Prerequisites for Connecting to Microsoft SharePoint Online
For the Microsoft SharePoint Plugin to connect to Microsoft SharePoint Online:
- The application must be registered in the Microsoft Azure Portal
- API access must be enabled for the application in the Microsoft Azure Portal, depending on the Auth Type:
  - For Password/OAuth – Delegated permissions
  - For Client Credential – Application permissions
Additionally:
- Client Credential requires generating a Client Secret
- OAuth requires adding a redirect URI
Start by registering an application and proceed depending on the Auth Type to be used:
- Password
- OAuth
- Client Credential
- [Only for retrieving SharePoint Group Membership Dataset] Certificate Auth
- Identity Profile
Multiple Auth Types are available starting with version 6.3.1.
1. Register an Application
Access Azure Portal's Home
- Select App registrations
- Proceed with New registration
- Input a descriptive phrase in Name
- Specify Supported account types as shown on the screen
- Setting the value for Redirect URI is required only for OAuth, but can be done later. See the OAuth section for instructions.
2. Proceed Depending on Your Auth Type
Each of the types requires a different set of parameters and API permissions.
2.1. Password Auth Type
Required parameters:
- Client ID
- Username and Password used for accessing the MS SharePoint account
2.1.1. Locate Client ID
Access the newly-created application > Overview Tab
- Find Client ID as shown on the screen above
2.1.2. Enable Delegated Permissions
- [+Add a permission]
- Choose Microsoft Graph
- Select Delegated permissions
- Under Sites, check Sites.Read.All
- This permission allows the app to read documents and list items in all site collections.
- NOTE: The User.Read permission is added by default upon the app creation, but is not required for Plugin operation.
- [Add permissions]
2.2. OAuth Auth Type
Required parameters:
- Client ID
- Token
2.2.1. Locate Client ID
Access the newly-created application > Overview Tab
- Find Client ID as shown on the screen above
2.2.2. Enable Delegated Permissions
- [+Add a permission]
- Choose Microsoft Graph
- Select Delegated permissions
- Under Sites, check Sites.Read.All
- This permission allows the app to read documents and list items in all site collections.
- NOTE: The User.Read permission is added by default upon the app creation, but is not required for Plugin operation.
- [Add permissions]
2.2.3. Add Redirect URI
Access App's Authentication
- [+Add a platform]
- NOTE: If a platform has already been added, proceed directly to adding a URI via [+Add URI]. See the format below in Step 3
- Select Mobile and desktop applications
- Add the URI in the following format:
- https://<hostname>/editor/service/validatepowerbioauth
- [Configure]
2.3. Client Credential Auth Type
Required parameters:
- Client ID
- Tenant
- Client Secret
2.3.1. Locate Client ID and Tenant
Access the newly-created application > Overview Tab
- Find Client ID and Tenant to be used for MI Data Source creation as shown on the screen above
2.3.2. Generate Client Secret
Access App's Certificates & secrets
- [+New client secret]
- Enter Description
- Specify validity period
- [Add]
- Copy the Client secret Value
- NOTE: the Value is shown only once; it won't be available after you perform another operation or leave the tab
2.3.3. Enable Application Permissions
Access API permissions
- [+Add a permission]
- Choose Microsoft Graph
- Select Application permissions
- Under Sites, check Sites.Read.All
- This permission allows the app to read documents and list items in all site collections
- NOTE: The User.Read permission is added by default upon the app creation, but is not required for Plugin operation.
- [Add permissions]
IMPORTANT:
If Sites.Read.All cannot be used at your organization, you can use Sites.Selected instead; however, enabling this permission additionally requires the following:
- specifying site(s) under the Site relative paths Optional Parameter in the SharePoint Data Source Editor in the following format: company.sharepoint.com:/sites/sitename;
- enabling the SharePoint application to read the sites specified under this Optional Parameter. For those using PowerShell, the command is as follows:
Grant-PnPAzureADAppSitePermission -AppId 'applicationID' -DisplayName 'sitename' -Site 'siteURL' -Permissions Write
For more details, refer to Create Permissions for SharePoint Online via PowerShell
2.3.4. Grant Admin Consent for OneDrive Plugin
- [Grant admin consent for OneDrive Plugin]
- Confirm granting consent
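The following script is an added example for the Client Credential set-up above; it is not part of the Metric Insights documentation or the Plugin. It goes a step beyond the Sites.Selected note in 2.3.3: it grants the app Read (rather than Write) rights on a single site, which is the least privilege the Plugin needs, then checks the grant from the app's side with a client-credential token by reading the granted site through Microsoft Graph, and confirms that a site that was not granted is denied. The tenant name, Directory (tenant) ID, Application (client) ID, site names and the 'MI SharePoint Plugin' display name are placeholders; the script assumes the PnP.PowerShell module is installed and that the interactive sign-in is done by an account allowed to manage the site's permissions (recent PnP.PowerShell versions may require additional Connect-PnPOnline parameters such as -ClientId). The client secret is read from the console so it never sits in the script file.

```powershell
# Added example, not from the Metric Insights documentation.
# Placeholders: replace the tenant, IDs and site names with your own values.
$TenantName = 'contoso'                              # placeholder: tenant short name
$TenantId   = '00000000-0000-0000-0000-000000000000' # placeholder: Directory (tenant) ID from the Overview tab
$AppId      = '11111111-1111-1111-1111-111111111111' # placeholder: Application (client) ID from the Overview tab
$SiteName   = 'sitename'                             # placeholder: site collection the Plugin should read
$OtherSite  = 'othersite'                            # placeholder: a site that was NOT granted
$SiteUrl    = "https://$TenantName.sharepoint.com/sites/$SiteName"

# The client secret Value copied in 2.3.2 is entered at the prompt, not stored in the script.
$SecureSecret = Read-Host -Prompt 'Client secret Value' -AsSecureString
$PlainSecret  = [System.Net.NetworkCredential]::new('', $SecureSecret).Password

# 1. Grant Sites.Selected access for exactly this site.
#    The Plugin only reads, so Read is the least-privilege choice
#    (the documentation's command above grants Write).
Connect-PnPOnline -Url $SiteUrl -Interactive
Grant-PnPAzureADAppSitePermission -AppId $AppId `
    -DisplayName 'MI SharePoint Plugin' -Site $SiteUrl -Permissions Read

# Show what the site now lists for this app (expect Roles = Read).
Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $AppId

# 2. Verify from the app's side: client-credential token for the Graph .default scope.
$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $AppId
        client_secret = $PlainSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }

# Graph addresses the site in the same host:/sites/name form used by the
# "Site relative paths" Optional Parameter of the SharePoint Data Source Editor.
$GraphSites = "https://graph.microsoft.com/v1.0/sites/$TenantName.sharepoint.com:/sites"
$Site = Invoke-RestMethod -Uri "$GraphSites/$SiteName" -Headers $Headers
"Granted site is readable: $($Site.displayName) ($($Site.id))"

# 3. Negative check: a site without a grant must be denied. If it is readable,
#    the app still holds a tenant-wide permission (e.g. Sites.Read.All) and the
#    Sites.Selected scoping is not in effect.
try {
    Invoke-RestMethod -Uri "$GraphSites/$OtherSite" -Headers $Headers | Out-Null
    Write-Warning "$OtherSite is readable: the app has broader access than Sites.Selected should allow"
} catch {
    "$OtherSite denied as expected: $($_.Exception.Response.StatusCode)"
}
```

Run the script once per site listed under Site relative paths. Step 2 only succeeds after admin consent (2.3.4) has been granted, so a failure at the token request or the first Graph call usually points back to a missing consent or a mistyped Client Secret rather than to the site grant.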
2.3.4.1. [For SharePoint Group Membership Dataset] Certificate Auth
Collecting metadata into SharePoint Group Membership Dataset requires using Certificate Auth.
This type of authentication does not appear in the Auth Type drop-down; instead, select Client Credential and fulfill all the Client Credential prerequisites. The only difference is that the Sites.FullControl.All permission is required instead of Sites.Read.All.
The rest of the settings are configured on the Plugin Config Page at <hostname>/admin/plugin-config:
- pathToPtx – requires specifying the location of the certificate;
- ptxPassword – requires specifying the certificate's password.
2.4. Identity Profile Auth Type
Identity Profiles are configured on the Metric Insights side.
Find more information in Overview of Identity Profiles and Configuring CyberArk Authentication for Data Sources.