Connecting to SharePoint

SharePoint works with all Lists and Documents in the global Microsoft Sharepoint site, as well as with individual sites. Set the URL connection property to your Site Collection URL to work with all Lists and Documents, or set it to a specific Site URL to work with Lists and Documents in that site only.

URL	Example URL
Site Collection	https://teams.contoso.com
Site	https://teams.contoso.com/teamA or https://teamA.contoso.com

In addition to providing the URL, use one of the following sets of connection properties to authenticate to SharePoint. The default values make it easy to connect in most environments, as shown below. Sharepoint supports online (cloud-based) and on-premises architectures. Each architecture supports a different set of authentication schemes.

Online and on-prem authentication are discussed in turn below.

Authenticating to SharePoint Online

Set SharePointEdition to "SharePoint Online" and set the User and Password to the credentials you use to log onto SharePoint, for example, the credentials to your Microsoft Online Services account.

The following authentication schemes are supported:

• AzureAD
• Single sign-on (SSO) schemes
• MSI
• OAuthJWT

The following SSO identity providers are supported:

• ADFS
• OneLogin
• Okta
• PingFederate

If the user account domain is different from the domain configured with the identity provider, set SSODomain to the latter. This property may be required for any SSO.

AzureAD

Azure Active Directory (AzureAD) is a connection type that leverages OAuth to authenticate. OAuth requires the authenticating user to interact with SharePoint using an internet browser. The driver facilitates this in several ways as described below. Set your AuthScheme to AzureAD. The AzureAD flows described below assume that you have done so.

Your organization may require Admin Consent when authorizing a new AzureAD application for your Azure Tenant. In all AzureAD flows, any initial installation and use of an AzureAD application requires that an administrator approve the application for their Azure Tenant.

Headless Machines

To configure the driver to use OAuth with a user account on a headless machine, you need to authenticate on another device that has an internet browser.

1. Choose one of these two options:
   • Option 1: Obtain the OAuthVerifier value as described in "Obtain and Exchange a Verifier Code" below.
   • Option 2: Install the adapter on another machine and transfer the OAuth authentication values after you authenticate through the usual browser-based flow, as described in "Transfer OAuth Settings" below.

2. Then configure the adapter to automatically refresh the access token from the headless machine.

Option 1: Obtain and Exchange a Verifier Code

To obtain a verifier code, you must authenticate at the OAuth authorization URL.

Follow the steps below to authenticate from the machine with an internet browser and obtain the OAuthVerifier connection property.

1. Choose one of these options:
   • If you are using the Embedded OAuth Application click SharePoint OAuth endpoint to open the endpoint in your browser.
   • If you are using a custom OAuth application, create the Authorization URL by setting the following properties:
     • InitiateOAuth: Set to OFF.
     • OAuthClientId: Set to the client Id assigned when you registered your application.
     • OAuthClientSecret: Set to the client secret assigned when you registered your application.
     Then call the GetOAuthAuthorizationURL stored procedure with the appropriate CallbackURL. Open the URL returned by the stored procedure in a browser.

2. Log in and grant permissions to the adapter. You are then redirected to the callback URL, which contains the verifier code.
3. Save the value of the verifier code. Later you will set this in the OAuthVerifier connection property.

Next, you need to exchange the OAuth verifier code for OAuth refresh and access tokens. Set the following properties:

On the headless machine, set the following connection properties to obtain the OAuth authentication values:

• InitiateOAuth: Set this to REFRESH.
• OAuthVerifier: Set this to the verifier code.
• OAuthClientId: (custom applications only) Set this to the client Id in your custom OAuth application settings.
• OAuthClientSecret: (custom applications only) Set this to the client secret in the custom OAuth application settings.
• OAuthSettingsLocation: Set this to the path to the file where the driver saves the OAuth token values that persist across connections.

After the OAuth settings file is generated, you need to re-set the following properties to connect:

• InitiateOAuth: Set this to REFRESH.
• OAuthClientId: (custom applications only) Set this to the client Id assigned when you registered your application.
• OAuthClientSecret: (custom applications only) Set this to the client secret assigned when you registered your application.
• OAuthSettingsLocation: Set this to the file containing the encrypted OAuth authentication values. Make sure this file grants read and write permissions to the adapter to enable the automatic refreshing of the access token.

Option 2: Transfer OAuth Settings

Prior to connecting on a headless machine, you need to create and install a connection with the driver on a device that supports an internet browser. Set the connection properties as described in "Desktop Applications" above.

After completing the instructions in "Desktop Applications", the resulting authentication values are encrypted and written to the path specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.

Once you have successfully tested the connection, copy the OAuth settings file to your headless machine.

On the headless machine, set the following connection properties to connect to data:

• InitiateOAuth: Set this to REFRESH.
• OAuthClientId: (custom applications only) Set this to the client Id assigned when you registered your application.
• OAuthClientSecret: (custom applications only) Set this to the client secret assigned when you registered your application.
• OAuthSettingsLocation: Set this to the path to your OAuth settings file. Make sure this file gives read and write permissions to the adapter to enable the automatic refreshing of the access token.

Azure Password

To connect using your Azure credentials directly, specify the following connection properties:

• AuthScheme: Set this to AzurePassword.
• User: Set this to your user account you use to connect to Azure.
• Password: Set this to the password you use to connect to Azure.
• AzureTenant: Set this to the Directory (tenant) ID, found on the Overview page of the OAuth app used to authenticate to SharePoint on Azure.

OAuth: Admin Consent

Admin consent refers to when the Admin for an Azure Active Directory tenant grants permissions to an application that requires an administrator in your organization to consent to the use case. The embedded application within the SharePoint Adapter, contains no permissions that require administrator consent. Therefore, this information applies only to custom applications.

Administrator Consent Permissions

When creating a new OAuth application in the Azure Portal, you must specify which permissions the application requires. Some permissions may be marked with "Admin Consent Required". For example, all Groups permissions require Admin Consent. If your application requires admin consent, there are two ways you can do this.

The easiest way to grant admin consent is to have an administrator log into the Azure Portal and navigate to the application you have created in App Registrations. Under API Permissions, click Grant Consent, which grants permissions on the tenant under which it was created.

If your organization has multiple tenants or you need to grant application permissions for other tenants outside your organization, use the GetAdminConsentURL stored procedure to generate the Admin Authorization URL. After the OAuth application is successfully authorized, it returns a Boolean indicating that permissions have been granted.

After the administrator has approved the OAuth Application, you can continue to authenticate.

Credentials Using a Custom App

Follow the steps below to create a custom OAuth app and obtain the connection properties for the OAuth authentication using Sharepoint App.

Register Add-In

1. Navigate to the Register Add-In page by entering the url as : https://{sitename}.SharePoint.com/_layouts/15/appregnew.aspx .
2. In the "App Information" section, click Generate, which is located next to the Client Id and Client Secret textboxes to generate the respective values.
3. Set Title, App Domain and Redirect URI by filling respective text boxes.
4. Click Create, which registers the add-in and returns the success message with created information.

Grant Permissions to Add-In

1. Navigate to the SharePoint site.
2. Enter the URL: https://{sitename}.sharepoint.com/_layouts/15/appinv.aspx in the browser. This redirects to the Grant permission page.
3. Enter the Client ID (which you generated earlier), in AppId and click Lookup button. That will populate the value to other textboxes in Title, App Domain and Redirect Url.
4. Now enter the below permission request in XML format.
   

       <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
       </AppPermissionRequests>

5. When you click on Create you'll be presented with a permission consent dialog. Press Trust It to grant the permissions.

ADFS

Set the AuthScheme to ADFS. You need to set the following connection properties:

• User: Set this to the ADFS user.
• Password: Set this to ADFS password for the user.
• SSODomain (optional): The domain configured with the ADFS identity provider.

Below is an example connection string:

AuthScheme=ADFS;User=ADFSUserName;Password=ADFSPassword;URL='http://sharepointserver/mysite';

Okta

Set the AuthScheme to Okta. The following connection properties are used to connect to Okta:

• User: Set this to the Okta user.
• Password: Set this to Okta password for the user.
• SSODomain (optional): The domain configured with the OKTA identity provider.

The following is an example connection string:

AuthScheme=Okta;User=oktaUserName;Password=oktaPassword;URL='http://sharepointserver/mysite';

OneLogin

Set the AuthScheme to OneLogin. The following connection properties are used to connect to OneLogin:

• User: Set this to the OneLogin user.
• Password: Set this to OneLogin password for the user.
• SSODomain (optional): The domain configured with the OneLogin identity provider.

The following is an example connection string:

AuthScheme=OneLogin;User=OneLoginUserName;Password=OneLoginPassword;URL='http://sharepointserver/mysite';

PingFederate

Set the AuthScheme to PingFederate. The following connection properties are used to connect to PingFederate:

• User: Set this to the PingFederate user.
• Password: Set this to PingFederate password for the user.
• SSODomain (optional): The domain configured with the PingFederate identity provider.

The following is an example connection string:

AuthScheme=PingFederate;User=PingFederateUserName;Password=PingFederatePassword;URL='http://sharepointserver/mysite';

SharePointOAuth

Set the AuthScheme to SharePointOAuth. The following connection properties are used to connect to SharePointOAuth:

• InitiateOAuth: Set this to GETANDREFRESH.
• User: Set this to the SharePointOAuth user.
• Password: Set this to SharePointOAuth password for the user.

The following is an example connection string:

Schema=REST;InitiateOAuth=GETANDREFRESH;AuthScheme=SharepointOAuth;URL=https://rssbuscrm.sharepoint.com;User=SharePointUserName;Password=SharePointPassword;SharePointEdition='SharepointOnline';

OAuthJWT Certificate

Set the AuthScheme to OAUTHJWT. The following connection properties are used to connect to SharePoint:

• OAuthGrantType: Set this to CLIENT.
• AzureTenant: Set this to the tenant you wish to connect to.
• OAuthJWTCert: Set this to the JWT Certificate store.
• OAuthJWTIssuer: Set this to the OAuth client Id.

MSI

If you are running SharePoint on an Azure VM, you can leverage Managed Service Identity (MSI) credentials to connect:

• AuthScheme: Set this to AzureMSI.

The MSI credentials are automatically obtained for authentication.

Authenticating to SharePoint On-Premises

Set SharePointEdition to "SharePoint On-Premises" to use the following authentication types.

Windows (NTLM)

This is the most common authentication type. As such, the adapter is preconfigured to use NTLM as the default; simply set the Windows User and Password to connect.

Kerberos

Set the AuthScheme to NEGOTIATE. The following connection properties are used to connect with Kerberos:

• KerberosKDC: Set this to the host name or IP Address of your Kerberos KDC machine.
• KerberosRealm: Set this to the realm of the SharePoint Kerberos principal. This is the value after the '@' symbol (for instance, EXAMPLE.COM) of the principal value (for instance, MyService/MyHost@EXAMPLE.COM).
• KerberosSPN: Set this to the service and host of the SharePoint Kerberos Principal. This is the value prior to the '@' symbol (for instance, MyService/MyHost) of the principal value (for instance, MyService/MyHost@EXAMPLE.COM).

Please see Using Kerberos for details on how to authenticate with Kerberos.

ADFS

Set the AuthScheme to ADFS. Then set the following connection properties:

• User: Set this to the ADFS user.
• Password: Set this to ADFS password for the user.
• SSOLoginURL: Set this to the WS-trust endpoint of the ADFS server.

You also need the to set SSOProperties to authenticate to ADFS. Specify the value of the RelyingParty parameter; it is located on the ADFS server for Sharepoint. Below is an example connection string:

AuthScheme=ADFS;User=ADFSUserName;Password=ADFSPassword;SSOLoginURL='https://<authority>/adfs/services/trust/2005/usernamemixed';SSO Properties ='RelyingParty=urn:sharepoint:sp2016;';

Anonymous Access

Set the AuthScheme to NONE along with the URL.

MSI

If you are running SharePoint on an Azure VM, you can leverage Managed Service Identity (MSI) credentials to connect:

• AuthScheme: Set this to AzureMSI.

The MSI credentials are automatically obtained for authentication.