
SharePoint Integration

A short intro to the SharePoint CDE integration and how to set it up

Written by Support
Updated this week

Setup

To set up the Novorender SharePoint integration, an Entra ID administrator must install and authorize the Novorender SharePoint Link enterprise application.

Once installed, the application requires the following permissions:

  • User.Read - Used by the front-end application to sign in the Novorender project administrator managing the integration.

  • Sites.Selected (Delegated) - Used by the front-end application to list files and folders the signed-in user can access.

  • Sites.Selected (Application) - Used by the back-end synchronization job to detect new file revisions and download files to Novorender for processing.

The application has the client ID 5ba0e1e9-7c72-4c82-9e62-74c817b576f6. It can be installed and authorized by following the instructions at this link:

Additionally, an administrator needs to grant the application access to specific SharePoint sites. This process is detailed in the following Microsoft blog post:

Alternatively, to grant read access to all SharePoint sites, you can assign the following SharePoint permissions to the enterprise application:

  • AllSites.Read (Delegated) - Used by the front-end application to list files and folders the signed-in user can access across all sites.

  • Sites.Read.All (Application) - Used by the back-end synchronization job to detect new file revisions and download files from any site to Novorender for processing.

Linking Files in Novorender

Once the integration is successfully set up, a Novorender project administrator can link SharePoint files and folders for synchronization and processing within a Novorender project.

This is accomplished by clicking the Link files from SharePoint button:

The project administrator will first be prompted for the SharePoint site URL, followed by sign-in using their Microsoft account:

After successful sign-in, the application displays a list of sites, files, and folders accessible to that user. The administrator can then select the desired items for synchronization and click "Save":

This dialog operates within a user authorization context. Consequently, it only displays sites, files, and folders that the logged-in user has explicit access to, regardless of the broader permissions granted to the Novorender SharePoint Link application itself.

After the selections are saved, the platform initiates the synchronization job (detailed in the next section) to download and process the files into the Novorender scene.

Synchronization

Once files and folders are mapped in Novorender, they are regularly synchronized to reflect new files and/or revisions from SharePoint. This synchronization typically occurs on a nightly basis but can also be manually triggered by selecting the "Sync" option from the project context menu within Novorender:

This synchronization job operates under an application authorization context. This means it can access all data within the SharePoint sites for which the Novorender SharePoint Link application has been granted permissions by an Entra ID administrator, as detailed in the Setup section.


NEW FEATURE

Advanced Authentication (Project-Scoped)

By default, the SharePoint integration uses the shared Novorender SharePoint Link enterprise application. With Advanced Authentication, you can instead use your own Azure AD (Entra ID) app registration with Sites.Selected permissions, restricting access to only the SharePoint sites you explicitly authorize.

This is useful when you want tighter control over which sites the Novorender sync engine can access, rather than relying on the permissions granted to the shared application.

Prerequisites

Before configuring Advanced Authentication in Novorender, you need an Azure AD app registration with the following:

- Application (client) ID -- found under Azure Portal > App registrations > your app > Overview
- Tenant (directory) ID -- found under Azure Portal > Microsoft Entra ID > Overview
- The Sites.Selected application permission granted to the app registration (under API permissions > Microsoft Graph > Application permissions)
- Admin consent granted for the Sites.Selected permission
- The specific SharePoint sites authorized for the app via the SharePoint admin or Microsoft Graph API: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
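
The per-site authorization in the last prerequisite (and in the Setup section) can be done through Microsoft Graph. The sketch below is an added example, not Novorender's or Microsoft's code: it builds the site lookup and the permission grant for one site without sending anything. The placeholder client ID and site ID, the `read` default role and the `*.sharepoint.com` host check are assumptions.

```python
import json
from urllib.parse import quote, urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumption: the sync job only detects and downloads files, so "read" is the default.
ALLOWED_ROLES = ("read", "write")


def site_lookup_url(site_url: str) -> str:
    """Map a SharePoint site URL to Graph's /sites/{hostname}:/{path} address."""
    parts = urlsplit(site_url)
    host = (parts.hostname or "").lower()
    # Assumption: commercial-cloud tenants only (*.sharepoint.com).
    if parts.scheme != "https" or not host.endswith(".sharepoint.com"):
        raise ValueError(f"not an https SharePoint Online URL: {site_url!r}")
    path = parts.path.strip("/")
    if not path:
        return f"{GRAPH}/sites/{host}"  # tenant root site
    return f"{GRAPH}/sites/{host}:/{quote(path)}"


def grant_request(site_id: str, client_id: str, display_name: str, role: str = "read"):
    """Build the POST that grants one app registration a role on one site."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unexpected role {role!r}")
    body = {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": client_id, "displayName": display_name}}
        ],
    }
    return "POST", f"{GRAPH}/sites/{site_id}/permissions", json.dumps(body)


if __name__ == "__main__":
    # Constructed sample values: placeholder client ID and site ID.
    client_id = "00000000-0000-0000-0000-000000000000"
    print("GET", site_lookup_url("https://contoso.sharepoint.com/sites/ProjectX"))
    site_id = "<site-id returned by the GET above>"
    print(*grant_request(site_id, client_id, "Own app registration (placeholder name)"))
```

The GET returns the site's `id`, which goes into the POST path. Granting one role per site keeps the app registration limited to the sites listed in Step 3.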

Configuration Steps

In the Novorender Project Portal, open the SharePoint integration for your project and click Advanced Authentication. The setup is divided into three steps:

Step 1: App Registration
Enter the Tenant ID and Client ID from your Azure AD app registration, then click Save. This links the app registration to your Novorender project.

Step 2: Certificate
Novorender uses certificate-based authentication to access SharePoint on behalf of your app registration.

1. Click Generate Certificate -- Novorender generates a certificate key pair and securely stores the private key.
2. Download the public key PEM file.
3. Upload the PEM file to your app registration in Azure Portal: navigate to App registrations > your app > Certificates & secrets > Certificates > Upload certificate.

Once uploaded, the Novorender sync engine can authenticate as your app registration using the certificate.

Step 3: Granted Sites
Add the SharePoint sites your app registration has been authorized to access. For each site, provide:

- Site URL -- the full SharePoint site URL (e.g. https://contoso.sharepoint.com/sites/ProjectX)
- Display Name -- the name that will appear in the SharePoint resource tree

The sites listed here will appear in the SharePoint resource tree when browsing and selecting files for synchronization.

Click Save to persist the site list.

Removing Advanced Authentication
To revert to the shared Novorender SharePoint Link application, open the Advanced Authentication dialog and click Remove Configuration.
