Write data to SharePoint Online using SSIS (Import data)

In this section we will learn how to configure and use SharePoint Online Connector in the API Destination to write data to SharePoint Online.

Video tutorial

This video covers following and more so watch carefully. After watching this video follow the steps described in this article.

• How to download SSIS PowerPack for SharePoint Online integration in SSIS
• How to configure connection for SharePoint Online
• How to write or lookup data to SharePoint Online
• Features about SSIS API Destination
• Using SharePoint Online Connector in SSIS

Step-by-step instructions

In upper section we learned how to read data, now in this section we will learn how to configure SharePoint Online in the API Source to POST data to the SharePoint Online.

1. Read the data from the source, being any desired source component. In example we will use ZappySys Dummy Data Source component.

2. From the SSIS Toolbox drag and drop API Destination (Predefined Templates) on the Data Flow Designer surface and connect source component with it, and double click to edit it.
   

3. Select New Connection to create a new connection:
   

   API Destination - SharePoint Online

   SharePoint Connector can be used to read, write data in SharePoint Online List / Document Library, perform file operations such as upload, download, create, move, delete, rename in a few clicks!

   

4. Use a preinstalled SharePoint Online Connector from Popular Connector List or press Search Online radio button to download SharePoint Online Connector. Once downloaded simply use it in the configuration:
   

   SharePoint Online

   

5. Proceed with selecting the desired Authentication Type. Then select API Base URL (in most cases default one is the right one). Finally, fill in all the required parameters and set optional parameters if needed. You may press a link Steps to Configure which will help set certain parameters. More info is available in Authentication section.

    User Credentials [OAuth]

   Use delegated access (User Credentials) whenever you want to let a signed-in user work with their own resources or resources they can access. Whether it's an admin setting up policies for their entire organization or a user deleting an email in their inbox, all scenarios involving user actions should use delegated access. [API reference]

   Steps how to get and use SharePoint Online credentials
   

   Follow these simple steps below to create Microsoft Entra ID application with delegated access:

   WARNING: If you are planning to automate processes, we recommend that you use a Application Credentials authentication method. In case, you still need to use User Credentials, then make sure you use a system/generic account (e.g. automation@my-company.com). When you use a personal account which is tied to a specific employee profile and that employee leaves the company, the token may become invalid and any automated processes using that token will start to fail.

   1. Navigate to the Azure Portal and log in using your credentials.
   2. Access Microsoft Entra ID.

   3. Register a new application by going to App registrations and clicking on New registration button:

      
      INFO: Find more information on how to register an application in Graph API reference.

   4. When configuration window opens, configure these fields:

      • Supported account type
        • Use Accounts in this organizational directory only, if you need access to data in your organization only.
      • Redirect URI:
        • Set the type to Public client/native (mobile & desktop).
        • Use https://zappysys.com/oauth as the URL.
      

   5. After registering the app, copy the Application (client) ID for later:

      

   6. Copy OAuth authorization endpoint (v2) & OAuth token endpoint (v2) URLs to use later in the configuration:

      

   7. Now go to SSIS package or ODBC data source and use the copied values in User Credentials authentication configuration:

      • In the Authorization URL field paste the OAuth authorization endpoint (v2) URL value you copied in the previous step.
      • In the Token URL field paste the OAuth token endpoint (v2) URL value you copied in the previous step.
      • In the Client ID field paste the Application (client) ID value you copied in the previous step.
      • In the Scope field use the default value or select individual scopes, e.g.:
        • email
        • offline_access
        • openid
        • profile
        • User.Read
        • Sites.Read.All
        • Sites.ReadWrite.All
        • Files.Read.All
        • Files.ReadWrite.All
   8. Press Generate Token button to generate Access and Refresh Tokens.
   9. Optional step. Choose Default Site Id from the drop down menu.
   10. Click Test Connection to confirm the connection is working.
   11. Done! Now you are ready to use the API Connector!

   Fill in all required parameters and set optional parameters if needed:

   SharepointOnlineDSN

   SharePoint Online

   User Credentials [OAuth]

   https://graph.microsoft.com/v1.0

   Required Parameters
   Authorization URL	Fill-in the parameter...
   Token URL	Fill-in the parameter...
   Client ID	Fill-in the parameter...
   Scope	Fill-in the parameter...
   Return URL	Fill-in the parameter...
   Default Site Id (select after pressing 'Generate Token')	Fill-in the parameter...
   Optional Parameters
   Client Secret
   Default Drive Id (select after pressing 'Generate Token')
   Login Prompt Option
   RetryMode	RetryWhenStatusCodeMatch
   RetryStatusCodeList	429|503|423
   RetryCountMax	5
   RetryMultiplyWaitTime	True
   Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)
   Extra Headers (e.g. Header1:AAA||Header2:BBB)
   IsAppCred	0

   

    Application Credentials [OAuth]

   Application-only access is broader and more powerful than delegated access (User Credentials), so you should only use app-only access where needed. Use it when: 1. The application needs to run in an automated way, without user input (for example, a daily script that checks emails from certain contacts and sends automated responses). 2. The application needs to access resources belonging to multiple different users (for example, a backup or data loss prevention app might need to retrieve messages from many different chat channels, each with different participants). 3. You find yourself tempted to store credentials locally and allow the app to sign in 'as' the user or admin. [API reference]

   Steps how to get and use SharePoint Online credentials
   

   Follow these simple steps to create Microsoft Entra ID application with application access permissions:

   • Create an OAuth app

   • Grant application SharePoint Online permissions (optional, for granular permissions)

     This step allows to grant OAuth application granular permissions, i.e. access configured specific Sites, Lists, and List Items.

   Step-1: Create OAuth app

   1. Navigate to the Azure Portal and log in using your credentials.
   2. Access Microsoft Entra ID.
   3. Register a new application by going to App registrations and clicking on New registration button:
      INFO: Find more information on how to register an application in Graph API reference.

   4. When configuration window opens, configure these fields:

      • Supported account type
        • e.g. select Accounts in this organizational directory only if you need access to data in your organization only.
      • Redirect URI:
        • Set the type to Public client/native (mobile & desktop).
        • Leave the URL field empty.
      

   5. After registering the app, copy the Application (client) ID for later:

      

   6. Then copy OAuth authorization endpoint (v2) & OAuth token endpoint (v2) URLs:

      

   7. Continue and create Client secret:

      

   8. Then copy the Client secret for later steps:

      

   9. Continue by adding permissions for the app by going to the API permissions section, and clicking on Add a permission:

      

   10. Select Microsoft Graph:

       

   11. Then choose Application permissions option:

       

   12. Continue by adding these Sites permissions (search for site):

       
       INFO: If you want to access specific lists or list items (table-level vs row-level security) rather than the full site, then add Lists.SelectedOperations.Selected or ListItems.SelectedOperations.Selected permissions , just like in the previous step (search for list).
       WARNING: If you add any of these permissions - Sites.Selected, Lists.SelectedOperations.Selected, or ListItems.SelectedOperations.Selected - you must grant the app the SharePoint permissions for the specific resource (e.g. a Site, a List, or a ListItem). Follow instructions in Grant SharePoint permissions to the OAuth app (optional) section on how to accomplish that.

   13. Finish by clicking Add permissions button:

       

   14. Now it's time to Grant admin consent for your application:

       

   15. Confirm all the permissions are granted:

       

   16. Now go to SSIS package or ODBC data source and use the copied values in Application Credentials authentication configuration:

       • In the Token URL field paste the OAuth token endpoint (v2) URL value you copied in the previous step.
       • In the Client ID field paste the Application (client) ID value you copied in the previous step.
       • In the Client Secret field paste the Client secret value you copied in the previous step.
       • Optional step. Choose Default Site Id from the drop down menu.
   17. Click Test Connection to confirm the connection is working.
   18. Done!

   Step-2 (optional): Grant SharePoint permissions to the OAuth app (optional)

   If you used Sites.Selected, Lists.SelectedOperations.Selected or ListItems.SelectedOperations.Selected permission in the previous section, you must grant the app the SharePoint permissions for the specific resource (e.g. a Site, a List, or a ListItem). You can do it using PowerShell or SharePoint admin center (obsolete method).

   Granting SharePoint permissions using PowerShell

   Unfortunately, there is no user interface available to control these permissions yet. For now, granting permissions has to be accomplished via Microsoft Graph API [Microsoft reference]:

   You must be the owner of the resource to grant permissions (i.e. belong to SharePoint owners group or be the owner of the Site or List).

   1. Open PowerShell (run as admin).

   2. Call the following PowerShell code to grant read and write permission for the app we created earlier (assuming Application (client) ID is 89ea5c94-aaaa-bbbb-cccc-3fa95f62b66e):

      ##### CONFIGURATION ############################################################################################
      
      # More info at:
      # - https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=powershell
      # - https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.sites/?view=graph-powershell-1.0
      
      # Find SharePoint Site Id by following these steps:
      # - Login into SharePoint Online
      # - Open this URL https://{your-company}.sharepoint.com/_api/site in the browser
      #   NOTE: For a subsite use https://{your-company}.sharepoint.com/sites/{your-subsite}/_api/site
      # - Find 'Id' element in the response (e.g. <d:Id m:type="Edm.Guid">efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3</d:Id>)
      # - Copy the Site Id, i.e.: efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3 
      # Set $siteId variable to the retrieved Site Id:
      
      $siteId="efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3"
      
      
      # Find your Application Id (i.e. Client Id) in the Azure Portal, in App Registrations page:
      # https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
      
      $applicationId="89ea5c94-aaaa-bbbb-cccc-3fa95f62b66e"
      
      
      # Set one of app permissions: read, write, fullcontrol, owner ('write' includes 'read' permission)
      
      $appPermission="write"
      
      
      
      ##### SCRIPT ###################################################################################################
      
      # Step-1: Install 'Microsoft.Graph.Sites' module if it's not installed
      if (-not (Get-Module Microsoft.Graph.Sites -ListAvailable))
      {
          Install-Module Microsoft.Graph.Sites
      }
      
      # Step-2: Load module
      Import-Module Microsoft.Graph.Sites
      
      # Step-3: Login (use Azure admin or SharePoint owner account)
      DisConnect-MgGraph
      Connect-MgGraph
      
      # Step-4: Set parameters for API call (set permissions, Site ID and Application ID)
      
      $params = @{
      	roles = @($appPermission)
      	grantedTo = @{
      		application = @{id = $applicationId}
      	}
      }
      
      # Step-5: Grant permissions
      New-MgSitePermission -SiteId $siteId -BodyParameter $params
      
      # Done!
      Write-Host "Granted SharePoint permissions to application '$applicationId' for site '$siteId'."
      
      

   3. That's it! Now you can use the API Connector!

   Granting SharePoint permissions using SharePoint admin center (obsolete method)

   If you used Site.Selected permission you can link it SharePoint site in SharePoint admin center [SharePoint reference]. Follow these simple steps to accomplish that:

   1. Log in to SharePoint admin center using this URL: (replace YOURCOMPANY with your company name):

      https://YOURCOMPANY-admin.sharepoint.com/_layouts/15/appinv.aspx

      INFO: To view all the registered apps in SharePoint, visit this page: https://YOURCOMPANY-admin.sharepoint.com/_layouts/15/appprincipals.aspx?Scope=Web.
   2. In the App Id field enter Application (client) ID you copied in the previous step.

   3. In the Permission Request XML field enter XML snippet which describes which SharePoint permissions you want to grant to the OAuth app, e.g.:

      <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
      </AppPermissionRequests>

      INFO: This example gives app FullControl, but you can also grant it Read or Write permissions.
   4. Click Create to grant the permission to your OAuth app.
   5. That's it! Now you can use the API Connector!

   Fill in all required parameters and set optional parameters if needed:

   SharepointOnlineDSN

   SharePoint Online

   Application Credentials [OAuth]

   https://graph.microsoft.com/v1.0

   Required Parameters
   Token URL	Fill-in the parameter...
   Client ID	Fill-in the parameter...
   Client Secret	Fill-in the parameter...
   Default Site Id	Fill-in the parameter...
   Optional Parameters
   Scope	https://graph.microsoft.com/.default
   Default Drive Id
   RetryMode	RetryWhenStatusCodeMatch
   RetryStatusCodeList	429|503|423
   RetryCountMax	5
   RetryMultiplyWaitTime	True
   Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)
   Extra Headers (e.g. Header1:AAA||Header2:BBB)
   IsAppCred	1

   

    Application Credentials with Certificate (Sign JWT with Private Key) [OAuth]

   Steps how to get and use SharePoint Online credentials
   To use Certificate-Based Authentication Setup please follow the steps listed in [Application Credentials] authentication and once done come back here to finish next stsps.

   This guide walks you through setting up a certificate-based authentication flow for Microsoft Graph or other Azure AD protected APIs using client credentials and a JWT.

   Step 1: Generate a Self-Signed Certificate

   You can use OpenSSL or any other way to generate Certificate file but make it simple below example uses PowerShell. Open PowerShell and execute code listed in below steps.

   
   # Run this in PowerShell
   #Change .AddYears(1) to desired number. By default it expires certificate in one year as per below code.
   
   $cert = New-SelfSignedCertificate `
     -Subject "CN=MyClientAppCert" `
     -KeySpec Signature `
     -KeyExportPolicy Exportable `
     -KeyLength 2048 `
     -CertStoreLocation "Cert:\CurrentUser\My" `
     -KeyAlgorithm RSA `
     -HashAlgorithm SHA256 `
     -NotAfter (Get-Date).AddYears(1) `
     -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
   
   # Export private key (.pfx)  - Keep this with you to make API calls (SECRET KEY - DONOT SHARE)
   $pfxPath = "$env:USERPROFILE\Desktop\private_key.pfx"
   $pwd = ConvertTo-SecureString -String "yourStrongPassword123" -Force -AsPlainText
   Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pwd
   
   # Export public certificate (.cer) - UPLOAD this to Azure Portal
   $cerPath = "$env:USERPROFILE\Desktop\public_key.cer"
   Export-Certificate -Cert $cert -FilePath $cerPath
   

   Step 2: Register or Configure an App in Azure AD

   1. Go to https://portal.azure.com
   2. Navigate to Azure Active Directory > App registrations
   3. Click + New registration or open an existing app
   4. Copy the Application (client) ID and Directory (tenant) ID

   Step 3: Upload the Certificate

   1. In your App Registration, go to Certificates & secrets
   2. Under Certificates, click Upload certificate
   3. Select the .cer file (public certificate)
   4. Click Add

   Step 4: Grant API Permissions

   1. Go to the API permissions tab
   2. Click Add a permission
   3. Select Microsoft Graph (or another API)
   4. Choose Application permissions
   5. Add scopes such as:
      • Sites.Read.All
      • Sites.ReadWrite.All
      • Files.Read.All
      • Files.ReadWrite.All
      • email
      • offline_access
      • openid
      • profile
      • User.Read
   6. Click Grant admin consent (requires admin)

   Step 5: Use PFX file

   Once both files generated perform the following steps to use PFX file., , Use the Certificate file (*.pfx) Now its time to use pfx file generated in the previous step. PFX file contains private key and public key both.

   1. On ZappySys Connection UI Go to Certificate Tab
   2. Change Storage Mode to Local PFX File (or you can Import PFX file in Certificate Storage - User Store / Machine Store and use that way)
   3. Supply the pfx file path or select certificate from Local Certificate Store if you imported that way in earlier step
   4. Supply the certificate password (same password used in earlier PowerShell script)
   5. Test connection see everything is good

   Fill in all required parameters and set optional parameters if needed:

   SharepointOnlineDSN

   SharePoint Online

   Application Credentials with Certificate (Sign JWT with Private Key) [OAuth]

   https://graph.microsoft.com/v1.0

   Required Parameters
   Token URL	Fill-in the parameter...
   Client ID	Fill-in the parameter...
   Certificate: *** Configure [Client Certificate] Tab ***	Fill-in the parameter...
   Default Site Id	Fill-in the parameter...
   Optional Parameters
   Default Drive Id
   RetryMode	RetryWhenStatusCodeMatch
   RetryStatusCodeList	429|503|423
   RetryCountMax	5
   RetryMultiplyWaitTime	True
   Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)
   Extra Headers (e.g. Header1:AAA||Header2:BBB)
   IsAppCred	1

   

6. Select the desired endpoint, change/pass the properties values, and go to the Mappings tab to map the columns.

   API Destination - SharePoint Online

   SharePoint Connector can be used to read, write data in SharePoint Online List / Document Library, perform file operations such as upload, download, create, move, delete, rename in a few clicks!

   

7. Finally, map the desired columns:

   API Destination - SharePoint Online

   SharePoint Connector can be used to read, write data in SharePoint Online List / Document Library, perform file operations such as upload, download, create, move, delete, rename in a few clicks!

   

8. That's it; we successfully configured the POST API Call. In a few clicks we configured the SharePoint Online API call using ZappySys SharePoint Online Connector