SharePoint is where enterprise knowledge lives: sites, document libraries, pages, lists, and embedded Microsoft 365 content. If you let AI agents read and write there without machine-enforced constraints, you risk silent data exfiltration, unauthorized edits, and cross-site privilege drift.
Claw EA runs OpenClaw as the baseline agent runtime and wraps SharePoint access in permissioned execution. Access is defined in policy-as-code using a Work Policy Contract (WPC), enforced with a CST, and audited with gateway receipts and proof bundles.
Step-by-step runbook
1. Define the Work Policy Contract. Create a WPC that names specific SharePoint site IDs, document libraries, and allowed actions such as read-only search or controlled write. Pin Microsoft Graph permissions to least privilege and record the policy hash.
2. Register the app in Entra ID. Configure application or delegated permissions in Microsoft Graph. Apply Conditional Access and, where appropriate, Privileged Identity Management for approval workflows.
3. Issue a CST. Mint a CST with a scope hash tied to the WPC. Optionally pin the policy hash so the token cannot be reused against a different policy.
4. Connect via official API. Integrate SharePoint through the official Microsoft Graph API with enterprise buildout controls. This is not a native connector and requires environment-specific configuration.
5. Run inside OpenClaw with sandbox and tool policy. Enable sandboxing and strict tool allowlists. Keep elevated tools off unless explicitly approved for the job.
6. Route model calls through clawproxy. All model calls produce gateway receipts. At job end, assemble a proof bundle and optionally publish a Trust Pulse artifact for audit viewing.
Threat model
| Threat | What happens | Control and Action | Evidence |
|---|---|---|---|
| Overbroad Graph scopes | Agent can read or modify sites beyond intent. | WPC restricts site IDs and actions. CST scope hash binds token to that WPC. | WPC hash, CST claims, proof bundle metadata. |
| Prompt injection in document | Malicious content instructs agent to fetch secrets or write to another site. | OpenClaw tool allowlist plus sandbox. WPC denies cross-site calls. | Gateway receipts showing blocked or absent calls. |
| Plugin misconfiguration | Agent runs with elevated exec on host and pivots to local files. | Sandbox mode set to all or non-main as appropriate. Elevated tools gated. | OpenClaw sandbox explain output and job config in proof bundle. |
| Token replay | CST reused in another job or context. | Marketplace anti-replay binding with job-scoped CST binding. | CST claims and job binding in proof bundle. |
| Unauthorized write | Agent edits or deletes documents without approval. | WPC approval gates for write and admin actions. Conditional Access and PIM on Entra ID role. | WPC approval record, gateway receipts for write calls. |
Policy-as-code example
Below is a simplified WPC fragment for a read-only research agent over two sites. Write actions require a separate WPC with approval gates.
```json
{
  "resource": "m365:sharepoint",
  "sites": [
    "contoso.sharepoint.com/sites/Finance",
    "contoso.sharepoint.com/sites/HR-Policies"
  ],
  "actions": ["read", "search"],
  "graph_permissions": ["Sites.Read.All"],
  "write_requires_approval": true,
  "max_pages_per_run": 200
}
```
This WPC is signed and hash-addressed in the registry. The CST carries the scope hash and can optionally pin the policy hash.
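An added example, not Claw EA's or OpenClaw's own code, of checking a single tool call against the WPC fragment above before it reaches Microsoft Graph. The canonical-JSON SHA-256 hashing and the `policy_hash` and `job_id` claim names are assumptions made for illustration; the page does not specify the CST format.

```python
import hashlib
import json
from urllib.parse import urlsplit

# WPC fragment from this page.
WPC = {
    "resource": "m365:sharepoint",
    "sites": ["contoso.sharepoint.com/sites/Finance",
              "contoso.sharepoint.com/sites/HR-Policies"],
    "actions": ["read", "search"],
    "graph_permissions": ["Sites.Read.All"],
    "write_requires_approval": True,
    "max_pages_per_run": 200,
}


def policy_hash(wpc):
    """Assumed scheme: SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    blob = json.dumps(wpc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def site_key(url):
    """Reduce a SharePoint URL to 'host/sites/name' (lowercased), or None."""
    parts = urlsplit(url if "//" in url else "//" + url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 2 or segs[0].lower() != "sites" or ".." in segs:
        return None  # fail closed on anything that is not /sites/<name>/...
    return f"{(parts.hostname or '').lower()}/sites/{segs[1].lower()}"


def authorize(wpc, cst_claims, job_id, url, action, pages_used):
    """Return (allowed, reason) for one call; claim names are hypothetical."""
    if cst_claims.get("policy_hash") != policy_hash(wpc):
        return False, "policy_hash mismatch"      # token pinned to another WPC
    if cst_claims.get("job_id") != job_id:
        return False, "token bound to another job"  # replay across jobs
    if action not in wpc["actions"]:
        return False, "action not in WPC"
    if site_key(url) not in {s.lower() for s in wpc["sites"]}:
        return False, "site not in WPC"           # exact match, never prefix
    if pages_used >= wpc["max_pages_per_run"]:
        return False, "max_pages_per_run reached"
    return True, "ok"
```

Because the site comparison is exact on the parsed host and site name, a broad `Sites.Read.All` grant does not widen what the agent can reach, and lookalike hosts or userinfo tricks in a URL fail closed.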
What proof do you get?
Every model call routed through clawproxy emits gateway receipts. These receipts bind request, response metadata, and policy context.
At the end of a job, Claw EA produces a proof bundle that includes receipts, CST claims, WPC hash, and run metadata. You can submit the bundle to clawverify for independent verification and store a Trust Pulse artifact for reviewers.
This gives you replay resistance, scope verification, and a concrete audit trail for each SharePoint read or write operation initiated by the agent.
Rollback posture
| Scenario | Immediate action | Safe rollback | Evidence retained |
|---|---|---|---|
| Suspected data overreach | Revoke CST in clawscope. | Disable Entra ID app or remove Graph permission. | Revocation record plus proof bundle. |
| Policy error in WPC | Publish corrected WPC and stop issuing new CST. | Rotate to new policy hash and invalidate old tokens. | Old and new WPC hashes for comparison. |
| Agent misbehavior | Disable agent in OpenClaw and tighten tool policy. | Rerun with sandbox mode all and reduced allowlist. | Gateway receipts from both runs. |
Planned controls such as automatic cost budget enforcement and egress allowlists outside clawproxy can be implemented if your environment requires stricter controls.
FAQ
Is this a native SharePoint connector?
No. SharePoint can be connected via the official API with enterprise buildout controls. Integration requires Entra ID app registration and Microsoft Graph configuration.
Why is prompt-only control not enough?
Prompt instructions can be ignored or subverted by document content. Permissioned execution with WPC and CST enforces least privilege at the execution layer, not just in text.
How do Microsoft 365 controls fit in?
SharePoint agents operate under existing permissions, Conditional Access, and PIM. Claw EA adds an execution boundary so the agent cannot exceed what the WPC and CST allow, even if Graph permissions are broad.
What about compliance and data protection?
Microsoft Purview and enterprise data protection features apply to content and user interactions. Claw EA complements this with proof bundles and verifiable receipts for agent-initiated actions.
Can we limit writes to specific libraries?
Yes. Define library-level constraints in the WPC and require approval gates for write and admin actions. Issue a CST only for the exact scope needed per job.