25.24. Azure app registration
In this section, we will explain how an app is registered on the Azure portal.
Navigate to portal.azure.com. Go to All services -> App registrations -> + New registration. Fill in the details of the new application. The only mandatory field that needs to be changed is the name of the application; the other options can be left as-is.
After the app is successfully registered, you will be able to see the Application ID and Directory ID in the app’s Overview.
In this step, the necessary permissions will be granted to the application. On the application details page, click on the API permissions button in the left menu. When the configured permissions page loads, click on the “Add a permission” button, then select “SharePoint” from the right-side menu (when registering the Teams archive app, select Microsoft Graph).
On the next screen we can decide whether we want to grant Delegated or Application permissions to our app. We need the Application permissions.
After the application permissions option is chosen, a list with the available permissions will appear. Select the permissions required for the product you are registering the app for:

– SharePoint – to support all the functions of contentACCESS and other client applications (including AAD groups support in SharePoint archive), all the following permissions need to be added from Microsoft Graph API and SharePoint:
- Microsoft Graph – Application permissions:
o Group.Read.All – Read all groups
o Group.Members.Read.All – Read all group memberships
- SharePoint – Application permissions:
o Sites.FullControl.All – Have full control of all site collections
o Sites.Manage.All – Read and write items and lists in all site collections
o Sites.Read.All – Read items in all site collections
o Sites.ReadWrite.All – Read and write items in all site collections
o TermStore.Read.All – Read managed metadata
o TermStore.ReadWrite.All – Read and write managed metadata
o User.Read.All – Read user profiles
o User.ReadWrite.All – Read and write user profiles

– for Teams archive – some permissions need to be selected from the Delegated option, some from the Application option. The following permissions need to be granted from Microsoft Graph API. The required permission set depends on the Teams Archive configuration in contentACCESS you would use: there you can use either delegated access or application access.
When you choose delegated access, contentACCESS will connect and access the Teams data in the name of a superuser. This superuser MUST have owner access to every team you would like to archive.
The second approach is application access, where contentACCESS will connect to Microsoft Teams using a configured application. This application must NOT have owner access to any of the Teams, but you need to request access to Microsoft Protected API. To order this access, please follow the guideline here. The request is usually accepted within a day or two. The recommended approach is application access. If you do not know at this point which approach fits you best, add both sets of permissions to the application. You can decide later, during the archive configuration, which option to use.
- Microsoft Graph – Delegated permissions:
o ChannelMessage.Read.All – Read user channel messages
o Directory.Read.All – Read directory data
o Group.ReadWrite.All – Read and write all groups
o GroupMember.Read.All – Read all group memberships
o TeamsTab.Read.All – Read tabs in Microsoft Teams
o TeamworkTag.ReadWrite – Read and write tags in Teams
o User.Read – Sign in and read user profile
- SharePoint – Delegated permissions:
o Sites.FullControl.All – Have full control of all site collections
o Sites.Manage.All – Read and write items and lists in all site collections
o Sites.ReadWrite.All – Read and write items in all site collections
o TermStore.ReadWrite.All – Read and write managed metadata
o User.ReadWrite.All – Read and write user profiles
- Microsoft Graph – Application permissions:
o ChannelMessage.Read.All – Read all channel messages
o Directory.Read.All – Read directory data
o Group.ReadWrite.All – Read and write all groups
o GroupMember.Read.All – Read all group memberships
o TeamsTab.Read.All – Read tabs in Microsoft Teams
o Teamwork.Migrate.All – Creating and managing resources for migration to Microsoft Teams
o TeamworkTag.Read.All – Read tags in Teams
- SharePoint – Application permissions:
o Sites.FullControl.All – Have full control of all site collections
o Sites.Manage.All – Read and write items and lists in all site collections
o Sites.ReadWrite.All – Read and write items in all site collections
o TermStore.ReadWrite.All – Read and write managed metadata
o User.ReadWrite.All – Read and write user profiles
Click on Add permissions.
For delegated access the following option must be enabled:
After the permissions have been assigned to the application, the administrator must grant consent for these permissions. Click on the Grant admin consent for “TENANTNAME” button.
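Because admin consent grants these application permissions tenant-wide, it is worth confirming afterwards exactly which app roles were consented. The following script is an added example, not part of the contentACCESS documentation; it assumes the Microsoft Graph PowerShell SDK is installed and that the placeholder is replaced with the Application ID from the app's Overview page. It lists application permissions (app role assignments) only; delegated grants are stored separately and are not shown.

```powershell
# Added example: list the application permissions admin-consented to the registered app.
# Assumes the Microsoft.Graph PowerShell module is installed.
# Replace the placeholder with the Application (client) ID from the app's Overview page.
$appId = "<APPLICATION-ID-PLACEHOLDER>"

# Application.Read.All is sufficient to read app registrations and service principals.
Connect-MgGraph -Scopes "Application.Read.All" | Out-Null

# Consent is attached to the enterprise application (service principal), not the registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# Cache the resource APIs (Microsoft Graph, SharePoint Online) to map role ids to names.
$resourceCache = @{}

$grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$report = foreach ($g in $grants) {
    if (-not $resourceCache.ContainsKey($g.ResourceId)) {
        $resourceCache[$g.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    }
    $resource = $resourceCache[$g.ResourceId]
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $g.AppRoleId }
    [pscustomobject]@{
        ResourceApi = $resource.DisplayName
        Permission  = $role.Value
        Description = $role.DisplayName
        GrantedOn   = $g.CreatedDateTime
    }
}

$report | Sort-Object ResourceApi, Permission | Format-Table -AutoSize

# Highlight the broadest grants from the list above so an admin can confirm each is needed.
$highImpact = @("Sites.FullControl.All", "User.ReadWrite.All", "Group.ReadWrite.All", "Teamwork.Migrate.All")
$report | Where-Object { $highImpact -contains $_.Permission } |
    ForEach-Object { Write-Warning "High-impact permission granted: $($_.ResourceApi) / $($_.Permission)" }
```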
When the permissions are assigned to the application and the admin consent is granted, the client access certificate needs to be assigned to the application. Click on the Certificates & secrets option in the left side menu. On the certificate management screen click on the Upload certificate button. Browse to the client certificate you want to use and upload it. It can be a self-signed certificate or an already existing one. A PowerShell script for creating a self-signed certificate can be downloaded here.
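As an illustration of what such a certificate script does, the following is an added example (not the downloadable script from the documentation). The subject name, output folder and validity period are assumptions; only the exported .cer (public key) is uploaded to the portal, while the .pfx with the private key stays on the contentACCESS server.

```powershell
# Added example: create a self-signed client certificate for the app registration.
# The .cer (public key only) is what gets uploaded under Certificates & secrets;
# the .pfx (with private key) stays on the contentACCESS server and is never uploaded.
# Subject, output folder and validity are assumptions for this example.
$subject    = "CN=contentACCESS-client"
$outDir     = "C:\certs"
$yearsValid = 2

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# RSA 2048 / SHA-256 signing key in the current user's personal store, exportable so the
# private key can be moved to the contentACCESS server.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears($yearsValid)

# Public part for the Azure portal upload.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir "contentACCESS-client.cer") -Type CERT | Out-Null

# Private part, protected with a password prompted at run time rather than hard-coded.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir "contentACCESS-client.pfx") -Password $pfxPassword | Out-Null

# The thumbprint identifies the certificate in the portal after upload; record it with the expiry
# so the certificate can be rotated before it lapses.
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"
```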
Next, add a new client secret by clicking on the + New client secret button. This is necessary for some plugins and client applications.