Microsoft SharePoint Online
Enabling Veza discovery of SharePoint resources
To enable SharePoint discovery for an Azure tenant configuration, you will need to upload an X.509 certificate for authentication. Once provided, Veza will automatically extract permissions metadata for SharePoint Online resources, and show effective permissions for AzureAD users and groups to SharePoint servers, sites, libraries, and folders.
1. Prepare certificate
Veza requires a certificate bundle containing the public and private key, uploaded in PKCS #12 format (typically .p12 or .pfx). Additionally, you will need the public key as either a .pem, .cer or .crt file to upload to the Azure app registration's Certificates & Secrets (see step 2.4 below).
The bundle should only contain the public and private keys, and not include the CA or full chain. If you encounter an error when uploading the certificate:
On Windows, use the Certificates MMC snap-in to import the original certificate to your local machine, then export it ensuring the option to "include all certificates in the certification path if possible" isn't selected.
Alternatively, you can generate a new bundle with openssl:
Microsoft and Veza recommend using a valid signed certificate, but you can optionally generate a self-signed certificate if necessary. For information about generating a self-signed certificate, see Setting up an Azure AD app for app-only access.
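As an added example (not from the Veza documentation), the following POSIX shell script builds the PKCS #12 bundle with openssl so that it carries only the leaf certificate and private key, exports the public certificate for step 2, and checks a bundle for the "full chain included" mistake described above. It assumes openssl is installed; the demo function uses self-signed material constructed only for illustration.

```shell
#!/bin/sh
# Added example, not Veza's own tooling. Assumes openssl is installed and
# that you hold a private key and its certificate in PEM form.
set -eu

# Build the PKCS#12 bundle Veza expects: leaf certificate and private key
# only. Deliberately no -certfile/-chain, so no CA chain is embedded.
make_veza_bundle() {   # make_veza_bundle key.pem cert.pem out.p12 password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Export only the public certificate (DER, .cer) for upload to the app
# registration's Certificates & Secrets page.
export_public_cer() {  # export_public_cer cert.pem out.cer
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Print how many certificates a bundle carries. Veza wants exactly 1; a bundle
# exported "with all certificates in the certification path" shows more.
bundle_cert_count() {  # bundle_cert_count bundle.p12 password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only when the bundle holds exactly one certificate.
check_veza_bundle() {  # check_veza_bundle bundle.p12 password
    [ "$(bundle_cert_count "$1" "$2")" -eq 1 ]
}

# Demo on throwaway self-signed material constructed here for illustration
# (use a CA-signed certificate for a real tenant). Writes good.p12, bad.p12
# and cert.cer into the given directory and prints the two certificate counts.
demo() {  # demo workdir
    d=$1; pw=demo-only
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=veza-demo" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
    make_veza_bundle "$d/key.pem" "$d/cert.pem" "$d/good.p12" "$pw"
    # The kind of bundle that fails to upload: an extra CA certificate bundled.
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -certfile "$d/ca.pem" -out "$d/bad.p12" -passout "pass:$pw"
    export_public_cer "$d/cert.pem" "$d/cert.cer"
    echo "$(bundle_cert_count "$d/good.p12" "$pw") $(bundle_cert_count "$d/bad.p12" "$pw")"
}
```

Running `demo /some/dir` prints `1 2`: the first bundle is what Veza accepts, the second is the chain-polluted shape to avoid.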
2. Configure the Veza Enterprise App
If you haven't already completed the steps to configure a Microsoft Azure integration, you should do so before continuing.
1. From your Microsoft Azure Portal, go to Azure Active Directory and select "App Registrations".
2. Select the app registration used by Veza for discovery of the Azure tenant.
3. Click on API permissions, then "Add a permission", and grant the following Application Permissions:
   For SharePoint:
     User.Read.All
     Sites.Read.All
   For Microsoft Graph:
     Directory.Read.All
     Files.Read.All
     Sites.Read.All
     Reports.Read.All
   Verify that "Grant Admin Consent" is enabled on the API permissions screen. See the Expanded Functionality section below for optional permissions.
4. Go to the app registration's Certificates & Secrets, click "Upload certificate," and provide the public key from the key pair from step 1.
5. Verify that the certificate has been uploaded by selecting "Manifest" and checking the keyCredentials property.
3. Configure Veza
You can upload the required certificate when adding a new Azure account to Veza, or by navigating to Administration > Configurations and editing an existing Azure tenant. Upload the certificate pair from the first step.
Enabling Last Activity Date for SharePoint Sites
To enable parsing of Last Activity Date as a searchable property for SharePoint sites, you will need to disable hidden user details in Office 365 Reports:
1. From the Office 365 admin center, go to Settings > Org Settings > Services.
2. Select Reports.
3. Clear the checkbox for "Display concealed user, group, and site names in all reports" and save your changes.
Note: Last activity stats are only obtainable for top-level sites (not sub-sites).
Supported Entities
SharePoint Online (Server)
Sites (server Site Collections)
Site (Communication or Team)
Sub-sites
Library
Folders (and sub-folders)
Lists
Library and folder permissions
The entities listed here reflect the limitations of read-only SharePoint API and Microsoft Graph API access. Additional entities are supported with optional permissions described in the Expanded Functionality section below.
Expanded Functionality
When granted write-level or admin-level permissions, Veza can gather additional entities and properties. The following table identifies our expanded support and the required permissions:
Entity / Property | API Permissions |
---|---|
Sharing Capability | Microsoft Graph: |
SharePoint Site Permissions | Microsoft Graph: |
SharePoint List Permissions | SharePoint: |
Enabling List and Site Permissions will create distinct Permission nodes connecting principal-type entities such as users to SharePoint Site and List entities.
Sharing Capability is a property on the tenant-level SharePoint Online Server entity indicating the maximum-permitted sharing settings for sharable objects within the tenant. The value can be:
Value | Description |
---|---|
disabled | Users can share only with people in the organization. |
externalUserSharingOnly | Users can share with new and existing guests. |
externalUserAndGuestSharing | Users can share with anyone, with no sign-in requirement. |
existingExternalUserSharingOnly | Users can share with existing guests in the organization directory. |
Sharing capability is not currently provided for child Sites and Libraries due to Microsoft API limitations.