Configuring Delegated Authentication for SharePoint Connector

  1. Ensure you comply with the prerequisites at Pre Requisites Virtual Networks and Pre Requisites (in that order) and that you have sufficient permissions to create new App Registrations in Microsoft Entra ID.
  2. In the Azure Portal, navigate to Microsoft Entra ID.
  3. In the top-left corner of the Microsoft Entra ID page, click "Add -> App registration".
  4. On the next page, choose a name for your app. We recommend a memorable and unique name so you can easily reference this registration in the future.
  5. Choose which accounts can access your registration/app. We recommend setting "Accounts in this organizational directory only" (usually the default option), as this limits logins to users in your organization.
  6. Set your redirect URI: set the platform to Web and the URI to something like https://my.domain.net/signin-sharepoint.
    1. If you have a Custom Domain set according to Adding A Custom Domain, replace "my.domain.net" with that value.
    2. If you do not have a Custom Domain, use the default domain Azure assigned to the smart-documentor Container App. You can find it by navigating to the smart-documentor resource and copying the URL shown on the Overview page under Application Url.
  7. Review the registration summary and hit "Register" once done.
  8. In the App Registration page, head to "API permissions" and click "Add a permission" -> "Microsoft Graph" -> "Delegated permissions".
  9. Add the delegated permissions required by your SharePoint integration scenario.
    1. Typical sign-in related scopes are openid, profile, email, offline_access and User.Read.
    2. The main permissions required for SharePoint access are Files.ReadWrite.All and Sites.ReadWrite.All.
    3. Confirm that the final permissions list contains all of the scopes you need.
  10. If required by your permissions, click "Grant admin consent" using an account that has the necessary privileges.
  11. In the App Registration page, head to "Certificates and Secrets", open the "Client secrets" tab and click "New client secret". Name your secret and assign it a suitable expiration according to your compliance and security requirements.
  12. Once created, copy the Value of the created secret to a secure temporary place. You won't be able to view this value after you leave this page.
  13. Navigate to the "Overview" tab of the app registration and copy the Application (client) ID value.
  14. With these two values copied, navigate to the resource group and find the Key Vault resource named kv-app-config-xxxxxx, where the last 6 characters are unique to your deployment.
    1. Click the "Secrets" tab under "Objects" on the left.
    2. Add the following five secrets with these names and values:
      1. Name: Authentication--SharePointConnector--Active, with value true.
      2. Name: Authentication--SharePointConnector--Settings--ClientId, with the value set to the Client ID you copied in step 13.
      3. Name: Authentication--SharePointConnector--Settings--ClientSecret, with the value set to the secret Value you copied in step 12.
      4. Name: Authentication--SharePointConnector--Settings--CallbackPath, with the callback path used in the redirect URI, such as /signin-sharepoint.
      5. Name: Authentication--SharePointConnector--Settings--Scopes, with the value set to the same scopes you configured in the API permissions step (step 9).
    3. Optionally, if you need to restrict which origins can use this authentication flow, add the AllowedOrigins values as separate array entries.
      1. For the first value, use Authentication--SharePointConnector--AllowedOrigins--0.
      2. For a second value, use Authentication--SharePointConnector--AllowedOrigins--1, and so on.
      3. Set each secret value to one allowed origin, such as https://my.domain.net.
  15. Navigate to the smart-documentor Container App and click the "Containers" tab under "Application". On this page, click "Save as a new revision" and wait until the revision is applied. If "Save as a new revision" is not available, simply disable and re-enable the container in the "Overview" tab.
  16. If you open SmartDocumentor and start the delegated authentication flow for a SharePoint connector, the application should now use the App Registration you configured.

Info

"Save as a new revision" is equivalent to an application restart. For configuration secrets to be applied, a restart is always necessary.
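The Key Vault and restart steps above, written as an added Azure CLI script (this is not part of the SmartDocumentor documentation or product): it checks the callback path, scopes and origins before writing anything, sets the secrets with the exact names the page lists, and creates a new Container App revision so the values are reloaded. The vault name, Container App name, resource group, the environment variables holding the copied values, and the space-separated format of the Scopes value are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SmartDocumentor code. Requires an `az login` session with
# rights to set Key Vault secrets and to manage the Container App.
set -eu

# Pure checks, so bad input is rejected before any secret is written.
# CallbackPath must be the path part of the redirect URI, e.g. /signin-sharepoint.
valid_callback_path() { case "$1" in /*) [ "$1" != "/" ];; *) return 1;; esac; }
# An allowed origin is scheme://host[:port] only: https, no path, no trailing slash.
valid_origin() { printf '%s' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?$'; }
# The Scopes value (assumed space-separated) must carry both SharePoint permissions.
scopes_complete() {
  case " $1 " in *" Files.ReadWrite.All "*)
    case " $1 " in *" Sites.ReadWrite.All "*) return 0;; esac;; esac
  return 1
}

# Writes the five required secrets plus one AllowedOrigins--N entry per extra argument.
set_sharepoint_secrets() {
  local kv="$1" client_id="$2" client_secret="$3" callback="$4" scopes="$5"; shift 5
  valid_callback_path "$callback" || { echo "bad CallbackPath: $callback" >&2; return 1; }
  scopes_complete "$scopes" || { echo "Scopes lack Files/Sites.ReadWrite.All" >&2; return 1; }
  local p="Authentication--SharePointConnector"
  az keyvault secret set --vault-name "$kv" --name "$p--Active" --value true -o none
  az keyvault secret set --vault-name "$kv" --name "$p--Settings--ClientId" --value "$client_id" -o none
  az keyvault secret set --vault-name "$kv" --name "$p--Settings--ClientSecret" --value "$client_secret" -o none
  az keyvault secret set --vault-name "$kv" --name "$p--Settings--CallbackPath" --value "$callback" -o none
  az keyvault secret set --vault-name "$kv" --name "$p--Settings--Scopes" --value "$scopes" -o none
  local i=0 origin
  for origin in "$@"; do
    valid_origin "$origin" || { echo "bad origin: $origin" >&2; return 1; }
    az keyvault secret set --vault-name "$kv" --name "$p--AllowedOrigins--$i" --value "$origin" -o none
    i=$((i + 1))
  done
}

# Secrets are only read at startup: a new revision is the CLI equivalent of
# "Save as a new revision" in the portal.
restart_app() { az containerapp revision copy --name "$1" --resource-group "$2" -o none; }

if [ "${1:-}" = "apply" ]; then
  # Placeholder names; CLIENT_ID and CLIENT_SECRET hold the values copied from the portal
  # (environment variables keep the secret out of the shell history).
  set_sharepoint_secrets "kv-app-config-xxxxxx" "$CLIENT_ID" "$CLIENT_SECRET" "/signin-sharepoint" \
    "openid profile email offline_access User.Read Files.ReadWrite.All Sites.ReadWrite.All" \
    "https://my.domain.net"
  restart_app "smart-documentor" "rg-smart-documentor"
fi
```

Run it as `CLIENT_ID=... CLIENT_SECRET=... ./configure-sharepoint.sh apply`; without the `apply` argument it only defines the functions, so the checks can be exercised on their own.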