Sure, you can handle it. But should you?
Let our experts manage the tech maintenance while you focus on your business.
Let our experts manage the tech maintenance while you focus on your business.
Handbuch
Migration von Tenant-Wide Permissions in der Mindbreeze Azure Applikation für den Microsoft SharePoint Online Konnektor
Einleitung
Ab April 2026 wird Microsoft seinen Authentifizierungsdienst Azure ACS (Access Control Services) einstellen und auf Microsoft Entra ID umstellen. Dies betrifft alle Microsoft SharePoint Online Connectors, die derzeit von Mindbreeze Kunden verwendet werden. Weitere Informationen zur Einstellung von Azure ACS finden Sie unter https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs.
Um proaktiv auf diese Änderung zu reagieren und die weitere Funktionsfähigkeit des Microsoft SharePoint Online-Konnektors, des Principal Resolution Service und des Authorization Service sicherzustellen, wird die Authentifizierungsmethode auf zertifikatsbasierte Authentifizierung umgestellt. In den folgenden Kapiteln werden die erforderlichen Schritte beschrieben, um die vorhandene Azure Applikation vorzubereiten und die vorhandenen tenant-wide Berechtigungen für die zertifikatsbasierte Authentifizierung zu migrieren.
Requirements
Please check the following requirements:
- The Microsoft administrator has the appropriate permissions for the Azure application. One of the following two options must be met:
- Option 1: The Microsoft administrator has the role “Global Administrator”.
- Option 2: The Microsoft administrator has the roles “SharePoint Administrator” and “Application Administrator”.
- An Application Registration is created or already existent for the SharePoint Online Connector in Azure Portal/Microsoft Entra ID admin center.
- For more information about the registration of an application, see the Microsoft documentation: How to register an application.
Creation of the certificate
In order to migrate to certificate-based authentication, a certificate is needed that will be uploaded to the Azure application to connect with Mindbreeze InSpire. This certificate can be created and can either be a CA-signed certificate using a trusted certificate authority or a self-signed certificate (.cer, crt or .pem).
For more information about the creation of a self-signed certificate, see the Microsoft documentation: .
After the creation of the certificate, please make sure to save the certificate including the private key and to provide it to the Mindbreeze InSpire administrator.
Adding the certificate and updating the Azure application
Step 1: Adding the certificate to the Azure Application
To upload and add the certificate to an existing Azure application, sign in to the Azure Portal/Microsoft Entra ID admin center.
Then, go to “Microsoft Entra ID”, and in the “Overview”, go to “App registrations”. Choose the existing Azure application that you want to connect with Mindbreeze InSpire.
In the Azure application, go to the side navigation and open the menu item “Manage”. To upload the certificate, go to the sub menu item “Certificates & secrets”. Click on “Upload certificate” and select the public certificate file (.cer, crt or .pem). Then, click on “Add”.
For more information, please see the Microsoft documentation How to add credentials to an application.
Step 2: Migration of Tenant-Wide API Permissions
Due to the retirement of Azure ACS for SharePoint Online, tenant-scoped “FullControl” permissions can no longer be granted by using AppInv.aspx (before the retirement of Azure ACS, it was possible to upload a tenant-level scope with “FullControl” rights through the SharePoint AppInv.aspx page). Now, this capability must be configured through application permissions in Microsoft Entra ID. In the future, access to SharePoint will be managed via Azure application permissions.
To migrate the tenant-wide API permissions in Azure, go to the existing Azure application that you want to connect with Mindbreeze InSpire in the Azure Portal/Microsoft Entra ID admin center. Open the menu item “Manage” and click on “API permissions”.
Then “Add a permission” and make sure to choose “SharePoint”.
Choose “Application permissions” as permission type. Then expand the permission option “Sites” and choose the permission “Sites.FullControl.All”. Finally, click on “Add permissions”.
For more details see the Microsoft documentation: How to update application permissions
Now, with the API permissions migrated, the Azure application is again fully configured and ready to be used with the SharePoint Online Connector and certificate-based authorization.