The EmpowerID SharePoint Online (SPO) connector inventories SPO site collections, user profiles, webs, groups, roles, role assignments and group membership, and lets you manage user profiles and group memberships from EmpowerID. Inventoried user data can also be managed and synchronized with data in any connected back-end user directories.
Supported Features and Attribute Mappings
User Profile Management
Inventory user profiles
Edit user profiles
Bi-directional synchronization of SharePoint user profiles and EmpowerID Person attributes
Groups Management
Inventory SharePoint groups
Add users and groups to SharePoint groups
Remove users and groups from SharePoint groups
Roles
Inventory SharePoint roles / permissions
Inventory SharePoint role assignments of users and groups to SharePoint resources
During the inventory process, EmpowerID discovers any roles or permissions that have been assigned to a user or group in SharePoint and adds these as SharePoint Role Definitions in EmpowerID. SharePoint Role Definitions represent the actual SharePoint permissions discovered by EmpowerID during the inventory of managed SharePoint Online resource systems. SharePoint Role Definitions (permissions) are defined per SharePoint Site Collection and are used by all sites in that site collection. Each SharePoint Role Definition applies to multiple resource types in SharePoint, such as lists, folders, documents and webs. EmpowerID inventories both inherited and unique permissions for sites.
| SharePoint Permissions / EmpowerID SharePoint Online Role Definition | Description |
|---|---|
| Full Control | Has full control |
| Design | Can view, add, update, delete, approve, and customize |
| Edit | Can add, edit and delete lists; can view, add, update and delete list items and documents |
| Contribute | Can view, add, update, and delete list items and documents |
| Read | Can view pages and list items and download documents |
| Limited Access | Can view pages and list items and download documents |
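The inheritance behaviour described above (role definitions fixed per site collection, each web, list, folder or document either inheriting its parent's role assignments or carrying unique ones) is modelled in the following added example. It is not EmpowerID or SharePoint code; the site collection, paths and principals are constructed sample data, and the report function is an assumption about what a reviewer would want to see, not a connector feature.

```python
from dataclasses import dataclass, field

ROLE_DEFINITIONS = {"Full Control", "Design", "Edit", "Contribute", "Read", "Limited Access"}  # per site collection, names from the table above

@dataclass
class Scope:
    """A securable SharePoint object (web, list, folder or document) within one site collection."""
    path: str
    parent: "Scope | None" = None
    unique: bool = False  # True when this scope has its own, non-inherited role assignments
    assignments: dict = field(default_factory=dict)  # principal -> set of role definition names

    def __post_init__(self):
        for principal, roles in self.assignments.items():
            if roles - ROLE_DEFINITIONS:
                raise ValueError(f"{principal}: unknown role definition(s) {sorted(roles - ROLE_DEFINITIONS)}")

def effective_assignments(scope):
    """Walk up to the nearest scope with unique permissions (or the root) and return its assignments."""
    while not scope.unique and scope.parent is not None:
        scope = scope.parent
    return scope.assignments

def inventory(scopes):
    """Flatten to (principal, role, scope path, inherited) rows, like the inventory described above."""
    rows = []
    for sc in scopes:
        inherited = not sc.unique and sc.parent is not None
        for principal, roles in effective_assignments(sc).items():
            rows.extend((principal, role, sc.path, inherited) for role in sorted(roles))
    return rows

def broken_inheritance_report(scopes):
    """For each scope below the root that breaks inheritance, list principals whose roles differ from the parent's."""
    report = {}
    for sc in scopes:
        if sc.unique and sc.parent is not None:
            parent_roles = effective_assignments(sc.parent)
            report[sc.path] = {p: sorted(r) for p, r in sc.assignments.items() if parent_roles.get(p) != r}
    return report

def sample_site_collection():
    """Constructed sample: root web, an inheriting sub-web, a library with unique permissions, a folder."""
    root = Scope("/sites/hr", unique=True, assignments={
        "HR Owners": {"Full Control"}, "HR Members": {"Contribute"}, "Everyone": {"Read"}})
    web = Scope("/sites/hr/payroll", parent=root)
    lib = Scope("/sites/hr/payroll/Documents", parent=web, unique=True,
        assignments={"Payroll Admins": {"Full Control"}, "HR Members": {"Limited Access"}})
    folder = Scope("/sites/hr/payroll/Documents/2024", parent=lib)
    return [root, web, lib, folder]
```

Running `broken_inheritance_report(sample_site_collection())` shows only the Documents library, where a new principal gained Full Control and HR Members were cut back to Limited Access relative to the root web.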
Webs
Inventory SharePoint webs
Site Collections
Inventory SharePoint site collections
User Profile Attribute Flow
The default SharePoint profile properties that EmpowerID can synchronize with, and the naming convention used for each, are shown in the table below. Custom attributes can be added as needed.
| User Profile Sync Attribute Flow | Name of Profile property in SharePoint |
|---|---|
| FirstName | First Name |
| LastName | Last Name |
| UserName | email |
| EIDJobTitle | Job Title |
| SID | SID |
| UserProfile_GUID | UserProfile_GUID |
Next steps
Register Service Principal for App Service Authentication
Register Service Principal with SharePoint API Permissions
Create an app service for the SharePoint Online Microservice
Provision a Cosmos DB Account for SharePoint Online
Create a Function app to Update User Profiles
Add application settings to the app service
Add Secret to Key Vault in EmpowerID Tenant
Publish the SharePoint Online Microservice
Configuration of SharePoint Online Inventory - Not Applicable if using EmpowerID SaaS