
Configuring Azure AD for SharePoint Online

With release 4.14.0, Discovery Center has an updated SharePoint connector. The new connector will bring faster performance when scanning documents and better protection against SharePoint Online throttling.

The upgraded connector is generally recommended, but it is not the right choice in every case. Do not proceed with configuring Azure AD for SharePoint Online without first reading our article about the new connector.

A prerequisite for using the new SharePoint connector with SharePoint Online is to authenticate with an Azure AD registered application and a certificate. This article describes how to set up an application in Azure AD to support that authentication method and how to create the matching credential in Discovery Center.

Note that on-premises SharePoint locations continue to use username and password credentials as before.

Registering an Azure Application for a SharePoint Online tenant

Discovery Center authenticates to the registered Azure app with a Certificate credential type. The certificate is split between the two sides: the public certificate (.cer) is uploaded to the Azure app, and the private key, packaged as a password-protected .pfx file, is uploaded to the Discovery Center application. The steps below assume such a certificate has already been created. Treat the .pfx file and its password as a tenant-wide secret: anyone holding them can act as the app with every permission it has been granted.
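A scripted way to produce that certificate pair, added here as an example and not taken from the Discovery Center documentation. It uses the PKI cmdlets built into Windows PowerShell; the subject name, output file names and two-year lifetime are assumptions, so adjust them to your own conventions:

```powershell
# Added example: create a self-signed certificate for Azure AD app authentication
# and split it into the public part (.cer, for the Azure app) and the private
# part (.pfx, for Discovery Center). Subject name, paths and lifetime are assumptions.

$subject = "CN=DiscoveryCenter-SPO"               # assumed name
$cerPath = Join-Path $PWD "DiscoveryCenter-SPO.cer"
$pfxPath = Join-Path $PWD "DiscoveryCenter-SPO.pfx"

# RSA 2048 / SHA-256 signing certificate in the current user's store, marked
# exportable so the private key can be packaged for Discovery Center.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Public certificate only: this is the file uploaded under Certificates & secrets.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Private key, protected by the password that Discovery Center will be given.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password to protect the .pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Azure displays the thumbprint after upload; compare it to confirm the right file went in.
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"
```

Record the expiry date: when the certificate lapses the Azure credential stops working and the connector fails until a new public certificate is uploaded and the new .pfx installed in Discovery Center. Once the .pfx has been exported and stored safely, the private key can be removed from the workstation store with Remove-Item on the Cert:\CurrentUser\My\<thumbprint> path so it does not linger on an admin machine.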

1. Log in to Azure AD as a user with permission to add and update App Registrations and navigate to App Registrations.

2. Choose New Registration.


3. Enter the name of the app, choose Accounts in this organizational directory only as the Supported account types, leave the Redirect URI blank and select Register.


4. Select API permissions and choose Add a permission. Under Microsoft APIs select SharePoint, choose Application permissions, tick the Sites.FullControl.All checkbox and select Add permissions.


Note - The Sites.FullControl.All permission is required to guarantee that the SharePoint connector functions fully within the Discovery Center application. It is an application permission, so it applies tenant-wide with no signed-in user; if certain features are not required, a lower permission level may be used instead. The exact requirements depend on the interaction between the connector and Microsoft's APIs and are subject to change, but at the time of writing the permission levels affect behaviour as follows (each level is a subset of the one above it, so a lower level also lacks everything listed for the levels above):

Permission level         Impact
Sites.FullControl.All    Full functionality available
Sites.Manage.All         Cannot set file-level date properties when moving files into SharePoint Online
Sites.ReadWrite.All      Cannot create Document Library containers when moving files into SharePoint Online
Sites.Read.All           Cannot discover child sites during discovery

If the action being taken in the Discovery Center application will add values to the Term Store, the TermStore.ReadWrite.All application permission is also required. Please contact Active Nav Support with any issues or specific queries about the permissions required here.

5. Select Grant admin consent for <your tenant> for the chosen permissions. Application permissions have no signed-in user who can consent, so without this step the app cannot call SharePoint Online at all.


6. Select Certificates & secrets and then Upload certificate, and browse to the public certificate to use for authentication with the app (.cer, .pem or .crt file types are accepted). Upload only the public part; the .pfx containing the private key is never uploaded to Azure.


The steps above include screenshots that were correct at the time of writing but which may be outdated following any changes to the Azure AD cloud interface.

For the latest instructions on how to register applications in Azure AD see https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.
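The same registration can be scripted with the Microsoft Graph PowerShell SDK, which is useful when the portal layout changes or when several tenants need the same app. The following is an added example and not part of the Discovery Center product. It assumes the .cer file exported in the previous section is in the current directory, that the account running it can create app registrations and grant admin consent, and that the app is called DiscoveryCenter-SPO; the resource appId 00000003-0000-0ff1-ce00-000000000000 is the well-known identifier of Office 365 SharePoint Online. App-role IDs are looked up by name rather than hard-coded.

```powershell
# Added example: scripted equivalent of steps 1-6 using the Microsoft Graph PowerShell SDK.
# Display name and .cer path are assumptions; run as a user who can create app
# registrations and grant admin consent.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$displayName = "DiscoveryCenter-SPO"                      # assumed name
$cerPath     = ".\DiscoveryCenter-SPO.cer"                # assumed path
$spoAppId    = "00000003-0000-0ff1-ce00-000000000000"     # Office 365 SharePoint Online

# Resolve the SharePoint Online service principal and the application app-roles
# by their names so no role GUIDs need to be hard-coded.
$spoSp  = Get-MgServicePrincipal -Filter "appId eq '$spoAppId'"
$wanted = @("Sites.FullControl.All")   # add "TermStore.ReadWrite.All" if Term Store writes are needed
$roles  = @($spoSp.AppRoles | Where-Object {
    $_.Value -in $wanted -and $_.AllowedMemberTypes -contains "Application"
})
if ($roles.Count -ne $wanted.Count) { throw "Could not resolve all requested SharePoint app roles" }

# Public certificate from the .cer exported earlier (no private key in this file).
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# Step 3: single-tenant registration, no redirect URI.
# Step 4: required SharePoint application permissions.
# Step 6: the public certificate as the app's credential.
$app = New-MgApplication -DisplayName $displayName -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $spoAppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = "Role" } })
    }) `
    -KeyCredentials @(@{
        Type        = "AsymmetricX509Cert"
        Usage       = "Verify"
        Key         = $cer.RawData
        DisplayName = "DiscoveryCenter-SPO $($cer.Thumbprint)"
    })

# The registration needs a service principal in the tenant before consent can be recorded.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Step 5: admin consent for an application permission is an app-role assignment
# granted to our service principal on the SharePoint Online resource.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $spoSp.Id -AppRoleId $role.Id | Out-Null
}

# Values needed in Discovery Center > System Settings > Credential Management.
"Application (client) ID: $($app.AppId)"
"Directory (tenant) ID:   $((Get-MgContext).TenantId)"
```

Whether done in the portal or by script, the result to verify is the same: on the app's API permissions page the SharePoint roles show Granted for <tenant>, and Certificates & secrets lists the thumbprint printed when the certificate was created.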


Discovery Center Configuration

Once the steps above are complete, credential records can be created in the Discovery Center application to authenticate to SharePoint Online through the registered app. These records use the private key (.pfx) portion of the certificate whose public part was uploaded to the app.

  1. Navigate to System Settings > Credential Management.
  2. Create a new credential of the Azure App Certificate type.
  3. Enter the Application (client) ID and Directory (tenant) ID shown on the Overview page of the app registered above, and supply the .pfx file.
  4. The password is the password that protects the private key in the .pfx file.

Note: The permissions required for the Azure AD registered app, as detailed above, are explicit requirements of the APIs used to interact with SharePoint Online. If these permissions are not granted and admin-consented for the app, the Discovery Center application will not be able to function as required when attempting any connection to SharePoint Online.
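Before entering the credential into Discovery Center it is worth proving, outside the product, that the certificate and the consented permissions actually work together. The check below is an added example, not part of Discovery Center; it uses the community PnP.PowerShell module (Install-Module PnP.PowerShell), and the tenant name, site URL, client ID and .pfx path are assumptions to be replaced with your own values.

```powershell
# Added example: app-only sign-in to SharePoint Online with the registered app and the
# .pfx, to confirm the credential authenticates before it is used by Discovery Center.
# Tenant, site URL, client ID and path are assumptions.

$tenant      = "contoso.onmicrosoft.com"
$siteUrl     = "https://contoso.sharepoint.com/sites/Finance"
$clientId    = "00000000-0000-0000-0000-000000000000"   # Application (client) ID of the app
$pfxPath     = ".\DiscoveryCenter-SPO.pfx"
$pfxPassword = Read-Host -AsSecureString -Prompt ".pfx password"

try {
    # App-only: there is no user, so the token carries only the application
    # permissions that were admin-consented in step 5.
    Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
        -CertificatePath $pfxPath -CertificatePassword $pfxPassword

    # Read path: a web title proves the certificate was accepted and consent exists.
    $web = Get-PnPWeb
    "Connected app-only to '$($web.Title)' ($($web.Url))"

    # Child-site enumeration is the read-level capability the connector relies on
    # during discovery.
    $children = @(Get-PnPSubWeb -Recurse)
    "Child sites visible to the app: $($children.Count)"
    $children | ForEach-Object { "  $($_.Url)" }
}
catch {
    # Typical causes: wrong tenant or client ID, certificate not uploaded to the app,
    # .pfx password incorrect, or admin consent not granted (an AADSTS error).
    Write-Error "App-only sign-in failed: $($_.Exception.Message)"
}
finally {
    if (Get-PnPConnection -ErrorAction SilentlyContinue) { Disconnect-PnPOnline }
}
```

These calls only exercise the read path. The write operations in the permission table (creating Document Libraries, setting file-level dates, Term Store updates) need the higher permission levels listed there, so a successful read check does not by itself prove that a move into SharePoint Online will work.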