Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This section describes how to authenticate into the SharePoint REST API using Azure AD Applications by delegating permissions from a service account.


How it works

Permission Delegation



  1. An Azure App is created with Configured Delegated Permissions (AllSites.FullControl & TermStore.Read.All)
  2. A service account with access to some SharePoint sites, either with Full Control Permissions or Customized permissions.
    1. See SharePoint Online - Crawl Account Access on how to configure the user or service account permissions.
  3. On the authentication process, the Azure Application will be used to be delegated with the User/Sevice Service Account's permissions.
  4. The session tokens will be stored safely to allow the connector to retrieve the contents from the SharePoint sites.
  5. If the session expires during crawl, it will automatically refresh it.
  6. If the session expires between crawls, the session should be refreshed from the Aspire Admin UI.





Authentication Flow


This approach uses Oauth2 auth code flow, which requires the user or service account being logged in into Microsoft Azure system.

First, the user initiates starts the initial authentication request with Aspire, which redirects the user to the Microsoft login page to consent to the permissions being requested.

If consented, Microsoft returns a redirection back to the Aspire Admin UI with the authorization code as a parameter.

Aspire then uses this code to request a Refresh Token from Microsoft and stores it securely for it to be used in future crawls.

Aspire redirects the user back to the Aspire Admin UI.


Part 1: Create the Azure AD Application

  1. Log into the Azure Management Portal for your Office 365 tenant.
  2. Go to the Azure Active Directory tab and select App Registrations.
  3. Select "New Registration".
  4. On "Supported account types" select "Accounts in this organizational directory only ".
  5. On "Redirect URI" select Web.
  6. Enter a the Aspire URI and click "Register".
    • The Aspire URI will look like this (this endpoint will be enabled on in Part 2):
      • https://[aspire-manager-host]:[port]/aspire/_api/sharepoint/authenticate 
  7. Look for your new application on the Registered Applications list and click it.
  8. On the "Certificates & Secrets" create a new Client Secret, and safely store it (we will need this for the Aspire configuration)
  9. Go to API Permissions and click on "Add a permission".
  10. On the "Select an API" section, add the "SharePoint" application
  11. Select "Delegated Permissions" and check the following permissions:
    1. TermStore.Read.All: Read Managed Metadata.
    2. AllSites.FullControl: Have Full Control of all Site Collections. (will only grant access to those sites the service account has access to)
  12. Click on "Add permissions".
  13. After saving, you have to click "Grant admin consent" to apply the changes.

Part 2: Install SharePoint Delegated Permissions Endpoint in Aspire

  1. Open your settings.json file, and add the following json JSON to the "autostart" section:
    1. Code Block
      languagejs
      firstline129
      linenumberstrue
          "autoStart": {
            "application": [
              {
                "@config": "com.accenture.aspire:app-sharepointonline-delegated-permissions"
              }
  2. Upload the settings.json file again to elasticsearch Elasticsearch by executing:
    1. bin/aspire.sh -us path/to/settings.json
  3. Restart the manager nodes

Part 3: Configure credential and Connection

  1. On the Aspire Admin UI, create a credential, and select type: Azure Delegated Permissions.
  2. Leave the refresh token field empty.
  3. Enter the tenant domain and client id ID (the id ID of the application created in part 1).
  4. Enter the client secret (created in part 1, step 8).
  5. Enter the exact same redirect uri URI as in part 1, setp step 6.
  6. Enter the URI of the sharepoint SharePoint instance (just protocol and host),
    1. for For example: https://[your_domain].sharepoint.com
  7. Save the credential, and go to the Connections section, create a new Connection if there isn't one yet.

  8. Select the credential previously added and save the connection.
  9. Select the DelegatedPermissions section, and click on the "Update" link
    1. This will initiate the authentication process with Microsoft Azure to retrieve the Refresh Token required for the connector to work
  10. Once the refresh token is obtainobtained, you will be redirected back to the Connection section.
  11. You can check the refresh token was created from the Credentials section,