External Content Connector Crawl Fails Due to Insufficient SharePoint Site Permissions with Sites.Selected Configuration

Issue

The External Content Connector failed to start or complete crawls for SharePoint content sources. During crawl execution, the connector reported that certain SharePoint site collections could not be accessed and were ignored. The crawl logs showed 403 Forbidden errors during site permission verification, causing the connector initialization and traversal process to fail.

Release

N/A

Cause

The issue was caused by insufficient SharePoint site-level permissions granted to the connector application. The environment was configured using the Sites.Selected permission model in Microsoft Entra ID. Under this model, the application is granted access only to explicitly approved SharePoint site collections instead of receiving tenant-wide access through Sites.FullControl.All.

A common point of confusion is that there are two separate permission layers involved when using SharePoint connectors:

1. Tenant Level Application Permission

This controls how broadly the Entra ID application can access SharePoint resources across the tenant. Examples:

• Sites.FullControl.All: Provides tenant-wide access to all SharePoint site collections.
• Sites.Selected: Restricts the application to only specifically approved site collections.

2. Site Level Permission Assignment

When using the Sites.Selected model, each individual SharePoint site collection must additionally grant a permission level to the application. Supported permission levels include:

• Read
• Write
• FullControl

In this case, the connector application had been granted access to the SharePoint site collection using the Sites.Selected model, but the site itself was configured with only Read permission. The External Content Connector requires FullControl at the site level in order to traverse the full site structure, read list metadata, resolve permissions, and index content correctly. With only Read access, the connector hits a 403 Forbidden when attempting site permission verification, which is exactly what we see in the crawl logs.

Log Snippet:

Site collection 'https://sharepoint_tenant.sharepoint.com/xxxx' could not be accessed and will be ignored!
Reason: The connector does not have sufficient permission.
Resolution (Sites.FullControl.All): In case Sites.FullControl.All is set in the Entra ID application: Verify that the site collection is not locked.
Resolution (Sites.Selected): In case Sites.Selected is set in the Entra ID application: Set FullControl permission on the given site collection via PowerShell or the Microsoft Graph API. See the connector documentation for further details.
Staus Code: 403.Reason: Forbidden, response message: Attempted to perform an unauthorized operation..

Resolution

If the environment uses the Sites.Selected permission model, verify that the connector application has been granted FullControl permission on the target SharePoint site collection.

Steps:

1. Identify the SharePoint site collection configured for crawling
2. Verify the permission currently assigned to the connector application
3. Update the site-level permission from Read to FullControl
4. Trigger a new crawl after updating permissions

No changes to tenant-wide Entra ID permissions are required if the Sites.Selected model is intentionally being used.

Once FullControl permission is granted on the target SharePoint site collection, the connector should successfully verify permissions, traverse the site structure, and complete the crawl process without 403 Forbidden errors.
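
The steps above, carried out against the Microsoft Graph API from PowerShell. This is an added example, not taken from this article or the connector documentation. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in administrator can consent to Sites.FullControl.All; the host name, site path and application ID are placeholders.

```powershell
# Added example. Values in angle brackets and the all-zero GUID are placeholders.
$SiteHost = '<tenant>.sharepoint.com'                  # SharePoint host name
$SitePath = '/sites/<site-name>'                       # server-relative path of the crawled site collection
$AppId    = '00000000-0000-0000-0000-000000000000'     # client ID of the connector's Entra ID application
$Graph    = 'https://graph.microsoft.com/v1.0'

# Managing site-level grants requires Sites.FullControl.All for the caller.
Connect-MgGraph -Scopes 'Sites.FullControl.All'

# Step 1: resolve the site collection to its Graph site ID.
$site = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$Graph/sites/${SiteHost}:${SitePath}"
$permUri = "$Graph/sites/$($site.id)/permissions"

# Step 2: find the connector's grant. Each grant is re-read by ID because
# the list response may omit the roles property.
$grant = (Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $permUri).value |
    ForEach-Object { Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$permUri/$($_.id)" } |
    Where-Object {
        $ids = @($_.grantedToIdentitiesV2.application.id) + @($_.grantedToIdentities.application.id)
        $ids -contains $AppId
    } | Select-Object -First 1

if (-not $grant) {
    throw "Application $AppId has no Sites.Selected grant on $($site.webUrl)."
}
Write-Host "Current site-level roles: $($grant.roles -join ', ')"

# Step 3: raise the grant to FullControl only if it is lower (for example Read).
if ($grant.roles -notcontains 'fullcontrol') {
    $body = @{ roles = @('fullcontrol') } | ConvertTo-Json
    $updated = Invoke-MgGraphRequest -Method PATCH -OutputType PSObject -Uri "$permUri/$($grant.id)" `
        -Body $body -ContentType 'application/json'
    Write-Host "Updated site-level roles: $($updated.roles -join ', ')"
}

# Step 4: start a new crawl from the connector once the grant shows fullcontrol.
```

The grant changed here applies to the one site collection named in `$SitePath`; the application's tenant-level Sites.Selected permission is left as it is.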