Azure OAuth App and SharePoint

Creating OAuth App

Before you can configure the connector, you must create an OAuth App in the SharePoint Online platform.

The native connector will authenticate to SharePoint as the registered OAuth application/client.

You will need to provide values for the following:

  • Client ID
  • Tenant ID
  • Client secret ID
  • Client secret value
  • Tenant name

To get started, first log in to SharePoint Online and access your administrative dashboard, ensuring that you are logged in as at least an Azure Portal service account.

Follow these steps:

  1. Sign in to https://portal.azure.com/ and click on Azure Active Directory.
  2. Select App Registrations and click New Registration.
  3. Give the app a name. E.g. "Interact Workplace Search".
  4. Register the application.
  5. Make a note of the Application (client) ID and Directory (tenant) ID.
  6. Navigate to Client credentials: Certificates & Secrets.
  7. Select New client secret.
  8. Pick a name for your client secret and select an expiration date.
    • Note: after this expiration date, you will have to reconfigure your connector credentials by following these steps again.
  9. Save the client secret Secret ID.
  10. Save the client secret Value (you must do this immediately before leaving the page).

Next, you will have to set up the permissions for the OAuth App.

  1. Navigate to API Permissions and click Add Permission.
  2. Add the following application permissions:
    • Graph API
      • Sites.Read.All
        • Is used to fetch the sites and their metadata
      • Files.Read.All
        • Is used to fetch the sites and their metadata
      • Group.Read.All
        • Is used to fetch groups for document-level permissions
      • User.Read.All
        • Is used to fetch user information for document-level permissions
    • Sharepoint
      • Sites.Read.All

Depending on how you want to use the native connector, it is possible to synchronise Team Sites (Group Sites) without any additional OAuth App permissions by listing them individually in the config, as explicit sites that you want to synchronise.

However, if you want the connector to automatically discover all team sites and synchronise them (apart from an optional set of disallowed team sites), you will also need to add the following permissions to the OAuth App:

  • Graph API
    • Team.ReadBasic.All
    • TeamSettings.Read.All
    • TeamSettings.ReadWrite.All

You will need to get someone with admin permissions to grant admin consent, using the Grant Admin Consent link from the permissions screen.

Save the tenant name (or Domain name) displayed from within Azure.
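To confirm that admin consent actually took effect before configuring the connector, the following added Python script (not part of the connector or of Microsoft's tooling) requests an app-only Graph token with the client-credentials grant and compares the token's `roles` claim against the application permissions listed above. The environment variable names and the constructed offline token are assumptions made for this example.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions the connector needs on Microsoft Graph (from the list above).
REQUIRED_GRAPH_ROLES = {"Sites.Read.All", "Files.Read.All", "Group.Read.All", "User.Read.All"}
# Extra permissions needed only when the connector discovers team sites automatically.
TEAM_DISCOVERY_ROLES = {"Team.ReadBasic.All", "TeamSettings.Read.All", "TeamSettings.ReadWrite.All"}

def acquire_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant: the same app-only flow the connector uses for Graph."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(token: str, discover_team_sites: bool = False) -> set:
    """Required permissions absent from the token's `roles` claim; an app-only token only
    carries consented roles, so a non-empty result points at missing admin consent."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    required = REQUIRED_GRAPH_ROLES | (TEAM_DISCOVERY_ROLES if discover_team_sites else set())
    return required - granted

def constructed_token(roles: list) -> str:
    """Build an unsigned, CONSTRUCTED token so the check can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'roles': roles})}.no-signature"

if __name__ == "__main__":
    # Assumed environment variable names; when all are set, a real token is fetched.
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    if all(env.values()):
        token = acquire_app_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    else:  # offline demo: consent for Group.Read.All is missing
        token = constructed_token(["Sites.Read.All", "Files.Read.All", "User.Read.All"])
    print("Missing application permissions:", sorted(missing_roles(token)))
```

A non-empty result after a real token fetch means the permissions were added to the registration but the Grant Admin Consent step has not been completed for them.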

SharePoint Configuration

The Azure OAuth App does not automatically have access to the SharePoint REST API, so an additional step is also required.

Refer to the following documentation for setting SharePoint permissions.

  • To set DisableCustomAppAuthentication to false, connect to SharePoint Online using PowerShell and run Set-SPOTenant -DisableCustomAppAuthentication $false
  • To assign full permissions to the tenant in SharePoint Online, go to the tenant URL in your browser. The URL follows this pattern: https://<office_365_admin_tenant_URL>/_layouts/15/appinv.aspx. This loads the SharePoint admin center page.
    • In the App ID box, enter the application ID that you recorded earlier, and then click Lookup. The application name will appear in the Title box.
    • In the App Domain box, type <tenant_name>.onmicrosoft.com
    • In the App’s Permission Request XML box, type the following XML string:
      <AppPermissionRequests AllowAppOnlyPolicy="true">
          <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
          <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
      </AppPermissionRequests>