To use the SharePoint collector, you must first authenticate the application using an Azure AD registered application. The following article provides details on setting up an application in Azure AD to support this authentication method.
Required Permissions for SharePoint Online
Retrieving information via the Graph API requires authentication, which is achieved with an Azure registered application. Because the Collector uses the Client Credentials flow to communicate with the Graph API, it is seen as an application rather than as a user. Currently, the Collector only supports Client Secrets; certificates are not supported at this time.
All the M365 Collectors use the same API and authentication mechanism; therefore, a single registered application can be configured for all the specific Collectors (SharePoint, Teams, and OneDrive) for that M365 subscription.
The Azure registered application's access to the target repository is controlled via the API permissions assigned to the application in the Azure portal.
The following permission is required:
- Sites.Read.All
NOTE: For SharePoint, Graph also provides a permission that restricts which Site Collections the registered application can discover. This works by assigning the registered application the Sites.Selected Graph permission instead of Sites.Read.All. However, using Sites.Selected requires the registered application's client ID to be granted access on each Site Collection it should be able to read.
To grant the application access to specific Site Collections when using Sites.Selected, run the following PowerShell (PnP PowerShell module):
# connect to SharePoint Online
# replace mytenant with the correct tenant name
Connect-PnPOnline -Url https://mytenant.sharepoint.com -Interactive
# Assign permission
# replace APP ID HERE with the Azure registered app id to be used for this collection
# replace URL HERE with the appropriate site collection URL
Grant-PnPAzureADAppSitePermission -AppId "APP ID HERE" -DisplayName "ActiveNavSharePointCollector" -Site "URL HERE" -Permissions Read
It is important to remember that these permissions must be added as Application permissions (not Delegated permissions) and under Microsoft Graph (some legacy APIs use the same permission names).
When adding or modifying the permissions on an Azure registered application, it is important to remember to Grant Admin Consent.
NOTE: Without admin consent, the permissions will be listed on the application but will not take effect; the Collector will be unable to read the tenant.
Registering an Azure Application for a SharePoint Online Tenant
ActiveNav Cloud uses an Azure AD Registered Application and only supports Client Secrets at this time.
- Log in to Azure AD as a user with permissions to add and update App Registrations and navigate to App Registrations. (Searching for "App Registration" also works)
- Choose New Registration.
- Enter the name of the app, choose Accounts in this organizational directory only as the Supported account types, leave the Redirect URL blank and click Register.
- Select API permissions, then select Add a permission. Under Microsoft APIs, select Microsoft Graph and select Application Permissions. Next, under the Sites section, select Sites.Read.All. Click Add Permissions.
(Screenshots: Select Microsoft Graph; Select Application Permissions; Select Sites.Read.All)
- Select Grant admin consent for the domain for the chosen permissions.
- Select Certificates & secrets, then Client Secrets. Click New Client Secret, give a brief description and select a time for the expiration of Client Secret. Click Add.
NOTE: Client secret values can only be viewed immediately after creation! Be sure to save the Value before leaving the page.
Credentials
When creating a Data Source against a new Host for an M365 collector, three pieces of information will be needed to set up the credential:
- Tenant Id (Directory Id) - this is the Azure tenant Id and can be found in the Azure portal on the overview screen of the registered application
- Client Id (Application Id) - can be found on the overview screen of the registered application
- Client Secret (the secret's Value, not its Secret ID) - this is only available for copying when the secret is first created; the Secret Value is the field that should be copied.
NOTE: See Credentials for further information.
The first two items are located on the App Registration Overview screen, and the Secret Value is found on the Certificates and Secrets screen.
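Once the three credential values above are gathered, it is worth confirming that admin consent actually took effect before creating the Data Source. The following script is an added example and is not part of the ActiveNav product or this article: it requests a token with the same Client Credentials flow the Collector uses, decodes the token's roles claim (which lists the Application permissions that have been consented to), and makes one read-only Graph call. The Tenant Id, Client Id and secret are assumed to be supplied by the operator; the secret is prompted for rather than stored in the script.

```powershell
# Verify an Azure registered application's Graph permissions for the SharePoint collector.
# Added example, not ActiveNav code. Requires the Tenant Id, Client Id and Client Secret
# described in the Credentials section.
param(
    [Parameter(Mandatory)][string]$TenantId,   # Directory (tenant) Id
    [Parameter(Mandatory)][string]$ClientId    # Application (client) Id
)

# Prompt for the secret so it never sits in a script file or shell history.
$secureSecret = Read-Host -Prompt 'Client secret value' -AsSecureString
$clientSecret = [System.Net.NetworkCredential]::new('', $secureSecret).Password

# Decode the payload segment of a JWT (base64url, no signature check; we only inspect our own token).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Client Credentials flow against the v2.0 token endpoint, as the Collector does.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $clientSecret
    scope         = 'https://graph.microsoft.com/.default'
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' -Body $tokenBody

# The roles claim holds the consented Application permissions. An empty roles claim
# is the classic symptom of permissions added without Grant Admin Consent.
$claims = ConvertFrom-JwtPayload -Token $tokenResponse.access_token
if (-not $claims.roles) {
    Write-Warning 'Token carries no application roles: admin consent has probably not been granted.'
} elseif ($claims.roles -contains 'Sites.Read.All') {
    Write-Host 'Sites.Read.All is consented; the Collector can discover all site collections.'
} elseif ($claims.roles -contains 'Sites.Selected') {
    Write-Host 'Sites.Selected is consented; only site collections granted with Grant-PnPAzureADAppSitePermission are readable.'
} else {
    Write-Warning ("Unexpected roles: " + ($claims.roles -join ', '))
}

# One read-only Graph call to prove the permission is actually usable.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
try {
    $sites = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/sites?search=*' -Headers $headers
    Write-Host ("Graph returned {0} site(s) visible to this application." -f @($sites.value).Count)
} catch {
    Write-Warning "Graph site query failed: $($_.Exception.Message)"
}
```

Run it as .\Verify-CollectorApp.ps1 -TenantId <tenant id> -ClientId <client id> and paste the secret Value at the prompt. A 401 or 403 from the Graph call together with an empty roles claim points at missing admin consent or a permission added under the wrong API (Delegated instead of Application, or a legacy SharePoint API rather than Microsoft Graph); a successful token with an empty site list under Sites.Selected points at a site collection that has not yet been granted.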