Microsoft Sharepoint Connector
Contents
Microsoft Sharepoint Connector#
Squirro provides a 1-click connector for Microsoft SharePoint. This connector allows the Project Creators to connect to a Microsoft Azure account and index the Microsoft SharePoint data into Squirro.
Set up Connector#
Usage assumes that the OAuth setup for the 1-click connectors has already been done on the server. This is by default available on all of our cloud servers at https://start.squirro.com. For any other Squirro installation, please ask your Squirro server admin to follow the steps in the OAuth Configuration section below.
Head over to the Enterprise tab on the Data screen as shown in the screenshot below.
Click on the Microsoft SharePoint icon. Squirro will show a prompt asking you to authenticate your Microsoft Azure account. Click on the Authenticate button there.
Once you click on the Authenticate button, you will be re-directed to the Sign-in screen hosted by Microsoft.
Squirro will never ask you for your Microsoft password. This is requested by Microsoft itself.
Once you sign-in you will be prompted to approve Microsoft SharePoint scopes. This screen is presented to you by Microsoft asking you to provide consent for your Microsoft SharePoint data to Squirro.
After approving scopes you will be brought back to Squirro’s source configuration screen. This screen shows which Microsoft account Squirro has connected to.
Now, you can click Save & Exit for Squirro to automatically configure the mapping of item fields and labels, as well as any other required source configuration.
Media files content (image, video, audio) is not fetched by default. To change that behaviour expand the Advanced Options section and check the option to fetch media files content.
Alternatively you can define those settings manually by clicking Next and going through the whole source setup process. This allows you the full flexibility of how the Microsoft SharePoint data should be mapped to Squirro items.
After clicking on Save & Exit, you will see your source running. Sit back, relax & enjoy while we index your Microsoft SharePoint data into Squirro.
OAuth Configuration#
App Config#
You will need to register an OAuth2 app on the Microsoft Azure portal to allow Squirro to connect to the Microsoft accounts of end users. Please follow the steps below to do so.
Note that the exact process on the Microsoft platform may change. If you notice big discrepancies between the current Microsoft website and the documentation page here, please reach out to Squirro’s support at support@squirro.com for help.
Go to Microsoft Azure Portal here: https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade, and click on the Register an application button.
On the next screen, choose the following options as shown in the screenshot below and then click on Register button:
Name: Name of the app
Supported account types: “Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)”
- Redirect URI: This is the URL Microsoft will redirect the user to after successful authorization. This needs to be set to
https://<your-server-url>/dataloader/sharepoint_plugin/pl/azure/authorizedon your server.For example:https://squirro.example-company.com/dataloader/sharepoint_plugin/pl/azure/authorized.
The next step is to add scopes to the app. To do that go to the API permissions tab and click Add a permission button.
On the next screen click Microsoft Graph button.
Next go to the Delegated permissions section.
On the next screen add the following scopes:
emailoffline_accessFiles.Read.AllGroupMember.Read.AllSites.Read.AllUser.ReadBasic.AllUser.Read.
GroupMember.Read.All scope is used to download files from the Group Drives. However, GroupMember.Read.All is a tenant-wide scope and requires admin consent to use. Information how to grant tenant-wide admin consent you can find here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
After adding scopes, confirm your choices by clicking Add permissions button.
In the next step go to the Token configuration tab, click Add optional claim button and add new claim:
Token type: “ID”
Claim: “email”.
The final step is to create a Client secret key for your app. To do that go to the Certificates & secrets tab, click New client secret button and add a key:
Description: Name of your key (could be whatever you want)
Expires: Period of time after your secret key will expire (max period of time is 24 months).
Apply for Production#
Unverified apps will show a warning about unverified status during the user authorization process when the users connect their Squirro instance to their Microsoft account. To avoid that, you have to apply for Production status of the Microsoft SharePoint app.
To start that process you first have to configure the Branding. This will require a logo icon, homepage URL, links to your terms of service and privacy policy. For more information go to the link: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-configure-publisher-domain.
Squirro Configuration#
After having created the OAuth2 app on the Microsoft Azure portal, you need to configure the Client ID and the Client Secret on your Squirro instance.
Go to the Overview tab of the app and copy Application (client) ID.
Next switch to the Certificates & secrets tab and copy the value of your Client Secret key.
This configuration will soon be possible from the user interface.
Edit
/etc/squirro/common.inion your Squirro cluster and add the following lines:
[dataloader]
sharepoint_client_id = YOUR_ID
sharepoint_client_secret = YOUR_SECRET
To enable org-wide access scopes used by your app also add the following line to the
[dataloader]header:
sharepoint_org_scopes_enabled=true
Note that this requires tenant-wide admin consent described in the App Config section.
If the
[dataloader]header is already present in this file, add the lines to the existing section. The section header can not appear more than once in the configuration file.Restart the frontend & datasource service to apply the settings:
sudo systemctl restart sqfrontendd
sudo systemctl restart sqdatasourced
ACL Configuration via Microsoft Azure Active Directory#
Using query templates, you can configure the ACLs for your Microsoft SharePoint data.
This allows you to configure permissions within your projects so that users can only see the data that they have access to in Microsoft SharePoint.
Prerequisites#
To configure permissions, two things are required:
Users must be logged into Squirro with the same Microsoft account that is used to access the Microsoft SharePoint data. In other words, the SSO used by Squirro must be the same organizational Microsoft Azure account as the SSO used by Microsoft SharePoint.
You must have administrative access for both the Squirro and SharePoint.
Note
This feature does not work with Squirro cloud instances unless those instances have been configured to use Microsoft for SSO rather than SquirroID.
How to Set Up#
To configure permissions, follow the steps below:
Part 1 - Set Project Configurations#
Log in to your Squirro project.
Navigate to Setup > Settings
Click Project Configuration from the left menu.
Set
dataloading.get-microsoft-user-groupstoTrue.
Part 2 - Use SAML-SSO Authentication#
Configure Azure SSO by following the steps in Azure Active Directory Setup.
Provide the following configuration in the SAML-SSO authentication Fields to map in as user’s session field:
‘msAzureUserId = http://schemas.microsoft.com/identity/claims/objectidentifier’
Part 3 - Create and Configure a Query Template#
Create a query template by following the steps in Query Templates.
Use the following query template to configure the ACLs for your Microsoft SharePoint data:
(acl_users:{{msAzureUserId[0]}} {%- for item in user_values['microsoft_user_groups'] %} OR acl_groups:{{item}} {%- endfor %}) AND source_type:"Microsoft SharePoint" OR NOT source_type:"Microsoft SharePoint"
In the Azure app permissions, ensure the following permissions:
GroupMember.Read.AllGroup.Read.AllDirectory.Read.AllFiles.Read.AllSites.Read.AllSites.FullControl.All
Reference: For more information, see Microsoft Graph v1.0 - List Group Owners and Microsoft Graph v1.0 - driveItem: delta.