Microsoft SharePoint Server

Configuring the Veza integration for SharePoint Server (on-premises).

PreviousMicrosoft SharePoint Online NextMicrosoft SQL Server

Last updated 4 months ago

Was this helpful?

Microsoft SharePoint Server

Configuring the Veza integration for SharePoint Server (on-premises).

Overview

Veza can discover and analyze permissions in SharePoint Server environments that are configured with Microsoft Entra ID (formerly Azure AD) federated authentication. This offers visibility into your on-premises SharePoint infrastructure using an existing , including:

Site collections and sub-sites discovery
Document libraries and folders
Effective permission analysis
Microsoft Entra ID user and group federation
Optional site filtering with allow and deny lists

Prerequisites

SharePoint Server 2013 or newer
The SharePoint environment must be configured for federated authentication with Microsoft Entra ID following Microsoft's
The Azure integration in Veza must be configured with a valid SSL certificate for SharePoint site discovery (Signed certificate recommended for production environments)

Configuring the Azure Integration for SharePoint Server

You can connect to SharePoint by providing a certificate for app-only access when configuring an Azure integration. For testing environments, you can generate a self-signed certificate following the .

The integration requires read-only API permissions to discover SharePoint resources:

Go to the Integrations page and add or edit an Azure integration, following the instructions in .
In Azure, create or edit the app registration for the integration with the additional API scopes:
- SharePoint:
  - User.Read.All
  - Sites.Read.All
- Microsoft Graph API:
  - Directory.Read.All
  - Files.Read.All
  - Sites.Read.All
  - Reports.Read.All
Enable SharePoint discovery by providing a certificate for app-only access and granting optional API permissions as documented in .
If you are limiting the services discovered by the integration, ensure that SharePoint is enabled under Limited Services in the integration configuration.
(Optional) In the Limit Services > SharePoint section, add SharePoint site URLs to the allow or deny lists to limit extraction of specific sites. The integration will detect all on-premesis SharePoint sites included in the /sites/getAllSites Microsoft Graph API response.
Save your changes to the integration configuration after supplying the X.509 certificate and password, if encrypted.
When discovery completes, perform a Graph search for relationships between Azure AD Users and SharePoint Sites to validate that on-premises sites are appearing as expected.