Admin-managed setup (service credentials)

Administrator access to the Amazon Quick admin console.

Administrator access to Microsoft Entra ID to register an application and grant API permissions.

A Microsoft 365 tenant with OneDrive content to index.

OneNote files are not crawled in admin-managed setup. Microsoft retired app-only tokens for the OneNote APIs on March 31, 2025. To index OneNote content, use User-managed setup.

Shared folders are not crawled. Folders shared with a user are stored in SharePoint and cannot be accessed with the application credentials used for admin-managed setup. To sync shared content, we recommend creating a Microsoft SharePoint knowledge base integration.

Unable to access KMS key – Verify the KMS key ARN and Region. Confirm the KMS key has been added in the Amazon Quick admin console under Manage account, AWS resources, AWS Key Management Service. Confirm the key is enabled and has not been scheduled for deletion. Multi-Region keys are not currently supported.

Certificate validation failed – Verify the thumbprint using the base64url-encoded SHA-1 value from the certificate generation step. Ensure the certificate uploaded to Entra has not expired.

ACL not enforced – Confirm the Entra app has Files.Read.All, Sites.Read.All, User.Read.All, Group.Read.All, and GroupMember.Read.All on Microsoft Graph. Re-run a full sync after fixing permissions. For more information about verifying document access, see Check document access (ACL verification).

Zero items crawled – The sync completed but no documents were indexed. This typically indicates a permissions issue. Verify the Entra app has the correct API permissions, including Sites.Read.All so that Amazon Quick can enumerate the OneDrive drives hosted on SharePoint. Also verify that users have OneDrive content and that admin consent has been granted.

Syncs failing after certificate expiry – If syncs fail across multiple knowledge bases that share the same data source connection, the certificate uploaded to Entra might have expired. Generate a new certificate (see Step 2: Generate a self-signed certificate), upload it to the Entra app registration, and update the connection details. An Amazon Quick administrator can reassign data source ownership through Manage assets if the original creator is unavailable. For more information, see Sharing data source connections.

No results from ACL-enabled knowledge base – If users receive no results from an admin-managed knowledge base, admin consent for the real-time ACL application might not have been granted. Your tenant might also block user consent. Grant admin consent using the link provided in the Amazon Quick console, or see Admin consent.