Username/Password-Based Authentication
The SharePoint Online connector registers as an Azure AD application that authenticates with a user name and password.
Application Permissions
The Azure application must be granted the following SharePoint delegated API permission (see the topic below):
- AllSites.FullControl: This permission grants full control of all site collections. This permission is the minimum required, as it is the only permission that lets the SharePoint API caller fetch the security permissions set on sites.
The Azure application must be granted the following Microsoft Graph API delegated permissions:
- Member.Read.Hidden: Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to.
- GroupMember.Read.All: Allows the app to list groups, read basic group properties, and read the membership of all groups the signed-in user has access to.
- Directory.Read.All: Allows the app to read data in your organization's directory, such as users, groups, and apps.
- User.Read.All: Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
- Sites.FullControl.All: Allows the application to have full control of all site collections on behalf of the signed-in user.
User Permissions
- Tenant admin permissions are needed for Autofetch.
- Autofetch is used when a site collection filter is not specified or when a site collection filter containing the wildcard (*) symbol is specified.
- The user account must have Site admin permissions on the site collections that will be crawled. For more information, see Manage site admins in the Microsoft documentation.
Register the Azure Application
- Go to https://portal.azure.com/ and log in with Azure Global Admin user credentials.
- Click Azure Active Directory and click the desired directory.
- From the menu select App Registrations.
- Click New registration to register a new app.
- Name: Enter a name for your app.
- Application type: Select Web app/API app.
- Redirect URI: Enter a URI of your choosing (the URI is not used in the SharePoint Online authorization mechanism).
- Click Register at the bottom of the page.
- Go to Authentication.
- Set "Allow Public Client Flows" to "Yes".
- Within the app, go to API Permissions.
- Under API Permissions > Add a permission > SharePoint.
- Delegated permissions > "AllSites.FullControl".
- Click the Add Permissions button at the bottom of the screen. Repeat steps 9 through 12 for all of the Microsoft Graph API delegated permissions. See Application Permissions above for the full list.
- Back in the "Configured permissions" menu, select all permissions and click the Grant admin consent... button to grant the selected permissions (requires admin rights).
Grant Access to the Connector
The connector accesses the SharePoint Online API via the public client flow mechanism.
To enable this mechanism:
- Go to the Authentication tab for the app registration you just created.
- Under Advanced Settings, select Yes for the option "Enable the following mobile and desktop flows."
- Click Save to apply your changes.
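Once the registration and consent steps above are complete, it is worth verifying the result rather than trusting the portal clicks, because two of the common failure modes (a permission consented only for one user instead of tenant-wide, or public client flows left disabled) only surface when the connector first runs. The following is an added example written for this page, not code shipped with the connector or by Microsoft. It assumes you have exported two Microsoft Graph responses to JSON: the application object (GET /v1.0/applications/{id}, whose `isFallbackPublicClient` field reflects the "Allow public client flows" setting) and the delegated grants for the connector's service principal (GET /v1.0/oauth2PermissionGrants, where `consentType` is "AllPrincipals" for admin consent and "Principal" for per-user consent). The sample data below is constructed; the service principal object IDs are placeholders, and the two resource application IDs are the well-known first-party IDs for Microsoft Graph and SharePoint Online (assumed current).

```python
"""Audit an Azure AD app registration against the connector's documented
delegated permissions and public-client requirement (added example)."""

# Well-known first-party resource application IDs (assumed current).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"
RESOURCE_NAMES = {GRAPH_APP_ID: "Graph", SHAREPOINT_APP_ID: "SharePoint"}

# Delegated scopes listed under "Application Permissions" on this page.
REQUIRED_SCOPES = {
    SHAREPOINT_APP_ID: {"AllSites.FullControl"},
    GRAPH_APP_ID: {
        "Member.Read.Hidden", "GroupMember.Read.All", "Directory.Read.All",
        "User.Read.All", "Sites.FullControl.All",
    },
}

# Constructed sample data (placeholders, not real tenant objects).
SAMPLE_APPLICATION = {"displayName": "sharepoint-connector", "isFallbackPublicClient": True}
SAMPLE_GRANTS = {"value": [
    # Admin-consented Graph grant, with one scope the connector does not need.
    {"clientId": "sp-connector-placeholder", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph-placeholder",
     "scope": "Member.Read.Hidden GroupMember.Read.All Directory.Read.All "
              "User.Read.All Sites.FullControl.All Mail.Read"},
    # SharePoint grant consented by a single user only (no admin consent).
    {"clientId": "sp-connector-placeholder", "consentType": "Principal",
     "principalId": "user-placeholder", "resourceId": "sp-sharepoint-placeholder",
     "scope": "AllSites.FullControl"},
]}
# resourceId in a grant is the resource service principal's object id; this map
# would normally be built from GET /v1.0/servicePrincipals (placeholders here).
SAMPLE_SP_TO_APP = {
    "sp-graph-placeholder": GRAPH_APP_ID,
    "sp-sharepoint-placeholder": SHAREPOINT_APP_ID,
}


def audit(application, grants, sp_to_app):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    # Username/password (ROPC) auth needs public client flows enabled.
    if not application.get("isFallbackPublicClient"):
        findings.append("public client flows are disabled; user name/password auth will fail")

    admin_scopes = {app_id: set() for app_id in REQUIRED_SCOPES}
    user_scopes = {app_id: set() for app_id in REQUIRED_SCOPES}
    for grant in grants["value"]:
        app_id = sp_to_app.get(grant["resourceId"])
        if app_id not in REQUIRED_SCOPES:
            continue  # grant on a resource this page does not cover
        scopes = set(grant["scope"].split())
        if grant["consentType"] == "AllPrincipals":
            admin_scopes[app_id] |= scopes
        else:
            user_scopes[app_id] |= scopes

    for app_id, required in REQUIRED_SCOPES.items():
        name = RESOURCE_NAMES[app_id]
        for scope in sorted(required - admin_scopes[app_id]):
            if scope in user_scopes[app_id]:
                findings.append(f"{name}: {scope} is consented only for individual users; grant admin consent")
            else:
                findings.append(f"{name}: {scope} is missing")
        # Over-granted scopes widen the blast radius of a leaked credential.
        for scope in sorted(admin_scopes[app_id] - required):
            findings.append(f"{name}: {scope} is granted but not required by the connector; consider removing it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_APPLICATION, SAMPLE_GRANTS, SAMPLE_SP_TO_APP):
        print(line)
```

Run against the constructed sample, the audit reports that AllSites.FullControl has only per-user consent (the "Grant admin consent" step was skipped for SharePoint) and that Mail.Read is granted without being required. Pointing `audit` at real exports instead of the sample dictionaries is the only change needed to use it on a tenant.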