Tip |
---|
This article only applies if you are not using EmpowerID SaaS. |
If you are self-hosting EmpowerID (not using EmpowerID SaaS) and want EmpowerID to manage one or more of your SharePoint Online tenants, you need to configure each Azure tenant that has SharePoint with all of the components shown in the image below.
SharePoint Online Azure Components:
Key Vault
Cosmos DB
AzGeneralServices App Service with Managed Identity
Storage Account
Service Bus
Web Jobs App Service with Managed Identity
SPO Functions Function App with Managed Identity
Configure Azure for the SharePoint Online Microservice
Note |
---|
Prerequisites: Before configuring Azure for the SharePoint Online microservice, you need to connect EmpowerID to your Azure tenant. Please see Connecting to Azure AD for the details. |
... one of those tenants as described in this article for EmpowerID to inventory your SharePoint Online (SPO) data. Note that you must also deploy the SharePoint Online microservice in each of your SharePoint tenants, as described in the Deploying the SharePoint Online microservice topics.
Step 1 – Create a CosmosDB account
Create a Cosmos DB account with the following settings:
Account Name – Enter a name for the database account
API – Core (SQL)
Location – Select the appropriate geographic location
Capacity mode – Provisioned throughput
Step 2 – Create a Storage Account
Create a storage account with the following settings:
Secure transfer required – Enabled
Allow Blob public access – Enabled
Allow storage account key access – Enabled
Minimum TLS version – Version 1.2
Blob access tier (default) – Hot
Large file shares – Disabled
Replication – Read-access geo-redundant storage (RA-GRS)
Azure Active Directory Domain services (Azure AD DS) – Disabled
Data Lake Storage Gen2 – Disabled
NFS v3 – Disabled
Copy the connection string for later use.
Step 3 – Create a Service Bus
Create a service bus with the basic pricing tier and copy the connection string for later use.
Step 4 – Create an App Service for the AzGeneralServices Microservice
Create a Linux app service plan.
Add an app service for the AzGeneralServices (Az General Services) microservice to the Linux app service plan with the following general settings:
Stack – .NET
Major version – .NET Core 3
FTP state – All allowed
HTTP version – 1.1
Web sockets – Off
Always on – Off
ARR affinity – Off
Debugging – Off
Client certificate mode – Ignore
Turn on system managed identity for the app service and download the publish profile from the overview blade.
In EmpowerID, publish the AzGeneralServices microservice to Azure.
Create a service principal in Azure active directory with the following settings:
Secret – Create a secret for the service principal and copy the value for later use.
Configure the service principal for Azure AD authentication.
Return to the Cosmos DB account created earlier and create a new database and container for the AzGeneralServices microservice with the settings below. The service uses this database to persist data whenever EmpowerID calls it.
Database Id – AzureGeneralService
Container Id – AzureGeneralService
Partition key – id
Step 5 – Create a Key Vault
Create an Azure Key Vault for the AzGeneralServices app service with all the default settings.
Create an access policy for the key vault with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure General service app
Add the following config settings to the AzGeneralServices app service:
CosmosDbAuthKey – Primary key of the Cosmos DB account
CosmosDbContainerId – Container Id that was created in the above steps
CosmosDbEndpoint – URI of the Cosmos DB account
CosmosDbDatabaseId – Database Id that was created in the above steps
KeyVaultUrl – Vault URI of the Key Vault created in the above steps
Create the config necessary for SPO inventory using the AzGeneralServices service.
Generate a unique GUID and keep it for reference. This Id is called the config settings ID.
Request URL of the AzGeneralServices service to call:
<Azure general service app service url>/app/config/GetById/<unique guid generated above>
The body of the request is shown below; change the details according to the comments. This call adds a new item to the Cosmos DB.
Currently, there is no UI for making this call in EmpowerID; therefore use a tool like Postman to make the call.
```jsonc
{
  "Id": "",                                                      // unique GUID, the same as the one in the request URL
  "SpoStorageConnectionString": "",                              // storage account connection string
  "GetSiteCollectionStorageQueueName": "getsitecollectionqueue", // keep the name as it is
  "GetSiteTopologyStorageQueueName": "getsitetopologyqueue",     // keep the name as it is
  "CosmosDbEndpointUri": "",                                     // URL of the Cosmos DB account
  "CosmosDbPrimaryKey": "",                                      // primary key of the Cosmos DB account
  "CosmosDbDatabaseId": "SPOTenantInventoryDetails",             // keep the name as it is
  "CosmosDbSpoTenantDetailsContainerId": "SPOTenantInventoryDetails", // keep the name as it is
  "CosmosDbTenantSiteDetailsContainerId": "SPOTenantSiteDetails",     // keep the name as it is
  "SpoServiceBusConnectionString": "",                           // connection string of the service bus created earlier
  "SpoServiceBusQueueName": "spoinventorydata",                  // keep the name as it is
  "PushDataBatchSize": "600"                                     // keep the value as it is
}
```
Example request:
```jsonc
{
  "Id": "5d7736a6-9631-43b9-8aa2-29532e871180", // unique GUID, the same as the one in the request URL
  "SpoStorageConnectionString": "DefaultEndpointsProtocol=https;AccountName=spoinventorystorage;AccountKey=LfnSj8q4h93re0mFusGnS2pu9bJHQRfCOyOng5jRbGRK9lH7CRsVCV6rnYiVwzEXSGHiwe9rmSw3gEI3WuTfyw==;EndpointSuffix=core.windows.net", // storage account connection string
  "GetSiteCollectionStorageQueueName": "getsitecollectionqueue", // keep the name as it is
  "GetSiteTopologyStorageQueueName": "getsitetopologyqueue",     // keep the name as it is
  "CosmosDbEndpointUri": "https://spoinventoryaccount.documents.azure.com:443/", // URL of the Cosmos DB account
  "CosmosDbPrimaryKey": "DXWh7C1vPWADrKCgkDNMksDvPFeXNOSG9AHYE6dZfMjxfLahRQr8wVrPVpnSUResPWAgspKMu7NsAuQajeQmRw==", // primary key of the Cosmos DB account
  "CosmosDbDatabaseId": "SPOTenantInventoryDetails",             // keep the name as it is
  "CosmosDbSpoTenantDetailsContainerId": "SPOTenantInventoryDetails", // keep the name as it is
  "CosmosDbTenantSiteDetailsContainerId": "SPOTenantSiteDetails",     // keep the name as it is
  "SpoServiceBusConnectionString": "Endpoint=sb://spoinventoryservicebus.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=9yi9kM/Gbq7x9hm65UGhgmgGsn8+6hW8gcDv7wThgdM=", // connection string of the service bus created earlier
  "SpoServiceBusQueueName": "spoinventorydata",                  // keep the name as it is
  "PushDataBatchSize": "600"                                     // keep the value as it is
}
```
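The config call above, as an added example that is not EmpowerID's own code: it assembles the request body from environment variables (the variable names are constructed for this example), rejects empty or malformed per-tenant values, pins the fields the page says to keep unchanged, and sends the body. The POST method and Bearer authorization header are assumptions; the page gives only the URL and body.

```python
"""Build and validate the SPO inventory config body for the AzGeneralServices service.
Added example, not EmpowerID's code: env-var names are constructed, and the POST
method and Bearer header are assumptions (the page gives only the URL and body)."""
import json
import uuid
import urllib.request

# Values the page says to keep exactly as they are.
FIXED = {
    "GetSiteCollectionStorageQueueName": "getsitecollectionqueue",
    "GetSiteTopologyStorageQueueName": "getsitetopologyqueue",
    "CosmosDbDatabaseId": "SPOTenantInventoryDetails",
    "CosmosDbSpoTenantDetailsContainerId": "SPOTenantInventoryDetails",
    "CosmosDbTenantSiteDetailsContainerId": "SPOTenantSiteDetails",
    "SpoServiceBusQueueName": "spoinventorydata",
    "PushDataBatchSize": "600",
}
# Per-tenant secrets, read from the environment so they never sit in a file.
SECRET_FIELDS = {
    "SpoStorageConnectionString": "SPO_STORAGE_CONNECTION_STRING",
    "CosmosDbEndpointUri": "SPO_COSMOS_ENDPOINT",
    "CosmosDbPrimaryKey": "SPO_COSMOS_PRIMARY_KEY",
    "SpoServiceBusConnectionString": "SPO_SERVICEBUS_CONNECTION_STRING",
}

def build_config(config_settings_id, env):
    """Return the request body; raise ValueError on a missing or malformed value."""
    uuid.UUID(config_settings_id)  # the Id in the body must equal the GUID in the URL
    body = {"Id": config_settings_id}
    for field, env_name in SECRET_FIELDS.items():
        value = env.get(env_name, "").strip()
        if not value:
            raise ValueError(f"{field} is empty; set {env_name}")
        body[field] = value
    if not body["CosmosDbEndpointUri"].startswith("https://"):
        raise ValueError("CosmosDbEndpointUri must be an https:// URL")
    if "AccountKey=" not in body["SpoStorageConnectionString"]:
        raise ValueError("SpoStorageConnectionString has no AccountKey")
    body.update(FIXED)  # then the values the page says to keep as they are
    return body

def push_config(base_url, config_settings_id, body, bearer_token):
    """POST the body to <base>/app/config/GetById/<id>; returns the HTTP status."""
    url = f"{base_url.rstrip('/')}/app/config/GetById/{config_settings_id}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```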
Step 6 – Create an Azure Function app
Create an Azure Function app with the following general configuration settings:
Runtime stack – .NET Core 3.1
Platform – 32 bit
Managed pipeline version – Integrated
FTP state – All allowed
HTTP version – 1.1
Web sockets – Off
Remote Debugging – Off
Client certificate mode – Ignore
Runtime version – 3
Turn on system managed identity for the app service and download the publish profile from the overview blade.
Open Workflow Studio and from Cloud Explorer, deploy the SharePoint Online Inventory function.
In EmpowerID, do the following to publish the Azure Function to Azure:
Navigate to Azure License Manager > Configuration > Tenants Tab and click the Publish Azure App Service action to start the AzPublishMsAppToAppService workflow.
For Application Type, select Azure Functions and click Submit.
Search for and select SPO Inventory Functions and click Submit.
Select the publish profile file for the Function app you downloaded from Azure and then click Submit.
Confirm that you want to publish the function.
Click OK to close the publish message.
In Azure, create an Azure Key Vault for SPO inventory and store the secret created for the service principal configured earlier. Name the secret AzGeneralServiceAuthSecret.
Create an access policy for the key vault with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure Function app
Add the following config settings to the Azure Function app service:
AzureWebJobsDashboard – Connection string of any storage account in that tenant
AzureWebJobsStorage – Connection string of any storage account in that tenant
AzureGeneralServiceConfigGetByIDUrl – <Azure general service app service Url>/app/config/GetById/
AzureGeneralServiceAuthVaultUrl – Vault URL of the key vault created in the above step.
AzureGeneralServiceAuthKeyvaultSecretName – The name of the secret that was created in the above step.
AzureGeneralServiceAuthClientID – Client ID of the service principal which is configured for authorization of Azure general app service.
ConfigSettingsID – Config settings ID created earlier.
AzureGeneralServiceAuthTenantID – Tenant ID of this tenant
AzureGeneralServiceMultitenantValidateSKeyUrl – <Azure general service app service Url>/app/multitenant/IsSubscriptionValid/
Step 7 – Create an Azure App service for Web jobs
Create an app service with the following settings:
Runtime stack – .NET Core 3.1 (Windows)
Stack – .NET
.NET version – .NET Core (3.1, 2.1)
Platform – 32 Bit
Managed pipeline version – Integrated
FTP state – All allowed
HTTP Version – 1.1
Web sockets – Off
Always on – On
ARR affinity – On
Remote debugging – Off
Incoming client certificates – Ignore
Scale out the app service to two instances.
Ensure that the Always on option in the General settings of the app service is enabled.
Turn on system managed identity for the app service and download the publish profile from the overview blade.
Open Workflow Studio and from Cloud Explorer, deploy the following files to Azure:
SPOGetSiteCollectionWebJob.zip (first)
SPOGetTopologyForSiteCollectionsWebJob.zip
Create an access policy in the key vault created earlier in step 5 above with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure Web Jobs app service
Configure the app service with the app config settings created earlier in step 6.
Additionally, add the following two settings to the app config.
Name | Value |
---|---|
GetSiteCollectionQueue | getsitecollectionqueue |
GetSiteTopologyQueue | getsitetopologyqueue |