The EmpowerID SharePoint Online microservice is an enterprise-scale, high-security product that can be run on-premises or as Software-as-a-Service operated by EmpowerID, as Web and Application Server containers in the cloud or on-premises. As shown below, it comprises components common to all EmpowerID connectors plus several that are specific to this module. The below image depicts a high-level overview of the Azure deployment model for microservices and includes a breakdown of the components that must be configured in Azure for the SharePoint Online microservice. As can be seen, the tenant needs to be configured for both the EmpowerID SCIM microservice and the SharePoint microservice. The EmpowerID SCIM microservice is needed for EmpowerID to connect with the Azure tenant, while the SharePoint Online (SPO) microservice allows EmpowerID to communicate with and inventory SharePoint data.

[Image: high-level overview of the Azure deployment model for the SharePoint Online microservice]

If you are self-hosting EmpowerID and want EmpowerID to manage your SharePoint Online, you need to configure each Azure tenant that has SharePoint with all of the components shown in the below image. To deploy the SharePoint Online microservice to Azure, you must first configure Azure with these components; the table below lists each one.

...

SharePoint Online Azure Component

  • Key Vault

  • Cosmos DB

  • Az General Service App Service with Managed Identity

  • Storage Account

  • Service Bus

  • Web Jobs App Service with Managed Identity

  • SPO Functions Function App with Managed Identity

Configure Azure for the SharePoint Online Microservice

Note

Prerequisites

Before configuring Azure for the SharePoint Online microservice, you need to connect EmpowerID to your Azure tenant. Please see Connecting to Azure AD for the details.

...

Log in to your Azure tenant as a user with the necessary permissions to configure the above-referenced components.

...

Cosmos DB

  1. Create a Cosmos DB account with the following settings:

    • Account Name – Enter a name for the database account

    • API – Core (SQL)

    • Location – Select the appropriate geographic location

    • Capacity mode – Provisioned throughput

Storage Account

  1. Create a storage account with the following settings:

    • Secure transfer required – Enabled

    • Allow Blob public access – Enabled (this account-level setting only permits anonymous access to be configured per container; containers stay private unless their own access level is changed)

    • Allow storage account key access – Enabled

    • Minimum TLS version – Version 1.2

    • Blob access tier (default) – Hot

    • Large file shares – Disabled

    • Replication – Read-access geo-redundant storage (RA-GRS)

    • Azure Active Directory Domain services (Azure AD DS) – Disabled

    • Data Lake Storage Gen2 – Disabled

    • NFS v3 – Disabled

  2. Copy the connection string for later use.

Service Bus

  1. Create a service bus with the basic pricing tier and copy the connection string for later use.

...

  1. Create a Linux app service plan.

  2. Add an app service for the Az General Services microservice to the Linux app service plan with the following general settings:

    • Stack – .NET

    • Major version – .NET Core 3

    • FTP state – All allowed

    • HTTP version – 1.1

    • Web sockets – Off

    • Always on – Off

    • ARR affinity – Off

    • Debugging – Off

    • Client certificate mode – Ignore

  3. Turn on system managed identity for the app service and download the publish profile from the overview blade.

  4. In EmpowerID, publish the Az General Services microservice to Azure.

  5. Create a service principal in Azure Active Directory with the following settings:

    • Secret – Create a secret for the service principal and copy the value for later use.

    • Configure the service principal for Azure AD authentication.

  6. Return to the Cosmos DB account created earlier and create a new container and database for the Az General Services microservice with the below settings. The service uses this database to persist data whenever EmpowerID makes a call to it.

    • Database Id – AzureGeneralService

    • Container Id – AzureGeneralService

    • Partition key – id

Key Vault

  1. Create an Azure Key Vault for the Azure General app service with all of the default settings.

  2. Create an access policy for the key vault with the following settings:

    • Key permissions

      • Get

      • Decrypt

      • Unwrap

      • Verify

    • Secret permissions

      • Get

      • List

      • Set

      • Delete

      • Purge

    • Service principal – Azure General service app

  3. Add the following config settings to the Az General service app service:

    • CosmosDbAuthKey – Primary key of the Cosmos DB account

    • CosmosDbContainerId – Container Id that was created in the above steps

    • CosmosDbEndpoint – URI of the Cosmos DB account

    • CosmosDbDatabaseId – Database Id that was created in the above steps

    • KeyVaultUrl – Vault URI of the key vault created in the above steps

  4. Create the config necessary for SPO Inventory using the Azure General service (contact an EmpowerID developer for this). Once it is created, copy the config settings ID for reference.
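The Azure side of the procedure above, carried out with the Az PowerShell module instead of the portal, as an added example that is not part of the original EmpowerID page. All resource names and the region are placeholders; portal-only steps on this page (publishing from EmpowerID, the publish profile, the service principal, the .NET Core stack, HTTP version, ARR affinity, debugging and client-certificate settings, and the SPO Inventory config) are left out.

```powershell
# Placeholder names (assumed): replace with your own resource group, region and resource names.
$rg = 'rg-empowerid-spo'; $loc = 'eastus'
$cosmos = 'cosmos-eid-spo'; $stg = 'steidspo01'; $sb = 'sb-eid-spo'
$plan = 'asp-eid-linux'; $app = 'app-eid-azgeneral'; $kv = 'kv-eid-azgeneral'

Connect-AzAccount
New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Cosmos DB account (Core/SQL API; provisioned throughput is the default) with the AzureGeneralService DB and container
New-AzCosmosDBAccount -ResourceGroupName $rg -Name $cosmos -Location $loc -ApiKind Sql | Out-Null
New-AzCosmosDBSqlDatabase -ResourceGroupName $rg -AccountName $cosmos -Name AzureGeneralService | Out-Null
New-AzCosmosDBSqlContainer -ResourceGroupName $rg -AccountName $cosmos -DatabaseName AzureGeneralService `
    -Name AzureGeneralService -PartitionKeyKind Hash -PartitionKeyPath '/id' | Out-Null
$cosmosEndpoint = (Get-AzCosmosDBAccount -ResourceGroupName $rg -Name $cosmos).DocumentEndpoint
$cosmosKey = (Get-AzCosmosDBAccountKey -ResourceGroupName $rg -Name $cosmos -Type Keys).PrimaryMasterKey

# Storage account with the listed transport and access settings; large file shares, ADLS Gen2 and NFS v3 stay off by default
New-AzStorageAccount -ResourceGroupName $rg -Name $stg -Location $loc -Kind StorageV2 -SkuName Standard_RAGRS `
    -AccessTier Hot -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 `
    -AllowBlobPublicAccess $true -AllowSharedKeyAccess $true | Out-Null
$stgKey = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $stg)[0].Value
$storageConn = "DefaultEndpointsProtocol=https;AccountName=$stg;AccountKey=$stgKey;EndpointSuffix=core.windows.net"

# Service Bus namespace on the Basic tier; $storageConn and $sbConn are the connection strings the page says to keep for later
New-AzServiceBusNamespace -ResourceGroupName $rg -Name $sb -Location $loc -SkuName Basic | Out-Null
$sbConn = (Get-AzServiceBusKey -ResourceGroupName $rg -Namespace $sb -Name RootManageSharedAccessKey).PrimaryConnectionString

# Linux plan and the Az General Services app service with a system-assigned managed identity
New-AzAppServicePlan -ResourceGroupName $rg -Name $plan -Location $loc -Tier Basic -Linux | Out-Null
New-AzWebApp -ResourceGroupName $rg -Name $app -Location $loc -AppServicePlan $plan | Out-Null
Set-AzWebApp -ResourceGroupName $rg -Name $app -AssignIdentity $true -AlwaysOn $false `
    -WebSocketsEnabled $false -FtpsState AllAllowed | Out-Null
$principalId = (Get-AzWebApp -ResourceGroupName $rg -Name $app).Identity.PrincipalId

# Key Vault with default settings; the access policy grants exactly the listed permissions, and only to the app's identity
# (access policies apply when the vault uses the "Vault access policy" permission model rather than Azure RBAC)
$vault = New-AzKeyVault -Name $kv -ResourceGroupName $rg -Location $loc
Set-AzKeyVaultAccessPolicy -VaultName $kv -ObjectId $principalId `
    -PermissionsToKeys get,decrypt,unwrapKey,verify -PermissionsToSecrets get,list,set,delete,purge

# App settings from the page; CosmosDbDatabaseId takes the database Id and CosmosDbContainerId the container Id
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings @{
    CosmosDbAuthKey     = $cosmosKey
    CosmosDbContainerId = 'AzureGeneralService'
    CosmosDbDatabaseId  = 'AzureGeneralService'
    CosmosDbEndpoint    = $cosmosEndpoint
    KeyVaultUrl         = $vault.VaultUri
} | Out-Null
```

Set-AzWebApp -AppSettings replaces the app's whole settings collection, so include any settings already present when you run this against an existing app.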

...