
SP_RegisterAzureAppAuth Job

SP_RegisterAzureAppAuth will register a Microsoft Entra ID (formerly Azure AD) application for authentication and provision the permissions needed for SharePoint Online scans. It requires:

  • A Connection Profile containing the following two user credentials, both with an Account Type of Task (Local):

    • Microsoft Entra ID Global Admin credential
    • A credential with the username newapp that contains the password for the new application
  • Microsoft Graph API PowerShell module to be installed on targeted hosts

Instantiate the SP_RegisterAzureAppAuth Job.

Follow the steps to instantiate the SP_RegisterAzureAppAuth Job.

Step 1 – In Enterprise Auditor navigate to the SharePoint Job Group (or any other Job Group you wish to place the SP_RegisterAzureAppAuth job into).

Step 2 – Click Add Instant Job to open the Instant Job Wizard.

Step 3 – Install the SP_RegisterAzureAppAuth Job from the Instant Job Library under the SharePoint library. After installation, the job tree automatically refreshes with the new job available within the selected Job Group.

Step 4 – On the job description page, in the Configuration section, select the edit button for The new application’s display name and enter the name you want to apply to the registered Microsoft Entra ID application. Click Save.

Step 5 – On the Configure > Hosts node, select the targeted host. The targeted host should be the Microsoft Entra ID tenant on which you want to install the Microsoft Entra ID application (for example, myorg.onmicrosoft.com). Click Save. The job is now ready to be run.

After the job successfully runs it will open a browser window to Microsoft Entra ID that, when logged in as a Global Administrator, allows the user to grant administrator consent to the Application's configured API Permissions. If the login attempt fails, or the user closes the browser, they will need to log in to Microsoft Entra ID as a Global Administrator and navigate to the Application's API Permissions to grant Admin Consent before the Application can be used for SharePoint scans in Enterprise Auditor.

Additional Considerations

  • After the job successfully runs, there will be a new Connection Profile for this Application. Restart the Enterprise Auditor Console and enter a password to use this Connection Profile.
  • The password is a single comma-separated value made up of three parts: the location of the PFX file generated by the script (in the \PrivateAssemblies directory), the Microsoft Entra ID application's password, and a numeric designator for the Microsoft 365 environment (0 is the default for production environments; the other supported options are 1 for pre-production environments, 2 for China, 3 for Germany, 4 for US Government, 5 for US Government-High, and 6 for US Government-DoD). To allow multiple unique certificates for different Microsoft Entra ID tenants to be stored on the same Enterprise Auditor server, the script appends the targeted host name (without the domain) to the filename of the PFX file it generates. For example, if the targeted host is myorg.onmicrosoft.com, then the password for the connection profile would be:

...\STEALTHbits\StealthAUDIT\PrivateAssemblies\spaa_cert_myorg.pfx,YourPasswordHere,0
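The value above is easy to get subtly wrong (wrong PFX filename for the tenant, an environment designator outside 0-6, fields in the wrong order), and a mistake only surfaces when the first SharePoint scan fails to authenticate. The following Python helper, added here as an example and not part of Enterprise Auditor or the job's own script, composes the value from a targeted host name and validates an existing one before it is pasted into the Connection Profile. The directory and password in the sample are constructed placeholders; the environment code table is the one listed on this page; the rule that the path is everything before the first comma and the designator everything after the last comma is an assumption that keeps a password containing commas intact.

```python
"""Compose and validate the Connection Profile password used after
SP_RegisterAzureAppAuth runs: "<pfx path>,<application password>,<environment>".

Added example; not Enterprise Auditor's own code. Directory names and
passwords used below are constructed placeholders.
"""
from dataclasses import dataclass
import ntpath  # Windows path rules, so this also runs on non-Windows hosts

# Numeric Microsoft 365 environment designators listed on this page.
ENVIRONMENTS = {
    0: "Production",
    1: "Pre-production",
    2: "China",
    3: "Germany",
    4: "US Government",
    5: "US Government-High",
    6: "US Government-DoD",
}

PFX_PREFIX = "spaa_cert_"  # filename prefix seen in the page's example


def pfx_filename_for_host(host: str) -> str:
    """Return the PFX filename the script produces for a targeted host.

    The host name without its domain is appended, so
    'myorg.onmicrosoft.com' becomes 'spaa_cert_myorg.pfx'.
    """
    short = host.strip().split(".", 1)[0]
    if not short:
        raise ValueError("targeted host must not be empty")
    return f"{PFX_PREFIX}{short}.pfx"


@dataclass(frozen=True)
class ProfilePassword:
    pfx_path: str
    app_password: str
    environment: int

    def environment_name(self) -> str:
        return ENVIRONMENTS[self.environment]

    def __str__(self) -> str:
        return f"{self.pfx_path},{self.app_password},{self.environment}"


def build_profile_password(private_assemblies_dir: str, host: str,
                           app_password: str, environment: int = 0) -> str:
    """Compose the comma-separated value entered for the new Connection Profile."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment code {environment}; expected 0-6")
    if not app_password:
        raise ValueError("application password must not be empty")
    if "," in private_assemblies_dir:
        raise ValueError("PFX directory must not contain a comma")
    pfx_path = ntpath.join(private_assemblies_dir, pfx_filename_for_host(host))
    return str(ProfilePassword(pfx_path, app_password, environment))


def parse_profile_password(value: str) -> ProfilePassword:
    """Split and validate a stored value before relying on it.

    Assumption (not stated on the page): the path is the text before the
    first comma and the environment code the text after the last comma, so
    an application password that itself contains commas survives intact.
    """
    first, last = value.find(","), value.rfind(",")
    if first == -1 or first == last:
        raise ValueError("expected '<pfx path>,<application password>,<environment>'")
    pfx_path, app_password, env_text = value[:first], value[first + 1:last], value[last + 1:]
    if not pfx_path.lower().endswith(".pfx"):
        raise ValueError(f"certificate path does not end in .pfx: {pfx_path!r}")
    if not ntpath.basename(pfx_path).startswith(PFX_PREFIX):
        raise ValueError(f"unexpected certificate filename: {ntpath.basename(pfx_path)!r}")
    if not env_text.isdigit() or int(env_text) not in ENVIRONMENTS:
        raise ValueError(f"environment designator must be 0-6, got {env_text!r}")
    if not app_password:
        raise ValueError("application password is empty")
    return ProfilePassword(pfx_path, app_password, int(env_text))


if __name__ == "__main__":
    # Constructed sample: placeholder directory and placeholder password.
    value = build_profile_password(r"D:\EnterpriseAuditor\PrivateAssemblies",
                                   "myorg.onmicrosoft.com", "YourPasswordHere")
    print(value)
    print(parse_profile_password(value).environment_name())
```

Run `parse_profile_password` on the value you intend to store and it will reject a wrong field order, a non-.pfx path, or an environment designator outside the supported set; the parsed `environment_name()` is a quick way to confirm the tenant is being pointed at the intended cloud rather than, say, US Government-High when production was meant.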