Azure Portal and Azure AD Authentication
Azure Access Control Service (ACS), the legacy SharePoint app-only authentication model, is being retired. Authentication through an app registration in the Azure Portal and Azure AD is the modern, supported way to manage app registration, communication and authentication.
You can use an Azure Registered Application with a certificate to connect to SharePoint Online. This allows modern API permission management, including the Sites.Selected scope via the SharePoint API in Azure.
Prerequisites
Ensure you have an Azure Registered Application in Azure Portal.
Grant the desired Application API Permissions for SharePoint in the Azure Portal.
Ensure you grant admin consent for your organisation.
Note your Azure Registered Application's Client ID and your Tenant ID.
Your network must allow outbound access to the IPs and URLs listed under the SharePoint section of Microsoft's URLs and IP address ranges document.
You can follow Microsoft's guide for help Granting access via Azure AD.
PowerShell 7 and PnP PowerShell module must be installed.
Available SharePoint API Application permissions:
Sites.FullControl.All - Allows the app full control of all site collections without a signed-in user.
This allows add, edit and delete operations on ALL site objects, including creating and deleting entire site collections and document libraries. Grant this only if Sites.Selected cannot meet the requirement.
Sites.Read.All - Allows the app read-only access to all site collections without a signed-in user.
This allows read-only operations on ALL site objects.
Sites.Selected - Allows the application to access only a subset of site collections without a signed-in user. The specific site collections, and the permission level granted on each, are configured in SharePoint Online or via the Graph API.
This only works if you grant Sites.Selected to the Registered Application used to connect to SharePoint Online (Application A).
You must then use a second Azure Registered Application that holds the Graph API Application permission Sites.FullControl.All to add Application A to each site's granted identities (Application B).
Granting these site-level permissions therefore requires the highest level of permission; keep Application B's certificate separate from Application A's and use it only for this administrative step.
This can be achieved with PnP PowerShell cmdlets or by calling the Graph API directly.
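The two-application flow above, as an added PnP PowerShell example (this is not code from the original page or from the product it describes). Application B, holding Graph Sites.FullControl.All, grants Application A (Sites.Selected) Write on one site collection; the script then verifies the grant and proves that A can reach the granted site but not another one. The tenant name, site URLs, GUIDs, display name and certificate paths are placeholders you must replace.

```powershell
# Added example (not from the original page): grant Application A (Sites.Selected) write access
# to one site collection using Application B (Graph Sites.FullControl.All), then verify as A.
# Every GUID, URL, path and name below is an assumption; replace them with your own values.

$tenant       = 'contoso.onmicrosoft.com'                       # assumption: your tenant
$siteUrl      = 'https://contoso.sharepoint.com/sites/Finance'  # assumption: site to grant
$otherSiteUrl = 'https://contoso.sharepoint.com/sites/HR'       # assumption: site NOT granted
$appA_Id      = '11111111-1111-1111-1111-111111111111'          # Application A (Sites.Selected)
$appA_Name    = 'Workplace AI SharePoint Connector'              # display name recorded in the site grant
$appA_PfxPath = 'C:\certs\appA.pfx'
$appB_Id      = '22222222-2222-2222-2222-222222222222'          # Application B (Graph Sites.FullControl.All)
$appB_PfxPath = 'C:\certs\appB.pfx'

# 1. Connect as the administrative app (B). Its certificate is needed only for this step.
$appB_PfxPass = Read-Host -AsSecureString -Prompt 'Application B certificate password'
Connect-PnPOnline -Url $siteUrl -ClientId $appB_Id -Tenant $tenant `
    -CertificatePath $appB_PfxPath -CertificatePassword $appB_PfxPass

# 2. Grant the least permission that does the job (Read, Write, Manage or FullControl).
#    Under the hood this is POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions with
#    roles = ["write"] and grantedToIdentities = [{ application: { id, displayName } }].
Grant-PnPAzureADAppSitePermission -AppId $appA_Id -DisplayName $appA_Name `
    -Permissions Write -Site $siteUrl | Out-Null

# 3. Verify exactly what B granted; Roles should list only "write".
Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $appA_Id |
    Format-List Id, Roles, Apps

Disconnect-PnPOnline

# 4. Prove A can reach the granted site and nothing else.
$appA_PfxPass = Read-Host -AsSecureString -Prompt 'Application A certificate password'
Connect-PnPOnline -Url $siteUrl -ClientId $appA_Id -Tenant $tenant `
    -CertificatePath $appA_PfxPath -CertificatePassword $appA_PfxPass
"Granted site reachable as A: $((Get-PnPWeb).Title)"
Disconnect-PnPOnline

try {
    # Either the connection or the first request fails with access denied for a site with no grant.
    Connect-PnPOnline -Url $otherSiteUrl -ClientId $appA_Id -Tenant $tenant `
        -CertificatePath $appA_PfxPath -CertificatePassword $appA_PfxPass
    (Get-PnPWeb).Title
    Write-Warning "Unexpected: Application A could read $otherSiteUrl"
} catch {
    "Expected: Application A has no grant on $otherSiteUrl -> $($_.Exception.Message)"
}
```

Run step 3 after every grant change; the Roles list is the authoritative record of what Application A can do on that site, and anything beyond what you intended should be revoked with Revoke-PnPAzureADAppSitePermission before Application A's certificate is handed to Workplace AI.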
Certificate and Credential
A certificate is needed to authenticate the application to SharePoint Online.
Create a certificate for your application. It may be self-signed or CA-issued depending on company policy.
You can use the PnP cmdlet New-PnPAzureCertificate to help.
Ensure you have uploaded the generated public certificate (the .cer file, never the .pfx) to the Registered Azure Application in the Azure Portal.
Create a Certificate Credential within Workplace AI using the .pfx certificate file.
For support setting up credentials use our guide on managing credentials.
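The certificate steps above, as an added PnP PowerShell example (not code from the original page or from the product it describes). It generates the certificate, then runs the same checks the Credential Store applies at creation (the password opens the .pfx, the private key is present, the certificate is within its validity window) before anything is uploaded. The common name, output directory, validity period and 30-day minimum are assumptions.

```powershell
# Added example (not from the original page): create the certificate with PnP PowerShell, then run
# the checks the Credential Store will apply before you upload the .cer to the app registration.
# Paths, names, validity period and the 30-day threshold are assumptions.

$certName = 'WorkplaceAI-SharePoint'            # assumption: certificate common name
$outDir   = 'C:\certs'                           # assumption: output directory
$pfxPath  = Join-Path $outDir "$certName.pfx"    # private key: goes only into the Credential Store
$cerPath  = Join-Path $outDir "$certName.cer"    # public key: this is what you upload to Azure
$pfxPass  = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Generate a self-signed certificate (use a CA-issued one if policy requires it).
#    Keep the validity short and rotate before NotAfter.
New-PnPAzureCertificate -CommonName $certName -ValidYears 1 `
    -OutPfx $pfxPath -OutCert $cerPath -CertificatePassword $pfxPass | Out-Null

# 2. Pre-upload checks mirroring the Credential Store validation.
function Test-PfxForCredentialStore {
    param([string]$Path, [securestring]$Password, [int]$MinDaysLeft = 30)
    # Throws "The specified network password is not correct" on a wrong password,
    # the same error the Credential Store reports.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Password)
    $now      = Get-Date
    $daysLeft = ($cert.NotAfter - $now).Days
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint       # must match the thumbprint Azure shows after upload
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey    # must be $true for the .pfx
        Ok            = $cert.HasPrivateKey -and $cert.NotBefore -le $now -and $daysLeft -ge $MinDaysLeft
    }
}

try {
    $result = Test-PfxForCredentialStore -Path $pfxPath -Password $pfxPass
    $result | Format-List
    if (-not $result.Ok) { throw "Certificate failed pre-upload checks: $($result | ConvertTo-Json -Compress)" }
    "Upload $cerPath in the app registration's Certificates & secrets blade and compare the thumbprint."
} catch {
    Write-Error $_
}
```

If the thumbprint shown in the Azure Portal after upload differs from $result.Thumbprint you have uploaded a different file; the connection will fail with an invalid client assertion even though the .pfx itself is valid.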
Troubleshooting
Certificates are validated at the point of creation. Validation checks the certificate password, the expiry date, and whether the web server's application pool loads a user profile (required to import the private key).
Applying the certificate to the Credential Store
If you get an error about the expiry date or network password, check they are correct in the credential.
An error stating “The file cannot be found”
Open Internet Information Services (IIS) on the web server running AIE Control Hub.
Confirm which AppPool is used for the admin API.
Navigate to Sites -> Default Web Site -> admin -> api.
Open Basic Settings for the api and observe the AppPool used.
Navigate to the AppPool - Application Pools -> <YourAdminAppPool>
Open Advanced Settings for the Admin AppPool.
Under Process Model, ensure “Load User Profile” is set to True.
Restart IIS; this also recycles your Application Pools.
You should now be able to add your certificate to the Credential Store in the Control Hub.
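The IIS steps above as a script, added here as an example (not code from the original page or from the product it describes). Run it in an elevated PowerShell session on the Control Hub web server. The site name and the /admin/api application path are taken from the steps above and are assumptions if Control Hub is installed elsewhere.

```powershell
# Added example (not from the original page): the IIS "Load User Profile" fix as a script.
# Site name and application path are assumptions taken from the steps above.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$appPath  = '/admin/api'

# 1. Find the application pool serving the admin API.
$app = Get-WebApplication -Site $siteName | Where-Object { $_.path -eq $appPath }
if (-not $app) { throw "No IIS application at '$siteName$appPath'" }
$pool = $app.applicationPool
"Admin API runs in application pool: $pool"

# 2. Check Load User Profile. Without a loaded profile the pool identity has no per-user key store,
#    so importing a .pfx fails with "The system cannot find the file specified".
$poolPath = "IIS:\AppPools\$pool"
$current  = (Get-ItemProperty -Path $poolPath -Name processModel.loadUserProfile).Value
"Load User Profile currently: $current"

if (-not $current) {
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
    # Recycling the pool applies the new process model; a full IIS restart also works but is broader.
    Restart-WebAppPool -Name $pool
    "Load User Profile enabled and pool '$pool' recycled."
}

# 3. Confirm the setting took effect before retrying the Credential Store upload.
$after = (Get-ItemProperty -Path $poolPath -Name processModel.loadUserProfile).Value
if (-not $after) { throw "Load User Profile is still disabled on '$pool'" }
"Load User Profile is enabled on '$pool'; retry adding the certificate to the Credential Store."
```

Only the pool that hosts the admin API needs the change; leave other pools as they are rather than enabling profile loading server-wide.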