SharePoint Online Access Requirements
SharePoint Online Access Needs
SharePoint Access (per-Site basis)
The following steps grant Moveworks read access to the specific site(s) that need to be ingested.
You will need an Azure App (Microsoft Entra ID) to assign the access. If you do not have one, please follow the instructions here to create one. Make sure to add the Sites.Read.All permission and set it to Application type.
If you are also deploying Moveworks to Microsoft Teams (either via the App Store, Non-App Store or GCCH methods) the same application can be used.
Note: In order to add this permission appropriately, you must be an administrator of both the Azure App and the SharePoint Site.
- Follow the PowerShell commands below to set SiteOwnerManageLegacyServicePrincipalEnabled to true. Please ensure you are using the SharePoint Online Management Shell.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
Update-Module -Name Microsoft.Online.SharePoint.PowerShell # Make sure the module is on version 16.0.23710.12000 or later
Connect-SPOService -Url https://<domain>-admin.sharepoint.com # Replace domain with your Sharepoint domain
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
- For each sub-site the bot should have access to, navigate to:
https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appinv.aspx
- Put in the App Id of your App created in Azure and then click the Lookup button -- the Title field should auto populate.
- For App Domain enter localhost, and for RedirectURL enter https://localhost.com as shown in the screenshot below
- Enter the following XML as Permission Requests -- this grants Read Only access to the specific sub site.
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>
- After clicking Create, you will be prompted to authenticate & confirm the install. Select Trust.
- You will need to do this for each sub site the bot should have access to and provide the list of sites you have authorized to your Moveworks Customer Success team.
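As an added example (not Moveworks or Microsoft code), the PowerShell below checks the permission XML against the scope and right given on this page before it is pasted into appinv.aspx, and builds the per-site grant and verification URLs for the list of authorized sites. The function names, the tenant `contoso` and the site names are hypothetical, and the second XML sample is constructed.

```powershell
# Added example, not Moveworks code. Tenant and site names below are constructed.
$ExpectedScope = 'http://sharepoint/content/sitecollection/web'   # scope from this page
$ExpectedRight = 'Read'                                           # right from this page

function Test-AppPermissionXml {
    param([Parameter(Mandatory)][string]$Xml)
    try { $doc = [xml]$Xml } catch { return "XML does not parse: $($_.Exception.Message)" }
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'AppPermissionRequests') {
        return "Unexpected root element '$($root.LocalName)'"
    }
    $findings = @()
    if ($root.GetAttribute('AllowAppOnlyPolicy') -ne 'true') {
        $findings += 'AllowAppOnlyPolicy is not "true" as on this page'
    }
    $requests = @($root.SelectNodes('*[local-name()="AppPermissionRequest"]'))
    if ($requests.Count -eq 0) { $findings += 'No AppPermissionRequest element found' }
    foreach ($r in $requests) {
        $scope = $r.GetAttribute('Scope'); $right = $r.GetAttribute('Right')
        if ($scope -cne $ExpectedScope) { $findings += "Scope '$scope' is not the per-site web scope" }
        if ($right -cne $ExpectedRight) { $findings += "Right '$right' is not Read" }
    }
    $findings   # one string per problem; nothing is emitted when the XML matches
}

function Get-SiteGrantChecklist {
    param([Parameter(Mandatory)][string]$Tenant, [Parameter(Mandatory)][string[]]$SiteNames)
    foreach ($site in $SiteNames) {
        $base = "https://${Tenant}.sharepoint.com/sites/${site}/_layouts/15"
        [pscustomobject]@{ Site = $site; Grant = "$base/appinv.aspx"; Verify = "$base/appprincipals.aspx" }
    }
}

# The XML from this page, and a constructed variant with a wider scope and right.
$pageXml = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>
'@
$wideXml = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write"/>
</AppPermissionRequests>
'@

"Page XML findings: $(@(Test-AppPermissionXml $pageXml).Count)"
Test-AppPermissionXml $wideXml | ForEach-Object { "Wide XML: $_" }
Get-SiteGrantChecklist -Tenant 'contoso' -SiteNames 'hr-kb', 'it-help' | Format-List
```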
Validating Moveworks Access to the site
Note: At any point in the future, a SharePoint Site Admin can visit https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appprincipals.aspx to validate if Moveworks has access to the site.
If the permissions were granted correctly, you should see the Azure app listed like this.
FAQ
Q: I am seeing the following error:
A: Recently, Microsoft implemented some enhanced security settings for better governance of the SharePoint platform (Details here). If you see the error above, run the PowerShell commands below to resolve the issue and properly grant permissions to SharePoint:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
Update-Module -Name Microsoft.Online.SharePoint.PowerShell # Make sure the module is on version 16.0.23710.12000 or later
Connect-SPOService -Url https://<domain>-admin.sharepoint.com # Replace domain with your Sharepoint domain
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
Once the commands above are run and the SiteOwnerManageLegacyServicePrincipalEnabled property is set to true, your SharePoint admin can proceed with the steps outlined above.