How to use Sharepoint (application)
NOTE: for projects using 蜜豆视频鈥檚 Sharepoint please continue here.
If you use SharePoint as your content source, AEM uses a registered Microsoft Azure application to access your content. This application has delegated permissions defined that allow the service to access SharePoint on behalf of a user. This user needs to be registered to the project that is using SharePoint.
Alternatively, the services can also authenticate as an application and use application permissions to access the sites. This needs additional setup by a SharePoint site administrator that can grant the permissions for the application.
The preferred setup is to use application permissions, as this narrows down the access the service has to a specific SharePoint site and does not require to share any secrets of a technical user. Also, it reduces the problems around password rotation.
The following describes how to set up application permissions for your project. If you want to set up a technical user, please continue here.
Setting up SharePoint involves the following steps:
- Create or identify a Sharepoint site that will serve as site for the document based authoring
- Create a folder within SharePoint that will be the website root.
- Configure the
fstab.yaml
with the respective folder - Access the Registration Portal
- Register the Application
- Apply the
sites.selected
permission to the SharePoint site
1. Create or identify a Sharepoint site
Talk to your IT department to either identify or create a Sharepoint site that will be used for document based authoring. One site can 鈥渉ost鈥 multiple websites (projects). This site will later receive the respective permissions so that the publishing services can access it.
2. Create the website root folder
Navigate to your desired location in the SharePoint site created or identified above and create a root folder that will be your website root. It is best to not use a SharePoint list root directly, so that you have a shared space for your authors to put collateral documents, for example a drafts folder, or how-to-author documentations.
An example file structure might look like this, using the website
folder as the root:
3. Configure the fstab.yaml
The next step is to configure the mountpoint in the fstab.yaml
to point to the website root. It usually has the form of
https://<tenant>.SharePoint.com/sites/<sp-site>/Shared%20Documents/website
But this might vary depending on how you create the SharePoint site and lists. In order to obtain the url, the simplest way is to copy-past the first part from the browser address, eg:
And then add the rest manually (Note, that copying the sharelink via the UI adds unnecessary information and it is better to use a canonical representation of the url). Once you composed the url, you can test it by entering it again in the browser. You should end up in the folder view of your website root.
After that, update the fstab.yaml
accordingly.
For example:
mountpoints:
/: https://adobeenterprisesupportaem.SharePoint.com/sites/hlx-test-project/Shared%20Documents/website
To finalize the configuration, commit the fstab.yaml
back to the main branch.
4. Access the Registration Portal
Overview
In order for the AEM service to access the authored content it needs a couple of information and setup. The AEM service (a cloud function) accesses the on behalf of an application (or configured user). In order to do so, it needs to authenticate first in the context of an . This is important because the scopes given to the application define what permission the service has on the MS Graph API. For example, it should be allowed to read and write documents, but not to alter access control.
An application is represented as an 鈥淓nterprise Application鈥 in the respective Active Directory of a tenant. The permissions given to that enterprise application ultimately define what the service can access in that tenant鈥檚 resources. Certain permissions need to be approved by an Active Directory administrator before a user can use the application. This so-called 鈥渁dmin consent鈥 is a mechanism to verify and control which permissions apps can have. This is to prevent dubious apps from tricking users into trusting an app that is not official. Having the extra admin consent step allows IT security to control which apps the employees can use.
1. Sign-in in the Registration Portal
Create application using MSGraph or Powershell
Alternatively, you can create the Enterprise application via MSGraph or Powershell.
In order to make it visible in the azure UI you also need to add the WindowsAzureActiveDirectoryIntegratedApp
tag. This can be done directly when creating the application.
Using graph explorer:
POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json
{
"appId": "e34c45c4-0919-43e1-9436-448ad8e81552",
"tags": [
"WindowsAzureActiveDirectoryIntegratedApp"
]
}
Using powershell:
PS> connect-MgGraph -Scopes "Application.ReadWrite.All"
PS> New-MgServicePrincipal -AppId e34c45c4-0919-43e1-9436-448ad8e81552 -Tags WindowsAzureActiveDirectoryIntegratedApp
Adding the Franklin Service with application permissions
Same as above, the Enterprise application for the Franklin Service (83ab2922-5f11-4e4d-96f3-d1e0ff152856)
is not present in Azure yet,
In order to add it, use the graph explorer or powershell to add it:
Using graph explorer:
POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json
{
"appId": "83ab2922-5f11-4e4d-96f3-d1e0ff152856",
"tags": [
"WindowsAzureActiveDirectoryIntegratedApp"
]
}
Using powershell:
PS> connect-MgGraph -Scopes "Application.ReadWrite.All"
PS> New-MgServicePrincipal -AppId 83ab2922-5f11-4e4d-96f3-d1e0ff152856 -Tags WindowsAzureActiveDirectoryIntegratedApp
Also see:
Add Application Roles using Powershell or Graph Explorer
Alternatively, adding the app roles can be done with the following steps:
- Find the service principal of the enterprise application (
principalId
). This is the one you created above. - Find the service principal of the Microsoft Graph API (
resourceId
) - Find the Id for the
Sites.Selected
Application Role (appRoleId
) - Assign the Application Role to the Managed Identity (The Enterprise Application)
Using powershell this can be done with:
$ObjectId = "abcdef-1234-49b6-b660-cc85b34fe516" <<------ replace with your enterprise app id
$AAD_SP = Get-AzureADServicePrincipal -SearchString "Microsoft Graph";
$AAD_SP
$MSI = Get-AzureADServicePrincipal -ObjectId $ObjectId
if($MSI.Count -gt 1)
{
Write-Output "More than 1 principal found, please find your principal and copy the right object ID. Now use the syntax $MSI = Get-AzureADServicePrincipal -ObjectId <your_object_id>"
Exit
}
$AAD_AppRole = $AAD_SP.AppRoles | Where-Object {$_.Value -eq "Sites.Selected"}
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $AAD_SP.ObjectId[0] -Id $AAD_AppRole.Id
Using graph explorer it involves more steps:
- Find the principal of the enterprise application:
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '83ab2922-5f11-4e4d-96f3-d1e0ff152856'
...
"value": [
{
"id": "6761ada0-733b-4a02-98b2-3db970834fe0",
...
This will be our principalId
- Find the service principal of the Microsoft Graph API
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
...
"value": [
{
"id": "5159db96-7193-414e-9730-b1d1e4448443",
...
This is the resourceId
. (the resource that defines the application role)
- Find the id of the application role.
GET https://graph.microsoft.com/v1.0/servicePrincipals/5159db96-7193-414e-9730-b1d1e4448443/appRoles
...
{
"allowedMemberTypes": [
"Application"
],
"description": "Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.",
"displayName": "Access selected site collections",
"id": "883ea226-0bf2-4a8f-9f9d-92c9162a727d",
"isEnabled": true,
"origin": "Application",
"value": "Sites.Selected"
},
...
This Id is the appRoleId
- Assign the Application Role to the Managed Identity. The request has the format:
POST https://graph.microsoft.com/v1.0/servicePrincipals/${principalId}/appRoleAssignedTo
Content-Type: application/json
{
"principalId": "${principalId}",
"resourceId": "${resourceId}",
"appRoleId": "${appRoleId}"
}
https://graph.microsoft.com/v1.0/servicePrincipals/6761ada0-733b-4a02-98b2-3db970834fe0/appRoleAssignedTo
Content-type: application/json
{
"principalId": "6761ada0-733b-4a02-98b2-3db970834fe0",
"resourceId": "5159db96-7193-414e-9730-b1d1e4448443",
"appRoleId": "883ea226-0bf2-4a8f-9f9d-92c9162a727d"
}
Add permissions to Sharepoint Site
In order to add the permissions to the sharepoint site, we need to find its SiteId
.
This can be done using again the graph explorer:
GET https://graph.microsoft.com/v1.0/sites/{host-name}:/{server-relative-path}
Example:
GET https://graph.microsoft.com/v1.0/sites/adobeenterprisesupportaem.sharepoint.com:/sites/hlx-test-project
{
...
"id": "adobeenterprisesupportaem.sharepoint.com,03cc3587-0e4d-405e-b06c-ffb0a622b7ac,5fbc1df5-640c-4780-8b59-809e3193c043",
...
}
Using the Id
we can set the permissions:
POST https://graph.microsoft.com/v1.0/sites/adobeenterprisesupportaem.sharepoint.com,03cc3587-0e4d-405e-b06c-ffb0a622b7ac,5fbc1df5-640c-4780-8b59-809e3193c043/permissions
Content-type: application/json
{
"roles": [
"write"
],
"grantedToIdentities": [
{
"application": {
"id": "83ab2922-5f11-4e4d-96f3-d1e0ff152856",
"displayName": "Franklin Service"
}
}
]
}