Overview of SharePoint Online Connector
The SharePoint Online (SPO) connector contains multiple Azure services, including microservices, web jobs and Azure functions, used for inventorying and managing SharePoint Online in EmpowerID. Inventoried information includes SPO site collections, user profiles, webs, groups, roles, role assignments and group membership. This information can be managed in EmpowerID, and it can also be managed and synchronized with data in any connected back-end user directories.
Supported Features and Attribute Mappings
User Profile Management
Inventory user profiles
Edit user profiles
Bi-directional synchronization of SharePoint user profiles and EmpowerID Person attributes
Groups Management
Inventory SharePoint groups
Add users and groups to SharePoint groups
Remove users and groups from SharePoint groups
Roles
Inventory SharePoint roles / permissions
Inventory SharePoint role assignments of users and groups to SharePoint resources
Webs
Inventory SharePoint webs
Site Collections
Inventory SharePoint site collections
User Profile Attribute Flow
The default SharePoint profile properties that EmpowerID can synchronize, and the naming convention used for them, are shown in the table below. Custom attributes can be added as needed.
Azure Components Required by the SharePoint Online Microservice
Key to the SharePoint Online connector is the SharePoint Online (SPO) microservice, which communicates with EmpowerID and your SharePoint tenant to let you collect and manage your SharePoint data in EmpowerID. To do so, the microservice needs to be deployed to each SharePoint tenant, and each of those tenants needs to be configured with additional Azure components. The number of components needed differs depending on whether you are self-hosting EmpowerID or using EmpowerID SaaS.
Azure Components for Self-hosting EmpowerID
If you are not using EmpowerID SaaS and want EmpowerID to manage one or more of your SharePoint tenants, you need to configure one of those tenants with all of the components shown on the “EmpowerID side” (left) of Figure 1. These components are necessary to inventory SharePoint. In addition to these, you also need to configure each SharePoint tenant to be managed by EmpowerID with all of the components shown on the “Self-hosted” side of Figure 1. The only exception to this is the Azure AD SCIM app service, which only needs to be set up once within Azure.
All of the components shown on the EmpowerID side of the image are required whether you are self-hosting EmpowerID or using EmpowerID SaaS. The only difference is that when using EmpowerID SaaS, you do not need to set up these components yourself; EmpowerID takes care of that for you.
Figure 1 below depicts the Azure components you need to configure when self-hosting EmpowerID. The purpose of each component is described in the table that follows the figure.
Table 1: Azure Components you need to configure when self-hosting EmpowerID
Azure Component | Purpose |
---|---|
Key Vault | |
Cosmos DB | |
Az General Service App Service with Managed Identity | |
Storage Account | |
Service Bus | |
Web Jobs App Service with Managed Identity | |
SPO Functions Function App with Managed Identity | |
Azure Components Required for each SharePoint Tenant
Azure Component | Purpose |
---|---|
Service Principal application 1 | |
Service Principal application 2 | |
App Service | |
Key Vault | |
Cosmos DB | |
Function App | |
Azure AD SCIM Microservice | |
Azure Components Required for EmpowerID SaaS
If you are taking advantage of EmpowerID SaaS, the components you need to configure in Azure are minimal, as EmpowerID configures everything needed to inventory SharePoint (represented by the grayed-out components on the left side of Figure 2 below). As a SaaS customer, you only need to configure the components shown on the right side of the figure. If you are using EmpowerID to manage more than one SharePoint tenant, you need to configure these components for each of those tenants.
Table 2: Azure Components you need to configure when using EmpowerID SaaS
Azure Component | Purpose |
---|---|
Service Principal application 1 | |
Service Principal application 2 | |
App Service | |
Key Vault | |
Cosmos DB | |
Function App | |
Azure AD SCIM Microservice | |
EmpowerID Items to Deploy
The SharePoint Online connector includes several components that you need to deploy to Azure from EmpowerID. These components and their related files are listed in the table below.
EmpowerID Component | File |
---|---|
AzGeneralService Microservice | AzGeneralServices_MicroserviceV3.zip |
Next steps
Register Service Principal for App Service Authentication
Register Service Principal with SharePoint API Permissions
Create an app service for the SharePoint Online Microservice
Provision a Cosmos DB Account for SharePoint Online
Create a Function app to Update User Profiles
Add application settings to the app service
Add Secret to Key Vault in EmpowerID Tenant
Publish the SharePoint Online Microservice
Configuration of SharePoint Online Inventory - Not Applicable if using EmpowerID SaaS
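The next steps above outline the per-tenant provisioning sequence (app service for the microservice, Cosmos DB account, function app, application settings, secret in Key Vault). The following Azure CLI script is an added example written for this page and is not EmpowerID's own deployment tooling. It provisions the per-tenant components from Table 2 with system-assigned managed identities, stores the service principal's client secret in Key Vault, grants each identity read-only access to secrets (the built-in "Key Vault Secrets User" role rather than a broad administrator grant), and points an app setting at the secret through a Key Vault reference so the secret never sits in plain text in the app configuration. The resource group, region, all resource names, the `SpoClientSecret` setting name, the function runtime and the secret file path are assumptions to adjust for your tenant; registering the service principals and granting SharePoint API permissions is left to the linked steps.

```shell
#!/usr/bin/env sh
# Added example (not EmpowerID's deployment script). Provisions the per-tenant
# Azure components for the SharePoint Online microservice with least-privilege
# access to Key Vault. DRY_RUN=1 (default) only prints the az commands;
# DRY_RUN=0 executes them against the signed-in subscription.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-spo-connector}"              # assumed resource group
LOC="${LOC:-westeurope}"                  # assumed region
KV="${KV:-kv-spo-connector}"              # assumed Key Vault name (must be globally unique)
PLAN="${PLAN:-plan-spo-connector}"        # assumed App Service plan
APP="${APP:-app-spo-microservice}"        # assumed App Service hosting the SPO microservice
COSMOS="${COSMOS:-cosmos-spo-connector}"  # assumed Cosmos DB account
STORAGE="${STORAGE:-stspoconnector}"      # assumed storage account backing the Function App
FUNC="${FUNC:-func-spo-profiles}"         # assumed Function App that updates user profiles
FUNC_RUNTIME="${FUNC_RUNTIME:-dotnet-isolated}"  # assumption; match the EmpowerID function package
SECRET_NAME="${SECRET_NAME:-spo-sp-client-secret}"
SECRET_FILE="${SECRET_FILE:-./spo-client-secret.txt}"  # file holding the SP client secret; keep out of source control

# Runs an az command, or prints it in dry-run mode.
run() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }
# Captures a queried value; returns a labelled placeholder in dry-run mode.
capture() { if [ "$DRY_RUN" = "1" ]; then echo "<$1>"; else shift; az "$@"; fi; }

# Read-only secret access for a managed identity. "Key Vault Administrator"
# (or an access policy with all secret permissions) would let a compromised
# app rotate or delete every secret in the vault; this role only allows reads.
grant_secret_reader() {  # $1 = principalId of the identity, $2 = vault resource id
  run role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$2"
}

# App setting value that App Service resolves from Key Vault at runtime,
# so the client secret is not stored in the app configuration itself.
kv_secret_reference() {  # $1 = vault name, $2 = secret name
  echo "@Microsoft.KeyVault(SecretUri=https://$1.vault.azure.net/secrets/$2)"
}

provision() {
  run group create --name "$RG" --location "$LOC"

  # Key Vault in RBAC mode: access comes from role assignments, not vault policies.
  run keyvault create --name "$KV" --resource-group "$RG" --location "$LOC" \
    --enable-rbac-authorization true
  KV_ID="$(capture kv_resource_id keyvault show --name "$KV" --query id -o tsv)"

  # App Service for the SPO microservice with a system-assigned managed identity.
  run appservice plan create --name "$PLAN" --resource-group "$RG" --sku B1
  run webapp create --name "$APP" --resource-group "$RG" --plan "$PLAN"
  APP_PID="$(capture app_principal_id webapp identity assign --name "$APP" \
    --resource-group "$RG" --query principalId -o tsv)"
  grant_secret_reader "$APP_PID" "$KV_ID"

  # Cosmos DB account used by the microservice.
  run cosmosdb create --name "$COSMOS" --resource-group "$RG"

  # Function App (user profile updates) with its own identity and the same read-only grant.
  run storage account create --name "$STORAGE" --resource-group "$RG" --sku Standard_LRS
  run functionapp create --name "$FUNC" --resource-group "$RG" \
    --storage-account "$STORAGE" --consumption-plan-location "$LOC" \
    --runtime "$FUNC_RUNTIME" --functions-version 4
  FUNC_PID="$(capture func_principal_id functionapp identity assign --name "$FUNC" \
    --resource-group "$RG" --query principalId -o tsv)"
  grant_secret_reader "$FUNC_PID" "$KV_ID"

  # Store the service principal's client secret from a file (not as a literal
  # on the command line, which would be visible in the process list and shell
  # history), then reference it from the app settings.
  run keyvault secret set --vault-name "$KV" --name "$SECRET_NAME" --file "$SECRET_FILE"
  run webapp config appsettings set --name "$APP" --resource-group "$RG" \
    --settings "SpoClientSecret=$(kv_secret_reference "$KV" "$SECRET_NAME")"
}

provision
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` after `az login` to apply them. Repeat per managed SharePoint tenant, as the page requires, and verify afterwards with `az role assignment list --scope <vault id>` that each identity holds only the secrets-reader role.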