Tally for SharePoint
Source documents, organized and accessible from anywhere.
Tally reads and writes files in per-client allowlisted SharePoint folders. Used for source-document storage, statement uploads, and workpaper management. Per-client folder paths prevent cross-client access.
What Tally does with SharePoint
Tally connects to SharePoint to automate the data flow into your accounting stack — with explicit safety rules at every step.
Document upload & download
Reads and writes files (PDF, Excel, Word, etc.) in pre-allowed folders. Source documents flow from email or upload into SharePoint and back into the AP pipeline.
Excel password decryption
A per-client Excel password, stored encrypted with AES-256-GCM, is applied automatically to decrypt password-protected workbooks during read. Bank statements that arrive password-protected don't require manual unlock.
Folder organization
Reads folder structure within allowed paths. Tally can navigate into subfolders organized by year, vendor, statement type, etc.
Workpaper management
Stores and retrieves Excel workpapers used during the close. Modifications are saved as new versions so prior states are recoverable.
Per-client isolation
Each client config has an allowed_folder_paths list. Tally cannot read or write outside those paths — even within Ballast's own SharePoint tenant.
Audit trail
SharePoint's native version history captures every Tally write. Combined with Tally's audit logs, you have a complete record of what changed and when.
How it works
Setup is straightforward and auditable. No copy-pasted CSVs, no shared logins.
Authorize Tally in SharePoint
A Ballast accountant initiates the connection. Authorization happens through SharePoint's standard OAuth or API-key flow with the minimum required scopes.
Credentials encrypted at rest
Tokens are immediately encrypted with AES-256-GCM and stored in Tally's PostgreSQL database. Plaintext credentials never touch logs or error reports.
Tally pulls and normalizes data
Tally fetches data from SharePoint on a schedule, normalizes it, and ties it back to the corresponding records in QuickBooks Online.
Your accountant takes it from there
A Ballast accountant reviews exceptions, posts entries, and closes the books. You get monthly financials without lifting a finger.
Availability
This integration is provided to Ballast Consulting Group's accounting clients at no additional charge as part of their engagement. There is no per-seat fee, per-API-call fee, or per-integration fee billed to the client. The cost is included in your accounting fee.
Tally isn't sold separately. Access requires an active engagement with Ballast Consulting Group as your finance and accounting department. If you're interested in becoming a Ballast client, please reach out.
Security & compliance
Every Tally integration follows the same safety pattern. Here is how the SharePoint integration specifically is locked down.
Per-client folder allowlist
The primary isolation mechanism. Each client config has an allowed_folder_paths list. Every read and write is validated against this list before transmission. Outside-allowlist paths are rejected.
Single Azure AD app, app-only auth
Same auth model as Outlook — one Azure AD app on Ballast's tenant with app-only client credentials. Microsoft's RBAC for Applications restricts the app to specific SharePoint sites.
Encryption at rest
The Excel password (per-client, optional) is stored encrypted with AES-256-GCM in the agent.client_sharepoint_config table. Plaintext passwords never appear in logs.
No tenant-wide access
The Azure AD app is granted access only to specific SharePoint sites via Sites.Selected — not Sites.ReadWrite.All. There is no path through Tally to other team sites or other tenants.
No permission mutations
Tally cannot grant, revoke, or modify SharePoint permissions. The /permissions and /sharing paths are blocked at the path-allowlist layer.
Read-write separation
While read and write are both supported, every write operation is logged separately so audit reports can distinguish read-only operations from modifications.
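A sketch of the request gate this section describes: every path is validated against allowed_folder_paths, /permissions and /sharing are refused and, as the FAQ on this page states, DELETE is blocked. This is an added example, not Tally's own code; the function names, the sample folder paths, the case-insensitive comparison and the segment-matching rule are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Page facts: /permissions and /sharing are blocked; DELETE is blocked.
BLOCKED_SEGMENTS = {"permissions", "sharing"}
BLOCKED_METHODS = {"DELETE"}

# Constructed sample config; only the key name allowed_folder_paths is from the page.
SAMPLE_CLIENT = {"allowed_folder_paths": ["/Clients/Acme/Statements",
                                          "/Clients/Acme/Workpapers"]}

def normalize(raw):
    """Return the path as the server would resolve it, or raise ValueError."""
    decoded = unquote(raw)
    # A second decode that still changes the string means double encoding.
    if unquote(decoded) != decoded or "\x00" in decoded:
        raise ValueError("double-encoded or NUL in path")
    cleaned = "/" + decoded.replace("\\", "/").lstrip("/")
    # normpath collapses '.', '..' and '//'; casefold assumes case-insensitive paths.
    return posixpath.normpath(cleaned).casefold()

def authorize(method, path, allowed_folder_paths):
    """Decide (allowed, reason) for one request before it is transmitted."""
    if method.upper() in BLOCKED_METHODS:
        return False, "method blocked"
    try:
        norm = normalize(path)
    except ValueError as exc:
        return False, str(exc)
    # Fail closed: any segment named permissions/sharing is refused (assumed rule).
    if BLOCKED_SEGMENTS & set(norm.strip("/").split("/")):
        return False, "permissions/sharing blocked"
    for folder in allowed_folder_paths:
        root = normalize(folder).rstrip("/")
        # Match on a segment boundary so /statements does not admit /statements-old.
        if norm == root or norm.startswith(root + "/"):
            return True, "ok"
    return False, "outside allowlist"

if __name__ == "__main__":
    for m, p in [("GET", "/Clients/Acme/Statements/2024/jan.pdf"),
                 ("PUT", "/Clients/Acme/Statements/%2e%2e/%2e%2e/Other/x.pdf"),
                 ("GET", "/Clients/Acme/StatementsOld/x.pdf"),
                 ("DELETE", "/Clients/Acme/Workpapers/close.xlsx")]:
        print(m, p, authorize(m, p, SAMPLE_CLIENT["allowed_folder_paths"]))
```

The check runs on the normalized path, so encoded traversal and sibling folders that share a name prefix are rejected rather than matched by a raw string prefix test.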
Frequently asked questions
Can Tally access any SharePoint folder in my tenant?
No. Tally is restricted to specific folders configured per client (the allowed_folder_paths list), and the underlying Azure AD app is granted access only to specific SharePoint sites via Sites.Selected. There is no tenant-wide access.
Can Tally read password-protected Excel files?
Yes — if you configure the client's Excel password in Tally settings. The password is stored AES-256-GCM encrypted and is auto-applied when Tally reads encrypted .xlsx files.
Can Tally delete files in SharePoint?
Tally can write (create or update files) but not delete. The DELETE method is blocked. Files written by Tally can be modified or replaced but not removed.
How do I add a new folder to Tally's allowlist?
Tally settings → SharePoint → Allowed Folder Paths. Add the SharePoint folder path and save.
Can Tally share SharePoint files with external users?
No. /sharing and /permissions endpoints are blocked. Tally cannot generate sharing links, grant access, or modify file permissions.
Talk to Ballast about your books
Tally's SharePoint integration comes at no additional charge when Ballast runs finance and accounting for you. If you need a team that actually understands the systems your business runs on, get in touch.