The EmpowerID Sharepoint Online microservice is an enterprise-scale, high-security product that can be run on premise or as Software-as-a-Service run by EmpowerID as Web and Application Server containers in the cloud or on premise. As shown below, it is comprised of components common to all EmpowerID connectors with several that are specific to the module. The below image depicts a high-level overview of the Azure deployment model for microservices and includes a breakdown of the components that must be configured in Azure for the SharePoint Online microservice. As can be seen, the tenant needs to be configured for both the EmpowerID SCIM microservice as well as the SharePoint microservice. The EmpowerID SCIM microservice is needed for EmpowerID to connect with the Azure tenant, while the SharePoint Online (SPO) microservice allows EmpowerID to communicate with and inventory SharePoint data.
If you are self-hosting EmpowerID and want EmpowerID to manage your SharePoint online, you need to configure each Azure tenant that has SharePoint with the all of the components shown in the below image. An explanation of the , to deploy the SharePoint Online microservice to Azure, you must first configure Azure with the components shown in the below image.
...
SharePoint Online Azure Component | Purpose |
---|---|
Key Vault | |
Cosmo DB | |
Az General Service App Service with Managed Identity | |
Storage Account | |
Service Bus | |
Web Jobs App Service with Managed Identity | |
SPO Functions Function App with Managed Identity |
Configure Azure for the SharePoint Online Microservice
Note |
---|
Prerequisites Before configuring Azure for the SharePoint Online microservice, you need to connect EmpowerID to your Azure tenant. Please see Connecting to Azure AD for the details. |
...
Log in to your Azure tenant as a user with the necessary permissions to configure the above referenced components.
...
CosmosDB
Create a Cosmos DB account with the following settings:
Account Name — Enter a name for database account
API — Core (SQL)
Location — Selectthe appropriate geographic location
Capacity mode — Provisioned throughput
Storage Account
Create a storage account with the following settings:
Secure transfer required – Enabled
Allow Blob public access – Enabled
Allow storage account key access – Enabled
Minimum TLS version – Version 1.2
Blob access tier (default) – Hot
Large file shares – Disabled
Replication – Read-access geo-redundant storage (RA-GRS)
Azure Active Directory Domain services (Azure AD DS) – Disabled
Data Lake Storage Gen2 – Disabled
NFS v3 – Disabled
Copy the connection string for later use.
Service Bus
Create a service bus with the basic pricing tier and copy the connection string for later use.
...
Create a Linux app service plan.
Add an app service for the Az General Services microservice to the Linux app service plan with the following general settings:
Stack – .NET
Major version – .NET Core 3
FTP state – All allowed
HTTP version – 1.1
Web sockets – Off
Always on – Off
ARR affinity – Off
Debugging – Off
Client certificate mode – Ignore
Turn on system managed identity for the app service and download the publish profile from the overview blade.
In EmpowerID, publish the Az General Services microservice to Azure.
Create a service principal in Azure active directory with the following settings:
Secret – Create a secret for the service principal and copy the value for later use.
Configure the service principal for Azure AD authentication.
Return to the Cosmos DB account created earlier and create a new container and DB for the AZ General Services microservice with the below settings. The DB will be used by the service to persist data whenever EmpowerID makes a call to the service.
Database Id – AzureGeneralService
Container Id – AzureGeneralService
Partition key – id
Key Vault
Create an Azure Key Vault for the Azure General app service with all the default setting.
Create an access policy for the key vault with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure General service app
Add the following config settings to the Az General service app service:
CosmosDbAuthKey – Primary key of the cosmos db account
CosmosDbContainerId – Container Id that was created in the above steps
CosmosDbCosmosDbEndpoint CosmosDbEndpoint – URI of Cosmos Db Accountdb account
CosmosDbDatabaseId - Container Id that was created in the above steps
KeyVaultUrl – Vault Uri of the Key vault created in the above steps
Create config necessary for SPO Inventory using Azure General service (Contact EpowerID contact EmpowerID developer for this). Once this is created, copy the config settings ID for reference.
...