Overview of SharePoint Online Connector
The SharePoint Online (SPO) connector comprises multiple Azure services, including microservices, web jobs and Azure functions, that are used for inventorying and managing SharePoint Online in EmpowerID. Inventoried information includes SPO site collections, user profiles, webs, groups, roles, role assignments and group membership. This information can be managed in EmpowerID as well as synchronized with data in any connected back-end user directories.
Supported Features and Attribute Mappings
User Profile Management
- Inventory user profiles
- Edit user profiles
- Bi-directional synchronization of SharePoint user profiles and EmpowerID Person attributes
Groups Management
- Inventory SharePoint groups
- Add users and groups to SharePoint groups
- Remove users and groups from SharePoint groups
Roles
- Inventory SharePoint roles / permissions
- Inventory SharePoint role assignments of users and groups to SharePoint resources
During the inventory process, EmpowerID discovers any roles or permissions that have been assigned to a user or group in SharePoint and adds these as SharePoint Role Definitions in EmpowerID. SharePoint Role Definitions represent the actual SharePoint permissions discovered by EmpowerID during the inventory of managed SharePoint Online resource systems. SharePoint Role Definitions (permissions) are defined per SharePoint Site Collection and are used by all sites in that site collection. Each SharePoint Role Definition applies to multiple resource types in SharePoint, such as lists, folders, documents and webs. EmpowerID inventories both inherited and unique permissions for sites.
SharePoint Permissions / EmpowerID SharePoint Online Role Definition | Description |
---|---|
Full Control | Has full control |
Design | Can view, add, update, delete, approve, and customize |
Edit | Can add, edit and delete lists; can view, add, update and delete list items and documents |
Contribute | Can view, add, update, and delete list items and documents |
Read | Can view pages and list items and download documents |
Limited Access | Can view pages and list items and download documents |
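The inheritance behaviour described above (role definitions scoped to a site collection, applied to webs, lists, folders and documents, with some resources inheriting permissions from their parent and others holding unique permissions) is illustrated by the following added example. It is not EmpowerID's code or data model; the `Resource` class, the sample hierarchy and the principal names are all constructed for illustration. It resolves the effective role assignments of every resource, records whether each assignment is inherited or unique, and lists the resources that break inheritance, which are the scopes an access reviewer should look at first.

```python
"""Added example (not EmpowerID's code): resolve effective SharePoint role
assignments across a site-collection hierarchy with inherited and unique
permissions. All names, data and the Resource model are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role definitions (permission levels) are defined once per site collection
# and shared by every web, list, folder and document inside it.
ROLE_DEFINITIONS: Set[str] = {
    "Full Control", "Design", "Edit", "Contribute", "Read", "Limited Access",
}


@dataclass
class Resource:
    """One securable object: web, list, folder or document (hypothetical model)."""
    name: str
    kind: str
    parent: Optional["Resource"] = None
    inherits: bool = True  # False means the resource has unique permissions
    # principal (user or group name) -> role definitions assigned directly here
    assignments: Dict[str, Set[str]] = field(default_factory=dict)
    children: List["Resource"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is None:
            self.inherits = False  # the root web always holds its own permissions
        else:
            self.parent.children.append(self)


def permission_source(res: Resource) -> Resource:
    """Walk up the hierarchy to the resource whose permissions actually apply."""
    node = res
    while node.inherits and node.parent is not None:
        node = node.parent
    return node


def effective_assignments(res: Resource) -> Dict[str, Set[str]]:
    """Principal -> roles that are in force on this resource."""
    return permission_source(res).assignments


def inventory(root: Resource) -> List[Tuple[str, str, str, str, bool]]:
    """Depth-first walk producing (resource, principal, role, source, unique)."""
    rows: List[Tuple[str, str, str, str, bool]] = []
    stack = [root]
    while stack:
        node = stack.pop()
        source = permission_source(node)
        for principal, roles in sorted(source.assignments.items()):
            for role in sorted(roles):
                if role not in ROLE_DEFINITIONS:
                    raise ValueError(f"unknown role definition {role!r} on {source.name}")
                rows.append((node.name, principal, role, source.name, source is node))
        stack.extend(reversed(node.children))  # keep document order
    return rows


def unique_permission_scopes(root: Resource) -> List[Resource]:
    """Resources that break inheritance: each is a separate scope to review."""
    found, stack = [], [root]
    while stack:
        node = stack.pop()
        if not node.inherits:
            found.append(node)
        stack.extend(reversed(node.children))
    return found


def principal_access(rows, principal: str) -> Set[str]:
    """Names of every resource on which the principal has some role."""
    return {resource for resource, who, _role, _src, _uniq in rows if who == principal}


def build_sample() -> Resource:
    """Constructed sample hierarchy: one web inherits, one list breaks inheritance."""
    root = Resource("Root Web", "web",
                    assignments={"Site Owners": {"Full Control"}, "Site Members": {"Edit"}})
    hr = Resource("HR Web", "web", parent=root)  # inherits from Root Web
    payroll = Resource("Payroll Docs", "list", parent=hr, inherits=False,
                       assignments={"HR Team": {"Contribute"}, "Auditors": {"Read"}})
    Resource("Memo.docx", "document", parent=payroll)  # inherits from the list
    return root


if __name__ == "__main__":
    tree = build_sample()
    for row in inventory(tree):
        print(row)
    print("unique scopes:", [r.name for r in unique_permission_scopes(tree)])
```

The `unique` flag in each inventory row is what distinguishes a permission that was granted on the resource itself from one that merely flows down from a parent scope; the same distinction is what lets a reviewer see that "Site Members" lose their Edit rights on the payroll list because it broke inheritance.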
Webs
- Inventory SharePoint webs
Site Collections
- Inventory SharePoint site collections
User Profile Attribute Flow
The default SharePoint profile properties that EmpowerID can synchronize, and the naming convention used for each, are shown in the table below. Custom attributes can be added as needed.
User Profile Sync Attribute Flow | Name of Profile property in SharePoint |
---|---|
FirstName | First Name |
LastName | Last Name |
UserName | |
EIDJobTitle | Job Title |
SID | SID |
UserProfile_GUID | UserProfile_GUID |
Azure Components Required by the SharePoint Online Microservice
Key to the SharePoint Online connector is the SharePoint Online (SPO) microservice, which communicates with EmpowerID and your SharePoint to allow you to collect and manage your SharePoint data in EmpowerID. To do so, the microservice needs to be deployed to each SharePoint tenant and each of those tenants needs to be configured with additional Azure components. The number of components needed differs depending on whether you are self-hosting or using EmpowerID SaaS.
Azure Components for Self-hosting EmpowerID
If you are not using EmpowerID SaaS and want EmpowerID to manage one or more of your SharePoint tenants, you need to configure one of those tenants with all of the components shown on the “EmpowerID side” (left) of Figure 1. These components are necessary to inventory SharePoint. In addition to these, you also need to configure each SharePoint tenant to be managed by EmpowerID with all of the components shown on the “Self-hosted” side of Figure 1. The only exception to this is the EntraID SCIM app service. This service only needs to be set up once within Azure.
All of the components shown on the EmpowerID side of the image are required whether you are self-hosting EmpowerID or using EmpowerID SaaS. The only difference is that when using EmpowerID SaaS you do not need to set up these components yourself; EmpowerID takes care of that for you.
Figure 1 below depicts the Azure components you need to configure when self-hosting EmpowerID. The purpose of each component is described in the table that follows the figure.
Azure Component | Purpose |
---|---|
Key Vault | Stores secrets and the certificate for the Azure functions and web jobs to access |
Cosmos DB | Stores SPO and SPO site collection information; tracks inventory objects per schedule; stores configuration needed by the SPO app service; used by the AzGeneralService app service to persist data each time a call is made to the service |
Az General Service App Service with Managed Identity | Stores and retrieves configuration settings needed by SPO functions and web jobs |
Storage Account | Stores SharePoint site collection and topology information for each site collection in blobs; stores the data necessary in the queues to trigger the web jobs |
Service Bus | Queue stores differential data to be pushed to EmpowerID |
Web Jobs App Service with Managed Identity | Calls the SPO microservice to retrieve site collections and the topology for each site collection and stores them in the blob |
SPO Functions Function App with Managed Identity | Function to register SharePoint tenants in Cosmos DB; function to update SharePoint tenants in Cosmos DB; function to delete SharePoint tenants in Cosmos DB; function to claim inventory for SharePoint tenants in Cosmos DB; function to process data in the Service Bus queue and push it to EmpowerID. All functions retrieve their configuration data from the AzGeneralService App Service |
Azure Components Required for each SharePoint Tenant
Azure Component | Purpose |
---|---|
Service Principal application 1 | Used to provide Azure AD authentication to the app service that hosts the SharePoint Online microservice |
Service Principal application 2 | Used to grant API permissions to Microsoft Graph and SharePoint API endpoints |
App Service | Used to host the SharePoint Online app service |
Key Vault | Stores the certificate for certificate-based authentication between the microservice and the service principal registered in Azure for it; stores an access policy that grants key, secret and certificate permissions to the SharePoint Online app service hosting the microservice |
Cosmos DB | Stores configuration information needed by the SharePoint Online app service |
Function App | Used to update SharePoint user profiles |
Azure AD SCIM Microservice | Used to inventory and manage Azure AD information in EmpowerID. This microservice must be deployed to Azure before setting up the SPO microservice. |
Azure Components Required for EmpowerID SaaS
If you are taking advantage of EmpowerID SaaS, the components you need to configure in Azure are minimal as EmpowerID configures everything needed to inventory SharePoint (represented by the grayed out components on the left side of Figure 2 below). As a SaaS customer, you only need to configure the components shown on the right side of the figure. If you are using EmpowerID to manage more than one SharePoint tenant, you need to configure these components for each of those tenants.
Azure Component | Purpose |
---|---|
Service Principal application 1 | Used to provide Azure AD authentication to the app service that hosts the SharePoint Online microservice |
Service Principal application 2 | Used to grant API permissions to Microsoft Graph and SharePoint API endpoints |
App Service | Used to host the SharePoint Online app service |
Key Vault | Stores the certificate for certificate-based authentication between the microservice and the service principal registered in Azure for it; stores an access policy that grants key, secret and certificate permissions to the SharePoint Online app service hosting the microservice |
Cosmos DB | Stores configuration information needed by the SharePoint Online app service |
Function App | Used to update SharePoint user profiles |
Azure AD SCIM Microservice | Used to inventory and manage Azure AD information in EmpowerID. This microservice must be deployed to Azure before setting up the SPO microservice. |
EmpowerID Items to Deploy
The SharePoint Online connector includes several components that you need to deploy to Azure from EmpowerID. These components and their related files are listed in the table below.
EmpowerID Component | File |
---|---|
AzGeneralService Microservice | AzGeneralServices_MicroserviceV3.zip |