Azure Portal and Azure AD Authentication
Last updated 1 month ago

Azure Communication Services (ACS) are being deprecated. Authentication via the Azure Portal and Azure AD is the modern way to manage app registration, communication and authentication.

You can use an Azure Registered Application with a certificate to connect to SharePoint Online. This allows modern API permission scopes, such as Sites.Selected, to be managed via the SharePoint API in Azure.

Prerequisites

  1. Ensure you have an Azure Registered Application in Azure Portal.

  2. Grant the desired Application API Permissions for SharePoint in the Azure Portal.

  3. Ensure you grant admin consent for your organisation.

  4. Note your Azure Registered Application's Client ID and Tenant ID; both are needed for the connection.

You can follow Microsoft's guide for help.


Available SharePoint API Application permissions:

  • Sites.FullControl.All - Allows the app full control of all site collections without a signed-in user.

    • This allows add, edit and delete operations on ALL site objects.

    • It has the ability to add, edit and delete entire site collections and document libraries.

  • Sites.Selected - Allows the application to access a subset of site collections without a signed-in user. The specific site collections and the permissions granted are configured in SharePoint Online or via the Graph API.

    • This will only work if you grant Sites.Selected to the Registered Application used to connect to SharePoint Online (Application A).

    • You must then use another Azure Registered Application (Application B) with the Graph API Application permission Sites.FullControl.All to add the SharePoint application to each site's granted identities.

    • Changing these grants requires the highest level of permissions.

This can be achieved with PowerShell cmdlets or by calling the Graph API directly.

Sites.Selected: Grant Site-Level Granular Permissions

If you are using Sites.Selected, you must grant access to the Azure Registered Application responsible for crawling SharePoint for each selected site.

You must do this on a per-site basis.

Using PowerShell

  1. Connect to the site using PowerShell, authenticating as Application B with its certificate.

    • Connect-PnPOnline -ClientId "<Application-B-Client-ID>" -CertificatePath ".\pnp.pfx" -CertificatePassword (ConvertTo-SecureString -AsPlainText "changeme" -Force) -Url "<SITE-URL>" -Tenant "aiimiqa.onmicrosoft.com"

  2. Grant access to Application A by adding it to the site's grantedToIdentities.

    • Grant-PnPAzureADAppSitePermission -AppId "<Application-A-Client-ID>" -DisplayName "SharePoint Connector CSOM AD" -Permissions Read -Site "<SITE-URL>"

Using the Graph API

  1. Alternatively, the Graph API can be used to achieve the same result by calling the following endpoint (again authenticated as Application B):

    • POST https://graph.microsoft.com/v1.0/sites/<Graph-API-Site-ID>/permissions

  2. with the following JSON body, where "id" is the Client ID of Application A:

    {
      "roles": ["read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "Application-A-Client-ID",
            "displayName": "SharePoint GRAPH API App"
          }
        }
      ]
    }

Sites.Selected Permissions Limitation

If you're using the SharePoint API Application Permission Sites.Selected and only granting the application the "Read" role, the SharePoint connector cannot retrieve file permissions. It must be run in permissionless mode.

  • Within the Source configuration, go to Advanced and check Permissionless Crawl.

  • To retrieve an item's permissions you must run the SharePoint connector with Sites.FullControl.All, or with Sites.Selected and a role of "FullControl" granted at the site level.

Recycle Bin Access

Another limitation of using Sites.Selected with Read access is that the connector cannot track folders which have been deleted, or any of their deleted children. This requires access to the Recycle Bin, which in turn requires FullControl.

Because of this, we recommend you don't run delta token crawls while using Sites.Selected with anything less than FullControl.
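The per-site grant procedure above, applied to several sites and followed by a check of the role that was actually granted, as an added example (not code from the Aiimi documentation). It assumes the PnP.PowerShell module is installed, that Application B holds Sites.FullControl.All on the Graph API, and that the site URLs, client IDs and tenant in angle brackets are replaced with your own values.

```powershell
# Added example: grant Application A (the crawling app) Sites.Selected access on
# each listed site, connecting as Application B, then report the effective role
# so the connector can be configured to match (Permissionless Crawl for Read).
$appAClientId = "<Application-A-Client-ID>"   # app that crawls SharePoint
$appBClientId = "<Application-B-Client-ID>"   # app holding Sites.FullControl.All (Graph)
$tenant       = "<tenant>.onmicrosoft.com"
$certPath     = ".\pnp.pfx"
$certPassword = Read-Host -AsSecureString -Prompt "PFX password"   # not hard-coded
$displayName  = "SharePoint Connector CSOM AD"
# "Read" is enough for a permissionless crawl; "FullControl" is required to read
# item permissions and the Recycle Bin (needed for delta token crawls).
$role  = "Read"
$sites = @(                                   # placeholder site list
    "https://<tenant>.sharepoint.com/sites/Finance",
    "https://<tenant>.sharepoint.com/sites/HR"
)

foreach ($site in $sites) {
    Connect-PnPOnline -ClientId $appBClientId -CertificatePath $certPath `
        -CertificatePassword $certPassword -Url $site -Tenant $tenant

    # Only grant if Application A is not already listed for this site, so
    # re-running the script does not create duplicate permission entries.
    $existing = Get-PnPAzureADAppSitePermission -Site $site |
        Where-Object { $_.Apps.Id -contains $appAClientId }
    if (-not $existing) {
        Grant-PnPAzureADAppSitePermission -AppId $appAClientId -DisplayName $displayName `
            -Permissions $role -Site $site | Out-Null
        $existing = Get-PnPAzureADAppSitePermission -Site $site |
            Where-Object { $_.Apps.Id -contains $appAClientId }
    }

    # Report the role that is actually in effect for the crawling app.
    $roles = ($existing.Roles | Sort-Object -Unique) -join ","
    if ($roles -match "FullControl") {
        Write-Host "$site : $roles (item permissions and Recycle Bin can be crawled)"
    } else {
        Write-Warning "$site : $roles - enable Permissionless Crawl and avoid delta token crawls"
    }
    Disconnect-PnPOnline
}
```

Each site is reported once with its granted roles, so a site still on "Read" is visible before the first crawl is scheduled.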


Certificate and Credential

A signed certificate is needed to authenticate the connection between the two systems.

  1. Create a signed certificate for your application. This may be self-signed, depending on company policy.

    • You can use a PnP cmdlet to help.

      • New-PnPAzureCertificate -OutPfx pnp.pfx -OutCert pnp.cer -CertificatePassword (ConvertTo-SecureString -String "<Your Certificate Password>" -AsPlainText -Force)

  2. Ensure you have uploaded the generated certificate to the Registered Azure Application in the Azure Portal.

  3. Create a Certificate Credential within Aiimi Insight Engine using the .pfx certificate file.

For support setting up credentials, use our guide on managing credentials.

Granting access via Azure AD