Technical Reference

This page is for technical evaluators. The product pages stay marketing-led; the integration specifics live here so they’re easy to update as Microsoft’s APIs evolve.

Metadata Bot integration

Microsoft surfaces

  • SharePoint Online REST + CSOM (read/write managed metadata, retrieve term sets)
  • Microsoft Graph (driveItem operations for files, taxonomy reads)
  • Webhooks (real-time tag/untag: 5-second response deadline)
  • Optional AI providers: OpenAI, OpenRouter, Azure Computer Vision OCR

Permissions

  • Sites.FullControl.All for record-classifying writes
  • Sites.Read.All for taxonomy reads
  • Tenant admin for cross-site discovery
  • AI provider keys are tenant-supplied

Cost considerations

Microsoft Graph metering: $0.00185 USD per call for SharePoint/OneDrive operations. AutoTag includes dry-run cost estimation, batching, backoff, and retry. AI provider costs are pass-through to your provider account.

Supported content

Every SharePoint column type. Any file format (Office, PDF, images via OCR, plain text). SharePoint Online + Server (Subscription Edition, 2019, 2016, 2013).

Governance Bot integration

File-level sensitivity & retention labels (now)

  • Microsoft Graph: driveItem.assignSensitivityLabel, driveItem.extractSensitivityLabels, driveItem.setRetentionLabel
  • PowerShell: Set-MgDriveItemSensitivityLabel, Get-FileSensitivityLabelInfo
  • CSOM: SetComplianceTagOnBulkItems, SetListComplianceTag
  • Permissions: Files.ReadWrite.All for write; Files.Read.All for read; Sites.FullControl.All for record-classifying retention labels
  • Cost: assignSensitivityLabel metered at $0.00185 USD per call (SharePoint/OneDrive)

Honest constraints:

  • Office clients don’t apply headers, footers, or watermarks from at-rest stored labels
  • Signed PDFs not supported
  • Get-FileSensitivityLabelInfo doesn’t work for files using custom permissions or DKE (Double Key Encryption)

Drift detection (now)

  • SharePoint search: managed property InformationProtectionLabelId
  • PowerShell: Get-FileSensitivityLabelInfo for spot checks; extractSensitivityLabels (Graph)
  • Reports: SharePoint Data Access Governance reports for finding overshared/sensitive sites; PowerShell support for running those reports at scale

Container governance (Phase 2)

  • PowerShell: Set-SPOSite -SensitivityLabel, Set-Label -AdvancedSettings for label-driven defaults (DefaultSharingScope, DefaultShareLinkPermission, DefaultShareLinkToExistingAccess, MembersCanShare)
  • Graph: group.assignedLabels. Delegated only. Microsoft application permissions are NOT supported for this property.
  • Permissions: SharePoint Online admin AND site collection admin for Set-SPOSite; supported admin role + Group.ReadWrite.All (delegated) for group label updates; Entra ID P1 license at minimum

Honest constraint: Microsoft routes Teams governance through the underlying group/site, NOT a Teams API. AutoTag includes a delegated-admin runner mode. Teams Graph APIs and Teams PowerShell cmdlets are explicitly NOT a target.

Channel sites & adjacent workloads (Phase 3)

  • Discovery: extends current Bot site/list/library discovery to recognise channel sites as a distinct site class
  • APIs: shared with the file-level and container pillars
  • Honest constraint: AutoTag does NOT promise independent container labelling for private/shared channels. Microsoft’s inheritance model overrides

Deployment & data residency

  • AutoTag deploys directly inside your Microsoft 365 tenancy
  • Your data does not leave your tenant
  • JFDI Consulting does not access your data at any point
  • Supported authentication: Entra-managed app registration with the permissions listed above

Works with every modern SharePoint

  • SharePoint Online (Microsoft 365)
  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016
  • SharePoint Server 2013
  • All SharePoint column types are supported

Ready to put metadata on autopilot?

Talk to JFDI about deploying AutoTag in your tenancy.

Get in touch