Release Notes

Microsoft SharePoint Server

Configuring the Veza integration for SharePoint Server (on-premises).

Overview

Veza can discover and analyze permissions in SharePoint Server environments that are configured with Microsoft Entra ID (formerly Azure AD) federated authentication. This offers visibility into your on-premises SharePoint infrastructure using an existing Azure Integration, including:

  • Site collections and sub-sites discovery

  • Document libraries and folders

  • Effective permission analysis

  • Microsoft Entra ID user and group federation

  • Optional site filtering with allow and deny lists

Prerequisites

  • SharePoint Server 2013 or newer

  • The SharePoint environment must be configured for federated authentication with Microsoft Entra ID following Microsoft's official documentation

  • The Azure integration in Veza must be configured with a valid SSL certificate for SharePoint site discovery (Signed certificate recommended for production environments)

Configuring the Azure Integration for SharePoint Server

You can connect to SharePoint by providing a certificate for app-only access when configuring an Azure integration. For testing environments, you can generate a self-signed certificate following the Microsoft documentation.

The integration requires read-only API permissions to discover SharePoint resources:

  1. Go to the Integrations page and add or edit an Azure integration, following the instructions in Microsoft Azure.

  2. In Azure, create or edit the app registration for the integration with the additional API scopes:

    • SharePoint:

      • User.Read.All

      • Sites.Read.All

    • Microsoft Graph API:

      • Directory.Read.All

      • Files.Read.All

      • Sites.Read.All

      • Reports.Read.All

  3. Enable SharePoint discovery by providing a certificate for app-only access and granting optional API permissions as documented in Microsoft SharePoint Online.

  4. If you are limiting the services discovered by the integration, ensure that SharePoint is enabled under Limited Services in the integration configuration.

  5. (Optional) In the Limit Services > SharePoint section, add SharePoint site URLs to the allow or deny lists to limit extraction of specific sites. The integration will detect all on-premesis SharePoint sites included in the /sites/getAllSites Microsoft Graph API response.

  6. Save your changes to the integration configuration after supplying the X.509 certificate and password, if encrypted.

  7. When discovery completes, perform a Graph search for relationships between Azure AD Users and SharePoint Sites to validate that on-premises sites are appearing as expected.

PreviousMicrosoft SharePoint OnlineNextMicrosoft SQL Server

Last updated

Was this helpful?