This section describes how to authenticate into the SharePoint REST API using Azure AD Applications by delegating permissions from a service account.


How it works

Permission Delegation



  1. An Azure App is created with Configured Delegated Permissions (AllSites.FullControl & TermStore.Read.All)
  2. A service account with access to some SharePoint sites, either with Full Control Permissions or Customized permissions.
    1. See SharePoint Online - Crawl Account Access on how to configure the user or service account permissions.
  3. On the authentication process, the Azure Application will be used to be delegated with the User/Service Account's permissions.
  4. The session tokens will be stored safely to allow the connector to retrieve the contents from the SharePoint sites.
  5. If the session expires during crawl, it will automatically refresh it.
  6. If the session expires between crawls, the session should be refreshed from the Aspire Admin UI.





Authentication Flow


This approach uses Oauth2 auth code flow, which requires the user or service account being logged into Microsoft Azure system.

First, the user starts the initial authentication request with Aspire, which redirects the user to the Microsoft login page to consent to the permissions being requested.

If consented, Microsoft returns a redirection to the Aspire Admin UI with the authorization code as a parameter.

Aspire then uses this code to request a Refresh Token from Microsoft and stores it securely for it to be used in future crawls.

Aspire redirects the user back to the Aspire Admin UI.


Part 1: Create the Azure AD Application

  1. Log into the Azure Management Portal for your Office 365 tenant.
  2. Go to the Azure Active Directory tab and select App Registrations.
  3. Select "New Registration".
  4. On "Supported account types" select "Accounts in this organizational directory only ".
  5. On "Redirect URI" select Web.
  6. Enter the Aspire URI and click "Register".
    • The Aspire URI will look like this (this endpoint will be enabled in Part 2):
      • https://[aspire-manager-host]:[port]/aspire/_api/sharepoint/authenticate 
  7. Look for your new application on the Registered Applications list and click it.
  8. On the "Certificates & Secrets" create a new Client Secret, and safely store it (we will need this for the Aspire configuration)
  9. Go to API Permissions and click on "Add a permission".
  10. On the "Select an API" section, add the "SharePoint" application
  11. Select "Delegated Permissions" and check the following permissions:
    1. TermStore.Read.All: Read Managed Metadata.
    2. AllSites.FullControl: Have Full Control of all Site Collections. (will only grant access to those sites the service account has access to)
  12. Click on "Add permissions".
  13. After saving, you have to click "Grant admin consent" to apply the changes.

Part 2: Install SharePoint Delegated Permissions Endpoint in Aspire

  1. Open your settings.json file, and add the following JSON to the "autostart" section:
    1.     "autoStart": {
            "application": [
              {
                "@config": "com.accenture.aspire:app-sharepointonline-delegated-permissions"
              }
  2. Upload the settings.json file again to Elasticsearch by executing:
    1. bin/aspire.sh -us path/to/settings.json
  3. Restart the manager nodes

Part 3: Configure credential and Connection

  1. On the Aspire Admin UI, create a credential, and select type: Azure Delegated Permissions.
  2. Leave the refresh token field empty.
  3. Enter the tenant domain and client ID (the ID of the application created in part 1).
  4. Enter the client secret (created in part 1, step 8).
  5. Enter the same redirect URI as in part 1, step 6.
  6. Enter the URI of the SharePoint instance (just protocol and host),
    1. For example: https://[your_domain].sharepoint.com
  7. Save the credential, and go to the Connections section, create a new Connection if there isn't one yet.

  8. Select the credential previously added and save the connection.
  9. Select the DelegatedPermissions section, and click on the "Update" link
    1. This will initiate the authentication process with Microsoft Azure to retrieve the Refresh Token required for the connector to work
  10. Once the refresh token is obtained, you will be redirected back to the Connection section.
  11. You can check the refresh token was created from the Credentials section,


  • No labels