates: Such as X.509 certificates.
Public or private keys: Used for encryption or decryption.
Certificate signing requests (CSRs): Requests for certificates to be issued by a certificate authority.
Prerequisites
For proper operation of your SharePoint connector and successful synchronization of your content from the Microsoft SharePoint platform into Shelf KMS, the following preconditions must be met:
OpenSSL should be installed to perform CLI operations
Azure Portal Access should be granted to the user under which you are going to perform configurations
Azure Active Directory Administrator (or Azure Global Administrator) permissions should be granted to the user under which you are going to perform configurations; this level is required for registering applications and granting API permissions in Azure Active Directory
Admin panel must be accessible on your Shelf KMS account
Content items (articles, documents, etc.) must be available on your SharePoint account.
Constraints and restrictions
Before proceeding to learn how you can configure and use the Shelf integration with your SharePoint resources, you need to be aware of the following content-related constraint(s) coming from the Microsoft side.
When syncing content items from your SharePoint site to Shelf, the sync job may fail with the display of the error message shown on the figure below:
This failure to sync your content occurs when the number of items in your SharePoint library or list exceeds 5,000. Shelf Content Integration Layer and its connectors are not in control of this limitation, which is caused by Microsoft’s List View Threshold (LVT) threshold that is in place to help get consistent performance across all users with queries to the back-end database.
You can read more about the LVT limit and possible solution methods in the dedicated articles created by Microsoft:
If you need additional information or support on this matter, feel free to contact Shelf Support.
Mapping SharePoint content entities to Shelf
Before you proceed to read about the Shelf Content Integration Layer, Shelf's SharePoint Connector, connector-specific configurations on the SharePoint side, and configurations on the Shelf side, you need to understand how content entities at various levels correspond between SharePoint and Shelf. This mapping clarifies which SharePoint "top-level" items appear as Shelf Collections and how their internal structure and items are represented.
At a glance: entity mapping
SharePoint Site → SP's Site is mapped to Shelf's Instance URL value in Connection profile > Runtime Settings.
SharePoint Page (Site Page) → Shelf Gem (one Gem per published page)
SharePoint Document library → Shelf Collection
SharePoint List → Shelf Collection
SharePoint Folder (including nested folders) → Shelf Folder
SharePoint Content item (file in a document library, or item in a list) → Shelf Gem
SharePoint Images and Documents libraries → Each file is synced as a separate, standalone Gem.
SharePoint Pages sync
Shelf CIL supports syncing content from SharePoint Pages (Site Pages). Each published Page is extracted, converted to structured HTML, and stored as a searchable Gem in Shelf — bringing page-based knowledge (onboarding guides, announcements, process docs, etc.) into your Shelf library alongside files and list items.
How Pages map to Shelf
SharePoint | Shelf |
|---|---|
Published Page | One Gem containing extracted page content (title, text, images, links) |
File embedded on a Page (via "File and Media" or "Hero" web part) | A link within the page Gem (not a copy of the file) |
File in the Images & Documents library | A separate standalone Gem (independently searchable) |
 | Embedded files appear in two places by design. A PDF referenced on a Page shows up as a link inside the page Gem and as its own standalone Gem from the library sync. This preserves context on the page while keeping the file independently searchable — it is not a duplicate. |
Supported web parts
Web part | What Shelf captures |
|---|---|
Title Area | Page title as primary heading (H1) |
Banner | Banner title and author info as secondary heading (H2) |
Text | Rich-text content (paragraphs, headings, bold/italic) with formatting preserved |
Image | Image reference with source URL and alt text |
Hero | Links to referenced documents/images (visual tile layout is not replicated) |
File and Media | Link to the original file in SharePoint |
Requirements and constraints
Published Pages only — Draft and checked-out pages are excluded from sync.
Standard layouts only — Single-column, two-column, three-column, one-third/two-thirds split, and full-width layouts are supported. Content in "Flexible" layout sections is skipped entirely.
Structure preserved, styling not — Section/column structure and content hierarchy are maintained. Visual styling (colors, fonts, backgrounds, spacing) is not replicated.
SharePoint content entities hierarchy
What "top-level" means
SharePoint Site, being the root of Document libraries, Lists, and Pages, is the container of the highest level and is indirectly mapped at the stage of configuring SharePoint connection profile in Shelf (the Instance URL parameter/value in the RUNTIME SETTINGS block).
In SharePoint, the top-level containers that hold content are Document libraries, Lists, and Site Pages.
In Shelf, the top-level container is a Collection. Each connected SharePoint Document library or List appears as a Collection in Shelf. SharePoint Pages are synced as individual Gems (one Gem per published page).
How hierarchy is preserved
Folders: Any folder structure inside a connected library (and inside a List where folders are enabled) is preserved as nested Folders within the corresponding Shelf Collection. This includes folders at any depth.
- Content Items:
- Files stored in a Document library become Gems inside the corresponding Shelf Collection (and within its folders, if applicable).
Content Items stored in a SharePoint List become Gems inside the corresponding Shelf Collection for that List.
- Pages: SharePoint Pages are stored in the Site Pages library on each SharePoint site. Each published Page becomes an individual Gem. Pages do not follow the Collection → Folder → Gem hierarchy. Files referenced on Pages appear as links within the Gem; the underlying files are synced separately as standalone Gems from the Images & Documents libraries.
 | To work with synced Pages in KMS and for Content Intelligence to process them, you must grant permissions to the Site Pages collection in User Groups > [your user group] > Collection permissions. |
Practical examples
Document library example
SharePoint: Site A / "Policies" (Document library) / HR / 2024 / Code-of-Conduct.pdf
Shelf: Collection "Policies" → Folder "HR" → "2024" → Gem "Code-of-Conduct.pdf"
List example
SharePoint: Site A / "FAQs" (List) with an item "How do I reset my password?"
Shelf: Collection "FAQs" → Gem "How do I reset my password?"
Page example
SharePoint: Site A / Site Pages / "Company Holiday Policy" (published Page with text, a banner, and an embedded PDF)
Shelf: Gem "Company Holiday Policy" (extracted page content with a link to the PDF) + Gem "Holiday-Calendar-2025.pdf" (synced separately from the Images & Documents library)
Notes for setup and configuration
Selection scope: Each library and each list you select in the SharePoint Connector is created as a separate Collection in Shelf.
Folder depth: Nested folders in SharePoint remain nested folders in Shelf without changes to depth.
Content parity: Each SharePoint file or list item maps to a single Gem in Shelf, placed according to the original SharePoint hierarchy (Collection → Folder(s) → Gem).
Naming: Shelf Collections typically mirror the names of their source libraries/lists. Folder names and item titles/file names are also preserved.
Pages — published only: Only Pages in the "Published" state are synced. Draft or checked-out Pages are excluded.
Pages — web part coverage: 6 web part types are currently supported (see the supported web parts table above). Unsupported types appear as blank areas. Additional web part types will be supported in future updates.
Pages — embedded files as links: Files on a Page appear as links in the page Gem. The files themselves are synced separately from the Images & Documents library. This is by design.
Pages — Flexible layouts excluded: Content in "Flexible" section layouts is not synced. Use standard layouts to ensure content is captured.
Microsoft references
SharePoint Document library:
https://support.microsoft.com/en-us/office/create-a-document-library-in-sharepoint-306728fe-0325-4b28-b60d-f902e1d75939
SharePoint Folder (in a Document library):
https://support.microsoft.com/en-us/office/create-a-folder-in-a-document-library-3d6a8c11-2490-4d6b-8837-f25649a69c56
SharePoint List:
https://support.microsoft.com/en-us/office/create-a-list-0d397414-d95f-41eb-addd-5e6eff41b083
SharePoint Pages (Site Pages):
https://support.microsoft.com/en-us/office/create-and-use-modern-pages-on-a-sharepoint-site-b3d46deb-27a6-4b1e-87b8-df851e503dec
Understanding this mapping up front makes configuration choices and the downstream behavior of the Shelf Content Integration Layer more predictable when integrating with SharePoint.
Content Integration Layer and its purpose
The Content Integration Layer feature makes it possible to integrate various content types and formats into a single platform, Shelf KMS, from where users can further derive useful information to deliver accurate and relevant answers to their clients.
The Content Integration Layer ensures that content is indexed, tagged, and categorized appropriately, making it easily searchable and accessible to users within the knowledge management system. It provides capabilities for content mapping, transformation, and synchronization, enabling the consolidation and synchronization of data from multiple sources.
CIL also ensures that the latest version of content is always available to users and facilitates efficient content updating and maintenance.
Overall, the Content Integration Layer plays a crucial role in providing a centralized repository of relevant and up-to-date information, making it easier for users to find and access the knowledge they need.
The detailed information about the CIL feature can be found in the relevant chapters of the Shelf Content Integration Layer Feature User Guide available upon request.
Understanding the Content Integration Layer workflow
In-depth configurations and use cases of the Shelf Content Integration Layer are described in the dedicated Shelf Content Integration Layer Feature User Guide mentioned above, but the short example of the CIL workflow is as follows:
You access the Content Integration Layer feature in your Shelf KMS (Admin panel).
You select one of Shelf-preconfigured connectors or create your custom one (based on the external content repository from which you need to sync content)
You create a connection profile that uses the selected or created connector, and configure it: indicate credentials (username/password/API key/token/etc.) to access your external repository. All these credentials and access details can be taken from that external platform, and in the respective section below we will show you how to get them on Microsoft SharePoint.
You create a sync flow that uses the created connection profile and configure this sync flow to run either on some specific schedule or on demand. It is here where you can apply filters to tell CIL which exactly content needs to be synced.
You run the created sync flow manually (if set to run on demand) or wait for the scheduled run, and get your content from the needed external source right in Shelf KMS.
For the proper operation of the SharePoint connector to sync your content from Microsoft SharePoint into Shelf KMS, you need to do certain actions in Microsoft SharePoint, Azure and in Shelf. Read the chapters below to learn what exactly you need to do.
Configurations on the Microsoft SharePoint side
Specifically for the Shelf SharePoint connector and for bypassing the existing limitations of Microsoft SharePoint UI (certain features can be used only via API), the two-app setup has been implemented:
(1) The Connector app for extracting content, and
(2) The Manage Permissions app for infrastructure and ad-hoc configuration.
The Connector app shares its credentials with Shelf to enable content extraction. The Manage Permissions app is used to configure the Connector app with granular permissions for specific SharePoint sites, and does not share any credentials or other sensitive information with Shelf.
 | Before you start configuring your integration on the Microsoft SharePoint end, you need to understand the following:
|
Figure 1. Verifying SharePoint Admin permissionsGenerating self-signed certificate
Before proceeding to creating the dedicated apps on Azure, you first need to generate a self-signed certificate that is needed to authorize your Azure apps to access Shelf and vice versa.
To generate your certificate, complete the following steps.
Make sure you have OpenSSL of the latest released version installed on your computer. To do so, open a terminal or a command prompt utility and run the following command
Shell
openssl versionIf OpenSSL is installed on your computer, the command will return the version of the installed OpenSSL.
Shell
C:\Windows\system32>openssl version
OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)Run the following command in your OS-specific terminal
Shell
openssl req -x509 -newkey rsa:2048 -keyout private.key -out cert.crt -days 365 -nodes -subj "/CN=ShelfConnectors"
Legend
Parameter | Explanation |
-x509 | Generates a self-signed certificate. |
-newkey rsa:2048 | Creates a 2048-bit RSA private key. |
-keyout private.key | Saves the private key to private.key. |
-out cert.crt | Saves the certificate to cert.crt. |
-days 365 | Sets the certificate validity period to 365 days. |
-nodes | Ensures the private key is not encrypted with a passphrase. |
-subj "/CN=ShelfConnectors" | Specifies the subject name. |
As a result, this command shall generate two files for you:
private.key, which is the private key for the certificate
cert.crt, the self-signed certificate itself.
Location to which these files are saved depends on your platform. For example, on Windows OS computers, they are saved to C:\Windows\System32
Creating certificate’s PEM file
At this step, you need to create a single PEM file by combining the previously generated self-signed certificate and its private key. To do that, run the following command in your terminal
| Shell cat cert.crt private.key > azure-cert.pem |
The output should be a file named azure-cert.pem that contains both the certificate and private key. The PEM file, logically, is saved to the same location where the certificate and private key are stored.
Creating Connector app in Azure
At this stage of configurations, you need to create the Connector app in Azure. To do so, follow the below steps.
Log in to your account on Azure Portal using the Admin credentials.
In the search field on top of the page look for and navigate to App registrations.
Figure 2. Finding and selecting the App registrations menu in Azure- On the App registrations page, find and select + New registration.
Figure 3. Initiating new registration on Azure
In the form that appears, enter the name for the new app registration - Connector app, and click Register. No other selections/configurations are needed in this form.
Figure 4. Registering Connector app on AzureOnce Connector app is registered, you are redirected to its page.
Uploading certificate
When on the Connector app page, under the Manage menu (1) in the navigation panel, find and select the Certificates & secrets option (2).
Then select the Certificates tab (3) and press Upload certificate (4).
Figure 5. Accessing Connector app’s certificates and secrets menu and initiating certificate uploadIn the panel that opens in the right part of the page, upload the previously generated cert.crt file and add some description for it. Press Add once done.
Figure 6. Uploading certificate
Granting API permissions to Connector app
Granting SharePoint permissions
After the certificate is added to Connector app, open the API permissions option (1) in the menu, and on the Connector app’s permissions page, select + Add a permission (2).
Figure 7. Accessing Connector app’s API permissions settings- In the pane that appears, select the SharePoint option (3).
Figure 8. Selecting SharePoint for Connector app’s API permissions
In the window that appears in the right pane, select the Application permissions option (4) and then select the Sites.Selected checkbox (5). Click Add permissions (6) to save changes.
Figure 9. Adding Sharepoint Sites.Selected permissions to Connector appPermission
Description
Sites.Selected
This permission is used specifically to assign a specific SharePoint site in the next step via API (using the Manage Permissions app). It neither provides access to ALL your SharePoints sites nor grants any other permissions to the apps.
- Now you need to get admin consent for Your Tenant on these permissions. If you have the admin level, you can do it yourself by clicking the respective button as shown below. Otherwise, contact your organization’s Azure admin and ask them to do that.
Figure 10. Granting admin consent for Your TenantGranting Microsoft Graph permissions
Repeat Step 1 from the procedure above.
In the pane that appears, select the Microsoft Graph option (2).
Figure 11. Selecting Microsoft Graph for Connector app’s API permissions- In the window that appears in the right pane, select the Application permissions option (3), in the search field (4) below look for Sites.Selected, and then expand the Sites section (5) and select the Sites.Selected checkbox (6). Click Add permissions (7) to save changes.
Figure 12. Viewing added Microsoft Graph permission for Connector app Now you need to get admin consent for Your Tenant on these permissions. If you have the admin level, you can do it yourself by clicking the respective button as shown below. Otherwise, contact your organization’s Azure admin and ask them to do that.
Figure 13. Granting admin consent for Your Tenant for Microsoft Graph permission
Creating Manage Permissions app
 | The Manage Permissions app you are about to create does not share any credentials you may enter here with Shelf. The Manage Permissions app is simply sharing the connector that will be created. See more in Configurations on Microsoft SharePoint side section |
On Azure Portal, navigate again to App registrations and add a new registration as shown in Figures 2 and 3 above.
In the new app registration form, enter the needed name - Manage Permissions app - and click Register. Leave other fields and checkboxes unchanged.
Figure 14. Initiating Manage Permissions app registration
Once the app is registered, you are redirected to its page and see the respective notification on top of the page.
Figure 15. Viewing Manage Permissions app pageGranting permissions to Manage Permissions app
Now, you need to add specific permissions to the app you have just registered, and then grant admin consent for Your Tenant for it. Follow the below steps.
When on the Manage Permissions app page, find and select the API permissions option in the navigation panel as shown in Figure 15 above.
On the page that opens, find and select + Add a permission.
Figure 16. Initiating permissions granting to Manage Permissions app
- In the pane that appears, select the Microsoft Graph option and then select the Application permission option.
Figure 17. Selecting Microsoft Graph
In the permissions list that expands below, find and select the following permissions by checking the relevant boxes as listed below. Then confirm changes by clicking Add permissions.
Application:
Application.Read.All
AppRoleAssignment
AppRoleAssignment.ReadWrite.All
Sites
Sites.FullControl.All
Figure 18. Granting Microsoft Graph permissions
Explaining permissions
Permission | Description |
Application.Read.All | This permission is required because the Manage Permissions app must be able to read other applications, in our case the Connector app, for providing granular permissions to SharePoint site(s). |
AppRoleAssignment.ReadWrite.All | This permission is specifically required to assign new roles/access to other applications, such as the Connector app. |
Sites.FullControl.All | This permission is necessary because the Manage Permissions app must have control over sites to assign a selected site to a specific app (in our case the Connector app). |
Figure 19. Selecting SharePoint for granting permissions for Manage Permissions app
Figure 20. Adding specific SharePoint permissions 7. Once done, all the selected permissions are added. However, to allow Manage Permissions app to make use of them, you need to grant admin consent on these permissions for Your Tenant. If you have the admin level, you can do it yourself by clicking the respective button as shown below. Otherwise, contact your organization’s Azure admin and ask them to do that.
Figure 21. Viewing added permissions and adding admin consent on them for Your Tenant