Configuring the SharePoint Integration


You can integrate Workfront with SharePoint Online, providing users with the ability to navigate to, link, and add SharePoint documents within Workfront. The functionality provided is similar to that of other Workfront integrations, such as Google Drive, Box, and Dropbox.

This integration is compatible only with SharePoint Online. On-premise instances of SharePoint are not supported.

SharePoint Licensing Changes

Beginning August 1, 2014, Microsoft removed version-specific licensing requirements for the ability to connect provider-hosted apps to SharePoint Online.  Prior to this change, SharePoint Online restricted provider-hosted access to Midsize Business or Enterprise versions of Office 365. Existing SharePoint customers on the old Office 365 licensing models might need to switch to the new model for this to take effect.

For more information, see:

Configuring OAuth

Workfront connects to SharePoint Online using OAuth 2.0, a standard used by most web-based integrations for the authentication and authorization of users.

To configure OAuth, you need to create a Site Collection and a Site App within SharePoint. This process is described in the following sections.

For more information about OAuth, see

Creating a Master Site Collection

In order for Workfront to authenticate with SharePoint, Workfront needs a master site collection where users have the Full Control permission level or specific Manage permissions.  This master site collection acts as an Authentication Entry Point for Workfront, and it should be empty. Documents should be contained within folders in other site collections, each of which having specific permissions set to allow only certain users to perform certain actions.

NOTE You cannot move an asset from Workfront directly to a site collection folder in Sharepoint. Instead, you need to move the asset to a sub-folder within the site collection folder.

To create a master site collection:

  1. Create a site collection in SharePoint.  For instructions, visit Microsoft’s site at
    NOTE The Master Site Collection will only be used for OAuth.  As such, documents will not be stored in this site collection.  Because of this, the size of this site collection can be small.
  2. Grant users Full Control to all users for the site collection.  Set these permissions by navigating to the Site Collection > Site Contents > Settings (small gear icon) > Site Permissions.
  3. For each group, click the checkbox next to the Group Name, then click the Edit User Permissions button. Select the Full Control, then save your changes. Repeat for each group.
    If you choose not to grant Full Control, you must grant the following permissions:
    Design Can view, add, update, delete, approve, and customize
    Edit Can add, edit, and delete lists; can view, add, update, and delete list items and documents
    Contribute Can view, add, update, and delete list items and documents
    View only Can view pages, list items, and documents (Document types with server-side file handlers can be viewed in the browser but not downloaded
  4. Continue with "Creating a Site App and Configuring Workfront."

Creating a Site App and Configuring Workfront

You need to create a Site App in SharePoint, and then copy information from this site app into Workfront. The Site App is an app principal and acts as the conduit through which OAuth requests are made to access documents within site collections. This Site App must have Write permission to any site collections for which users need to access through Workfront.

Note: Because you need to copy and paste information between Workfront and SharePoint, we recommend keeping both applications open in separate tabs.

Begin by creating a Workfront SharePoint Integration instance, then grant Write permissions to the Site App.

Creating A Workfront - SharePoint Integration Instance

  1. In Workfront, navigate to Setup > Documents > SharePoint Integration.
  2. Click the Add SharePoint button.
  3. Specify a name for this SharePoint instance.
  4. Specify your SharePoint host instance (e.g.
  5. Specify the Azure Access Domain (e.g. This field is the <sub_domain> domain created when you sign up on the Office 365 site.
  6. Specify the Site Collections Authentication.  This is the URL stem for the site collection that you created in the section above.
    Before you can create this SharePoint Integration instance in Workfront, you need a SharePoint Client ID and a SharePoint Client Secret. The following steps create a Site App in SharePoint and finish the creation of the SharePoint Integration instance.
  7. In a new browser window, navigate to your company's SharePoint site. For example,
    Note: Keep the Workfront’s SharePoint Integration window open from the previous steps.  You will copy information from SharePoint to this form later.
  8. Log in to SharePoint as a user with administrator access.
  9. Navigate to the URL: https://<sharepoint_yourCompanyDomain>/_layouts/15/appregnew.aspx.
    Replace <sharepoint_domain> with your company’s SharePoint domain.
  10. Generate a Client ID and Client Secret by clicking on the generate buttons.
  11. Copy the Client ID and Client Secret to the corresponding fields in Workfront.
    NOTE Client secrets expire in 1 year and must be renewed. See How to: Replace an expiring client secret in an app for SharePoint.
  12. Specify a title, such as Workfront Site App
  13. Specify the App Domain.  This value comes from Workfront and is displayed under Workfront SharePoint AppDomain in the SharePoint Integration window. This value is likely, ''
  14. Specify the Redirect URL. This value also comes from Workfront and is displayed under Workfront SharePoint Redirect URL.
    This value is likely:
  15. Click the Create button in SharePoint.
  16. In Workfront, under Visible Site Collections, add each of the site collections that you want to access within Workfront.
    For example, /sites/documents, /sites/supersecretproject, /teams/genericteam.
  17. Click Save.
  18. Continue with "Granting Write Permissions to the Site App."

Granting Write Permissions To The Site App

At this point, you have successfully created a Site App and registered it within Workfront.  This site app is also known as an an app principal in SharePoint. It resides within your tenant.  New site apps do not automatically have access to site collections within the tenant.  Permissions must be granted explicitly, for each site collection.  The steps below will show you how to grant Write permission to the new Site App a site collection.  Repeat these steps for each of the site collections you added under Visible SiteCollections in the steps above.

  1. Navigate to the following URL:
    is the path of your site collection. For example,
  2. In Workfront, copy the SharePoint Client ID that you previously created; paste it into the App ID field in SharePoint; click the Lookup button.
  3. Copy the following text and paste it into the Permission Request XML field (the text must be entered exactly as it appears below):
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web"  Right="Write"/>
  4. Click Create.
  5. Click Trust It.
  6. Verify that the site app has access to the site collection by clicking the Site app permissions link in Site Settings.
  7. Repeat the steps above for the remaining site collections, then continue with "Configuring SharePoint within Workfront."

Configuring SharePoint Within Workfront

To finalize the integration, configure SharePoint from within Workfront, as described in "Configuring Document Integrations."

 Verifying Your Setup

Now that Workfront and SharePoint are setup, Workfront users should be able to connect their individual SharePoint accounts and manage SharePoint documents from within Workfront.  This process is similar to Box, Dropbox, and Google Drive.  You can verify that things are setup correctly by connecting SharePoint to your user account.

Additional Information about Working with SharePoint

For additional information about working with SharePoint, see "Use an Office 365 SharePoint site to authorize provider-hosted add-ins on an on-premises SharePoint site." 

This information came form the FAQ - not sure if this should be live: Also check out this page about Creating SharePoint 2013 with Provided Hosted Apps:


Problem: As a Workfront user, I am unable to provision a new SharePoint instance.  When I attempt to do I see an error.

Solutions.  This can be caused by a number of things, originating in either Workfront or SharePoint’s configuration.  Verify that:

  1. The Client ID, Client Secret, return URL and other configuration fields are correctly mapped between the Workfront SharePoint Integration instance and the SharePoint Site App.
  2. The user has Full Control permission to the Site Collection used for authentication.
  3. The Site App is listed under Site App Permissions for the Site Collection used for authentication.

Problem: When attempting to browse SharePoint files in Workfront, I do not see any or all of my site collections.

Solutions: To see a site collection in Workfront, the following conditions must be met:

  • The site collection must be registered in the Workfront SharePoint Integration instance.
    To verify this in Workfront:
    1. Go to Setup > Documents > SharePoint Integration.
    2. Edit the SharePoint Integration instance information.
    3. Verify that the site collection is listed under Visible Site Collections.
  • The user must have view access to the site collection in SharePoint.
    To verify this in SharePoint:
    1. Go to SharePoint, and open the site collection > Settings > Site permissions.
  • The SharePoint Site App must have access to the site collection.
    To verify this in SharePoint:
    1. Go to the site collection > Settings > Site app permissions.
    2. Ensure that the Site App used by Workfront is listed here.
    3. (Conditional) If the Site App is not listed, add to the site collection using _layouts/15/appinv.aspx.  For information about adding the site collection, see "Granting Write Permissions To The Site App."



This article last updated on 2019-02-28 18:36:06 UTC