Microsoft SharePoint Server
Configuring the Veza integration for SharePoint Server (on-premises).
Overview
Veza can discover and analyze permissions in SharePoint Server environments that are configured with Microsoft Entra ID (formerly Azure AD) federated authentication. This offers visibility into your on-premises SharePoint infrastructure using an existing Azure Integration, including:
Site collections and sub-sites discovery
Document libraries and folders
Effective permission analysis
Microsoft Entra ID user and group federation
Optional site filtering with allow and deny lists
Prerequisites
SharePoint Server 2013 or newer
The SharePoint environment must be configured for federated authentication with Microsoft Entra ID following Microsoft's official documentation
The Azure integration in Veza must be configured with a valid SSL certificate for SharePoint site discovery (Signed certificate recommended for production environments)
Configuring the Azure Integration for SharePoint Server
You can connect to SharePoint by providing a certificate for app-only access when configuring an Azure integration. For testing environments, you can generate a self-signed certificate following the Microsoft documentation.
The integration requires read-only API permissions to discover SharePoint resources:
Go to the Integrations page and add or edit an Azure integration, following the instructions in Microsoft Azure.
In Azure, create or edit the app registration for the integration with the additional API scopes:
SharePoint:
User.Read.All
Sites.Read.All
Microsoft Graph API:
Directory.Read.All
Files.Read.All
Sites.Read.All
Reports.Read.All
Enable SharePoint discovery by providing a certificate for app-only access and granting optional API permissions as documented in Microsoft SharePoint Online.
If you are limiting the services discovered by the integration, ensure that SharePoint is enabled under Limited Services in the integration configuration.
(Optional) In the Limit Services > SharePoint section, add SharePoint site URLs to the allow or deny lists to limit extraction to specific sites. The integration will detect all on-premises SharePoint sites included in the /sites/getAllSites Microsoft Graph API response.
Save your changes to the integration configuration after supplying the X.509 certificate and its password, if the certificate is encrypted.
When discovery completes, perform a Graph search for relationships between Azure AD Users and SharePoint Sites to validate that on-premises sites are appearing as expected.
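The following is an added example, not Veza's or Microsoft's code. It models two checks a practitioner can run offline before and after the steps above: that the app registration carries exactly the read-only permission set listed in this guide (flagging anything missing and any write-capable scope, which the integration does not need), and how the paged /sites/getAllSites Graph response is narrowed by allow and deny lists of site URLs. The prefix-matching rule for allow/deny lists, the sample site URLs, and the injected fetch callback are assumptions made for the example; Veza's exact matching semantics are not stated on this page.

```python
"""Offline pre-flight checks for a SharePoint Server discovery setup.

Added example; not Veza's code. Assumptions are marked in comments.
"""
from __future__ import annotations
from typing import Callable, Iterable

# Read-only application permissions listed in the guide, per resource.
REQUIRED_PERMISSIONS = {
    "SharePoint": {"User.Read.All", "Sites.Read.All"},
    "Microsoft Graph": {"Directory.Read.All", "Files.Read.All",
                        "Sites.Read.All", "Reports.Read.All"},
}
# Tokens that mark a scope as write-capable (assumed naming convention).
WRITE_MARKERS = (".ReadWrite", ".Write", ".Manage", ".FullControl")


def check_permissions(granted: dict[str, Iterable[str]]) -> dict:
    """Compare granted permissions against the required read-only set.

    `granted` maps resource name -> permission names as copied from the
    app registration's API permissions blade. Returns what is missing per
    resource and any write scopes that exceed least privilege.
    """
    missing: dict[str, list[str]] = {}
    write_scopes: dict[str, list[str]] = {}
    for resource, required in REQUIRED_PERMISSIONS.items():
        have = set(granted.get(resource, ()))
        if required - have:
            missing[resource] = sorted(required - have)
    for resource, names in granted.items():
        writes = sorted(n for n in names if any(m in n for m in WRITE_MARKERS))
        if writes:
            write_scopes[resource] = writes
    return {"missing": missing, "write_scopes": write_scopes}


def _norm(url: str) -> str:
    return url.rstrip("/").lower()


def _under(url: str, prefix: str) -> bool:
    """True if url is the prefix site itself or a sub-site beneath it."""
    u, p = _norm(url), _norm(prefix)
    return u == p or u.startswith(p + "/")


def site_allowed(url: str, allow: list[str], deny: list[str]) -> bool:
    """Assumed rule: a deny entry always wins; with a non-empty allow
    list only listed sites (and their sub-sites) are kept."""
    if any(_under(url, d) for d in deny):
        return False
    return not allow or any(_under(url, a) for a in allow)


def collect_sites(fetch: Callable[[str], dict],
                  allow: Iterable[str] = (), deny: Iterable[str] = ()) -> list[str]:
    """Walk every page of getAllSites via @odata.nextLink and return the
    webUrl of each site that survives the allow/deny filter."""
    url = "https://graph.microsoft.com/v1.0/sites/getAllSites"
    kept: list[str] = []
    while url:
        page = fetch(url)
        for site in page.get("value", []):
            web_url = site.get("webUrl", "")
            if web_url and site_allowed(web_url, list(allow), list(deny)):
                kept.append(web_url)
        url = page.get("@odata.nextLink")  # absent on the last page
    return kept


# Constructed two-page response; hostnames and site names are placeholders.
SAMPLE_PAGES = {
    "https://graph.microsoft.com/v1.0/sites/getAllSites": {
        "value": [
            {"id": "s1", "webUrl": "https://sp.corp.example/sites/finance"},
            {"id": "s2", "webUrl": "https://sp.corp.example/sites/finance/audit"},
            {"id": "s3", "webUrl": "https://sp.corp.example/sites/hr"},
        ],
        "@odata.nextLink":
            "https://graph.microsoft.com/v1.0/sites/getAllSites?$skiptoken=p2",
    },
    "https://graph.microsoft.com/v1.0/sites/getAllSites?$skiptoken=p2": {
        "value": [{"id": "s4", "webUrl": "https://sp.corp.example/sites/legal"}],
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated Graph GET; returns the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    granted = {"SharePoint": ["Sites.Read.All"],
               "Microsoft Graph": ["Directory.Read.All", "Files.Read.All",
                                   "Sites.Read.All", "Reports.Read.All",
                                   "Sites.ReadWrite.All"]}
    print(check_permissions(granted))
    print(collect_sites(fake_fetch, allow=["https://sp.corp.example/sites/finance"]))
```

To use this against a real tenant, replace fake_fetch with a function that performs the authenticated GET using the app-only certificate credential; the filtering and permission checks stay the same. Comparing the filtered list with what appears in the Graph search described above is a quick way to confirm the allow and deny lists behave as intended.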