The EmpowerID Sharepoint Online microservice is an enterprise-scale, high-security product that can be run on premise or as Software-as-a-Service run by EmpowerID as Web and Application Server containers in the cloud or on premise. As shown below, it is comprised of components common to all EmpowerID connectors with several that are specific to the module. The below image depicts a high-level overview of the Azure deployment model for microservices and includes a breakdown of the components that must be configured in Azure for the SharePoint Online microservice. As can be seen, the tenant needs to be configured for both the EmpowerID SCIM microservice as well as the SharePoint microservice. The EmpowerID SCIM microservice is needed for EmpowerID to connect with the Azure tenant, while the SharePoint Online (SPO) microservice allows EmpowerID to communicate with and inventory SharePoint data.
Configure Azure for the SharePoint Online Microservice
Prerequisites
Before configuring Azure for the SharePoint Online microservice, you need to connect EmpowerID to your Azure tenant. Please see Connecting to Azure AD for the details.
Log in to your Azure tenant as a user with the necessary permissions to configure the above referenced components.
Create a Cosmos DB account.
Create a storage account with the following settings:
Secure transfer required – Enabled
Allow Blob public access – Enabled
Allow storage account key access – Enabled
Minimum TLS version – Version 1.2
Blob access tier (default) – Hot
Large file shares – Disabled
Replication – Read-access geo-redundant storage (RA-GRS)
Azure Active Directory Domain services (Azure AD DS) – Disabled
Data Lake Storage Gen2 – Disabled
NFS v3 – Disabled
Copy the connection string for later use.
Create a service bus with the basic pricing tier and copy the connection string for later use.
Az General Service
Create a Linux app service plan.
Add an app service for the Az General Services microservice to the Linux app service plan with the following general settings:
Stack – .NET
Major version – .NET Core 3
FTP state – All allowed
HTTP version – 1.1
Web sockets – Off
Always on – Off
ARR affinity – Off
Debugging – Off
Client certificate mode – Ignore
Turn on system managed identity for the app service and download the publish profile from the overview blade.
In EmpowerID, publish the Az General Services microservice to Azure.
Create a service principal in Azure active directory with the following settings:
Secret – Create a secret for the service principal and copy the value for later use.
Configure the service principal for Azure AD authentication.
Return to the Cosmos DB account created earlier and create a new container and DB for the AZ General Services microservice with the below settings. The DB will be used by the service to persist data whenever EmpowerID makes a call to the service.
Database Id – AzureGeneralService
Container Id – AzureGeneralService
Partition key – id
Create an Azure Key Vault for the Azure General app service with all the default setting.
Create an access policy for the key vault with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure General service app
Add the following config settings to the Az General service app service:
CosmosDbAuthKey – Primary key of the cosmos db account
CosmosDbContainerId – Container Id that was created in the above steps
CosmosDbCosmosDbEndpoint – URI of Cosmos Db Account
CosmosDbDatabaseId - Container Id that was created in the above steps
KeyVaultUrl – Vault Uri of the Key vault created in the above steps
Create config necessary for SPO Inventory using Azure General service (Contact EpowerID developer for this). Once this is created, copy the config settings ID for reference.
Azure Function app
Create an Azure Function app with the following general configuration settings:
Platform – 32 bit
Managed pipeline version – Integrated
FTP state – All allowed
HTTP version – 1.1
Web sockets – Off
Remote Debugging – Off
Client certificate mode – Ignore
Runtime version – 3
Turn on system managed identity for the app service and download the publish profile from the overview blade.
Open Workflow Studio and from Cloud Explorer, deploy the SharePoint Online Inventory function.
In Azure, create an Azure Key Vault for SPO inventory and store the secret created for the service principal configured earlier. Name the secret AzGeneralServiceAuthSecret.
Create an access policy for the key vault with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure Function app
Add the following config settings to the Azure Function app service:
AzureWebJobsDashboard – Connection string of any storage account in that tenant
AzureWebJobsStorage – Connection string of any storage account in that tenant
AzureGeneralServiceConfigGetByIDUrl – <Azure general service app service Url>/app/config/GetById/>
AzureGeneralServiceAuthVaultUrl – Vault URL of the key vault created in the above step.
AzureGeneralServiceAuthKeyvaultSecretName – The name of the secret that was created in the above step.
AzureGeneralServiceAuthClientID – Client ID of the service principal which is configured for authorization of Azure general app service.
ConfigSettingsID – Config settings ID created earler.
AzureGeneralServiceAuthTenantID – Tenant ID of this tenant
AzureGeneralServiceMultitenantValidateSKeyUrl – <Azure general service app service Url>/app/multitenant/IsSubscriptionValid/
Azure App service for Web jobs
Create an app service with the following settings:
Runtime stack – .Net Core 3.1 Windows
Stack – .NET
.Net version – .NET Core (3.1, 2.1)
Platform – 32 Bit
Managed pipeline version – Integrated
FTP state – All allowed
HTTP Version – 1.1
Web sockets – Off
Always on – On
ARR affinity – On
Remote debugging – Off
Incoming client certificates – Ignore
Scale out the app service for Two instances.
Ensure that the Always on option in the General settings of the app service is enabled.
Turn on system managed identity for the app service and download the publish profile from the overview blade.
Open Workflow Studio and from Cloud Explorer, deploy the following files to Azure:
SPOGetSiteCollectionWebJob.zip (first)
SPOGetTopologyForSiteCollectionsWebJob.zip
Create an access policy in the key vault created earlier with the following settings:
Key permissions
Get
Decrypt
Unwrap
Verify
Secret permissions
Get
List
Set
Delete
Purge
Service principal – Azure Web Jobs app service
Configure the app service with the app config settings created earlier.