Accessing SharePoint Online Using Modern Authentication
This option is recommended for organizations that use modern authentication as their identity management approach and have multi-factor authentication (MFA) enabled for user accounts. In this scenario Netwrix Data Classification accesses the cloud infrastructure through Microsoft Graph and the SharePoint APIs, authenticating as a pre-configured Azure AD application that holds the required permissions, rather than as a user account.
To implement this scenario, register the Azure AD application manually as described below, then supply its settings (application ID, certificate thumbprint and tenant ID) to Netwrix Data Classification when configuring the monitored item.
Step 1: Prepare an Application Certificate
Prepare the application certificate as follows:
- Create (or load) a certificate on the NDC server, for example from the Server Certificates page of IIS Manager (recommended).
NOTE: Install the certificate in the Local Machine store so that Netwrix Data Classification and its services can use it. Whoever can use this certificate's private key can act as the application with every permission granted in Step 3, so keep the key on the NDC server only and limit access to the account that runs Netwrix Data Classification.
- Export the public part of the certificate as a .CER file:
  - Open the certificate (in IIS Manager, select it under Server Certificates and click View).
  - Go to the Details tab.
  - Click Copy to File.
  - Do not export the private key (choose No if the wizard asks).
  - Set the file format to DER encoded binary X.509 (.CER).
NOTE: The .CER file contains only the public key; it is what you upload to Azure AD in Step 4. The private key stays on the NDC server.
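The same preparation can be scripted. The following PowerShell is an added example and not part of the Netwrix documentation: it generates the key pair directly in the Local Machine store with a non-exportable private key, exports only the DER-encoded public certificate, and checks that the exported file carries no private key and that its thumbprint is the one you will later see in Azure AD. The subject name, validity period and output path are assumptions; change them to suit your environment.

```powershell
# Added example (not from the Netwrix documentation): create the application
# key pair in the Local Machine store and export only the public certificate
# as a DER-encoded .cer, which is what Step 1 asks for.
$subject = "CN=NDC-SharePoint-Online"               # assumed subject name
$cerPath = "C:\Temp\NDC-SharePoint-Online.cer"      # assumed output path

# The private key is marked NonExportable so it cannot leave this server:
# it is the credential that will carry the application permissions.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(2)                # assumed validity period

# -Type CERT writes DER and never includes the private key, matching the
# "do not export the private key" note in the manual procedure.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Checks before uploading to Azure AD:
#   1) the exported file must not contain a private key
#   2) the thumbprint you record must be the thumbprint of the exported file
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($exported.HasPrivateKey) { throw "Exported file unexpectedly contains a private key" }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch between store and file" }

"Thumbprint to record: $($cert.Thumbprint)"
"Certificate expires:  $($cert.NotAfter)"
```

Record the thumbprint and the expiry date: the thumbprint is what you compare against Azure AD in Step 4, and the expiry is when crawling will stop working unless the certificate is renewed and re-uploaded.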
Step 2: Create and Register a New App in Azure AD
To register a new Azure AD application, do the following:
- Sign in to the Microsoft 365 admin center with a Global Administrator, Application Administrator or Cloud Application Administrator account.
- Search for and open the Azure Active Directory admin center.
- Under Azure Active Directory, select App registrations.
- Select New registration.
- In the Name field, enter the application name.
- Under Supported account types, select Accounts in this organizational directory only. The application is used for app-only access to your own tenant, so it must not be multi-tenant.
- Click Register.
NOTE: A redirect URI is optional for this application; leave it blank at this step.
- Copy the Application (client) ID from the Overview section to a safe location; you will enter it in Netwrix Data Classification.
Step 3: Grant Required Permissions
Next, grant the new application the API permissions it requires.
Azure AD applications can be assigned Delegated or Application permissions:
- Delegated permissions are used when a signed-in user is present: the application acts on behalf of that user and can never do more than that user is allowed to do.
- Application permissions let the application act on its own, without a signed-in user. They require an administrator's consent, given once for the whole tenant.
Netwrix Data Classification crawls content as a service without an interactive user, so the new app must use Application permissions.
NOTE: By default, a new application is granted one delegated permission for Microsoft Graph API, User.Read. It is not required and can be removed.
Do the following:
- In the app registration, open API permissions and click Add a permission.
- On the Request API permissions > Microsoft APIs pane, select the API you are adding permissions for: Microsoft Graph, or scroll down and select SharePoint.
- Select Application permissions (not Delegated permissions).
- Tick the permissions listed for that API below, then click Add permissions.
- Repeat for the second API so that both sets below are present.
- Click Grant admin consent for <your tenant> and confirm. Until consent is granted the permissions are only requested, and tokens issued to the app will not carry them.
Required permissions:
- Microsoft Graph, Application permissions (with admin consent granted):
  - Sites.FullControl.All (crawling)
  - Sites.Read.All
  - Sites.ReadWrite.All
  - TermStore.ReadWrite.All
- SharePoint, Application permissions (with admin consent granted):
  - Sites.FullControl.All (crawling)
  - TermStore.ReadWrite.All (term set access)
NOTE: For the taxonomy manager to operate fully, you must also add the app-only principal app@sharepoint as a Term Store administrator (or as a group manager for the relevant term groups) in the SharePoint admin center.
NOTE: Sites.FullControl.All is tenant-wide: it grants the application full control of every site collection. Protect the certificate accordingly (see Step 1).
Step 4: Configure Certificates & Secrets
Having registered the app, upload the application certificate so that Azure AD can verify tokens signed with its private key:
- In the app settings, click Certificates & secrets and select Upload certificate.
- Upload the .CER file you prepared at Step 1: Prepare an Application Certificate.
- Copy the certificate thumbprint shown by Azure AD to a safe location. It must be identical to the thumbprint of the certificate in the NDC server's Local Machine store; Azure AD uses it to match the uploaded public key to the signature on each token request.
NOTE: No client secret is needed for this scenario; the certificate is the application's only credential.
Step 5: Obtain Tenant ID
- Open the Azure Active Directory admin center.
- Select Azure Active Directory > Overview for your Microsoft 365 tenant.
- Locate the Tenant ID and copy it to a safe location.
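Before entering the three values into Netwrix Data Classification, it is worth confirming that they fit together. The PowerShell below is an added example, not part of the Netwrix documentation or product: it performs the same certificate-based client credentials exchange the product will perform, signing a client assertion with the private key from Step 1, sending it to the Azure AD token endpoint, and then listing the application roles in the returned token so you can see whether the admin consent from Step 3 actually took effect. The tenant ID, application ID and thumbprint shown are placeholders to replace with the values recorded in Steps 2, 4 and 5; the required-role list is the Graph set from Step 3.

```powershell
# Added example (not from the Netwrix documentation): request an app-only
# token with the certificate and verify the roles granted to the application.
$TenantId   = "00000000-0000-0000-0000-000000000000"     # Step 5 (placeholder)
$ClientId   = "00000000-0000-0000-0000-000000000000"     # Step 2 (placeholder)
$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"  # Step 4 (placeholder)
$Scope      = "https://graph.microsoft.com/.default"      # SharePoint API: https://<tenant>.sharepoint.com/.default

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# The certificate must be in the Local Machine store with its private key (Step 1).
$cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }

# Client assertion (RFC 7523) in the form Azure AD expects. The x5t header is the
# base64url SHA-1 thumbprint: this is how Azure AD matches the uploaded .cer to
# the signature, which is why the thumbprint recorded in Step 4 must match.
$now    = [int][DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header = @{ alg = "RS256"; typ = "JWT"; x5t = (ConvertTo-Base64Url $cert.GetCertHash()) }
$claims = @{
    aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    iss = $ClientId
    sub = $ClientId
    jti = [guid]::NewGuid().ToString()
    nbf = $now
    exp = $now + 600        # short-lived; the assertion is used once
}
$enc      = [Text.Encoding]::UTF8
$unsigned = (ConvertTo-Base64Url $enc.GetBytes(($header | ConvertTo-Json -Compress))) + "." +
            (ConvertTo-Base64Url $enc.GetBytes(($claims | ConvertTo-Json -Compress)))
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData($enc.GetBytes($unsigned),
                     [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                     [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = "$unsigned." + (ConvertTo-Base64Url $sig)

# Client credentials grant: no user, no secret, only the signed assertion.
$resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    grant_type            = "client_credentials"
    client_id             = $ClientId
    scope                 = $Scope
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
}

# Read the 'roles' claim from the access token. Application permissions that
# were added but never admin-consented do not appear here.
$payloadB64  = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payloadB64 += '=' * ((4 - ($payloadB64.Length % 4)) % 4)
$roles = ($enc.GetString([Convert]::FromBase64String($payloadB64)) | ConvertFrom-Json).roles

"Application roles present in the token:"
$roles
$required = "Sites.FullControl.All", "Sites.Read.All", "Sites.ReadWrite.All", "TermStore.ReadWrite.All"
foreach ($r in $required) {
    if ($roles -notcontains $r) { Write-Warning "Missing $r - was admin consent granted in Step 3?" }
}
```

Run it on the NDC server under the account that will run Netwrix Data Classification: a failure to read the private key at that point means the store permissions from Step 1 are wrong, and an empty or incomplete roles list means the consent in Step 3 is missing, both of which are easier to diagnose here than from a failed crawl. The token is only decoded, not validated, because the script is inspecting a token it just obtained for itself.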