If you are self-hosting EmpowerID and want EmpowerID to manage your one or more SharePoint onlinetenants, you need to configure each an Azure tenant that has SharePoint with the all of the components shown in the below image.
...
SharePoint Online Azure Component | Purpose |
---|---|
Key Vault |
|
Cosmo DB |
|
Az General Service App Service with Managed Identity |
|
Storage Account |
|
Service Bus |
|
Web Jobs App Service with Managed Identity |
|
SPO Functions Function App with Managed Identity |
|
Configure Azure for the SharePoint Online Microservice
...
Create an Azure Function app with the following general configuration settings: Select .NET Core 3.1 as the runtime stack
Platform – 32 bit
Managed pipeline version – Integrated
FTP state – All allowed
HTTP version – 1.1
Web sockets – Off
Remote Debugging – Off
Client certificate mode – Ignore
Runtime version – 3
Turn on system managed identity for the app service and download the publish profile from the overview blade.
Open Workflow Studio and from Cloud Explorer, deploy the SharePoint Online Inventory function.
In Azure, create an Azure Key Vault for SPO inventory and store the secret created for the service principal configured earlier. Name the secret AzGeneralServiceAuthSecret.
Create an access policy for the key vault with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure Function app
Add the following config settings to the Azure Function app service:
AzureWebJobsDashboard – Connection string of any storage account in that tenant
AzureWebJobsStorage – Connection string of any storage account in that tenant
AzureGeneralServiceConfigGetByIDUrl – <Azure general service app service Url>/app/config/GetById/>
AzureGeneralServiceAuthVaultUrl – Vault URL of the key vault created in the above step.
AzureGeneralServiceAuthKeyvaultSecretName – The name of the secret that was created in the above step.
AzureGeneralServiceAuthClientID – Client ID of the service principal which is configured for authorization of Azure general app service.
ConfigSettingsID – Config settings ID created earler.
AzureGeneralServiceAuthTenantID – Tenant ID of this tenant
AzureGeneralServiceMultitenantValidateSKeyUrl – <Azure general service app service Url>/app/multitenant/IsSubscriptionValid/
...