Pre-requisites
Before you can successfully setup SharePoint integration using Client Credential Authentication you must ensure that the SharePoint site allows the App authentication method. Please refer to this page for further information. You will also need to specify the Tenant ID, Client ID and Client Secret.
This page will guide you through setting these up for Microsoft SharePoint.
Finding Out Your Tenant ID:
Your Microsoft 365 tenant ID is a globally unique identifier (GUID) that is different than your organization name or domain.
You can find your Microsoft 365 tenant ID in the Azure Active Directory Admin Centre.
Your tenant ID can be found in the Tenant ID box on the Properties page:
Select the following link to open the properties page of your Azure Active Directory Admin Centre:
Azure AD Admin Centre Properties page
Generating the Client ID and Client Secret:
Navigate to a site in your tenant (e.g. https://contoso.sharepoint.com) and then call the appregnew.aspx page (e.g. https://contoso.sharepoint.com/_layouts/15/appregnew.aspx).
In this page click on the Generate button to generate a client id and client secret and fill the remaining information like shown in the screen-shot below.
-
Client ID. A GUID that can be generated (when you select Generate) or pasted into AppRegNew.aspx. The value must be unique for each add-in.
-
Client Secret. This is generated on the page by using the Generate button. The following is an example of an add-in secret:
xvVpG0AgVIJfch6ldu4dLUlcZyysmGqBRbpFDu6AfJw=.
-
Title. A user-friendly title; for example, Clever Document Links. Users are prompted to grant or deny the add-in the permissions that the add-in is requesting. This title appears as the name of the add-in on the consent prompt.
-
Add-in Domain. The host name of the remote component of the SharePoint Add-in. If the remote application isn't using port 443, the add-in domain must also include the port number. The add-in domain must match the URL bindings you use for your web application. Do not include protocol ("https:") or "/" characters in this value. Some examples:
-
Redirect URI:. The endpoint in your remote application or service to which ACS sends an authentication code. The redirect URI is required for web applications that are launched outside of SharePoint and that use the Authentication Code flow to get authorized access to SharePoint data.
Store the retrieved information (client id and client secret) since you'll need this in the next step!
Next step is granting permissions to the newly created principal. Since we're granting tenant scoped permissions this granting can only be done via the appinv.aspx page on the tenant administration site. You can reach this site via https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx. Once the page is loaded add your client id and look up the created principal:
To grant permissions, you'll need to provide the permission XML that describes the needed permissions. Since this application needs to be able to access all sites + also uses search with app-only it needs below permissions:
XML
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
When you click on Create you'll be presented with a permission consent dialog. Press Trust It to grant the permissions:
| Warning: Please note that a Client Secret has an expiration date set to 1 year from creation and therefore you will need to increase the expiration date to ensure that the Clever Document Links continues to operate with Microsoft SharePoint after this time. Further information on how to extend the expiration date can be found here. |
| Important: Please safeguard the created client id/secret combination as would it be your administrator account. Using this client id/secret one can read/update all data in your SharePoint Online environment! |
With the preparation work done you can use the Tenant ID, Client ID and and Client Secret combination in the Clever Document link SharePoint Setup wizard.