If you are self-hosting EmpowerID and want EmpowerID to manage one or more SharePoint Online tenants, you need to configure each Azure tenant that has SharePoint with all of the components shown in the image below.

...

SharePoint Online Azure Components and Their Purpose

Key Vault

  • Stores certificate and access policy information to allow the SPO microservice to call SharePoint endpoints

Cosmos DB

  • Stores SPO and the SPO site collection information

  • Tracks inventory objects per schedule

  • Stores configuration needed by the SPO app service

  • Used by the AzGeneralService app service to persist data each time a call is made to the service

Az General Service App Service with Managed Identity

  • Stores configuration settings needed by SPO functions

Storage Account

  • Stores SharePoint topology information

  • Retrieves data from the SPO microservice to update the Cosmos DB

  • Creates an execution runtime job record in EmpowerID with status

Service Bus

  • Queue stores differential data to be sent to EmpowerID

Web Jobs App Service with Managed Identity

  • Claims site collections to process

SPO Functions Function App with Managed Identity

  • Claims inventory

  • Retrieves configuration data from AzGeneralService App Service

  • Inserts new records in Cosmos DB for site collections created in EmpowerID

  • Retrieves data from Cosmos DB to show in EmpowerID

  • Compares information in

  • Processes queue data and sends it to EmpowerID

Configure Azure for the SharePoint Online Microservice

...

  1. Create an Azure Function app with the following general configuration settings:

    • Runtime stack – .NET Core 3.1

    • Platform – 32 bit

    • Managed pipeline version – Integrated

    • FTP state – All allowed

    • HTTP version – 1.1

    • Web sockets – Off

    • Remote Debugging – Off

    • Client certificate mode – Ignore

    • Runtime version – 3

  2. Turn on system-assigned managed identity for the app service and download the publish profile from the Overview blade.

  3. Open Workflow Studio and from Cloud Explorer, deploy the SharePoint Online Inventory function.

  4. In Azure, create an Azure Key Vault for SPO inventory and store the secret created for the service principal configured earlier. Name the secret AzGeneralServiceAuthSecret.

  5. Create an access policy for the key vault with the following settings:

    • Key permissions

      • Get

      • Decrypt

      • Unwrap

      • Verify

    • Secret permissions

      • Get

      • List

      • Set

      • Delete

      • Purge

    • Service principal – Azure Function app

  6. Add the following config settings to the Azure Function app service:

    • AzureWebJobsDashboard – Connection string of any storage account in that tenant

    • AzureWebJobsStorage – Connection string of any storage account in that tenant

    • AzureGeneralServiceConfigGetByIDUrl – <Azure general service app service URL>/app/config/GetById/

    • AzureGeneralServiceAuthVaultUrl – Vault URL of the key vault created in step 4.

    • AzureGeneralServiceAuthKeyvaultSecretName – The name of the secret created in step 4 (AzGeneralServiceAuthSecret).

    • AzureGeneralServiceAuthClientID – Client ID of the service principal configured for authorization of the Azure General Service app service.

    • ConfigSettingsID – Config settings ID created earlier.

    • AzureGeneralServiceAuthTenantID – Tenant ID of this tenant

    • AzureGeneralServiceMultitenantValidateSKeyUrl – <Azure general service app service URL>/app/multitenant/IsSubscriptionValid/
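Steps 4 to 6 are where mistyped setting names and over-broad vault permissions usually creep in, so the following added Python check (not EmpowerID's code) validates the output of `az functionapp config appsettings list` and `az keyvault show` against the setting names and access-policy permissions listed above. The sample input is constructed, and its URLs and IDs are placeholders.

```python
from urllib.parse import urlparse

# App settings required by step 6; URL-valued settings map to the path they must end with.
REQUIRED_SETTINGS = {
    "AzureWebJobsDashboard": None, "AzureWebJobsStorage": None, "ConfigSettingsID": None,
    "AzureGeneralServiceAuthKeyvaultSecretName": None, "AzureGeneralServiceAuthClientID": None,
    "AzureGeneralServiceAuthTenantID": None, "AzureGeneralServiceAuthVaultUrl": "/",
    "AzureGeneralServiceConfigGetByIDUrl": "/app/config/GetById/",
    "AzureGeneralServiceMultitenantValidateSKeyUrl": "/app/multitenant/IsSubscriptionValid/",
}
# Access policy required by step 5, in CLI spelling (the portal labels "unwrapKey" as "Unwrap Key").
REQUIRED_PERMS = {"keys": {"get", "decrypt", "unwrapkey", "verify"},
                  "secrets": {"get", "list", "set", "delete", "purge"}}
def check_app_settings(settings):
    """Return problems found in `az functionapp config appsettings list` output (empty list = OK)."""
    values = {s["name"]: s.get("value") or "" for s in settings}
    problems = [f"missing setting {n}" for n in REQUIRED_SETTINGS if not values.get(n)]
    for name, path in REQUIRED_SETTINGS.items():
        if path is None or not values.get(name):
            continue  # not a URL setting, or already reported as missing
        url = urlparse(values[name])
        if url.scheme != "https":
            problems.append(f"{name} must use https")
        if not url.path.endswith(path):
            problems.append(f"{name} should end with {path}")
        if "Vault" in name and not (url.hostname or "").endswith(".vault.azure.net"):
            problems.append(f"{name} does not point at a Key Vault")
    return problems

def check_access_policy(vault, principal_id):
    """Compare the `az keyvault show` policy for the function app's identity with step 5."""
    policy = next((p for p in vault["properties"]["accessPolicies"] if p["objectId"] == principal_id), None)
    if policy is None:
        return [f"no access policy for principal {principal_id}"]
    problems = []
    for kind, required in REQUIRED_PERMS.items():
        granted = {p.lower() for p in policy["permissions"].get(kind) or []}
        problems += [f"{kind}: missing {p}" for p in sorted(required - granted)]
        problems += [f"{kind}: {p} exceeds step 5" for p in sorted(granted - required)]
    return problems
SAMPLE_SETTINGS = [{"name": n, "value": v} for n, v in {  # constructed, shaped like the CLI output
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=spoinv;AccountKey=<placeholder>",
    "AzureGeneralServiceConfigGetByIDUrl": "https://azgeneral.example.azurewebsites.net/app/config/GetById/",
    "AzureGeneralServiceAuthVaultUrl": "http://spo-inventory-kv.vault.azure.net/",  # plain http: gets flagged
    "AzureGeneralServiceAuthKeyvaultSecretName": "AzGeneralServiceAuthSecret",
    "AzureGeneralServiceAuthClientID": "<client-id>", "ConfigSettingsID": "<config-id>", "AzureGeneralServiceAuthTenantID": "<tenant-id>",
    "AzureGeneralServiceMultitenantValidateSKeyUrl": "https://azgeneral.example.azurewebsites.net/app/multitenant/IsSubscriptionValid/",
}.items()]  # AzureWebJobsDashboard is deliberately left out so the check reports it
SAMPLE_VAULT = {"properties": {"accessPolicies": [{"objectId": "<function-app-principal-id>", "permissions": {
    "keys": ["Get", "Decrypt", "UnwrapKey", "Verify"], "secrets": ["Get", "List", "Set", "Delete", "Purge", "Backup"]}}]}}
```

Run both checks against the real CLI output (`az functionapp config appsettings list -g <rg> -n <app> -o json`, `az keyvault show -n <vault> -o json`) after step 6; an empty list from each means the configuration matches the steps above.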

...