OneConnect supports multiple authentication options to connect to SharePoint Online.
Please review the options available and choose the best option for your company, before beginning the integration setup.
URL + User Account
To authenticate to SharePoint, provide the URL of the SharePoint site along with a username and password for an account that has access to the site.
The user account cannot have Multi-Factor Authentication (MFA) enabled.
It is recommended to use a dedicated user account to access the SharePoint site. Best practice is one user account per integration; sharing an account across integrations can lead to throttling by Microsoft and potential failures.
Pros of using an account to connect:
- Quick to set up.
- Security can be set up to use
Cons of using an account to connect:
- The account cannot have Multi-Factor Authentication (MFA).
- A username and password must be configured in OneConnect.
- This method does not use "Modern" Authentication.
URL + Service Principal (New)
Service principal based authentication with SharePoint Online is an alternative to using a user account.
To authenticate to SharePoint, provide the URL of the SharePoint site and check Use a Service Principal to connect to SharePoint Online under the Advanced Options section of the SharePoint or Tabular Data connector. With this checkbox selected, the integration authenticates via the Service Principal that is created through the Authorize button.
Pros of Service Principal:
- More secure than using a user account
Cons of Service Principal:
- More involved process to set up (requires a Microsoft tenant administrator to approve permissions).
Creating a Service Principal
Connecting to any SharePoint or Tabular Data integration using a Service Principal can only be done through the Entra application that OnePlan creates via the integration's Authorize button.
Authorize Button (Default OnePlan Application)
Within the SharePoint or Tabular Data connector, expand the Advanced Options section; a Microsoft tenant administrator must then click the Authorize button within the connector. This opens a login screen where the tenant administrator enters their credentials.
That will add an Entra Application named OneConnect SharePoint Authentication to your tenant.
The OneConnect SharePoint Authentication application will have the following delegated permission:
- Microsoft Graph: User.Read
The OneConnect SharePoint Authentication application will have the following application permission:
- Office 365 SharePoint Online: Sites.Selected
NOTE: Without further configuration, this permission will not grant access to any of your SharePoint sites.
The next step is to use the Microsoft Graph API to grant the service principal permission to your specific SharePoint site.
Please note that each SharePoint site must be given permissions to the service principal. If you are using multiple integrations with multiple SharePoint sites, then you need to repeat the steps below for each site.
You can revoke the site permissions that you previously granted using the steps under Deleting Site Permissions below.
Retrieve SharePoint Site Id
There are two ways to locate your SharePoint Site Id. Both methods require a Tenant Administrator.
Locate SharePoint Site Id (Via URL)
1. Navigate to: https://{OrganizationName}.sharepoint.com/sites/{SiteName}/_api/site/id
Replace {OrganizationName} with your company’s name and {SiteName} with your SharePoint site name.
Example: https://yourtenantname.sharepoint.com/sites/yoursite/_api/site/id
2. The page will display XML data. Look for the element containing m:type="Edm.Guid"; its value is your site Id (GUID).
Example:
Note: If you receive an error message stating "Attempted to perform an unauthorized operation", proceed to the Locate SharePoint Site Id (Via Graph Explorer) section at the end of this article.
Set SharePoint Site Permissions
Once you have the Site Id, follow the steps to give access to this SharePoint site to the Service Principal:
Access Graph Explorer
1. Navigate to developer.microsoft.com/en-us/graph/graph-explorer.
2. Sign in using your tenant administrator credentials.
Grant/Ensure Microsoft Graph Permissions
1. If this is the first time you use Microsoft Graph Explorer, you will be asked to Grant Permissions to Microsoft Graph. Note that this is only granting permission for this configuration task, not to the integration.
2. Click your Profile icon in the top-right corner and select Consent to Permissions.
3. Search for Sites.FullControl.All.
4. Select and click Consent.
5. The following dialog will be shown:
6. Click Accept.
You can revoke these permissions once you are done with the configuration, using the steps under Revoke Graph Explorer Permissions below.
Set SharePoint Site Permissions
1. In Graph Explorer, change the first dropdown from GET to POST.
2. Enter the following URL: https://graph.microsoft.com/v1.0/sites/{SiteId}/permissions
Replace {SiteId} with your SharePoint Site Id.
3. In the Request Body, paste the following JSON text:
{
  "roles": ["write"],
  "grantedToIdentities": [{
    "application": {
      "id": "ec2e9acf-8093-4959-9f9d-5f561d15a97a",
      "displayName": "OneConnect SharePoint Authentication"
    }
  }]
}
If you use an integration that only loads data from SharePoint, you can adjust the body above and use "roles": ["read"].
4. Click Run query.
5. In the Response preview, verify that both grantedToIdentitiesV2 and grantedToIdentities list the correct Application Id.
The SharePoint site permissions are now successfully set.
Optional steps
Locate SharePoint Site Id (Via Graph Explorer)
Access Graph Explorer
1. Navigate to developer.microsoft.com/en-us/graph/graph-explorer.
2. Sign in using your tenant administrator credentials.
Grant/Ensure Microsoft Graph Permissions
1. If this is the first time you use Microsoft Graph Explorer, you will be asked to Grant Permissions to Microsoft Graph. Note that this is only granting permission for this configuration task, not to the integration.
2. Click your Profile icon in the top-right corner and select Consent to Permissions.
3. Search for Sites.FullControl.All.
4. Select and click Consent.
5. The following dialog will be shown:
6. Click Accept.
Retrieve SharePoint Site ID
If the steps in the Locate SharePoint Site Id (Via URL) section did not work, the following steps also allow the SharePoint Site Id to be located.
In Microsoft’s Graph Explorer, in the main section of the browser:
1. Set first dropdown to GET.
2. Set second dropdown to v1.0.
3. Enter the following URL: https://graph.microsoft.com/v1.0/sites?search={SiteName}
Replace {SiteName} with your SharePoint site name.
4. Click Run query.
5. In the Response preview, look for an object named "value".
6. The property called "id" contains your site Id in this format: {OrganizationName}.sharepoint.com, {SiteId}, {GuidId}. The middle value is the Site Id.
Note: Copy and securely store the SiteId value.
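The two ways of locating the Site Id above, and the POST body used in Set SharePoint Site Permissions, can be scripted rather than typed into Graph Explorer. The following Python is an added example, not code from OnePlan or from this page: it extracts the site GUID from the XML that /_api/site/id returns and from the composite id in a Graph /sites?search= response, builds the grant request for the OneConnect application id given on the page, and checks a POST response the way step 5 asks you to. The XML and JSON responses embedded below are constructed samples, not captured from a tenant; the GUIDs in them are placeholders.

```python
import json
import re
from typing import Optional

# Values taken from the page: the OneConnect application id and display name.
ONECONNECT_APP_ID = "ec2e9acf-8093-4959-9f9d-5f561d15a97a"
ONECONNECT_APP_NAME = "OneConnect SharePoint Authentication"
GRAPH = "https://graph.microsoft.com/v1.0"

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"


def site_id_from_rest_xml(xml_text: str) -> Optional[str]:
    """Extract the site GUID from the XML that /_api/site/id returns.

    The GUID is the text of the element typed m:type="Edm.Guid".
    """
    match = re.search(r'm:type="Edm\.Guid"[^>]*>(' + GUID + r')<', xml_text)
    return match.group(1).lower() if match else None


def site_id_from_graph_search(response_json: str, site_name: str) -> Optional[str]:
    """Extract the site GUID from a GET /sites?search={SiteName} response.

    Graph returns a composite id "host,siteId,webId"; the middle part is the
    Site Id the permission calls need. The search can return several sites,
    so match on the site name rather than taking the first hit.
    """
    for site in json.loads(response_json).get("value", []):
        names = {site.get("name", "").lower(), site.get("displayName", "").lower()}
        if site_name.lower() in names:
            parts = site.get("id", "").split(",")
            if len(parts) == 3:
                return parts[1].lower()
    return None


def build_grant_request(site_id: str, read_only: bool = False):
    """Return (method, url, body) for the POST that grants the app access to one site.

    read_only=True selects roles ["read"], for integrations that only load data.
    """
    body = {
        "roles": ["read" if read_only else "write"],
        "grantedToIdentities": [
            {"application": {"id": ONECONNECT_APP_ID, "displayName": ONECONNECT_APP_NAME}}
        ],
    }
    return "POST", f"{GRAPH}/sites/{site_id}/permissions", body


def grant_confirmed(response_json: str, app_id: str = ONECONNECT_APP_ID) -> bool:
    """Verify the POST response lists app_id under both grantedToIdentitiesV2
    and grantedToIdentities, which is the check step 5 of the page describes."""
    perm = json.loads(response_json)

    def app_ids(key: str) -> set:
        return {g.get("application", {}).get("id", "").lower() for g in perm.get(key, [])}

    wanted = app_id.lower()
    return wanted in app_ids("grantedToIdentitiesV2") and wanted in app_ids("grantedToIdentities")


# Constructed sample responses (placeholders, not captured from a real tenant).
SAMPLE_SITE_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" '
    'xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" '
    'm:type="Edm.Guid">11111111-2222-3333-4444-555555555555</d:Id>'
)
SAMPLE_SEARCH_JSON = json.dumps({"value": [
    {"id": "contoso.sharepoint.com,aaaaaaaa-0000-0000-0000-000000000001,bbbbbbbb-0000-0000-0000-000000000002",
     "name": "othersite", "displayName": "Other Site"},
    {"id": "contoso.sharepoint.com,11111111-2222-3333-4444-555555555555,cccccccc-0000-0000-0000-000000000003",
     "name": "yoursite", "displayName": "Your Site"},
]})
SAMPLE_GRANT_RESPONSE = json.dumps({
    "id": "constructed-permission-id",
    "roles": ["write"],
    "grantedToIdentitiesV2": [{"application": {"id": ONECONNECT_APP_ID, "displayName": ONECONNECT_APP_NAME}}],
    "grantedToIdentities": [{"application": {"id": ONECONNECT_APP_ID, "displayName": ONECONNECT_APP_NAME}}],
})

if __name__ == "__main__":
    sid = site_id_from_rest_xml(SAMPLE_SITE_XML)
    assert sid == site_id_from_graph_search(SAMPLE_SEARCH_JSON, "yoursite")
    method, url, body = build_grant_request(sid, read_only=True)
    print(method, url)
    print(json.dumps(body, indent=2))
    print("grant confirmed:", grant_confirmed(SAMPLE_GRANT_RESPONSE))
```

Matching on the site name in site_id_from_graph_search matters because the search endpoint does substring matching and can return more than one site; granting write on the wrong site would give the integration access it should not have. Keep read_only=True for integrations that only load data, which is the least privilege the page itself recommends.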
Revoke Graph Explorer Permissions
To remove previously granted permissions for Graph Explorer:
1. Signed in as a tenant or application administrator for your tenant, go to portal.azure.com.
2. Navigate to Microsoft Entra Admin Center.
3. Within the left navigation bar, click Enterprise applications.
4. Locate and open the Graph Explorer application.
5. Under Security, click Permissions.
a. Locate any permissions you wish to revoke.
b. Click the ellipses (…) on the far right and select Revoke Permissions.
c. A confirmation prompt will appear. Click Yes, revoke.
Deleting Site Permissions
To remove permissions for a specific SharePoint site, you will need its Site Id.
Retrieve Site Permissions
1. Navigate to developer.microsoft.com/en-us/graph/graph-explorer.
2. Sign in using your tenant administrator credentials.
3. Set first dropdown to GET.
4. Set second dropdown to v1.0.
5. Enter the following URL: https://graph.microsoft.com/v1.0/sites/{SiteId}/permissions
Replace {SiteId} with the SharePoint Site Id.
6. Click Run query.
7. The Response preview will display the permissions set on the site.
8. Locate the permission object where the Application Id is ec2e9acf-8093-4959-9f9d-5f561d15a97a.
9. The Permission Id is the long string of letters and numbers in the id property directly above the grantedToIdentitiesV2 object.
10. Copy this ID.
Delete Site Permissions
1. In Graph Explorer, set the first dropdown to DELETE.
2. Enter the following URL: https://graph.microsoft.com/v1.0/sites/{SiteId}/permissions/{PermissionId}
Replace {SiteId} with the SharePoint Site Id and {PermissionId} with the copied Permission Id.
3. Click Run query.
The permissions will then be revoked for that site.
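Finding the right permission object by eye in the Response preview is error-prone when several applications hold Sites.Selected grants on the same site. The following Python is an added example, not OnePlan's code: it filters a GET /sites/{SiteId}/permissions response down to the permission ids granted to the OneConnect application id given on the page and builds the matching DELETE calls. The listing embedded below is a constructed sample, and graph_call is a hypothetical helper that only runs when a bearer token is supplied in the GRAPH_TOKEN environment variable.

```python
import json
import os
import urllib.request
from typing import List, Tuple

# Application id of the OneConnect SharePoint Authentication app, from the page.
ONECONNECT_APP_ID = "ec2e9acf-8093-4959-9f9d-5f561d15a97a"
GRAPH = "https://graph.microsoft.com/v1.0"


def find_permission_ids(listing_json: str, app_id: str = ONECONNECT_APP_ID) -> List[str]:
    """Return the ids of permission objects on a site that are granted to app_id.

    Works over the GET /sites/{SiteId}/permissions response and checks
    grantedToIdentitiesV2, falling back to grantedToIdentities for entries
    that only carry the older property.
    """
    found = []
    for perm in json.loads(listing_json).get("value", []):
        grants = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        if any(g.get("application", {}).get("id", "").lower() == app_id.lower() for g in grants):
            found.append(perm["id"])
    return found


def build_delete_requests(site_id: str, permission_ids: List[str]) -> List[Tuple[str, str]]:
    """One DELETE per permission id: the same call the page's Delete Site Permissions steps make."""
    return [("DELETE", f"{GRAPH}/sites/{site_id}/permissions/{pid}") for pid in permission_ids]


def graph_call(method: str, url: str, token: str) -> Tuple[int, str]:
    """Hypothetical helper: send one Graph request with a bearer token.

    Needs a real token and network access; the sample data below never calls it.
    A successful DELETE returns 204 with an empty body.
    """
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8")


# Constructed sample listing (placeholder ids, not captured from a real tenant).
SAMPLE_LISTING = json.dumps({"value": [
    {"id": "perm-for-some-other-app", "roles": ["read"],
     "grantedToIdentitiesV2": [{"application": {
         "id": "00000000-0000-0000-0000-000000000001", "displayName": "Other App"}}]},
    {"id": "perm-for-oneconnect", "roles": ["write"],
     "grantedToIdentitiesV2": [{"application": {
         "id": ONECONNECT_APP_ID, "displayName": "OneConnect SharePoint Authentication"}}],
     "grantedToIdentities": [{"application": {
         "id": ONECONNECT_APP_ID, "displayName": "OneConnect SharePoint Authentication"}}]},
]})

if __name__ == "__main__":
    site_id = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
    ids = find_permission_ids(SAMPLE_LISTING)
    token = os.environ.get("GRAPH_TOKEN")
    for method, url in build_delete_requests(site_id, ids):
        print(method, url)
        if token:
            print(graph_call(method, url, token))
```

Because Sites.Selected grants nothing until a site-level permission exists, listing each site's permissions for the OneConnect application id is also a quick way to audit which sites an integration can still reach, and to confirm that a retired integration's grants have actually been removed.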