SharePoint Online Connector

Installation and Configuration

Mindbreeze GmbH, A-4020 Linz, 2021.

These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.

For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

Installation

Before installing the SharePoint Online connector, make sure that the Mindbreeze server is installed and the SharePoint Online connector is included in the license. Use the Mindbreeze Management Center to install or update the connector.

Plugin installation via Mindbreeze Management Center

To install the plug-in, open the Mindbreeze Management Center. Select “Configuration” from the menu pane on the left-hand side. Then navigate to the “Plugins” tab. Under “Plugin Management,” select the appropriate zip file and upload it by clicking “Upload.” This automatically installs or updates the connector, as the case may be. In the process, the Mindbreeze services are restarted.

Configuring Mindbreeze

Select the “Advanced” installation method for configuration.

Configuring the index

To create a new index, navigate to the “Indices” tab and click the “Add new index” icon in the upper right corner.

Enter the path to the index and change the display name as necessary.

Configuring the data source

Add a new data source by clicking the “Add new custom source” icon at the top right. Select the category “Microsoft SharePoint Online” and configure the data source according to your needs.

Section “Sharepoint Online”

In the "Sharepoint Online" area you can define your Microsoft SharePoint Online installation that is to be indexed. The following options are available:

"Server URL"	The URL of the Sharepoint Online instance, e.g.: https://mycompany.sharepoint.com
“Admin Server URL“	The admin URL of the SharePoint Online instance. Often this is just the server URL with the suffix -admin. e.g: https://mycompany-admin.sharepoint.com
"Site Relative URL.	The relative paths to the sites to be crawled, starting with a slash, e.g.: /sites/mysite. Each line can contain a path. If this is left empty all detected sites are crawled. If Sites are specified here only this sites and their subsites are crawled
„Site Discovery Schedule“	A Cron Expression that specifies when to run Site Discovery. The results are then used in the next crawl runs. This means that the potentially time-consuming site discovery does not have to be repeated with each crawl run. The official documentation for Cron Expressions can be found here, a generator for creating simple Cron Expressions can be found here.
“Background Site Discovery Parallel Request Count” (Advanced Settings)	Limits the number of parallel HTTP requests sent by the Site Discovery.
“Site Discovery Strategy” (Advanced Settings)	The strategy by which the site discovery is to be performed. Auto: The authentication method is used to determine automatically which strategy to use. Admin API: The SharePoint Admin API is used for site discovery. This will find ALL pages of the SharePoint Online instance. Either App-Only Authentication or User-Based Authentication with an Admin User must be used. Search: The SharePoint Online search is used for site discovery. This automatically finds only pages that the crawl user has access to. For User Based Authentication without an Admin User, only this strategy can be used.
“Do Not Crawl Root Site”	If this option is activated, the root page of the Sharepoint Online instance (e.g. mycompany.sharepoint.com) and its subpages will not be crawled.
"Included Sites URL (regex)"	Regular expression that can be used to specify which subsites are to be crawled. If this option is left empty, all subsites will be crawled. The regex matches relative URLs. e.g /sites/mysite
"Excluded Sites URL (regex)"	Regular expression that can be used to specify which subsites are to be excluded. The regex matches relative URLs. e.g /sites/mysite
"Included Lists/Files/Folders URL (regex)"	Regular Expression, which can be used to specify which lists, files and folders should be included. The metadata "url" (absolute url) is compared. If this option is left empty, everything is included. Note: If you want to include/exclude complete subsites, please use the option "Included Sites URL (regex)" or "Excluded Sites URL (regex)"
"Excluded Lists/Files/Folders URL (regex)"	Regular Expression, which can be used to specify which lists, files and folders should be excluded. The metadata "url" (absolute url) is compared. For example, if you find a document in the Mindbreeze search that you want to exclude, you can copy the URL from the "Open" action and use it in the "Excluded Lists/Files/Folders URL (regex)" option
“Included Metadata Names (regex)”	Regular expression used to include generic metadata with the name of the metadata. If nothing is specified, all metadata is included. The regex is applied to the name of the metadata (without the sp_ prefix).
“Excluded Metadata Names (regex)”	Regular expression that excludes generic metadata with the name of the metadata. If nothing is specified, all metadata is included. The regex is applied to the name of the metadata (without the sp_ prefix).
“Included Content Types (regex)” (Advanced Settings)	Regular expression that includes content types (e.g. file, folder) via the name of the content type. If nothing is specified, all content types are included. The content type of objects can be found in the contenttype metadata.
“Excluded Content Types (regex)” (Advanced Settings)	Regular expression that excludes content types (e.g. file, folder) via the name of the content type. If nothing is specified, all content types are included. The content type of objects can be found in the contenttype metadata.
“[Deprecated] Use delta key format” (Advanced Settings)	This option is deprecated and should always be left enabled so that the full functionality of the crawler can be used. If set, a different format is used for the keys. Certain functions of the delta crawl (e.g. renaming lists, deleting attachment files) do not work without this option. If this option is changed, the index should be cleaned and re-indexed.
“Enable Delta Crawl”	If set, the Sharepoint Online API will only fetch changes to files instead of crawling over the whole Sharepoint Online instance. For full functionality "Use delta key format" should be set.
"Crawl hidden lists"	If set, lists that are defined as hidden are also indexed
"Crawl lists with property 'NoCrawl'"	If this option is set, those lists are also indexed that have the "NoCrawl" property in Microsoft SharePoint Online
“Max Change Count Per Site” (Advanced Settings)	Number of changes that are processed in the delta crawl per page before the next page is processed. The remaining changes are processed at the next crawl run.
“Trust all SSL Certificates”	Allows the use of unsecured connections, for example for test systems. Must not be activated in production systems.
“Parallel Request Count”	Limits the number of parallel HTTP requests sent by the crawler.
„Page Size“	Maximum number of objects received per request to the API. A high value results in higher speed but higher memory consumption during the crawl run, a small value results in less memory consumption but reduces the speed. If the value is set to 0, no paging is used, meaning that the crawler attempts to fetch all objects at once with the request.
"Max Content Length (MB)"	Limits the maximum document size. If a document is larger than this limit, the content of the document is not downloaded (the metadata is retained). The default value is 50 megabytes
„[Deprecated] Send User Agent“ (Advanced Settings)	This option is deprecated and should always remain enabled. The User Agent header should always be sent with the request. Adjust the "User Agent" option instead. If set, the header configured with the "User Agent" option is sent with every HTTP request.
„User Agent“ (Advanced Settings)	The specified value is sent with the HTTP request in the User-Agent header, it the option “Send User Agent” is set.
„Thumbnail Generation for Web Content“ (Advanced Setting)	If set, thumbnails are generated for web documents. It is not recommended to enable this feature as it only works for public pages with anonymous access which have already been discontinued.
“Dump Change Responses” (Advanced Setting)	If set, the Sharepoint API responses are written to a log file during delta crawling.
“Log All HTTP Requests” (Advanced Setting)	If set, all HTTP requests sent by the crawler during the crawl run are written to a .csv file (sp-request-log.csv).
“Update Crawler State During Crawlrun” (Advanced Setting)	If set, the crawler state is continuously updated during the crawl run (instead of only at the beginning of the crawl run), which can prevent multiple downloads of the same file in certain situations. This option is only active for Delta Crawlruns.
Custom Delta CSV Path (Advanced Setting)	With this option a path to a .csv file can be specified, with which own delta points can be set. Each line must contain two entries separated by semicolons: First the Site Relative URL and then a time in the format yyyy-MM-ddTHH:mm:ssZ. Example: /sites/MySite; 2019-10-02T10:00:00Z This state is not adopted if a state already exists. If the old state is to be overwritten, it must be deleted from the DeltaState file.
Update all ACLs (Advanced Setting)	If set, the crawler updates all ACLs of SharePoint Online objects. This option should only be used for delta crawl runs after a plug-in update where ACL handling has been improved. This option should be turned off again after a crawl run because it may take a long time.
Check for Role Update within past Days (Advanced Setting)	With this setting, the crawler will check for Role Updates of all sites within the past days as configured. Due to limitations of the SharePoint Online getChanges API, the maximum value is 59 days.
Dry Run Role Update Check (Advanced Setting)	If set, the check for Role Updates since the date configured above is only logged into a role-update.csv file instead of being fully processed.
„Ignore Sharepoint ACLs“ (Advanced Setting)	If set, no access permissions to lists or documents are fetched from Sharepoint. This option can only be set if at least one Site ACL is configured.
“Site ACL”	With this option you can set your own ACLs. The Site URL Pattern is a regular expression for which pages this principal should be configured, Access Check Action can be used to select whether it is a grant or deny, and Principal is used to specify the group/user to which the principal should apply (e.g. everyone or max.mustermann@mycompany.onmicrosoft.com).

Section “Azure Endpoints”

Only enter the URL for the Azure ACS endpoint in the “Azure ACS endpoint” field if your SharePoint environment is hosted in a special environment (such as Germany).

The following environments require special URLs:

Germany	https://login.microsoftonline.de
China	https://accounts.accesscontrol.chinacloudapi.cn
US Government	https://accesscontrol.windows.net

A complete list for Azure ACS endpoints can also be found at https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/extending-sharepoint-online-for-germany-china-usgovernment-environments.

Section “App-Only Authentication”

Configure the options as follows:

“Use App-Only authentication”	When this option is selected, app-only authentication is used instead of user based authentication. If this option is selected, “Client ID” and “Client secret” also need to be configured. In addition, you need to perform all the “App Registration in Sharepoint” steps below.
“Client ID"	The client ID that is generated as described below.
“Client secret“	The client secret that is generated as described below.

App Registration: Step 1

There are two ways to register a new app: either directly in SharePoint Online or in Azure. The Client Secret of an app created in SharePoint Online expires after one year. Then the Secret would have to be renewed via PowerShell. In Azure you can set whether the Secret should expire after one year, two years or not at all.

In SharePoint Online:

To generate a client ID and a client secret, enter the following URL in the browser:
<Server URL>/_layouts/15/appregnew.aspx
(e.g. https://mycompany.sharepoint.com/_layouts/15/appregnew.aspx)

Click the two buttons "Generate" (for "client Id" and for "client secret") and enter the other information as follows:

"Title": user-definable
"App Domain": "localhost"
“Redirect URI”: https://localhost/

Then click “Create."

Then enter the client id and the client secret into the Mindbreeze InSpire configuration. Otherwise you will not be able to access the client secret later.

In Azure:

To create an app in Azure, first go to portal.azure.com.

There you have to register a new app under the tab "Azure Active Directory" and then under the tab "App registrations":

In the newly generated app you will find the application id and under the tab "Certificates & Secrets" you can generate a key.

You can use this App Id and Secret in step 2 to authorize the app for SharePoint Online.

App Registration in Sharepoint: Step 2

Now enter the following URL in the browser:
<Server URL>/_layouts/15/appinv.aspx
(e.g. https://mycompany.sharepoint.com/_layouts/15/appinv.aspx)

Enter the client id in the “App Id” field and click “Lookup.” “Title,” “App Domain,” and “Redirect URL” will be filled in automatically. Then enter the following in the “Permission Request XML” field:

<AppPermissionRequest
Scope="http://sharepoint/content/sitecollection/web"

Right="FullControl"

</AppPermissionRequests>

Note: "FullControl" is required so that Mindbreeze InSpire has access to the access rights of the SharePoint documents to be indexed in order to map the authorizations in Mindbreeze InSpire.

Then click “Create."

App Registration in Sharepoint: Step 3

Additional rights are required so that the ACL information on the users and groups required by the Principal Resolution Service can also be downloaded from SharePoint Online.

Now enter the following URL in the browser:

<Admin Site URL>/_layouts/15/appinv.aspx
(z.B. https://mycompany-admin.sharepoint.com/_layouts/15/appinv.aspx)

ATTENTION: Make sure that you are on the admin page. For example, if the URL is https://mycompany.sharepoint.com, then the admin page is usually https://mycompany-admin.sharepoint.com.

Enter the Client Id in the "App Id" field and activate the "Lookup" button. "Title", "App Domain" and "Redirect URL" will be filled in automatically. Then enter the following in the "Permission Request XML" field:

<AppPermissionRequest

Scope="http://sharepoint/content/tenant"

Right="FullControl" />

</AppPermissionRequests>

Then activate the "Create" button.

Section “Content Settings“ (Advanced Settings)

“Do Not Request File Author Metadata”	If active no information regarding authors is requests for Lists, Items or Files. This may help resolve the following Error: „HTTP 500: User cannot be found".
“Get Author From File Properties”	If active, the author metadata is retrieved from the File/Properties object instead of the File/Author object. This prevents errors during crawl runs, for example, if the user has since been deleted. A complete re-index is required so that this option can be used correctly.
“List All Content Types“	If active, an all-content-types.csv file is created in the log directory at the beginning of a crawl run, which contains all content types of all lists of all configured pages.
“Include Unpublished Documents“	If active, all documents/items are always indexed in their most recent version, regardless of whether they have already been published. If this option is disabled, only published sites and only major versions (1.0, 2.0 etc., usually created with each publish) will be indexed.
“ASPX Content Metadata”	With this option you can set your own metadata as content for .aspx files. By default, "WikiField" and "CanvasContent1" are used. If metadata is set with this option, it will be used instead, if available. For this option to be applied correctly, a full re-index is required.