Credentials
You only need an access token. Pick whichever path fits.Option A: App-only (client credentials)
Best for scripted, automated, and CI runs. There is no signed-in user, and it works for SharePoint because the resource uses/sites and /sites/{id}/drives
(no /me context required).
- In the Microsoft Entra admin center, go to Identity -> Applications -> App registrations -> New registration.
- Under API permissions -> Microsoft Graph -> Application
permissions, add
Sites.Read.Allfor read-only, orSites.ReadWrite.All(plusFiles.ReadWrite.Allfor writes) for full access. Click Grant admin consent. - Under Certificates & secrets, create a client secret.
- Request a token with the client-credentials flow:
Option B: Delegated (Graph Explorer)
Fastest way to try it as yourself. The token lasts about an hour, which is plenty for a test run.- Open Graph Explorer and Sign in.
- Run any SharePoint query (for example
GET /sites?search=*) and consent when prompted. - Open the Access token tab and copy the token.
A static token is short-lived (about 60 minutes). For long-running mounts, pass
a
Callable[[], str] provider as access_token instead of a string. The
resource refreshes on 401, so the mount survives token expiry.Verify access
With your token exported asTOKEN:
Set environment variables
Snapshots and version pinning rely on SharePoint version history, which is
on by default. Older versions are only readable while the library retains them
(the version cap is configurable, and an admin can disable versioning).