SharePoint Online Connector

Installation and Configuration

Copyright © Mindbreeze GmbH, A-4020 Linz, 2018.

All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.

These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.

For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

Installation

Before installing the SharePoint Online connector, make sure that the Mindbreeze server is installed and the SharePoint Online connector is included in the license. Use the Mindbreeze Management Center to install or update the connector.

Plugin installation via Mindbreeze Management Center

To install the plug-in, open the Mindbreeze Management Center. Select “Configuration” from the menu pane on the left-hand side. Then navigate to the “Plugins” tab. Under “Plugin Management,” select the appropriate zip file and upload it by clicking “Upload.” This automatically installs or updates the connector, as the case may be. In the process, the Mindbreeze services are restarted.

Configuring Mindbreeze

Select the “Advanced” installation method for configuration.

Configuring the index

To create a new index, navigate to the “Indices” tab and click the “Add new index” icon in the upper right corner.


Enter the path to the index and change the display name as necessary.

Configuring the data source

Add a new data source by clicking the “Add new custom source” icon at the top right. Select the category “Microsoft SharePoint Online” and configure the data source according to your needs.


In Sharepoint Online

Under “Sharepoint Online,” you define the Microsoft SharePoint Online installation that you want to index. “Server URL” (e.g. https://mycompany.sharepoint.com) and “Site Relative URL” (e.g. /sites/mysite) together identify the site collection to be indexed and are mandatory.

Using “Included URL (regex)” and “Excluded Sites URL (regex),” you can define which subsites of your Microsoft SharePoint Online installation should be included in the index or excluded from indexing. If you do not enter any settings here, all subsites will be indexed.

By setting the “Crawl hidden lists” option, lists that are defined as hidden will also be indexed. The same applies to the option “Crawl lists with property ‘NoCrawl’”: if it is set, lists that carry the “NoCrawl” property in Microsoft SharePoint Online will also be indexed. Both options pull in content that SharePoint’s own search deliberately skips, so enable them only if that content is actually needed in the index.

In Azure Endpoints

Only enter a URL in the “Azure ACS endpoint” field if your SharePoint environment is hosted in a national cloud (such as Germany); for the global service, leave the field empty.

The following environments require special Azure ACS endpoint URLs:

Germany: https://login.microsoftonline.de

China: https://accounts.accesscontrol.chinacloudapi.cn

US Government: https://accesscontrol.windows.net

A complete list for Azure ACS endpoints can also be found at https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/extending-sharepoint-online-for-germany-china-usgovernment-environments.


In App-Only Authentication

Configure the options as follows:

“Use App-Only authentication”

When this option is selected, app-only authentication (client ID and client secret) is used instead of username and password authentication. If this option is selected, “Client ID” and “Client secret” also need to be configured, and you need to perform all the “App Registration in Sharepoint” steps below.

“Client ID”

The client ID that is generated as described below.

“Client secret”

The client secret that is generated as described below.

App Registration in Sharepoint: Step 1

To generate a client ID and a client secret, enter the following URL in the browser:
<Server URL><Site Relative URL>/_layouts/15/appregnew.aspx
(e.g. https://mycompany.sharepoint.com/sites/mysite/_layouts/15/appregnew.aspx)

Click the two “Generate” buttons (one for “Client Id,” one for “Client Secret”) and fill in the remaining fields (“Title,” “App Domain,” and “Redirect URL”).

Then click “Create.”

Then copy the client ID and the client secret into the Mindbreeze InSpire configuration right away: the client secret is displayed only at this point and cannot be retrieved later.

App Registration in Sharepoint: Step 2

Now enter the following URL in the browser:
<Server URL><Site Relative URL>/_layouts/15/appinv.aspx
(e.g. https://mycompany.sharepoint.com/sites/mysite/_layouts/15/appinv.aspx)

Enter the client id in the “App Id” field and click “Lookup.” “Title,” “App Domain,” and “Redirect URL” will be filled in automatically. Then enter the following in the “Permission Request XML” field:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest
        Scope="http://sharepoint/content/sitecollection/web"
        Right="FullControl" />
</AppPermissionRequests>

Note: “FullControl” is required so that Mindbreeze InSpire can read the access rights (ACLs) of the SharePoint documents to be indexed and map these authorizations in Mindbreeze InSpire. Because the client secret therefore grants full control over the site collection without any user interaction, store it only in the Mindbreeze InSpire configuration and treat it like an administrative password. A client secret created on appregnew.aspx is valid for one year by default; renew it before it expires, otherwise the connector can no longer authenticate.

Then click “Create."


App Registration in Sharepoint: Step 3

If you have sub-sites in SharePoint, enter the following URL for all sub-sites in the browser and also perform step 2 for all sub-sites:
<Server URL><Site Relative URL>/<Subsite>/_layouts/15/appinv.aspx
(e.g. https://mycompany.sharepoint.com/sites/mysite/mysubsite/_layouts/15/appinv.aspx)

App Registration in Sharepoint: Step 4

Additional rights are required so that the ACL information about users and groups needed by the principal resolution service can also be downloaded from SharePoint Online. Note that the permission request below grants the app “FullControl” over the entire tenant, not just the indexed site collection; protect the client secret accordingly.

Enter the following URL in the browser:
<Admin Site URL>/_layouts/15/appinv.aspx
(e.g. https://mycompany-admin.sharepoint.com/_layouts/15/appinv.aspx)

PLEASE NOTE: Make sure that you are on the admin site. For example, if the URL of your SharePoint Online tenant is https://mycompany.sharepoint.com, then the admin site is normally https://mycompany-admin.sharepoint.com.

Enter the client id in the “App Id” field and click “Lookup.” “Title,” “App Domain,” and “Redirect URL” will be filled in automatically. Then enter the following in the “Permission Request XML” field:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest
        Scope="http://sharepoint/content/tenant"
        Right="FullControl" />
</AppPermissionRequests>

Then click “Create."
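The registration steps above can be verified end to end before the connector is started. The following script is an added example (not Mindbreeze code): it obtains an app-only token from Azure ACS with the client ID and client secret created on appregnew.aspx and reads the title of each configured site and subsite, which shows whether the appinv.aspx grant (steps 2 and 3) is in place everywhere. It assumes the ACS endpoint from the environment table above (global service by default) and takes the tenant host, site list, client ID and secret from environment variables named here for illustration. The token-request details (realm discovery via a 401 challenge, the “@realm” qualification, the SharePoint principal ID) are the standard ACS client-credentials flow, not anything specific to Mindbreeze.

```python
"""Smoke test for the app-only registration (added example, not Mindbreeze code).

Assumptions: client ID/secret from appregnew.aspx, permission XML granted on
appinv.aspx for every (sub)site listed in SP_SITES, ACS endpoint taken from the
environment table on this page (global service by default). Network calls happen
only in main(); the helpers are pure so they can be checked offline.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Well-known ACS principal ID of SharePoint Online; identical in every tenant.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
# Global-service ACS endpoint; use the table above for Germany, China or US Government.
DEFAULT_ACS_ENDPOINT = "https://accounts.accesscontrol.windows.net"


def parse_realm(www_authenticate: str) -> str:
    """Pull the tenant realm (a GUID) out of SharePoint's 401 challenge, e.g.
    Bearer realm="9f2a...",client_id="00000001-0000-0000-c000-000000000000",..."""
    match = re.search(r'realm="([0-9a-fA-F-]{36})"', www_authenticate)
    if not match:
        raise ValueError("no realm in WWW-Authenticate header")
    return match.group(1).lower()


def token_endpoint(acs_endpoint: str, realm: str) -> str:
    """ACS client-credentials endpoint for the tenant realm."""
    return f"{acs_endpoint.rstrip('/')}/{realm}/tokens/OAuth/2"


def token_request_body(client_id: str, client_secret: str, host: str, realm: str) -> dict:
    """Form fields for the ACS grant; client_id and resource must carry '@<realm>'."""
    return {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{host}@{realm}",
    }


def discover_realm(host: str) -> str:
    """An empty bearer header makes SharePoint answer 401 and reveal the realm."""
    req = urllib.request.Request(f"https://{host}/_vti_bin/client.svc/",
                                 headers={"Authorization": "Bearer"})
    try:
        urllib.request.urlopen(req)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return parse_realm(err.headers.get("WWW-Authenticate", ""))
        raise
    raise RuntimeError("expected a 401 challenge from SharePoint")


def fetch_app_only_token(acs_endpoint, client_id, client_secret, host, realm) -> str:
    body = urllib.parse.urlencode(
        token_request_body(client_id, client_secret, host, realm)).encode()
    req = urllib.request.Request(token_endpoint(acs_endpoint, realm), data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def web_title(host: str, site_relative_url: str, token: str) -> str:
    """Read the web title; a 403 here means appinv.aspx was not run for this site."""
    req = urllib.request.Request(f"https://{host}{site_relative_url}/_api/web/title",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Accept": "application/json;odata=nometadata"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def main() -> int:
    host = os.environ["SP_HOST"]                # e.g. mycompany.sharepoint.com
    sites = os.environ["SP_SITES"].split(",")  # e.g. /sites/mysite,/sites/mysite/mysubsite
    acs = os.environ.get("SP_ACS_ENDPOINT", DEFAULT_ACS_ENDPOINT)
    realm = discover_realm(host)
    token = fetch_app_only_token(acs, os.environ["SP_CLIENT_ID"],
                                 os.environ["SP_CLIENT_SECRET"], host, realm)
    failed = False
    for site in sites:  # step 3 above: every subsite needs its own appinv.aspx grant
        try:
            print(f"{site}: OK ({web_title(host, site, token)})")
        except urllib.error.HTTPError as err:
            failed = True
            print(f"{site}: HTTP {err.code}")  # never print the token or the secret
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with SP_HOST, SP_SITES, SP_CLIENT_ID and SP_CLIENT_SECRET exported (and SP_ACS_ENDPOINT set to the national-cloud URL where applicable). A 401 from the token endpoint points at a wrong client ID, secret or ACS endpoint; a 403 on an individual site points at a missing appinv.aspx grant for that site.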


Configuring the principal resolution service

Select “Advanced Settings” to configure the following settings.

Enable the option “Enforce ACL Evaluation.”

Add a new service under “Services” by clicking on “Add new service.” Select “SharepointOnlinePrincipalCache” and assign a display name.

In Sharepoint Online

Enter the information about your Microsoft SharePoint Online installation under “Sharepoint Settings.” “Server URL” and “Site Relative URL” must match the settings in the “Data Source” area. “Included URL (regex)” and “Excluded Sites URL (regex)” are not yet taken into account here. Under “Regex for your organization” you can enter a regular expression that defines whether or not a user belongs to your organization. The regular expression can refer to the e-mail address, the ObjectSID, or the ObjectGUID from LDAP. Keep this expression tight (escape dots, anchor it at both ends), because every principal it matches is treated as a member of your organization.
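The following script is an added example (not Mindbreeze code) for the two regex settings on this page: the “Included URL (regex)” / “Excluded Sites URL (regex)” filters of the data source and “Regex for your organization” of the principal resolution service. It assumes, for illustration only, that the connector applies each pattern as a search (not a full match) against the complete site URL, respectively against the e-mail address, ObjectSID or ObjectGUID of a principal; the page does not document the exact matching rules. All site URLs and principals are constructed sample data; the point is to show how an unescaped dot and a missing anchor in the organization regex let lookalike addresses through.

```python
"""Added example (not Mindbreeze code): behaviour of the site include/exclude
regexes and of “Regex for your organization”. Matching semantics (re.search on
the full URL or principal string) are an assumption made for illustration."""
import re

# Constructed sample data: a site collection with two subsites and a lookalike site.
SITES = [
    "https://mycompany.sharepoint.com/sites/mysite",
    "https://mycompany.sharepoint.com/sites/mysite/hr",
    "https://mycompany.sharepoint.com/sites/mysite/archive",
    "https://mycompany.sharepoint.com/sites/mysite-old",
]
INCLUDE = r"^https://mycompany\.sharepoint\.com/sites/mysite(/|$)"
EXCLUDE = r"/archive(/|$)"

# Constructed principals: two internal users and two lookalike external addresses.
PRINCIPALS = [
    "alice@mycompany.com",
    "Bob@MyCompany.com",
    "eve@mycompany-com.example",            # unescaped '.' matches the '-'
    "mallory@mycompany.com.evil.example",   # unanchored pattern matches a prefix
]
ORG_LOOSE = r"mycompany.com"            # unescaped dot, no anchors
ORG_TIGHT = r"^[^@]+@mycompany\.com$"   # escaped dot, anchored at both ends


def site_included(url: str, include_re: str = "", exclude_re: str = "") -> bool:
    """Empty patterns mean no restriction, as the page states; exclusion wins."""
    if include_re and not re.search(include_re, url):
        return False
    if exclude_re and re.search(exclude_re, url):
        return False
    return True


def filter_sites(urls, include_re: str = "", exclude_re: str = "") -> list:
    """Site URLs that would be indexed under the given include/exclude patterns."""
    return [u for u in urls if site_included(u, include_re, exclude_re)]


def org_members(principals, org_re: str) -> list:
    """Principals treated as internal. Case-insensitive, since the principal
    cache is configured to lowercase principals (“Lowercase Principals”)."""
    return [p for p in principals if re.search(org_re, p, re.IGNORECASE)]


if __name__ == "__main__":
    print("indexed sites:", filter_sites(SITES, INCLUDE, EXCLUDE))
    print("loose org regex admits:", org_members(PRINCIPALS, ORG_LOOSE))
    print("tight org regex admits:", org_members(PRINCIPALS, ORG_TIGHT))
```

With the loose pattern all four principals, including the two external lookalikes, count as members of the organization; with the tight pattern only the two real internal addresses do. The same escaping and anchoring discipline applies to the site filters: without the trailing `(/|$)` in the include pattern, “/sites/mysite-old” would be indexed alongside “/sites/mysite”.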


In App-Only Authentication

This is only necessary if you have also configured app-only authentication for the data source.

In Graph API

If you have not configured “AD Connect” in the Azure Active Directory, select “AD Connect is NOT configured” and fill in the fields “Tenant Context ID,” “Application ID,” “Generated Key,” and “Protected Resource Hostname.” You can find the corresponding values in the Azure Portal.  

If AD Connect is set up in your Azure Active Directory, do not enable the “AD Connect is NOT configured” option.

The following table lists the protected resource hostnames for different cloud environments:

Global Service: graph.microsoft.com

Germany: graph.microsoft.de

China: microsoftgraph.chinacloudapi.cn

US Government: graph.microsoft.com


A complete list of protected resource hostnames can also be found at https://developer.microsoft.com/en-us/graph/docs/concepts/deployments

In LDAP Settings

An LDAP cache is required to resolve users against Active Directory. The following link describes how to set up a caching principal resolution service: https://help.mindbreeze.com/de/index.php?topic=doc/Installation--Konfiguration---Caching-Principal-Resolution-Service/index.htm

The following values should be entered in the LDAP cache under “User Alias Name LDAP Attributes”:

mail

cn

objectGUID

objectSID

Enter the information about the LDAP cache under “LDAP Settings.” Enable the option “Use LDAP Principal Cache Service” and enter the corresponding port of your LDAP principal cache.

Under “Cache Settings,” configure where you want the database for the cache to be located and set the desired interval for the updates.

Under “Service Settings,” enter a free port to be used for the principal cache and enable the “Lowercase Principals” option so that the SharePoint groups can be resolved correctly.

In Azure Endpoints

Only enter URLs in the “Azure AD Endpoint” and “Azure ACS endpoint” fields if your SharePoint environment is hosted in a national cloud (such as Germany); for the global service, leave both fields empty.

The following environments require special URLs for Azure AD Endpoint:

Germany: https://login.microsoftonline.de

China: https://login.chinacloudapi.cn

US Government: https://login-us.microsoftonline.com

The following environments require special URLs for Azure ACS Endpoint (the same values as in the “Azure Endpoints” section of the data source above):

Germany: https://login.microsoftonline.de

China: https://accounts.accesscontrol.chinacloudapi.cn

US Government: https://accesscontrol.windows.net

A complete list of Azure AD and Azure ACS endpoints can also be found at https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/extending-sharepoint-online-for-germany-china-usgovernment-environments.

REST API for testing

To test the caching principal resolution service, you can use the Principal Resolution Service REST API.

Configuring credentials and endpoints

If you are using app-only authentication, this section is NOT applicable to you. Otherwise, proceed as follows:

Navigate to the “Network” tab and add a new credential for Microsoft SharePoint Online under “Credentials” by clicking “Add Credential.”

Enter the credentials for the user you want to use for indexing and assign a name for the credential. Use a dedicated service account with sufficient permissions to read all relevant pages and their authorizations, rather than a personal or administrative account.

Then add a new endpoint for the credential you just created by clicking on “Add Endpoint” under “Endpoints.” Enter the server URL of your Microsoft SharePoint Online installation as the location and select the credential you just created.