Sharepoint

SharePoint Online #

Authentication #

In SharePoint Online, the best practise for authenticating is using a service principal or Azure AD App-Only. This is an application that is defined in your Azure AD and can be granted permissions to SharePoint (and other services in Office 365, but this is not neccessary).

Authentication with a user is also supported, but is not recommended. At the bottom of this page, you will find a small section regarding this method.

Required scopes #

  • https://graph.microsoft.com/Sites.Read.All
    • What can we do with it? Read SharePoint sites and subsites
    • Why do we need it? To browse the environment for files and folders
  • https://graph.microsoft.com/Files.Read.All
    • What can we do with it? Read and download files
    • Why do we need it? To index files in uman
  • https://graph.microsoft.com/User.Read.All
    • What can we do with it? Read users
    • Why do we need it? To retrieve file metadata and permissions
  • https://graph.microsoft.com/Group.Read.All
    • What can we do with it? Read groups and its memberships
    • Why do we need it? To support permission mirroring

Azure AD App-Only setup #

Note: permission to create a new app registration is required to set this method up.

Please follow the steps below:

  1. In the Azure portal, navigate to the Azure Active Directory and then go to App registrations.
  2. Click on New registration and fill in the name for the application (i.e. uman)
  3. Click Register at the bottom of the screen, the other settings can be the defaults
  4. If that is successful, note down the Application (client) ID and Directory (tenant) ID that are displayed in the overview
  5. Navigate to Certificates & secrets in the navigation bar on the left
  6. Create a new client secret and save the value
  7. Hand over the application (client) ID, directory (tenant) ID and client secret in a very secure manner to the uman person you are in contact with
  8. Navigate to API permissions in the navigation bar on the left
  9. Click Add a permission and then select Microsoft Graph followed by Application permissions
  10. Search for the 4 above mentioned scopes (i.e. Sites.Read.All) and selected them
  11. After adding the permissions, click Grant admin consent for <application name> and confirm
  12. If the statusses of the granted permissions turn green, you’re set :rocket:!

User setup #

Note: your user will need admin permissions or receive consent of an admin

To complete this method successfully, you’ll first need an account and enter the workspace of your organisation. If you do not have an account yet, please request an invite with admin permissions and follow the account creation steps. Once that is done, navigate to app.uman.ai, and more specifically, to your workspace. Then, please follow the steps below:

  1. At the top-left corner of the application, left-click on the chevron on the right of the workspace name.
  2. Left-click on Connected Apps
  3. Left-click the Connect button to the right of the SharePoint integration
  4. Follow the OAuth flow and accept the admin consent
  5. Validate you can see sites after left-clicking on Sync folders in the Connected Apps window