OAuth 2.0 Authentication Methods
The SharePoint Online connector supports OAuth 2.0 authentication with the following grant types:
- JWT Certificate Credentials
- Refresh Token/Auth Token
- SAML Bearer Assertion

Prerequisites
- Obtain the Client ID and Client Secret from Azure Active Directory by registering the application. For more information, refer to Registering an Application Using the SharePoint Online Portal.
  Note: It is mandatory to use the Global Admin and Admin of all Sites User in SharePoint Online to create the application in Azure Active Directory.
- If the grant type is JWT, the certificate (self-signed or CA signed) must be uploaded and registered in the Azure Active Directory portal. To register the certificate with the Microsoft Identity Platform, complete the following:
  - Sign in to the Azure Portal.
  - In the Azure app registrations for the client application, select the client application.
  - Select Certificates & secrets.
  - Select Upload certificate and then select the certificate file that you want to upload.
  - Select Add.
  Then obtain the values for the following:
  - Private Key: The private key text file.
  - Private Key Password: The password for the private key.
  - Certificate: The text file of the same certificate that was uploaded to the Azure portal.
- If the grant type is Refresh Token/Auth Code, generate a refresh token. For more information, refer to Generating a Refresh Token.
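To show how the Private Key, Private Key Password and Certificate collected for the JWT grant type are actually used, the following is an added example (not code from the connector or its documentation) that assembles the client assertion JWT and the token request in the form the Microsoft identity platform's certificate credential flow expects. RS256 signing is delegated to a caller-supplied sign_rs256 callback (an assumption of this example) that would wrap the private key after unlocking it with the private key password; the tenant and client identifiers are placeholders.

```python
import base64
import hashlib
import json
import time
import uuid
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint of the DER certificate; Azure AD reads it from the 'x5t' header
    to select the registered certificate, so it must be the one uploaded in the portal."""
    return b64url(hashlib.sha1(cert_der).digest())

def build_client_assertion(tenant_id, client_id, cert_der, sign_rs256, now=None, lifetime=600):
    """Assemble the client assertion JWT. sign_rs256(bytes) -> bytes is a caller-supplied
    callback (an assumption here) wrapping the private key unlocked with its password."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_thumbprint(cert_der)}
    claims = {
        "aud": TOKEN_URL.format(tenant=tenant_id),  # must equal the endpoint it is sent to
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion so the server can reject replays
        "nbf": now,
        "exp": now + lifetime,  # short-lived: the assertion is itself a bearer credential
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign_rs256(signing_input.encode("ascii")))

def build_token_request(tenant_id, client_id, assertion, scope="https://graph.microsoft.com/.default"):
    """Return (url, form_body) for the client_credentials grant authenticated by the assertion."""
    body = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope,
            "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion}
    return TOKEN_URL.format(tenant=tenant_id), urlencode(body)

def decode_unverified(jwt: str):
    """Split a compact JWT into (header, claims, signature) without verifying; inspection only."""
    h, c, s = jwt.split(".")
    pad = lambda seg: base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    return json.loads(pad(h)), json.loads(pad(c)), pad(s)
```

The form body is POSTed to the returned URL; the access token in the response is then presented as a Bearer token to Microsoft Graph or SharePoint according to the permissions granted below.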
Assign the following required permissions to the application:
- In the Azure Active Directory console of the registered app, select API permissions.
- Select Add a permission.
- On the Request API permissions page, a list of supported APIs is displayed:
  - Microsoft Graph is under the commonly used Microsoft APIs.
  - Azure Active Directory Graph is under the supported legacy APIs.
  - SharePoint is under the Microsoft APIs.
- Under What type of permissions does your application require?, select the permission type as Delegated or Application. See the following table for the type:
Microsoft GRAPH API

| Permission | Type | Purpose |
|---|---|---|
| Directory.ReadWrite.All | Delegated | Read, update, and delete groups; add membership |
| Directory.AccessAsUser.All | Delegated | Change password and delete user |
| User.ReadWrite.All | Delegated | Read and update any user |
| Group.ReadWrite.All | Delegated | Read and write all groups |
| GroupMember.ReadWrite.All | Delegated | Read and write group memberships |
| Sites.FullControl.All | Delegated | Have full control of all site collections |

SharePoint Online API

| Permission | Type | Purpose |
|---|---|---|
| AllSites.FullControl | Delegated | Have full control of all site collections |
| AllSites.Manage | Delegated | Read and write items and lists in all site collections |
| Sites.FullControl.All | Application | Have full control of all site collections |
| Sites.Search.All | Delegated | Run search queries as a user |
| User.ReadWrite.All | Delegated | Read and write user profiles |
| User.ReadWrite.All | Application | Read and write user profiles |
- Under Select permissions, select the required permissions.
- Select Add permissions.
- In Grant consent, select Grant Admin Consent for your configuration and directory. Select Yes when prompted in the pop-up dialog box.

Prerequisite
- Obtain the Client ID and Client Secret from Azure Active Directory by registering the application. For more information, refer to Registering an Application Using the SharePoint Online Portal.
  Note: It is mandatory to use the Global Admin and Admin of all Sites User in SharePoint Online to create the application in Azure Active Directory.
  Note the following:
  - The authentication user must be synchronized in Azure Active Directory.
  - Assign the user the User Administrator permission role in Azure Active Directory.
- You must enable the ADFS endpoint required to authenticate the user.
- The ADFS machine time zone must be in sync with the Azure time zone, that is, UTC.
Assign the following required permissions to the application:
- In the Azure Active Directory console of the registered app, select API permissions.
- Select Add a permission.
- On the Request API permissions page, a list of supported APIs is displayed:
  - Microsoft Graph is under the commonly used Microsoft APIs.
  - Azure Active Directory Graph is under the supported legacy APIs.
  - SharePoint is under the Microsoft APIs.
- Under What type of permissions does your application require?, select the permission type as Delegated or Application. See the following table for the type:
Microsoft GRAPH API

| Permission | Type | Purpose |
|---|---|---|
| Directory.ReadWrite.All | Delegated | Read and write directory data |
| Group.Read.All | Delegated / Application | Read all groups |
| Group.ReadWrite.All | Delegated / Application | Read and write all groups |
| GroupMember.Read.All | Delegated / Application | Read group memberships |
| GroupMember.ReadWrite.All | Delegated / Application | Read and write group memberships |
| Sites.FullControl.All | Delegated / Application | Have full control of all site collections |
| Site.Manage.All | | |
| Site.Read.All | Delegated / Application | Read items in all site collections |
| Site.ReadWrite.All | Delegated / Application | Edit or delete items in all site collections |
| User.Invite.All | Application | Invite guest users to the organization |
| User.Read | Delegated | Sign in and read user profile |

SharePoint Online API

| Permission | Type | Purpose |
|---|---|---|
| AllSites.FullControl | Delegated | Have full control of all site collections |
- Under Select permissions, select the required permissions.
- Select Add permissions.
- In Grant consent, select Grant Admin Consent for your configuration and directory. Select Yes when prompted in the pop-up dialog box.