feat(microsoft_sharepoint): Add Microsoft SharePoint retriever integration

[bogdankostic]

Related Issues

• part of https://github.com/deepset-ai/haystack-private/issues/346

Proposed Changes:

Adds a new integration, microsoft-sharepoint-haystack, providing the MSSharePointRetriever component.

Given a query, the retriever calls the Microsoft Graph Search API (POST /search/query) and returns matching SharePoint and OneDrive content as Haystack Documents. Each hit becomes a Document whose content is the search snippet (hit-highlight markup stripped, entities unescaped) and whose meta carries file_name, web_url, entity_type,
created_date_time, last_modified_date_time, created_by, last_modified_by, mime_type, and file_extension (keys with no value are omitted).

How did you test it?

• Unit tests covering: init validation, serialization round-trip, hit-to-Document mapping, request-body and auth-header construction, KQL/fields omission, pagination with offset/size, top_k handling, error handling (401/403/other 4xx, 429 retry-then-succeed, give-up after max retries), running inside a Pipeline, and the async path.
• Manual live verification against a real Microsoft 365 tenant, including a two-user per-user-scoping check: a user with access to a restricted site receives its content, while a user without access does not.

Notes for the reviewer

• The access_token is provided at run time. It can be obtained from the OAuthResolver, which ships in a separate PR: feat(oauth): Add OAuth integration #3419
• The component does not fetch the files themselves. It returns the summary provided by the Search API in the Document's content field, with the link to the file in the meta (web_url). Fetching the actual file contents requires additional downstream components.

Checklist

• I have read the contributors guidelines and the code of conduct
• I have updated the related issue with new insights and changes
• I added unit tests and updated the docstrings
• I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test:.

[github-actions]

Coverage report (microsoft_sharepoint)

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
integrations/microsoft_sharepoint/src/haystack_integrations/components/retrievers/microsoft_sharepoint
errors.py
retriever.py					191, 227, 283-286, 301
Project Total

This report was generated by python-coverage-comment-action

[sjrl]

Minor suggestion: Would it also be worth supporting passing a Secret for access_token in addition here?

[bogdankostic]

Added support for Secret in e9ad7bc

[sjrl]

Minor comment: I feel like these status code values are pretty common. Do we need a global variable for them?

[sjrl]

Maybe we could update this example to not use another integration? Then in the docs page we make for this I think we can add a full example where we can explain that users also need to install the other haystack integration.

[sjrl]

For the entitu_types, fields and query_template are there microsoft docs links we could provide?

[sjrl]

I realize it's internal but if possible providing a microsoft docs link for how to see what are valid params to this endpoint would be great for future devs

[sjrl]

Maybe worth using tenacity instead of rolling our own retry mechanism?

We may even be able to reuse request_with_retry from haystack which uses tenacity and httpx under the hood.

[sjrl]

We also have an async version async_request_with_retry available in haystack in haystack/utils/request_utils.py

[sjrl]

Out of curiosity is there a concept of filters we could also add here? Just to make it work more like our doc store retrievers

[sjrl]

@bogdankostic one thing I noticed is that ideally we can use this new sharepoint retriever inside of the MultiRetriever since that is our recommended retriever to use in platform and allows for not needing to manually wire many retrievers all up to a document joiner.

To do this though we will need two sets of changes. The main one I want to propose for this integration (I think) is number 2 where we create a wrapper component to align with the TextRetriever protocol. WDYT?

1. MultiRetriever — add a per-retriever run-inputs map (haystack)

A new optional run param (run + run_async) that maps retriever name → extra kwargs, merged only into that retriever's call. Generic, explicit routing, no signature introspection, protocol-safe (the protocol allows extra optional params), and not serialized (it's a run input, not init).

def run(self, query, filters=None, top_k=None, *, active_retrievers=None,
        retriever_inputs: dict[str, dict[str, Any]] | None = None):
    retriever_inputs = retriever_inputs or {}
    unknown = set(retriever_inputs) - self.retrievers.keys()
    if unknown:
        raise ValueError(f"Unknown retriever name(s) in retriever_inputs: {sorted(unknown)}")
    ...
    executor.submit(
        retriever.run,
        query=query, filters=resolved_filters, top_k=resolved_top_k,
        **retriever_inputs.get(name, {}),   # only this retriever gets the extras
    )

2. Create a new SharePointTextRetriever adapter

Wraps an OAuthResolver + MSSharePointRetriever, conforms to our TextRetriever protocol, and resolves the token per run. If the resolver's token source needs a per-request subject_token, the adapter declares it as a mandatory input too — mirroring the resolver's contract.

@component
class SharePointTextRetriever:
    def __init__(self, *, retriever: MSSharePointRetriever, resolver: OAuthResolver):
        self.retriever = retriever
        self.resolver = resolver
        # public token-source attribute, not the resolver's private flag
        self._requires_subject_token = bool(getattr(resolver.token_source, "requires_subject_token", False))
        if self._requires_subject_token:
            component.set_input_type(self, "subject_token", str)  # no default => mandatory socket

    @component.output_types(documents=list[Document])
    def run(self, query: str, filters=None, top_k=None, **kwargs):
        if filters is not None:
            logger.warning("SharePoint retrieval ignores `filters`; scope via `query_template` instead.")
        access_token = self.resolver.run(**self._resolver_kwargs(kwargs))["access_token"]
        return self.retriever.run(query=query, access_token=access_token, top_k=top_k)

    @component.output_types(documents=list[Document])
    async def run_async(self, query: str, filters=None, top_k=None, **kwargs):
        # signature must match run() — enforced by @component
        if filters is not None:
            logger.warning("SharePoint retrieval ignores `filters`; scope via `query_template` instead.")
        result = await self.resolver.run_async(**self._resolver_kwargs(kwargs))
        return await self.retriever.run_async(query=query, access_token=result["access_token"], top_k=top_k)

    def _resolver_kwargs(self, kwargs):
        if not self._requires_subject_token:
            return {}
        return {"subject_token": kwargs.get("subject_token", "")}

    # also add to_dict / from_dict