Microsoft SharePoint Online

Enabling Veza discovery of SharePoint resources

To enable SharePoint discovery for an Azure tenant configuration, you will need to upload an X.509 certificate for authentication. Once provided, Veza will automatically extract permissions metadata for SharePoint Online resources, and show effective permissions for AzureAD users and groups to SharePoint servers, sites, libraries, and folders.

1. Prepare certificate

Veza requires a certificate bundle containing the public and private key, uploaded in PKCS #12 format (typically .p12 or .pfx). Additionally, you will need the public key as either a .pem, .cer or .crt file to upload to the Azure app registration's Certificates & Secrets (see step 2.4 below).

The bundle should only contain the public and private keys, and not include the CA or full chain. If you encounter an error when uploading the certificate:

  • On Windows, use the Certificates MMC snap-in to import the original certificate to your local machine, then export it ensuring the option to "include all certificates in the certification path if possible" isn't selected.

  • Alternatively, you can generate a new bundle with openssl:

# Generate a fresh 4096-bit RSA key and a self-signed certificate valid for 365 days.
# SharePoint.crt is the public certificate you upload to the app registration in step 2.4.
openssl req -x509 -sha256 -nodes -days 365 \
  -newkey rsa:4096 -keyout SharePoint.key -out SharePoint.crt
# Bundle only the private key and its certificate as PKCS #12; omitting -certfile
# keeps the CA chain out of the bundle, which is what Veza expects.
openssl pkcs12 -export -out SharePoint.pfx \
  -inkey SharePoint.key -in SharePoint.crt

Microsoft and Veza recommend using a valid signed certificate, but you can optionally generate a self-signed certificate if necessary. For information about generating a self-signed certificate, see Setting up an Azure AD app for app-only access.

2. Configure the Veza Enterprise App

If you haven't already completed the steps to configure a Microsoft Azure integration, you should do so before continuing.

  1. From your Microsoft Azure Portal, go to Azure Active Directory and select "App Registrations"

  2. Select the app registration used by Veza for discovery of the Azure tenant

  3. Click on API permissions, then "Add a permission", and grant the following Application Permissions:

    1. For SharePoint:

      • User.Read.All

      • Sites.Read.All

    2. For Microsoft Graph:

      • Directory.Read.All

      • Files.Read.All

      • Sites.Read.All

      • Reports.Read.All

    3. Verify that "Grant Admin Consent" is enabled on the API permissions screen.

    See the Expanded Functionality section below for optional permissions.

  4. Go to the app registration's Certificates & Secrets, click "Upload certificate," and provide the public key from the key pair from step 1.

  5. Verify that the certificate has been uploaded by selecting "Manifest" and checking the keyCredentials property.
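Step 5 asks you to confirm the upload by inspecting the keyCredentials property of the manifest. The following added example (not Veza's or Microsoft's code) automates that check with the Python standard library: it reads the public certificate from step 1 as DER or PEM, computes its SHA-1 thumbprint, and looks for a matching keyCredentials entry in a downloaded manifest. It assumes that the portal populates customKeyIdentifier with the base64-encoded SHA-1 thumbprint of the certificate, and that startDateTime/endDateTime are ISO 8601 timestamps in UTC. The certificate bytes, thumbprints and manifest below are constructed sample data, not a real tenant.

```python
import base64
import hashlib
from datetime import datetime, timezone
from typing import Optional, Union

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def certificate_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate given as DER (.cer) or PEM (.pem/.crt)."""
    if PEM_BEGIN in data:
        body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data


def thumbprint_b64(cert_der: bytes) -> str:
    """Base64 of the SHA-1 digest of the DER certificate. Assumption: this is the
    form Azure stores in keyCredentials[].customKeyIdentifier for uploaded certs."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def _parse_time(value: str) -> datetime:
    # Manifest timestamps look like 2024-01-01T00:00:00Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_key_credential(manifest: dict, cert_file: bytes,
                         now: Optional[Union[datetime, str]] = None) -> str:
    """Report whether cert_file is registered on the app and currently valid.

    Returns "uploaded", "expired", "not_yet_valid" or "missing"."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)
    wanted = thumbprint_b64(certificate_der(cert_file))
    for cred in manifest.get("keyCredentials", []):
        if cred.get("type") != "AsymmetricX509Cert":
            continue
        if cred.get("customKeyIdentifier") != wanted:
            continue  # a different certificate on the same app registration
        if now > _parse_time(cred["endDateTime"]):
            return "expired"
        if now < _parse_time(cred["startDateTime"]):
            return "not_yet_valid"
        return "uploaded"
    return "missing"


# Constructed sample inputs: these bytes are not a real certificate and the
# manifest is not from a real tenant; the appId is a placeholder.
SAMPLE_CERT_PEM = (PEM_BEGIN + b"\n"
                   + base64.encodebytes(b"constructed DER bytes standing in for SharePoint.crt")
                   + PEM_END + b"\n")

SAMPLE_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "keyCredentials": [
        {   # an older, unrelated certificate still present on the app
            "customKeyIdentifier": thumbprint_b64(b"some other constructed certificate"),
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "startDateTime": "2020-01-01T00:00:00Z",
            "endDateTime": "2021-01-01T00:00:00Z",
        },
        {   # the certificate prepared in step 1
            "customKeyIdentifier": thumbprint_b64(certificate_der(SAMPLE_CERT_PEM)),
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "startDateTime": "2024-01-01T00:00:00Z",
            "endDateTime": "2025-01-01T00:00:00Z",
        },
    ],
}

if __name__ == "__main__":
    # With a real tenant: manifest = json.load(open("manifest.json")),
    # cert = open("SharePoint.crt", "rb").read()
    print(check_key_credential(SAMPLE_MANIFEST, SAMPLE_CERT_PEM, "2024-06-01T00:00:00Z"))
```

Running the check before saving the Veza configuration catches the two common failure modes at this step: a public certificate that does not match the .pfx you are about to upload ("missing"), and a certificate whose validity window has lapsed ("expired"), either of which makes Veza's certificate authentication fail later with a less specific error.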

3. Configure Veza

You can upload the required certificate when adding a new Azure account to Veza, or by navigating to Administration > Configurations and editing an existing Azure tenant. Upload the certificate pair from the first step.

Enabling Last Activity Date for SharePoint Sites

To enable parsing of Last Activity Date as a searchable property for SharePoint sites, you will need to disable hidden user details in Office 365 Reports:

  1. From the Office 365 admin center, go to Settings > Org Settings > Services

  2. Select Reports

  3. Clear the checkbox for Display concealed user, group, and site names in all reports, and save your changes

Note: Last activity stats are only obtainable for top-level sites (not sub-sites).

Supported Entities

  • SharePoint Online (Server)

  • Sites (server Site Collections)

  • Site (Communication or Team)

    • Sub-sites

    • Library

      • Folders (and sub-folders)

    • Lists

  • Library and folder permissions

The entities listed here reflect the limitations of read-only SharePoint API and Microsoft Graph API access. Additional entities are supported with optional permissions described in the Expanded Functionality section below.

Expanded Functionality

When granted write-level or admin-level permissions, Veza can gather additional entities and properties. The following table identifies our expanded support and the required permissions:

Entity / Property              API Permissions
Sharing Capability             Microsoft Graph: SharePointTenantSettings.Read.All
SharePoint Site Permissions    Microsoft Graph: Sites.FullControl.All; SharePoint: Sites.FullControl.All
SharePoint List Permissions    SharePoint: Sites.FullControl.All

Enabling List and Site Permissions will create distinct Permission nodes connecting principal-type entities such as users to SharePoint Site and List entities.

Sharing Capability is a property on the tenant-level SharePoint Online Server entity indicating the maximum-permitted sharing settings for sharable objects within the tenant. The value can be:

Value                              Description
disabled                           Users can share only with people in the organization.
externalUserSharingOnly            Users can share with new and existing guests.
externalUserAndGuestSharing        Users can share with anyone, with no sign-in requirement.
existingExternalUserSharingOnly    Users can share with existing guests in the organization directory.

Sharing capability is not currently provided for child Sites and Libraries due to Microsoft API limitations.
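The four Sharing Capability values above form a strict ordering of how far content can leave the tenant, which the table does not spell out: disabled (organization only) is the least permissive, then existingExternalUserSharingOnly, then externalUserSharingOnly, and externalUserAndGuestSharing (anonymous links) is the most permissive. The added example below (not Veza's code) encodes that ordering and reports tenants whose setting exceeds a chosen baseline, treating any value it does not recognise as a finding rather than silently passing it. The tenant names and settings are constructed sample data; the field name sharingCapability follows the property name used on this page.

```python
from typing import Dict, List

# Least to most permissive, derived from the value descriptions on this page.
SHARING_LEVELS = [
    "disabled",
    "existingExternalUserSharingOnly",
    "externalUserSharingOnly",
    "externalUserAndGuestSharing",
]


def sharing_rank(value: str) -> int:
    """Position of a Sharing Capability value in the permissiveness order.
    Raises ValueError for values not on the list so callers fail closed."""
    try:
        return SHARING_LEVELS.index(value)
    except ValueError:
        raise ValueError(f"unrecognised sharingCapability value: {value!r}")


def exceeds_baseline(value: str, baseline: str) -> bool:
    """True when value allows broader sharing than the baseline policy."""
    return sharing_rank(value) > sharing_rank(baseline)


def review_tenants(tenants: List[Dict[str, str]], baseline: str) -> List[str]:
    """Return one finding per tenant that is more permissive than the baseline,
    or whose value is unknown. Tenants at or below the baseline produce nothing."""
    sharing_rank(baseline)  # validate the policy value itself first
    findings = []
    for tenant in tenants:
        name, value = tenant["tenant"], tenant["sharingCapability"]
        try:
            if exceeds_baseline(value, baseline):
                findings.append(f"{name}: {value} exceeds baseline {baseline}")
        except ValueError:
            findings.append(f"{name}: unknown sharingCapability {value!r}, review manually")
    return findings


# Constructed sample: tenant-level SharePoint Online Server entities and their
# Sharing Capability property, as a reviewer might export them from Veza.
SAMPLE_TENANTS = [
    {"tenant": "example-tenant-a", "sharingCapability": "disabled"},
    {"tenant": "example-tenant-b", "sharingCapability": "externalUserSharingOnly"},
    {"tenant": "example-tenant-c", "sharingCapability": "externalUserAndGuestSharing"},
    {"tenant": "example-tenant-d", "sharingCapability": "notARealValue"},
]

if __name__ == "__main__":
    for line in review_tenants(SAMPLE_TENANTS, "existingExternalUserSharingOnly"):
        print(line)
```

Because the property is only available at the tenant level (child Sites and Libraries do not expose it), a review like this tells you the ceiling for the whole tenant; individual sites can be more restrictive than the ceiling but never more permissive.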
