File Search Sharepoint Online Configuration


Note 1: File Search requires User Ingestion through the MSGraph API to map SharePoint user profiles to Moveworks user profiles, in order to mirror your SharePoint Access Controls (ACLs). If User Ingestion has not been set up previously, or if this is your first time integrating SharePoint for Search, please contact the Customer Success team for assistance with configuration.

Note 2: For Sharepoint Access requirements, Steps 1 and 2 describe separate sets of access that you have to provide to BOTH the Sharepoint Online REST API and the MSGraph API, due to our current implementation of the product.

1. Grant Per-Site Access to Sharepoint REST API

In this step, you will grant per-site access for each of the Sites that you wish to ingest, as our current implementation requires us to use the Sharepoint REST API to read the files from your Sites.

Provide Sharepoint per-Site Access

You will need an Azure app (Microsoft App ID) to assign the access. If you are also deploying Moveworks to Microsoft Teams, the same app can be used.


Note: In order to add this permission appropriately, you must be an administrator of both the Azure App and the SharePoint Site.

  1. Follow the PowerShell commands below to set SiteOwnerManageLegacyServicePrincipalEnabled to true.

    Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
    Update-Module -Name Microsoft.Online.SharePoint.PowerShell # Make sure the module is on version 16.0.23710.12000 or later
    Connect-SPOService -Url https://<domain>-admin.sharepoint.com # Replace <domain> with your Sharepoint domain
    Set-SPOTenant -DisableCustomAppAuthentication $false # Allows app-only (ACS) authentication tenant-wide; the per-site grants in this step depend on it
    Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true # Lets site owners register app principals via appinv.aspx
    
  2. For each sub-site the bot should have access to, navigate to: https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appinv.aspx.

  3. Put in the App Id of your App created in Azure and then click the Lookup button -- the Title field should auto populate.

  4. For App Domain, and RedirectURL, enter "localhost" as shown in the screenshot below.

  5. Enter the following XML as Permission Requests -- this grants Read Only access to the specific sub site.

    <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    </AppPermissionRequests>
    
  6. After clicking Create, you will be prompted to authenticate and confirm the install. Select Trust.

  7. You will need to do this for each sub site the bot should have access to and provide the list of sites you have authorized to your Moveworks Customer Success team.


Validating Moveworks access to the site

Note: At any point in the future, a SharePoint Site Admin can visit https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appprincipals.aspx to validate if Moveworks has access to the site.

If the permissions were granted correctly, you should see the Azure app listed like this.

2. Grant Moveworks Access to MSGraph API

In this step, you will grant scopes for Moveworks to enforce your file-level ACL permissions by ingesting your Sites, Files, Users, and Groups via the MSGraph API. This is used to enforce that users are only able to search for information from files that they already have access to. For more on the reasons for the scopes, see File Search - Respecting File Permissions.

You must grant your Moveworks bot Azure application the following four Application permissions over the MSGraph API to support this: Files.Read.All, Sites.Read.All, Group.Read.All, User.Read.All.

There are three different ways to do this depending on how your Moveworks bot is deployed:

If you are using the Microsoft AppSource Moveworks Teams Bot

We have updated the app with the requested scopes necessary for us to read your permissions data. One of your Azure admins simply needs to consent to these additional requested scopes.

  1. Navigate to the following URL, replacing <CUSTOMER_TENANT_ID> with the ID of the tenant to which you have installed the app, and click Accept:

    https://login.microsoftonline.com/<CUSTOMER_TENANT_ID>/adminconsent?client_id=b8ec4e1a-e05a-49d0-ba3a-05119b8b62c0&state=12345&redirect_uri=https://www.moveworks.com/msteamsd

If you are NOT using the Microsoft AppSource Moveworks Teams Bot and you ALREADY have a Moveworks Azure application

You will grant these permissions via the Azure admin portal by modifying your existing app.

  1. Go to your Microsoft Azure portal, and select Enterprise applications.

  2. Search for the application to which you’ll be granting the new permissions. Note down its Application ID (aka App Id).

  3. Navigate to this URL, replacing the end of the URL with your App Id: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/CallAnAPI/appId/{Application ID}

  4. This will bring you to the API Permissions page for that application. You may already see some permissions configured for this application, some of which may already be ones we need. In the image below, however, you’ll see this app only has User.Read, and that is not one of the four permissions we need, so we need to add all four.

  5. Click Add Permission.

  6. This will open a panel on the right side:

  7. Click on Microsoft Graph.

  8. Click on Application permissions.

  9. A search bar will appear.

  10. Search for the permissions you need to grant (noted above) and check the box for each.

  11. Once they’ve all been checked, click Add permissions.

  12. You’ll now see all the newly added permissions alongside any you previously had granted the app; however, the new ones will have a status of “Not granted for” your organization.

  13. To complete the process, click Grant admin consent for your organization.

  14. If this panel appears, click Yes, add other granted permissions to configured permissions then Save and continue, then Grant admin consent, and then Yes.

  15. You will see green checkmarks on the newly added permissions if this was successful.

If you are NOT using the Microsoft AppSource Moveworks Teams Bot and you DO NOT ALREADY have a Moveworks Azure application

You will be creating a new app in the Azure admin portal with these permissions.

  1. Follow this guide, completing all the steps up through and including “Provide the Credentials to the Moveworks Customer Success team” (but skipping the “Verify Azure Manifest” step).
    1. As you do this, when you reach the step titled “Add API Permissions” also add and grant consent for the permissions noted above (Files.Read.All, Sites.Read.All, Group.Read.All, User.Read.All).
    2. You will not need to worry about connecting this to Teams, so please disregard references to doing so.
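Whichever of the three paths above you followed, it is worth confirming that admin consent resulted in exactly the four required Graph application permissions and nothing broader. The script below is an added example, not part of Moveworks' documentation or tooling; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in reader holds at least Application.Read.All, and that the App Id passed in is your Moveworks Azure application's.

```powershell
# Added example (not Moveworks tooling): audit the Microsoft Graph application
# permissions actually consented for the Moveworks app and compare them with the
# four this guide requires. Needs the Microsoft.Graph PowerShell SDK and a
# signed-in reader with at least Application.Read.All.
function Test-MoveworksGraphPermissions {
    param(
        # App Id of your Moveworks Azure application (assumed; replace with yours)
        [Parameter(Mandatory)] [string] $AppId
    )
    $Required   = @('Files.Read.All', 'Sites.Read.All', 'Group.Read.All', 'User.Read.All')
    $GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

    Connect-MgGraph -Scopes 'Application.Read.All'

    # Service principal of the Moveworks app in your tenant, plus Graph's own
    $sp    = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    $graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    if (-not $sp) { throw "No service principal for appId $AppId; the app has not been consented in this tenant." }

    # Graph exposes its application permissions as app roles; map role GUID -> name
    $roleName = @{}
    foreach ($role in $graph.AppRoles) { $roleName[$role.Id] = $role.Value }

    # Admin-consented application permissions appear as app role assignments on Graph
    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object { $_.ResourceId -eq $graph.Id } |
        ForEach-Object { $roleName[$_.AppRoleId] } |
        Sort-Object -Unique

    $missing = @($Required | Where-Object { $_ -notin $granted })
    $extra   = @($granted  | Where-Object { $_ -notin $Required })

    Write-Host "Granted Graph application permissions: $($granted -join ', ')"
    if ($missing) { Write-Warning "Missing required permissions: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "Permissions beyond what File Search needs, review for least privilege: $($extra -join ', ')" }

    # Return a summary object so the check can be scripted or scheduled
    [pscustomobject]@{ Granted = $granted; Missing = $missing; Extra = $extra; Ok = (-not $missing -and -not $extra) }
}

# Usage: Test-MoveworksGraphPermissions -AppId '<YOUR_APP_ID>'
```

For the AppSource Teams Bot, pass the App Id given in Step 3 (b8ec4e1a-e05a-49d0-ba3a-05119b8b62c0); delegated permissions such as User.Read are not app role assignments and will not appear in the output.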

3. Get App ID and Create Connectors in MW Setup (Coming Soon)

In this step, you will create a Connector in your Moveworks Self-Serve portal, using the credentials that you have configured above. If you have not been granted access to Moveworks Setup, please provide your credentials to your Customer Success team, who will help you create your Connectors and configure your File Ingestions, akin to the following steps.

Get App ID

If you have a Microsoft Teams App Store Bot, use the App ID for Microsoft Team App Store Chatbot for Moveworks: b8ec4e1a-e05a-49d0-ba3a-05119b8b62c0, and proceed with the Sharepoint Online Access Requirements below.

If you don’t have a Moveworks Teams App Store Chatbot, but do have a Teams Bot with an AzureBot/Bot Channel Registration in your own tenant, then go to portal.azure.com to find the App ID, and then proceed with the Sharepoint Online Access Requirements below.

If you use Slack, or another Chat platform, and have never set up a Microsoft Teams Chatbot for Moveworks, then follow these steps to set up a Microsoft App Registration first: https://help.moveworks.com/docs/creating-a-microsoft-app-registration-for-moveworks.

Create Two Connectors: One MSGraph Connector and One Sharepoint Online Connector


  1. Configure one of each of the following connectors, as both will be required for File Search
  2. Start by navigating to the Connector module in your Self Serve portal.
  3. If you have not already, create the MSGraph Connector
    1. Use OAuth2, select Client Credentials, and enter your Client ID, Client Secret, and Tenant ID
  4. If you have not already, find the Sharepoint Online Connector
    1. If you are using App Store Auth, enter your Tenant ID
    2. If you are using OAuth2, select Client Credentials, and enter your Client ID, Client Secret, and Tenant ID

4. Configure File Ingestions in Moveworks Setup (Coming Soon)

In this step, you will soon be able to configure the File Ingestions in Moveworks Self-Serve, using the Connector you have created above. Until then, your Customer Success team will help you configure your File Ingestions.

  1. Navigate to the Enterprise Search → Answers → Ingestion → Files module.

  2. Select the Sharepoint_Online Connector and Name your File ingestion config.

  3. You must also select a second connector, the MS_Graph Connector, for Sharepoint Online File Ingestion.

    1. (Optional) Select the refresh rate at which we ingest and enforce your ACL permissions – the default rate is 1 hour, the fastest interval that we currently support.
  4. Continue to the Ingestion Details page and Specify each Site.

    1. From the list of sites that you have granted us access to in Step 2 above, specify each Site.

      1. Please double check that each Site has been granted the access in Step 2.
        1. If you are using Sites.Selected in Step 3, please double check that you have properly granted MSGraph access for the Site.
      2. Please double check that you have entered each SiteName correctly.
        1. For example, if the URL of your site is https://tenant.sharepoint.com/sites/sitename, enter the site name exactly as it appears in the URL into your File Ingestion.
          1. You can select the option to crawl through all nested resources within the Site you inputted.
          2. You can also specify specific paths within the Sites, by using the Library Configs action. Please specify the path of the file, separating nested Site names in the following format, //.
  5. Save the File Ingestions and continue on next steps in the original guide: File Search Self-Serve – Configuration Guide.

5. Continue to launch File Search to your employees (if not already)

  1. Refer back to the main File Search Self-Serve guide: File Search Self-Serve Configuration.