Creating an Azure Application for SharePoint Online
A new Azure Active Directory application must be created and configured to support the File Access Manager SharePoint Online functionality.
This configuration can be performed either by running the automated PowerShell script supplied with the SailPoint distribution pack, or by creating and configuring the application through the Azure portal.
Creating and Configuring the Application Automatically
There is a PowerShell script named CreateSharePointOnlineAndOneDriveApp.ps1 provided in the Collectors.zip under the extracted scripts sub-folder. This script will perform all the Azure application creation and configuration steps required for SharePoint Online.
To run this script, the Azure AD PowerShell module must be installed.
Install-Module -Name AzureAD
Before running the script, open the file in a text editor to review the default parameters. The parameters can be edited in the file or passed as parameters when running the script.
To run the script with the default parameters:
.\CreateSharePointOnlineAndOneDriveApp.ps1
To run the script while overriding some of the default parameters:
.\CreateSharePointOnlineAndOneDriveApp.ps1 -AppName "SharePoint Online FAM App" -CertDnsName "contoso.com" -CertYearsValid 15
When prompted, log in with administrator credentials to create and configure Azure applications. The last step of the script will launch a URL to grant admin consent for the application. After granting consent, the page will redirect to a missing localhost URL. The operation is successful if the URL for that page contains admin_consent=True.
Note: If you experience an access denied error or other error in the web browser when granting admin consent, this might be a timing issue. This can be resolved by either manually granting admin consent through the Azure portal (see section Grant admin consent manually), or by copying and pasting the consent URL (represented in the line from the script output that starts in "Consent URL: ") into your browser.
The following output should be gathered or noted when running the script. This information will be used to configure the SharePoint Online application in File Access Manager:
1. The App ID value in the console output.
2. The created certificate file <AppName>.pfx located in your working directory.
3. The certificate password that was entered when prompted.
Creating and Configuring the Application Manually
The following steps will create and configure an Azure application for SharePoint Online authentication through the Azure portal.
These steps are adapted from the following online Microsoft documentation:
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
Step 1: Register the Application in Azure AD
-
Open the Azure AD portal at https://portal.azure.com
-
Under Manage Azure Active Directory, select View.
-
On the Overview page that opens, under Manage, select App registrations.
-
On the App registrations page that opens, select New registration.
-
On the Register an application page that opens, configure the following settings:
Name
Enter something descriptive. For example, SharePoint Online FAM App
Supported account types
Verify that Accounts in this organizational directory only (<YourOrganizationName> only - Single tenant) is selected.
Redirect URI (optional)
Leave empty
-
When you're finished, click Register.
Note: Leave the app page open. You'll use it in the next step.
Step 2: Assign API Permissions to the Application
-
On the app page under Manage, select Manifest.
-
On the Manifest page that opens, find the requiredResourceAccess entry.
-
Replace the entire requiredResourceAccess entry with the following:
"requiredResourceAccess": [
{
"resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
"resourceAccess": [
{
"id": "594c1fb6-4f81-4475-ae41-0c394909246c",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
}
]
}
],-
Click Save.
-
On the Manifest page, under Manage, select API permissions.
-
On the API permissions page that opens, verify that both Sites.FullControl.All and ActivityFeed.Read appear on the list.
-
Select Grant admin consent for <Organization>, read the confirmation dialog that opens.
-
Click Yes. The Status value should now be Granted for <Organization> on both entries.
-
Close the current API permissions page (not the browser tab) to return to the App registrations page. You will use it in an upcoming step.
Step 3: Generate a Self-Signed Certificate
Create a self-signed x.509 certificate using the following PowerShell commands.
Edit parameters such as DnsName, Certificate expiration, and password as appropriate:
# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(15) -KeySpec KeyExchange
# Export certificate to .pfx file
$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force)
# Export certificate to .cer file
$mycert | Export-Certificate -FilePath mycert.cer
Step 4: Assign the Certificate to the Azure Active Directory Application
After you register the certificate with your application, you can use the private key (.pfx file) for authentication.
-
If you need to get back to the Apps registration page:
-
Open the Azure AD portal at https://portal.azure.com/
-
Under Manage Azure Active Directory, select View.
-
On the Overview page that opens, under Manage, select App registrations.
-
-
On the Apps registration page from the end of Step 2, select your application.
-
On the application page that opens, under Manage, select Certificates & secrets.
-
Click Upload Certificate.
-
Browse to the self-signed certificate (.cer file) that you created in Step 3.
-
Click Add. The certificate is now shown in the Certificates section.
-
Close the current Certificates & secrets page, and then the App registrations page to return to the main https://portal.azure.com page. You'll use it in the next step.