
Configuring Azure AD for OneDrive

To use the OneDrive Collector, you must first authenticate the application using an Azure AD registered application. The following article provides details on setting up an application in Azure AD to support this authentication method.

Required Permissions for OneDrive

Retrieving information via the Graph API requires authentication, which is performed through an Azure registered application. Because the Collector uses the Client Credentials flow to communicate with the Graph API, it is seen by Microsoft 365 as an application rather than as a user. Currently, the Collector only supports Client Secrets; certificates are not supported at this time.

All the M365 Collectors use the same API and authentication mechanism; therefore, a single registered application can be configured for all the specific Collectors (SharePoint, Teams, and OneDrive) for that M365 subscription.

The Azure registered application's access to the target repository is controlled via the API permissions assigned to the application in the Azure portal.

The following permission is required:

  • Sites.Read.All

NOTE: For OneDrive, Graph also provides a permission that restricts which Site Collections the registered application can discover. This works by assigning the registered application the Sites.Selected Graph permission instead of Sites.Read.All. However, using it requires the registered application's client id to be granted access on each Site Collection it needs to read.

To grant the registered application access to a specific Site Collection when using Sites.Selected, run the following PnP PowerShell (once per Site Collection):

# Connect to SharePoint Online with an interactive sign-in.
# Replace mytenant with the correct tenant name.
Connect-PnPOnline -Url https://mytenant.sharepoint.com -Interactive

# Assign the site permission to the registered application.
# Replace APP ID HERE with the Azure registered app id (Client Id) used for this collection.
# Replace URL HERE with the appropriate Site Collection URL.
# -Permissions Read grants read-only access, matching what the Collector needs.
Grant-PnPAzureADAppSitePermission -AppId "APP ID HERE" -DisplayName "ActiveNavSharePointCollector" -Site "URL HERE" -Permissions Read

It is important to remember that these permissions must be added as Application permissions (not Delegated permissions) and as Microsoft Graph permissions, because some legacy APIs use the same permission names.

When adding or modifying the permissions on an Azure registered application, it is important to remember to Grant Admin Consent.

NOTE: Without this process, the permissions will be listed as assigned to the application but will not be applied to the application.

Registering an Azure Application for a OneDrive Tenant

ActiveNav Cloud authenticates using an Azure AD Registered Application and only supports Client Secrets at this time.

NOTE: To proceed you will need to log into Azure AD with an account that has permission to add and update App Registrations.

  1. Log in to Azure AD as a user with permission to add and update App Registrations. On the Overview page, open the +Add menu and choose the App Registration option.
  2. Enter the app's name.
  3. Under Supported account types, select Accounts in this organizational directory only. Leave the Redirect URL blank.
  4. Select Register.
  5. Select API permissions.
  6. Select Add a permission.
  7. On the Select an API screen, under Microsoft APIs, select Microsoft Graph.
  8. On the Microsoft Graph screen, select Application Permissions.
  9. Search for the Sites.Read.All permission.
  10. Select the permission in the list and click Add Permissions.
  11. On the API Permissions screen, select Grant admin consent for <your domain> for the chosen permissions.
  12. In the Application navigation panel, choose Certificates & secrets.
  13. Select the middle tab, Client secrets.
  14. Click the + New client secret button.
  15. Provide a description for the secret and set the expiry time.
  16. Click the Add button.

NOTE: Client secret values can only be viewed immediately after creation. Be sure to save the Value before leaving the page.


Credentials

When creating a Data Source against a new Host for an M365 Collector, the following three pieces of information will be needed to set up the credential:

  • Tenant Id (Directory Id) - this is the Azure tenant Id and can be found in the Azure portal on the overview screen of the registered application.
  • Client Id (Application Id) - can be found on the overview screen of the registered application.
  • Client Secret - this is only available for copying when the secret is first created; copy the Secret Value field (not the Secret ID).

The first two items are located on the App Registration Overview screen, and the Secret Value is found on the Certificates and Secrets screen.
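The three values above are exactly the inputs to the Client Credentials token request described earlier, and a common cause of "the permission is listed but nothing works" is the missing admin consent from the NOTE above. The following Python is an added example, not ActiveNav's or Microsoft's code: it builds the token request for the Microsoft identity platform v2.0 endpoint and then inspects the issued access token offline to confirm that the Sites.Read.All application permission actually appears in its roles claim (application permissions only show up there once admin consent has been granted). The tenant id, client id, secret and the sample tokens are constructed placeholders; a real token is signed by Azure AD and is validated by Graph, so the decoding here is for inspection only, not for trust decisions.

```python
"""Client-credentials token request for Microsoft Graph plus an offline check
that the returned token carries the expected application role (added example)."""
from __future__ import annotations

import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"   # v2.0 scope for app permissions
REQUIRED_ROLE = "Sites.Read.All"                         # the Graph application permission


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint of the Microsoft identity platform for one tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """Return (url, form-encoded body) for the client_credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return token_endpoint(tenant_id), body


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """POST the grant and return the access token (needs network and real credentials)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str, required: tuple[str, ...] = (REQUIRED_ROLE,)) -> list[str]:
    """Application permissions the token lacks. Assigned-but-unconsented
    permissions never reach the 'roles' claim, so this reveals missing admin consent."""
    granted = set(jwt_claims(token).get("roles", []))
    return [role for role in required if role not in granted]


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only (alg=none, empty signature)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims: one token issued after admin consent, one before.
_BASE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "tenant-id-placeholder",
    "appid": "client-id-placeholder",
}
SAMPLE_CONSENTED_TOKEN = make_sample_token({**_BASE_CLAIMS, "roles": [REQUIRED_ROLE]})
SAMPLE_UNCONSENTED_TOKEN = make_sample_token(dict(_BASE_CLAIMS))  # no roles claim at all


if __name__ == "__main__":
    url, body = build_token_request("tenant-id-placeholder", "client-id-placeholder", "secret-placeholder")
    print("POST", url)
    print("body:", body.decode())
    for label, tok in (("consented", SAMPLE_CONSENTED_TOKEN), ("unconsented", SAMPLE_UNCONSENTED_TOKEN)):
        lacking = missing_roles(tok)
        print(f"{label}: {'OK' if not lacking else 'missing roles ' + ', '.join(lacking)}")
```

To use it against a real tenant, call request_token with the Tenant Id, Client Id and Secret Value from the App Registration, then pass the result to missing_roles; an empty list means Sites.Read.All was granted and consented, while a non-empty list points back to the Grant admin consent step before any Graph call is attempted.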