Prerequisites for Connecting to Microsoft SharePoint Online

For Microsoft SharePoint Plugin, to successfully connect to Microsoft SharePoint Online:

  • Application must be registered on Microsoft Azure Portal
  • API access must be enabled for the application on Microsoft Azure Portal depending on Auth Type:
    • For Password/OAuth – Delegated Permissions
    • For Client credential – Application permissions

Additionally:

  • Client credential requires generating Client Secret
  • OAuth requires adding redirect URIs

Start by registering an application and proceed depending on the Auth Type to be used:

Multiple Auth Types are available starting 6.3.1.

1. Register an Application

Access Azure Portal's Home

  1. Select App registrations
  2. Proceed with New registration
  1. Input a descriptive phrase in Name
  2. Specify Supported account types as shown on the screen
  3. Setting the value for Redirect URI is required only for OAuth, but can be done later. See the OAuth section for instructions.

2. Proceed Depending on Your Auth Type

Each of the types requires a different set of parameters and API permissions.

2.1. Password Auth Type

Required parameters:

  • Client ID
  • Username and Password used for accessing the MS SharePoint account

2.1.1. Locate Client ID

Access the newly-created application > Overview Tab

  1. Find Client ID as shown on the screen above

2.1.2. Enable Delegated Permissions

  1. [+Add a permission]
  2. Choose Microsoft Graph
  3. Select Delegated permissions
  4. Under Sites, check Sites.Read.All
    • This permission allows the app to read documents and list items in all site collections.
    • NOTE: The User.Read permission is added by default upon the app creation, but is not required for Plugin operation.
  5. [Add permissions]

2.2. OAuth Auth Type

Required parameters:

  • Client ID
  • Token

2.2.1. Locate Client ID

Access the newly-created application > Overview Tab

  1. Find Client ID as shown on the screen above

2.2.2. Enable Delegated Permissions

  1. [+Add a permission]
  2. Choose Microsoft Graph
  3. Select Delegated permissions
  4. Under Sites, check Sites.Read.All
    • This permission allows the app to read documents and list items in all site collections.
    • NOTE: The User.Read permission is added by default upon the app creation, but is not required for Plugin operation.
  5. [Add permissions]

2.2.3. Add Redirect URI

Access App's Authentication

  1. [+Add a platform]
    • NOTE: If a platform has already been added, directly proceed to adding an URI via [+Add URI]. See the format below in Step 3
  2. Select Mobile and desktop applications
  3. Add the URI in the following format:
    • https://<hostname>/editor/service/validatepowerbioauth
  4. [Configure]

2.3. Client Credential Auth Type

Required parameters:

  • Client ID
  • Tenant
  • Client Secret

2.3.1. Locate Client ID and Tenant

Access the newly-created application > Overview Tab

  1. Find Client ID and Tenant to be used for MI Data Source creation as shown on the screen above

2.3.2. Generate Client Secret

Access App's Certificates & secrets

  1. [+New client secret]
  2. Enter Description
  3. Specify validity period
  4. [Add]
  5. Copy the Client secret Value
    • NOTE: the Value won't be available after you perform another operation or leave the tab

2.3.3. Enable Application Permissions

Access API permissions

  1. [+Add a permission]
  2. Choose Microsoft Graph
  3. Select Application permissions
  4. Under Sites, check Sites.Read.All
    • This permission allows the app to read documents and list items in all site collections
    • NOTE: The User.Read permission is added by default upon the app creation, but is not required for Plugin operation.
  5. [Add permissions]

IMPORTANT:

In case the use of Sites.Read.All is not possible at your organization, you can use Sites.Selected; however, enabling this permission requires to additionally do the following:

  • specifying site(s) under the Site relative paths Optional Parameter in the SharePoint Data Source Editor in the following format: company.sharepoint.com:/sites/sitename;
  • enabling the SharePoint application to read the sites specified under this Optional Parameter. For those using PowerShell, the command is as follows:

Grant-PnPAzureADAppSitePermission -AppId 'applicationID' -DisplayName 'sitename' -Site 'siteURL' -Permissions Write

For more details, refer to Create Permissions for SharePoint Online via PowerShell

  1. [Grant admin consent for OneDrive Plugin]
  2. Confirm granting consent
2.3.4.1. [For SharePoint Group Membership Dataset] Certificate Auth

Collecting metadata into SharePoint Group Membership Dataset requires using Certificate Auth.

This type of authentication does not appear on the Auth Type drop-down, but requires you to use Client Credential and fulfill all the Client Credential prerequisites. The only difference is that the Sites.FullControl.All permission is required instead of Sites.Read.All.

The rest of the settings are configured on the Plugin Config Page at <hostname>/admin/plugin-config:

  • pathToPtx – requires specifying the location of the certificate;
  • ptxPassword – requires specifying the certificate's password.

2.4. Identity Profile Auth Type

Identity Profiles are configured on the Metric Insights side.

Find more information in Overview of Identity Profiles and Configuring CyberArk Authentication for Data Sources.