You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


EmpowerID Self-Hosted Deployment of the SharePoint Online Microservice



Version 6 of this page.

If you are self-hosting EmpowerID and want EmpowerID to manage your SharePoint Online, you need to configure each Azure tenant that has SharePoint with all of the components listed below.

SharePoint Online Azure Components

  • Key Vault

  • Cosmos DB

  • Az General Service App Service with Managed Identity

  • Storage Account

  • Service Bus

  • Web Jobs App Service with Managed Identity

  • SPO Functions Function App with Managed Identity

Configure Azure for the SharePoint Online Microservice

Prerequisites

Before configuring Azure for the SharePoint Online microservice, you need to connect EmpowerID to your Azure tenant. Please see Connecting to Azure AD for the details.

CosmosDB

  1. Create a Cosmos DB account with the following settings:

    • Account Name — Enter a name for the database account

    • API — Core (SQL)

    • Location — Select the appropriate geographic location

    • Capacity mode — Provisioned throughput

Storage Account

  1. Create a storage account with the following settings:

    • Secure transfer required – Enabled

    • Allow Blob public access – Enabled

    • Allow storage account key access – Enabled

    • Minimum TLS version – Version 1.2

    • Blob access tier (default) – Hot

    • Large file shares – Disabled

    • Replication – Read-access geo-redundant storage (RA-GRS)

    • Azure Active Directory Domain services (Azure AD DS) – Disabled

    • Data Lake Storage Gen2 – Disabled

    • NFS v3 – Disabled

  2. Copy the connection string for later use.
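The storage account settings above are easy to get wrong in the portal and easy to drift later (the TLS floor is the one most often lowered). The following check is an added example, not part of this guide or of EmpowerID: it compares the properties of an existing account with the list above. The field names it reads are an assumption drawn from the JSON that `az storage account show --name <account> --output json` prints, so confirm them against your CLI version; the sample output embedded at the bottom is constructed.

```python
import json

# Settings this guide requires, keyed by the field names in the JSON that
# `az storage account show --name <account> --output json` prints (field names
# are an assumption drawn from the Azure CLI output; check them against your CLI version).
REQUIRED_FIELDS = {
    "enableHttpsTrafficOnly": True,       # Secure transfer required - Enabled
    "allowBlobPublicAccess": True,        # Allow Blob public access - Enabled
    "allowSharedKeyAccess": True,         # Allow storage account key access - Enabled
    "minimumTlsVersion": "TLS1_2",        # Minimum TLS version - 1.2
    "accessTier": "Hot",                  # Blob access tier (default) - Hot
    "largeFileSharesState": "Disabled",   # Large file shares - Disabled
    "isHnsEnabled": False,                # Data Lake Storage Gen2 - Disabled
    "enableNfsV3": False,                 # NFS v3 - Disabled
}
REQUIRED_SKU = "Standard_RAGRS"           # Replication - RA-GRS

# The CLI prints null for properties that were never set explicitly; null then
# means the platform default, which for these three is the required value.
NULL_DEFAULTS = {"allowSharedKeyAccess": True, "largeFileSharesState": "Disabled", "enableNfsV3": False}


def check_storage_account(account: dict) -> list:
    """Compare one account's properties with the guide; return the deviations found."""
    problems = []
    for field, expected in REQUIRED_FIELDS.items():
        actual = account.get(field)
        if actual is None and field in NULL_DEFAULTS:
            actual = NULL_DEFAULTS[field]
        if actual != expected:
            problems.append(f"{field}: expected {expected!r}, found {actual!r}")
    sku = (account.get("sku") or {}).get("name")
    if sku != REQUIRED_SKU:
        problems.append(f"sku.name: expected {REQUIRED_SKU!r}, found {sku!r}")
    # Azure AD DS for Azure Files - Disabled: the identity-based-auth block is
    # null, or its directoryServiceOptions is "None", when it is off.
    files_auth = account.get("azureFilesIdentityBasedAuthentication") or {}
    if files_auth.get("directoryServiceOptions") not in (None, "None"):
        problems.append(
            f"azureFilesIdentityBasedAuthentication: expected off, found {files_auth['directoryServiceOptions']!r}"
        )
    return problems


def check_storage_account_json(cli_output: str) -> list:
    """Convenience wrapper for the raw text of the az command."""
    return check_storage_account(json.loads(cli_output))


# Constructed sample resembling the CLI output; the TLS floor here is set too low.
SAMPLE_CLI_OUTPUT = """{
  "name": "spoinventorystorage",
  "accessTier": "Hot",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": null,
  "azureFilesIdentityBasedAuthentication": null,
  "enableHttpsTrafficOnly": true,
  "enableNfsV3": null,
  "isHnsEnabled": false,
  "largeFileSharesState": null,
  "minimumTlsVersion": "TLS1_0",
  "sku": {"name": "Standard_RAGRS", "tier": "Standard"}
}"""

if __name__ == "__main__":
    for problem in check_storage_account_json(SAMPLE_CLI_OUTPUT):
        print(problem)
```

Pipe the real command output into `check_storage_account_json` after creating the account, and again on a schedule: an empty list means the account still matches the list above.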

Service Bus

  1. Create a service bus with the Basic pricing tier and copy the connection string for later use.

Az General Service

  1. Create a Linux app service plan.

  2. Add an app service for the Az General Services microservice to the Linux app service plan with the following general settings:

    • Stack – .NET

    • Major version – .NET Core 3

    • FTP state – All allowed

    • HTTP version – 1.1

    • Web sockets – Off

    • Always on – Off

    • ARR affinity – Off

    • Debugging – Off

    • Client certificate mode – Ignore

  3. Turn on system managed identity for the app service and download the publish profile from the overview blade.

  4. In EmpowerID, publish the Az General Services microservice to Azure.

  5. Create a service principal in Azure Active Directory with the following settings:

    • Secret – Create a secret for the service principal and copy the value for later use.

    • Configure the service principal for Azure AD authentication.

  6. Return to the Cosmos DB account created earlier and create a new database and container for the Az General Services microservice with the settings below. The database is used by the service to persist data whenever EmpowerID calls the service.

    • Database Id – AzureGeneralService

    • Container Id – AzureGeneralService

    • Partition key – id

Key Vault

  1. Create an Azure Key Vault for the Azure General app service with all the default settings.

  2. Create an access policy for the key vault with the following settings:

    • Key permissions

      • Get

      • Decrypt

      • Unwrap

      • Verify

    • Secret permissions

      • Get

      • List

      • Set

      • Delete

      • Purge

    • Service principal – Azure General service app

  3. Add the following config settings to the Az General service app service:

    • CosmosDbAuthKey – Primary key of the cosmos db account

    • CosmosDbContainerId – Container Id that was created in the above steps

    • CosmosDbEndpoint – URI of Cosmos db account

    • CosmosDbDatabaseId – Database Id that was created in the above steps (AzureGeneralService)

    • KeyVaultUrl – Vault Uri of the Key vault created in the above steps

  4. Create the configuration that the SPO Inventory function needs by calling the Azure General service:

    • Generate a unique GUID and keep it for reference. This Id is referred to as the config settings Id in later steps.

    • Request URL of the Azure General service to call: <Azure general service app service url>/app/config/GetById/<unique guid generated above>

    • The body of the request is shown below – change the details according to the comments:

      {
        "Id":"", // unique GUID, the same as the one in the request URL
        "SpoStorageConnectionString":"", // storage account connection string
        "GetSiteCollectionStorageQueueName":"getsitecollectionqueue", // keep the name as it is
        "GetSiteTopologyStorageQueueName":"getsitetopologyqueue", // keep the name as it is
        "CosmosDbEndpointUri":"", // URI of the Cosmos DB account
        "CosmosDbPrimaryKey":"", // primary key of the Cosmos DB account
        "CosmosDbDatabaseId":"SPOTenantInventoryDetails", // keep the name as it is
        "CosmosDbSpoTenantDetailsContainerId":"SPOTenantInventoryDetails", // keep the name as it is
        "CosmosDbTenantSiteDetailsContainerId":"SPOTenantSiteDetails", // keep the name as it is
        "SpoServiceBusConnectionString":"", // connection string of the service bus created earlier
        "SpoServiceBusQueueName":"spoinventorydata", // keep the name as it is
        "PushDataBatchSize":"600" // keep the value as it is
      }


      Example request:

      {
        "Id":"5d7736a6-9631-43b9-8aa2-29532e871180", // unique GUID, the same as the one in the request URL
        "SpoStorageConnectionString":"DefaultEndpointsProtocol=https;AccountName=spoinventorystorage;AccountKey=LfnSj8q4h93re0mFusGnS2pu9bJHQRfCOyOng5jRbGRK9lH7CRsVCV6rnYiVwzEXSGHiwe9rmSw3gEI3WuTfyw==;EndpointSuffix=core.windows.net", // storage account connection string
        "GetSiteCollectionStorageQueueName":"getsitecollectionqueue", // keep the name as it is
        "GetSiteTopologyStorageQueueName":"getsitetopologyqueue", // keep the name as it is
        "CosmosDbEndpointUri":"https://spoinventoryaccount.documents.azure.com:443/", // URI of the Cosmos DB account
        "CosmosDbPrimaryKey":"DXWh7C1vPWADrKCgkDNMksDvPFeXNOSG9AHYE6dZfMjxfLahRQr8wVrPVpnSUResPWAgspKMu7NsAuQajeQmRw==", // primary key of the Cosmos DB account
        "CosmosDbDatabaseId":"SPOTenantInventoryDetails", // keep the name as it is
        "CosmosDbSpoTenantDetailsContainerId":"SPOTenantInventoryDetails", // keep the name as it is
        "CosmosDbTenantSiteDetailsContainerId":"SPOTenantSiteDetails", // keep the name as it is
        "SpoServiceBusConnectionString":"Endpoint=sb://spoinventoryservicebus.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=9yi9kM/Gbq7x9hm65UGhgmgGsn8+6hW8gcDv7wThgdM=", // connection string of the service bus created earlier
        "SpoServiceBusQueueName":"spoinventorydata", // keep the name as it is
        "PushDataBatchSize":"600" // keep the value as it is
      }
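The body above mixes values that must stay fixed with three connection strings and a GUID that has to match the request URL exactly; a typo in any of them only shows up later when the web jobs fail to read their queues. The following script is an added example, not code from this guide or from EmpowerID: it builds the body from the per-tenant values, validates it against the fixed names, and sends it. The HTTP method (POST) and the bearer-token Authorization header in `send_config` are assumptions, since this page does not state how the Az General service authenticates the call; the base URL and all key material in the sample are constructed placeholders.

```python
import json
import re
from urllib.request import Request, urlopen

# Fields the guide says to keep exactly as they are.
FIXED_FIELDS = {
    "GetSiteCollectionStorageQueueName": "getsitecollectionqueue",
    "GetSiteTopologyStorageQueueName": "getsitetopologyqueue",
    "CosmosDbDatabaseId": "SPOTenantInventoryDetails",
    "CosmosDbSpoTenantDetailsContainerId": "SPOTenantInventoryDetails",
    "CosmosDbTenantSiteDetailsContainerId": "SPOTenantSiteDetails",
    "SpoServiceBusQueueName": "spoinventorydata",
    "PushDataBatchSize": "600",
}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def config_request_url(az_general_base_url: str, config_settings_id: str) -> str:
    """Build <Az General service URL>/app/config/GetById/<config settings Id>."""
    return f"{az_general_base_url.rstrip('/')}/app/config/GetById/{config_settings_id}"


def build_spo_inventory_config(config_settings_id: str, storage_connection_string: str,
                               cosmos_endpoint_uri: str, cosmos_primary_key: str,
                               service_bus_connection_string: str) -> dict:
    """Assemble the request body; only the per-tenant values are parameters."""
    body = {
        "Id": config_settings_id,
        "SpoStorageConnectionString": storage_connection_string,
        "CosmosDbEndpointUri": cosmos_endpoint_uri,
        "CosmosDbPrimaryKey": cosmos_primary_key,
        "SpoServiceBusConnectionString": service_bus_connection_string,
    }
    body.update(FIXED_FIELDS)
    return body


def validate_config(body: dict, request_url: str) -> list:
    """Return the mistakes found (an empty list means the body is ready to send)."""
    problems = []
    config_id = body.get("Id", "")
    if not GUID_RE.match(config_id):
        problems.append("Id is not a GUID")
    elif not request_url.lower().endswith("/app/config/getbyid/" + config_id.lower()):
        problems.append("Id does not match the GUID at the end of the request URL")
    for field, value in FIXED_FIELDS.items():
        if body.get(field) != value:
            problems.append(f"{field} must stay {value!r}")
    for field in ("SpoStorageConnectionString", "CosmosDbPrimaryKey", "SpoServiceBusConnectionString"):
        if not body.get(field):
            problems.append(f"{field} is empty")
    if not body.get("CosmosDbEndpointUri", "").startswith("https://"):
        problems.append("CosmosDbEndpointUri must be the https:// URI of the Cosmos DB account")
    # The storage account was created with secure transfer required, so an
    # http connection string would be rejected by the account.
    storage = body.get("SpoStorageConnectionString", "")
    if storage and "DefaultEndpointsProtocol=https" not in storage:
        problems.append("SpoStorageConnectionString must use DefaultEndpointsProtocol=https")
    return problems


def send_config(request_url: str, body: dict, bearer_token: str, timeout: int = 30) -> int:
    """Send the body to the Az General service and return the HTTP status.
    POST and the bearer token header are assumptions, not documented on this page."""
    request = Request(
        request_url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {bearer_token}"},
    )
    with urlopen(request, timeout=timeout) as response:
        return response.status


# Constructed sample values (the keys are placeholders, not real credentials).
SAMPLE_ID = "5d7736a6-9631-43b9-8aa2-29532e871180"
SAMPLE_URL = config_request_url("https://azgeneral-example.azurewebsites.net", SAMPLE_ID)
SAMPLE_BODY = build_spo_inventory_config(
    SAMPLE_ID,
    "DefaultEndpointsProtocol=https;AccountName=spoinventorystorage;AccountKey=<constructed-key>;EndpointSuffix=core.windows.net",
    "https://spoinventoryaccount.documents.azure.com:443/",
    "<constructed-cosmos-primary-key>",
    "Endpoint=sb://spoinventoryservicebus.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<constructed-key>",
)

if __name__ == "__main__":
    print(validate_config(SAMPLE_BODY, SAMPLE_URL))  # [] when everything lines up
```

Run `validate_config` before `send_config` and refuse to send while the list is non-empty; the check that the `Id` field equals the GUID in the URL is the one that catches the most common copy-and-paste mistake in this step.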

Azure Function app

  1. Create an Azure Function app with the following general configuration settings:

    • Runtime stack – .NET Core 3.1

    • Platform – 32 bit

    • Managed pipeline version – Integrated

    • FTP state – All allowed

    • HTTP version – 1.1

    • Web sockets – Off

    • Remote Debugging – Off

    • Client certificate mode – Ignore

    • Runtime version – 3

  2. Turn on system managed identity for the app service and download the publish profile from the overview blade.

  3. Open Workflow Studio and from Cloud Explorer, deploy the SharePoint Online Inventory function.

  4. In Azure, create an Azure Key Vault for SPO inventory and store the secret created for the service principal configured earlier. Name the secret AzGeneralServiceAuthSecret.

  5. Create an access policy for the key vault with the following settings:

    • Key permissions

      • Get

      • Decrypt

      • Unwrap

      • Verify

    • Secret permissions

      • Get

      • List

      • Set

      • Delete

      • Purge

    • Service principal – Azure Function app

  6. Add the following config settings to the Azure Function app service:

    • AzureWebJobsDashboard – Connection string of any storage account in that tenant

    • AzureWebJobsStorage – Connection string of any storage account in that tenant

    • AzureGeneralServiceConfigGetByIDUrl – <Azure general service app service Url>/app/config/GetById/

    • AzureGeneralServiceAuthVaultUrl – Vault URL of the key vault created in the above step.

    • AzureGeneralServiceAuthKeyvaultSecretName – The name of the secret that was created in the above step.

    • AzureGeneralServiceAuthClientID – Client ID of the service principal which is configured for authorization of Azure general app service.

    • ConfigSettingsID – Config settings Id created earlier.

    • AzureGeneralServiceAuthTenantID – Tenant ID of this tenant

    • AzureGeneralServiceMultitenantValidateSKeyUrl – <Azure general service app service Url>/app/multitenant/IsSubscriptionValid/
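Nine settings, three of which must be GUIDs and two of which must end in a specific path, is a list worth checking mechanically after it has been entered in the portal. The following check is an added example, not part of this guide or of EmpowerID: it reads the settings of the Function app and reports anything that does not match the list above. The `settings_from_cli` helper assumes the `[{"name": ..., "value": ..., "slotSetting": ...}]` shape that `az functionapp config appsettings list` prints; the sample at the bottom is constructed, with placeholder GUIDs and keys, and deliberately omits the trailing slash on the GetById URL.

```python
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Settings the guide requires on the SPO Functions app, in the order it lists them.
REQUIRED_SETTINGS = (
    "AzureWebJobsDashboard",
    "AzureWebJobsStorage",
    "AzureGeneralServiceConfigGetByIDUrl",
    "AzureGeneralServiceAuthVaultUrl",
    "AzureGeneralServiceAuthKeyvaultSecretName",
    "AzureGeneralServiceAuthClientID",
    "ConfigSettingsID",
    "AzureGeneralServiceAuthTenantID",
    "AzureGeneralServiceMultitenantValidateSKeyUrl",
)
GUID_SETTINGS = ("AzureGeneralServiceAuthClientID", "ConfigSettingsID", "AzureGeneralServiceAuthTenantID")
URL_SUFFIXES = {
    "AzureGeneralServiceConfigGetByIDUrl": "/app/config/GetById/",
    "AzureGeneralServiceMultitenantValidateSKeyUrl": "/app/multitenant/IsSubscriptionValid/",
}
SECRET_NAME = "AzGeneralServiceAuthSecret"  # name the guide prescribes for the key vault secret


def settings_from_cli(items: list) -> dict:
    """Flatten the name/value list that `az functionapp config appsettings list`
    prints (shape assumed from the Azure CLI output) into a plain dict."""
    return {item["name"]: item["value"] for item in items}


def check_function_app_settings(settings: dict) -> list:
    """Return the deviations from the guide's list (empty list means all good)."""
    problems = [f"missing setting: {name}" for name in REQUIRED_SETTINGS if name not in settings]
    for name in GUID_SETTINGS:
        if name in settings and not GUID_RE.match(settings[name]):
            problems.append(f"{name} is not a GUID")
    for name, suffix in URL_SUFFIXES.items():
        value = settings.get(name)
        if value is not None and not (value.startswith("https://") and value.endswith(suffix)):
            problems.append(f"{name} must be an https URL ending in {suffix}")
    vault = settings.get("AzureGeneralServiceAuthVaultUrl")
    if vault is not None and not vault.startswith("https://"):
        problems.append("AzureGeneralServiceAuthVaultUrl must be an https URL")
    secret = settings.get("AzureGeneralServiceAuthKeyvaultSecretName")
    if secret is not None and secret != SECRET_NAME:
        problems.append(f"AzureGeneralServiceAuthKeyvaultSecretName should be {SECRET_NAME!r}")
    for name in ("AzureWebJobsDashboard", "AzureWebJobsStorage"):
        value = settings.get(name, "")
        if name in settings and ("AccountName=" not in value or "AccountKey=" not in value):
            problems.append(f"{name} is not a storage account connection string")
    # Both Az General service URLs must point at the same app service.
    base_urls = {settings[n].rsplit("/app/", 1)[0] for n in URL_SUFFIXES if n in settings}
    if len(base_urls) > 1:
        problems.append("the two Az General service URLs point at different app services")
    return problems


# Constructed sample (placeholder GUIDs and keys, not real values).
SAMPLE_CLI_OUTPUT = [
    {"name": "AzureWebJobsDashboard", "value": "DefaultEndpointsProtocol=https;AccountName=spoinvstorage;AccountKey=<constructed>;EndpointSuffix=core.windows.net", "slotSetting": False},
    {"name": "AzureWebJobsStorage", "value": "DefaultEndpointsProtocol=https;AccountName=spoinvstorage;AccountKey=<constructed>;EndpointSuffix=core.windows.net", "slotSetting": False},
    {"name": "AzureGeneralServiceConfigGetByIDUrl", "value": "https://azgeneral-example.azurewebsites.net/app/config/GetById", "slotSetting": False},
    {"name": "AzureGeneralServiceAuthVaultUrl", "value": "https://spo-inventory-example.vault.azure.net/", "slotSetting": False},
    {"name": "AzureGeneralServiceAuthKeyvaultSecretName", "value": "AzGeneralServiceAuthSecret", "slotSetting": False},
    {"name": "AzureGeneralServiceAuthClientID", "value": "11111111-2222-3333-4444-555555555555", "slotSetting": False},
    {"name": "ConfigSettingsID", "value": "5d7736a6-9631-43b9-8aa2-29532e871180", "slotSetting": False},
    {"name": "AzureGeneralServiceAuthTenantID", "value": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "slotSetting": False},
    {"name": "AzureGeneralServiceMultitenantValidateSKeyUrl", "value": "https://azgeneral-example.azurewebsites.net/app/multitenant/IsSubscriptionValid/", "slotSetting": False},
]

if __name__ == "__main__":
    for problem in check_function_app_settings(settings_from_cli(SAMPLE_CLI_OUTPUT)):
        print(problem)
```

The trailing-slash check matters because the function appends the config settings Id to `AzureGeneralServiceConfigGetByIDUrl` as given; without the slash the resulting path is not the `/app/config/GetById/<id>` pattern used earlier in this guide.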

Azure App service for Web jobs

  1. Create an app service with the following settings:

    • Runtime stack – .NET Core 3.1 (Windows)

    • Stack – .NET

    • .NET version – .NET Core (3.1, 2.1)

    • Platform – 32 Bit

    • Managed pipeline version – Integrated

    • FTP state – All allowed

    • HTTP Version – 1.1

    • Web sockets – Off

    • Always on – On

    • ARR affinity – On

    • Remote debugging – Off

    • Incoming client certificates – Ignore

  2. Scale out the app service to two instances.

  3. Ensure that the Always on option in the General settings of the app service is enabled.

  4. Turn on system managed identity for the app service and download the publish profile from the overview blade.

  5. Open Workflow Studio and from Cloud Explorer, deploy the following files to Azure:

    • SPOGetSiteCollectionWebJob.zip (first)

    • SPOGetTopologyForSiteCollectionsWebJob.zip

  6. Create an access policy in the key vault created earlier with the following settings:

    • Key permissions

      • Get

      • Decrypt

      • Unwrap

      • Verify

    • Secret permissions

      • Get

      • List

      • Set

      • Delete

      • Purge

    • Service principal – Azure Web Jobs app service

  7. Configure the app service with the app config settings created earlier.
