search
AiimiUser Guides

Read Grant Path for Sites.Selected

Complete the common setup before continuing here. This runbook covers the remaining steps for the Read site grant path only.

Note: If you are only granting the Crawling Application Read access to the site, the SharePoint connector cannot retrieve file permissions via CSOM alone. This path uses Use Graph API for permissions and the SharePoint Security plugin to manage permissions, and Use Graph API for site discovery for discovering sites.

hashtag
Azure Portal – Certificates & Secrets (Crawling Application)

A client secret is required on the Crawling Application in addition to the certificate. The certificate covers SharePoint CSOM; the client secret is required for Microsoft Graph.

  1. In Azure Portal, select Certificates & Secrets for the Crawling Application.

  2. Ensure you are on the Client Secrets tab.

  3. Select New Client Secret.

  4. Description – Add a description to the secret of what it will be used for.

  5. Expires – Give the secret an appropriate expiry date.

  6. Select Add.

  7. Be sure to save your secret to a secure vault such as LastPass as you will not be able to view it again.

This secret is now associated with the registered application in Azure.

hashtag
Azure Portal – API permissions (Crawling Application)

hashtag
SharePoint API – Sites.Selected

  1. In Azure Portal, navigate to your Crawling Application.

  2. Under Manage, select API Permissions.

    • There will always be Microsoft Graph, User.Read permissions. This is required and should remain in place.

  3. Select Add a permission.

  4. Under Microsoft APIs, select SharePoint.

  5. Select Application permissions.

    • This ensures user credentials aren't required for authentication and the context is not scoped to one user.

  6. From the available permissions, select Sites.Selected.

  7. Select Add permission.

  8. You must grant admin consent for any permission applied.

    • This allows silent authentication for APIs. Without this the application needs a user invoked authentication flow.

  9. Select Grant admin consent for <organisation>.

  10. Select Yes to confirm this selection.

hashtag
Microsoft Graph API – Sites.Selected

  1. Select Add permission again.

  2. Select Microsoft Graph.

  3. Select Application permissions.

  4. From the available permissions, select Sites.Selected.

  5. Select Add permission.

  6. Grant admin consent for <organisation>.

hashtag
Granting the Crawling Application on each site (Grant Site Permissions Application)

When using Sites.Selected you must grant access to the Crawling Application for each selected site.

You must do this on a per site basis.

hashtag
Using PowerShell

  1. Connect using PowerShell with the Grant Site Permissions Application (replace placeholders).

  1. Grant access to the Crawling Application (replace placeholders).

hashtag
Control Hub – Credentials (Crawling Application secret)

hashtag
Create a Client ID Secret Credential

  1. Within Control Hub select Credentials.

  2. On the Credentials page, select New Credential.

  3. Credential Type – Select Client ID and Secret.

  4. Credential ID – Enter an ID for this credential.

    • It must be lowercase, with no spaces and no special characters.

  5. Credential Name – Enter a user friendly name for this credential.

  6. Secret – Enter the secret associated with the Crawling Application in Azure.

  7. Expiry Date (DD-MM-YYYY) – Enter the expiry date.

    • It must not be in the past or after the secret's expiry date.

  8. Select Create.

Your new secret credential is now in the Workplace AI Credential Store.

hashtag
Control Hub – Security Configuration

circle-info

For permission trimming in Workplace AI, we must know the SharePoint groups a user belongs to.

Members of a SharePoint group are exploded onto an item during crawl time when using Sites.FullControl.All. With the Read grant path and Graph API for permissions, only the SharePoint group names are accessible—not who is in them. The SharePoint Security plugin provides a secondary security sync that maps SharePoint group membership to users in Workplace AI.

circle-info

If you're running a permissionless crawl, a SharePoint Security plugin isn't needed. You can skip this section.

hashtag
Creating a SharePoint Security configuration

  1. Within Control Hub select New Configuration.

  2. Select Security.

  3. Configuration ID – Enter an ID for this configuration.

    • It must be lowercase, with no spaces or special characters.

  4. Configuration Description – Add a description of what the configuration will be used for.

  5. Source System - Select SharePointSecurity from the dropdown.

Primary Connection

  1. Client ID – Enter the Application (client) ID of the Crawling Application.

    • You can find this in the Overview on the Azure Portal.

  2. Directory (Tenant) ID – Enter the Directory (tenant) ID for the Crawling Application.

    • You can find this in the Overview on the Azure Portal.

  3. Select Credential – Select the certificate credential associated with the Crawling Application .pfx file.

Secondary Connection

  1. Select Credential – Select the secret associated with the Crawling Application in Azure.

The SharePoint security configuration is designed to run with Read-Only API permissions where applicable.

hashtag
Control Hub – Source Configuration

This configuration corresponds to the Selected Sites - Read Access scenario in the API Permissions Quick Reference.

  1. Within Control Hub select New Configuration.

    • If you're applying this to an existing source, find the configuration and select edit.

  2. On the Source tab, select SharePoint from the Source System dropdown.

hashtag
Primary Connection (Crawling Application)

  1. Client ID – Enter the Application (client) ID of the Crawling Application.

    • You can find this in the Overview on the Azure Portal.

  2. Directory (Tenant) ID – Enter the Directory (tenant) ID for the Crawling Application.

    • You can find this in the Overview on the Azure Portal.

  3. Select Credential – Select the certificate credential associated with the Crawling Application's .pfx file.

hashtag
Secondary Connection

  1. Check "Use Graph API for site discovery".

  2. Check "Use Graph API for permissions".

    • Only enable this if permissions on files are needed. Otherwise run the crawl as permissionless under the Advanced tab.

  3. Directory (Tenant) ID – Enter the Directory (tenant) ID for the Crawling Application.

    • You can find this in the Overview on the Azure Portal.

  4. Select Credential – Select the Client ID and Secret credential for the Crawling Application.

hashtag
Permissions tab

Security Configuration – Enter the configuration ID of the SharePoint Security configuration you made earlier. This is very important for permission trimming in Workplace AI. It is validated when saving the source configuration.

  • This is not required if you are running a permissionless crawl.

hashtag
Advanced tab

Disable Build Site Caches when using Read site grants with this pattern.

hashtag
Save

  1. Select Save.

You are now ready to run a crawl using Sites.Selected with Read site grants.

circle-info

hashtag
Implementation note (validator behaviour)

When Use Graph API for permissions or Use Graph API for site discovery is enabled, the SharePoint source expects Graph connection settings to be complete (including a Client Secret credential reference on the Graph authentication configuration). When Use Graph API for permissions is enabled, a valid SharePoint Security secondary security configuration ID is also required.

PreviousCommon Setup for Sites.SelectedNextFullControl Grant Path for Sites.Selected

Last updated