Versions Compared

Old Version 2

changes.mady.by.user Andres Aguilar

Saved on

compared with

New Version 3

changes.mady.by.user Andres Aguilar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This section describes how to authenticate into SharePoint REST API using Azure AD Applications by delegating permissions from a service account.

How it works

Permission Delegation

Image Added



  1. An Azure App is created with Configured Delegated Permissions (AllSites.FullControl & TermStore.Read.All)
  2. A service account with access to some SharePoint sites, either with Full Control Permissions or Customized permissions.
    1. See SharePoint Online - Crawl Account Access on how to configure the user or service account permissions.
  3. On the authentication process, the Azure Application will be used to be delegated with the User/Sevice Account's permissions.
  4. The session tokens will be stored safely to allow the connector to retrieve the contents from the SharePoint sites.
  5. If the session expires during crawl, it will automatically refresh it.
  6. If the session expires between crawls, the session should be refreshed from the Aspire Admin UI.





Authentication Flow

Image Added


This approach uses Oauth2 auth code flow, which requires the user or service account being logged in Microsoft Azure system.

First the user initiates the initial authentication request with Aspire, which redirects the user to Microsoft login page to consent the permissions being requested.

If consented, Microsoft returns a redirection back to the Aspire Admin UI with the authorization code as a parameter.

Aspire then uses this code to request a Refresh Token from Microsoft and stores it securely for it to be used in future crawls.

Aspire redirects the user back to the Aspire Admin UI.


Part 1: Create the Azure AD Application

  1. Log into the Azure Management Portal for your Office 365 tenant.
  2. Go to the Azure Active Directory tab and select App Registrations.
  3. Select "New Registration".
  4. On "Supported account types" select "Accounts in this organizational directory only ".
  5. On "Redirect URI" select Web.
  6. Enter a the Aspire URI and click "Register".
  7. Look for your new application on the Registered Applications list and click it.
  8. On the "Certificates & Secrets" create a new Client Secret, and safely store it (we will need this for the Aspire configuration)
  9. Go to API Permissions and click on "Add a permission".
  10. On the "Select an API" section, add the "SharePoint" application
  11. Select "Delegated Permissions" and check the following permissions:
    1. TermStore.Read.All: Read Managed Metadata.
    2. AllSites.FullControl: Have Full Control of all Site Collections. (will only grant access to those sites the service account has access to)
  12. Click on "Add permissions".
  13. After saving, you have to click "Grant admin consent" to apply the changes.