Connect your Microsoft 365 / SharePoint
Store your File Storage documents in your own Microsoft 365 tenant (SharePoint document libraries) instead of FullClarity-hosted cloud storage — under your own access controls, retention, eDiscovery and DLP.
Draft — feature in development
This connection feature is being built and is not yet available in your account. This page is an early preview of the setup so your IT / Microsoft 365 team can plan ahead. Steps may change before release.
How it works (and what FullClarity can and can't see)
This is a bring-your-own-tenant model. You register an application in your own Microsoft 365 directory and grant it access only to the specific SharePoint sites you choose. FullClarity never holds your sign-in credentials and never holds the application's private key — the key stays inside your NetSuite account and is used there to prove the application's identity to Microsoft.
FullClarity is granted Write to your chosen sites — nothing more
The application only ever needs the Write permission, on the specific sites you grant it. It cannot administer or manage your SharePoint, change tenant or site settings, alter sharing or permissions, or reach any site you haven't explicitly granted. Everything below — including adding the two columns — works with Write only.
- You can connect more than one Microsoft 365 tenant, and multiple sites within a tenant.
- You decide which records go to which site using routing rules; anything not routed to SharePoint stays in FullClarity-hosted cloud storage.
- Access is per-site and revocable — the application can only see the sites you explicitly grant, and you can withdraw access at any time from Microsoft 365.
Prerequisites
- A Microsoft 365 administrator who can register an application and grant admin consent (Global Administrator or Privileged Role / Application Administrator).
- A SharePoint administrator to grant the application access to the chosen site(s).
- A NetSuite administrator (or the FullClarity onboarding team) for the NetSuite side.
- File Storage installed in your NetSuite account.
- A certificate (a self-signed certificate is acceptable). Your IT team can create one, or use the example below.
Part 1 — In Microsoft 365 (your IT / M365 admin)
1.1 Create a certificate
A certificate has two halves: a public part that goes to Microsoft, and a private part (the key) that goes into your NetSuite account. If your team has its own certificate process, use it; otherwise this creates a self-signed certificate valid for two years:
# public certificate + private key
# (-nodes writes m365.key.pem unencrypted, so keep that file access-restricted)
openssl req -x509 -newkey rsa:2048 -keyout m365.key.pem -out m365.cert.pem \
  -days 730 -nodes -subj "/CN=FullClarity File Storage"
# bundle both into a password-protected file for NetSuite
# (-legacy is an OpenSSL 3.x option; you are prompted for the export password)
openssl pkcs12 -export -legacy -inkey m365.key.pem -in m365.cert.pem \
  -name "FullClarity File Storage" -out m365.p12
Keep m365.cert.pem (public — for Microsoft), m365.p12 (for NetSuite) and the password you set.
1.2 Register the application
In the Azure / Entra admin centre: Microsoft Entra ID → App registrations → New registration.
- Name it something recognisable, e.g. FullClarity File Storage.
- Account type: single tenant (this directory only).
- Leave the redirect URI blank.
From the application's Overview, note the Directory (tenant) ID and the Application (client) ID.
1.3 Upload the public certificate
On the application: Certificates & secrets → Certificates → Upload certificate, and upload m365.cert.pem. Note the Thumbprint shown.
1.4 Grant the SharePoint permission
On the application: API permissions → Add a permission → Microsoft Graph → Application permissions, add Sites.Selected, then Grant admin consent.
Sites.Selected gives the application no access on its own — it can reach only the sites you grant in the next step.
1.5 Grant the application access to your chosen site(s)
Sites.Selected gives no access by itself — a SharePoint/Global admin must grant the application write access to each specific site you want to use. There is no button for this in the admin portal; the grant is made with a Microsoft Graph call. Do it once per site (your FullClarity onboarding contact can do this with you). Either method below works.
Repeat this step whenever you add another site later — no new application or certificate is needed within the same tenant.
Option A — Graph Explorer (in the browser)
1. Open Graph Explorer and sign in as a Global or SharePoint administrator in your tenant.
2. Give Graph Explorer permission to make the grant: profile icon → Consent to permissions → search Sites.FullControl.All → Consent. (This authorises Graph Explorer to act as you; it is not a permission for the FullClarity application.)
3. Find the site's ID — set the method to GET. The address depends on the kind of site:
   - A team or communication site (https://{tenant}.sharepoint.com/sites/{site}) — use the part after /sites/:
       GET https://graph.microsoft.com/v1.0/sites/{your-tenant}.sharepoint.com:/sites/{your-site}
     For example, for https://fullclarity.sharepoint.com/sites/Finance:
       GET https://graph.microsoft.com/v1.0/sites/fullclarity.sharepoint.com:/sites/Finance
   - Your main (root) site (https://{tenant}.sharepoint.com, with nothing after the hostname) — drop the :/sites/… part and use the hostname on its own, or the keyword root:
       GET https://graph.microsoft.com/v1.0/sites/fullclarity.sharepoint.com
       # or equivalently
       GET https://graph.microsoft.com/v1.0/sites/root
   Run the query. The response looks like this (trimmed):
       {
         "id": "fullclarity.sharepoint.com,11111111-2222-3333-4444-555555555555,66666666-7777-8888-9999-000000000000",
         "displayName": "Finance",
         "name": "Finance",
         "webUrl": "https://fullclarity.sharepoint.com/sites/Finance",
         "siteCollection": { "hostname": "fullclarity.sharepoint.com" }
       }
   Copy the id value — the whole hostname,<guid>,<guid> string. That is the site ID you paste into the next step.
4. Grant the application write access — set the method to POST. The URL is …/sites/{site-id}/permissions, where {site-id} is the whole id you copied in step 3. Using the Finance example above:
       POST https://graph.microsoft.com/v1.0/sites/fullclarity.sharepoint.com,11111111-2222-3333-4444-555555555555,66666666-7777-8888-9999-000000000000/permissions
   On the Request body tab, paste the following. You must replace PASTE-YOUR-APPLICATION-CLIENT-ID with your own Application (client) ID from step 1.2 — the same GUID shown on your app's Overview. (It's left as obvious placeholder text on purpose: if you send it unchanged the request fails, rather than silently granting access to the wrong identity.)
       {
         "roles": ["write"],
         "grantedToIdentities": [
           {
             "application": {
               "id": "PASTE-YOUR-APPLICATION-CLIENT-ID",
               "displayName": "FullClarity File Storage"
             }
           }
         ]
       }
   A 201 Created response confirms the grant. Keep "roles": ["write"] exactly — the app needs nothing higher.
5. (Optional) Verify with GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions — the application should be listed with the write role.
Option B — PnP PowerShell
If your organisation restricts Graph Explorer, an admin can run the PnP.PowerShell module instead:
# Example for the team site https://fullclarity.sharepoint.com/sites/Finance
# (for your main/root site, use https://fullclarity.sharepoint.com with no /sites/... suffix)
Connect-PnPOnline -Url https://fullclarity.sharepoint.com/sites/Finance -Interactive
Grant-PnPAzureADAppSitePermission `
-AppId "<application (client) ID>" `
-DisplayName "FullClarity File Storage" `
-Site https://fullclarity.sharepoint.com/sites/Finance `
-Permissions Write
Removing access later
To revoke the application's access to a site, delete the permission (DELETE …/sites/{site-id}/permissions/{permission-id} in Graph, or Revoke-PnPAzureADAppSitePermission in PnP PowerShell). The application immediately loses access to that site.
1.6 Add the two FullClarity columns to the library
File Storage uses two columns on the connected document library:
- FullClarity Visible — marks which files appear in FullClarity. Files uploaded through FullClarity are set automatically; a file dropped straight into SharePoint is shown in FullClarity only once this is ticked.
- FullClarity Category — holds the file's category.
You add these two columns yourself, in SharePoint — it needs no FullClarity permission beyond the Write already granted. One of your site owners/admins adds them once, at setup:
- Open the SharePoint site and the document library the connection points at (e.g. Documents).
- At the right end of the column headers, choose + Add column (or Settings ⚙ → Library settings → Create column).
- Add the first column:
  - Type: Yes/No
  - Name: FullClarity Visible
  - Default value: No
- Add the second column:
  - Type: Single line of text
  - Name: FullClarity Category
That's it — the columns are library-wide, so they apply to every folder in the library. Run Validate on the FullClarity connection screen and it will confirm both columns are present.
Use these exact names
Name the columns exactly FullClarity Visible and FullClarity Category — FullClarity matches them by these display names.
Optional — would you rather FullClarity create the two columns for you?
This is completely optional and entirely under your control. FullClarity does not require it and does not keep any elevated access — adding the columns by hand (above) is the recommended path and needs only Write.
If you'd prefer not to add them manually, one of your admins can let the application create them, then immediately remove the extra access:
- Temporarily change the application's grant on this one site from Write to Manage (the same per-site grant from step 1.5, with Manage).
- On the FullClarity connection screen, click Provision columns — it creates the two columns.
- Change the grant straight back to Write.
The application holds the higher permission only for the few seconds it takes to create the columns, only on the single site you chose, and never retains it. If granting Manage even briefly isn't acceptable to your security policy, simply add the columns by hand as above.
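To back up the optional verify in step 1.5 and to confirm the grant really is back at Write after the temporary Manage change above, the check below audits a saved GET …/sites/{site-id}/permissions response. It is an added example, not FullClarity or Microsoft code: the function names, the placeholder client ID and the sample responses are constructed, and the listing is assumed to carry the same roles and grantedToIdentities fields as the grant body in step 1.5.

```python
import json

# Per-site roles, least to most privileged (names as used in the grant body).
ROLE_RANK = {"read": 0, "write": 1, "manage": 2, "fullcontrol": 3}

def audit_site_grants(listing_json, app_id, max_role="write"):
    """Check one site's permission listing; return a list of finding strings."""
    findings, seen = [], False
    for perm in json.loads(listing_json).get("value", []):
        ids = [i.get("application", {}).get("id", "").lower()
               for i in perm.get("grantedToIdentities", [])]
        if app_id.lower() not in ids:
            continue  # grant belongs to some other identity
        seen = True
        roles = [r.lower() for r in perm.get("roles", [])]
        if not roles:
            findings.append(
                f"permission {perm.get('id')}: no roles listed, fetch it by id to confirm")
        for role in roles:
            # Unknown role names are treated as too high rather than ignored.
            if ROLE_RANK.get(role, len(ROLE_RANK)) > ROLE_RANK[max_role]:
                findings.append(
                    f"permission {perm.get('id')}: role '{role}' exceeds '{max_role}'")
    if not seen:
        findings.append("application has no grant on this site")
    return findings

# Constructed sample data (not real tenant output).
APP_ID = "00000000-aaaa-bbbb-cccc-000000000001"  # placeholder client ID

def sample_listing(roles):
    """Build a constructed one-grant listing with the given roles."""
    return json.dumps({"value": [{
        "id": "constructed-permission-1",
        "roles": roles,
        "grantedToIdentities": [{"application": {
            "id": APP_ID, "displayName": "FullClarity File Storage"}}],
    }]})

if __name__ == "__main__":
    print(audit_site_grants(sample_listing(["write"]), APP_ID))   # expected state
    print(audit_site_grants(sample_listing(["manage"]), APP_ID))  # elevation left in place
    print(audit_site_grants('{"value": []}', APP_ID))             # grant missing or revoked
```

An empty list means the application holds Write or lower on that site; any finding is a reason to re-check the grant before relying on the connection.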
Part 2 — In NetSuite (admin or FullClarity onboarding team)
2.1 Add the certificate
Go to Setup → Company → Preferences → Certificates and add a new certificate: give it a clear name and ID, upload the m365.p12 file, and enter its password. This stores the private key securely inside your account.
2.2 Set up the connection and locations
Coming with the feature
The FullClarity storage setup screen — where you enter the tenant and application details, point at your certificate, add each SharePoint site as a Location, validate the connection, and define the routing rules that decide which records go to which site — ships with this feature. A step-by-step walkthrough will be added here at release.
What success looks like
- The connection validates: NetSuite can reach your chosen SharePoint site using the certificate.
- Two FullClarity columns appear on the connected document library (used to mark which files should show in FullClarity and their category).
- New files uploaded against routed records land in your SharePoint site, and appear in the File Storage list on the record within a few seconds.
Gotchas
- Certificate expiry. The certificate has an expiry date (two years in the example). Set a reminder to rotate it before it lapses, or uploads and downloads will stop until it's renewed. FullClarity will also surface an expiry warning in advance.
- Per-site access. The application can only use sites you've explicitly granted. If a site isn't working, confirm the grant was made for that exact site.
- Sandbox vs production. A sandbox refreshed from production can view production-origin files read-only; new sandbox uploads go to a separate sandbox location and never change production documents.
- Keep files within the granted library. Moving or renaming files inside a connected library is fine. Moving a file out to a different library or site is flagged in FullClarity (the file is kept and marked, never silently lost).