From 2626077c27a4956bcb884ada70b8520c35a17f49 Mon Sep 17 00:00:00 2001 From: kosabogi Date: Tue, 10 Dec 2024 11:47:02 +0100 Subject: [PATCH 1/4] Updates SharePoint Online page --- .../docs/connectors-sharepoint-online.asciidoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc index 02f598c16f63c..88873943e98b6 100644 --- a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc +++ b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc @@ -145,6 +145,12 @@ Here's a summary of why we use these Graph API permissions: * *Groups.Read.All* is used to fetch groups for document-level permissions * *User.Read.All* is used to fetch user information for document-level permissions +[NOTE] +==== +When using the `Comma-separated list of sites` configuration field, ensure the sites specified match those granted `Sites.Selected` permission in SharePoint. +If the `Comma-separated list of sites` field is set to `*` or the `Enumerate all sites` toggle is enabled, the connector will attempt to access all sites. This requires broader permissions, which are not supported with `Sites.Selected`. +==== + Due to the way the Graph API is designed, these permissions are "all or nothing" - it's currently impossible to limit access to these resources. **** 
@@ -606,6 +612,12 @@ Here's a summary of why we use these Graph API permissions: * *Groups.Read.All* is used to fetch groups for document-level permissions * *User.Read.All* is used to fetch user information for document-level permissions +[NOTE] +==== +When using the `Comma-separated list of sites` configuration field, ensure the sites specified match those granted `Sites.Selected` permission in SharePoint. +If the `Comma-separated list of sites` field is set to `*` or the `Enumerate all sites` toggle is enabled, the connector will attempt to access all sites. This requires broader permissions, which are not supported with `Sites.Selected`. +==== + Due to the way the Graph API is designed, these permissions are "all or nothing" - it's currently impossible to limit access to these resources. **** From de178b63d2630fa0315190bff7ae9bf339016491 Mon Sep 17 00:00:00 2001 From: kosabogi Date: Wed, 11 Dec 2024 12:55:14 +0100 Subject: [PATCH 2/4] Adds detailed guidance on settings --- .../connectors-sharepoint-online.asciidoc | 59 +++++++++++++++++-- 1 file changed, 53 insertions(+), 6 deletions(-) diff --git a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc index 88873943e98b6..e6fddfa08ea4f 100644 --- a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc +++ b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc 
@@ -133,6 +133,59 @@ The application name will appear in the Title box. ---- +[discrete#es-connectors-sharepoint-online-sites-selected-permissions] +====== Granting `Sites.Selected` permissions + +To configure `Sites.Selected` permissions, follow these steps in the Azure Active Directory portal. These permissions enable precise access control to specific SharePoint sites. + +. Sign in to the https://portal.azure.com/[Azure Active Directory portal^]. +. Navigate to **App registrations** and locate the application created for the connector. +. Under **API permissions**, click **Add permission**. +. Select **Microsoft Graph** > **Application permissions**, then add `Sites.Selected`. +. Click **Grant admin consent** to approve the permission. + +[TIP] +==== +Refer to the official Microsoft documentation for managing permissions in Azure AD: +* https://learn.microsoft.com/en-us/graph/permissions-reference[Microsoft Graph permissions reference^] +==== + +To assign access to specific SharePoint sites using `Sites.Selected`: + +. Use Microsoft Graph Explorer or PowerShell to grant access. +. To fetch the site ID, run the following Graph API query: ++ +[source, http] +---- +GET https://graph.microsoft.com/v1.0/sites?select=webUrl,Title,Id&$search="*" +---- ++ +This will return the `id` of the site. + +. Use the `id` to assign read or write access: ++ +[source, http] +---- +POST https://graph.microsoft.com/v1.0/sites//permissions +{ + "roles": ["read"], // or "write" + "grantedToIdentities": [ + { + "application": { + "id": "", + "displayName": "" + } + } + ] +} +---- + +[NOTE] +==== +When using the `Comma-separated list of sites` configuration field, ensure the sites specified match those granted `Sites.Selected` permission in SharePoint. +If the `Comma-separated list of sites` field is set to `*` or the `Enumerate all sites` toggle is enabled, the connector will attempt to access all sites. This requires broader permissions, which are not supported with `Sites.Selected`. 
+==== + .Graph API permissions **** Microsoft recommends using Graph API for all operations with Sharepoint Online. Graph API is well-documented and more efficient at fetching data, which helps avoid throttling. @@ -145,12 +198,6 @@ Here's a summary of why we use these Graph API permissions: * *Groups.Read.All* is used to fetch groups for document-level permissions * *User.Read.All* is used to fetch user information for document-level permissions -[NOTE] -==== -When using the `Comma-separated list of sites` configuration field, ensure the sites specified match those granted `Sites.Selected` permission in SharePoint. -If the `Comma-separated list of sites` field is set to `*` or the `Enumerate all sites` toggle is enabled, the connector will attempt to access all sites. This requires broader permissions, which are not supported with `Sites.Selected`. -==== - Due to the way the Graph API is designed, these permissions are "all or nothing" - it's currently impossible to limit access to these resources. **** From 86756922a6ce6492f613a7b71c14c1b286f72391 Mon Sep 17 00:00:00 2001 From: kosabogi Date: Wed, 11 Dec 2024 12:59:23 +0100 Subject: [PATCH 3/4] Updates self-managed connector reference --- .../connectors-sharepoint-online.asciidoc | 59 +++++++++++++++++-- 1 file changed, 53 insertions(+), 6 deletions(-) diff --git a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc index e6fddfa08ea4f..a81e66e08157b 100644 --- a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc +++ b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc 
@@ -647,6 +647,59 @@ The application name will appear in the Title box. ---- +[discrete#es-connectors-sharepoint-online-sites-selected-permissions] +====== Granting `Sites.Selected` permissions + +To configure `Sites.Selected` permissions, follow these steps in the Azure Active Directory portal. These permissions enable precise access control to specific SharePoint sites. + +. Sign in to the https://portal.azure.com/[Azure Active Directory portal^]. +. Navigate to **App registrations** and locate the application created for the connector. +. Under **API permissions**, click **Add permission**. +. Select **Microsoft Graph** > **Application permissions**, then add `Sites.Selected`. +. Click **Grant admin consent** to approve the permission. + +[TIP] +==== +Refer to the official Microsoft documentation for managing permissions in Azure AD: +* https://learn.microsoft.com/en-us/graph/permissions-reference[Microsoft Graph permissions reference^] +==== + +To assign access to specific SharePoint sites using `Sites.Selected`: + +. Use Microsoft Graph Explorer or PowerShell to grant access. +. To fetch the site ID, run the following Graph API query: ++ +[source, http] +---- +GET https://graph.microsoft.com/v1.0/sites?select=webUrl,Title,Id&$search="*" +---- ++ +This will return the `id` of the site. + +. Use the `id` to assign read or write access: ++ +[source, http] +---- +POST https://graph.microsoft.com/v1.0/sites//permissions +{ + "roles": ["read"], // or "write" + "grantedToIdentities": [ + { + "application": { + "id": "", + "displayName": "" + } + } + ] +} +---- + +[NOTE] +==== +When using the `Comma-separated list of sites` configuration field, ensure the sites specified match those granted `Sites.Selected` permission in SharePoint. +If the `Comma-separated list of sites` field is set to `*` or the `Enumerate all sites` toggle is enabled, the connector will attempt to access all sites. This requires broader permissions, which are not supported with `Sites.Selected`. 
+==== + .Graph API permissions **** Microsoft recommends using Graph API for all operations with Sharepoint Online. Graph API is well-documented and more efficient at fetching data, which helps avoid throttling. @@ -659,12 +712,6 @@ Here's a summary of why we use these Graph API permissions: * *Groups.Read.All* is used to fetch groups for document-level permissions * *User.Read.All* is used to fetch user information for document-level permissions -[NOTE] -==== -When using the `Comma-separated list of sites` configuration field, ensure the sites specified match those granted `Sites.Selected` permission in SharePoint. -If the `Comma-separated list of sites` field is set to `*` or the `Enumerate all sites` toggle is enabled, the connector will attempt to access all sites. This requires broader permissions, which are not supported with `Sites.Selected`. -==== - Due to the way the Graph API is designed, these permissions are "all or nothing" - it's currently impossible to limit access to these resources. **** From 9383b4cb2b094e8b8dadb4ed5896ea8f3bcbdd50 Mon Sep 17 00:00:00 2001 From: kosabogi Date: Wed, 11 Dec 2024 13:09:44 +0100 Subject: [PATCH 4/4] Fixes link --- .../connector/docs/connectors-sharepoint-online.asciidoc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc index a81e66e08157b..2680e3ff840a6 100644 --- a/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc +++ b/docs/reference/connector/docs/connectors-sharepoint-online.asciidoc 
@@ -146,8 +146,7 @@ To configure `Sites.Selected` permissions, follow these steps in the Azure Activ [TIP] ==== -Refer to the official Microsoft documentation for managing permissions in Azure AD: -* https://learn.microsoft.com/en-us/graph/permissions-reference[Microsoft Graph permissions reference^] +Refer to the official https://learn.microsoft.com/en-us/graph/permissions-reference[Microsoft documentation] for managing permissions in Azure AD. ==== To assign access to specific SharePoint sites using `Sites.Selected`: @@ -647,7 +646,7 @@ The application name will appear in the Title box. ---- -[discrete#es-connectors-sharepoint-online-sites-selected-permissions] +[discrete#es-connectors-sharepoint-online-sites-selected-permissions-self-managed] ====== Granting `Sites.Selected` permissions To configure `Sites.Selected` permissions, follow these steps in the Azure Active Directory portal. These permissions enable precise access control to specific SharePoint sites. @@ -660,10 +659,10 @@ To configure `Sites.Selected` permissions, follow these steps in the Azure Activ [TIP] ==== -Refer to the official Microsoft documentation for managing permissions in Azure AD: -* https://learn.microsoft.com/en-us/graph/permissions-reference[Microsoft Graph permissions reference^] +Refer to the official https://learn.microsoft.com/en-us/graph/permissions-reference[Microsoft documentation] for managing permissions in Azure AD. ==== + To assign access to specific SharePoint sites using `Sites.Selected`: . Use Microsoft Graph Explorer or PowerShell to grant access.
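Review bot: in PATCH 1/4 (hunks `-145,6` and `-606,6`) the new NOTE says that `*` or the `Enumerate all sites` toggle "requires broader permissions" but never names them, and it does not say what happens when the configured sites and the `Sites.Selected` grants differ. Name the permission needed for the all-sites case and describe the failure an operator will see (a sync error, or a site that is silently skipped), so a misconfiguration can be told apart from an empty site. The NOTE is also placed inside the "Graph API permissions" sidebar, directly above the sentence that these permissions are "all or nothing", which reads as a contradiction; PATCH 2/4 moves it out again, so the two commits could be squashed.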
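Review bot: the POST example in the `@@ -133,6 +133,59 @@` hunk of PATCH 2/4 cannot be used as written: the URL is `sites//permissions` with nothing between the slashes, `"id"` and `"displayName"` are empty strings, and the `// or "write"` comment makes the body invalid JSON. Put visible placeholders in the path and the body (and check they survive rendering), move the read/write choice into the step text, and state which role the connector needs so that readers grant `read` unless write is actually required. The GET above it mixes `select` with `$search`, and `$search="*"` returns every site rather than "the `id` of the site", so the step should tell the reader to pick the matching entry. It should also say which identity runs both calls, since the NOTE in this same hunk states that reaching all sites is not supported with `Sites.Selected`.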
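Review bot: the `@@ -647,6 +647,59 @@` hunk of PATCH 3/4 reuses the anchor `es-connectors-sharepoint-online-sites-selected-permissions`, which PATCH 2/4 already defines earlier in the same file, so the document carries two identical IDs until PATCH 4/4 renames this one. Apply the `-self-managed` suffix in this commit so that every commit in the series builds with unique anchors. The 53 added lines are a verbatim copy of the earlier section, including the empty `sites//permissions` URL and the comment inside the JSON body, so each correction has to be made twice; a shared include would keep the two copies from drifting.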
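Review bot: in PATCH 4/4 the rewritten TIP link (hunks `-146,8` and `-660,10`) drops the `^` that the replaced line carried and swaps the descriptive label "Microsoft Graph permissions reference" for "Microsoft documentation", so the link no longer says where it leads. Keep the original label and the `^` inside the new one-line sentence. The `-660,10` hunk also adds a blank line after `====` that the `-146,8` hunk does not, so the two copies of the section now differ for no stated reason; drop it or add it in both places.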