SharePoint Online Access Requirements

SharePoint Online Access Needs

SharePoint Access (per-site basis)

The following steps grant Moveworks read access to the specific site(s) that need to be ingested.

You will need an Azure app (Microsoft Entra ID) to assign the access.

If you do not have one, please follow the instructions here to create one.

If you are also deploying Moveworks to Microsoft Teams, the same app can be used.

📘

Note: In order to add this permission appropriately, you must be an administrator of both the Azure App and the SharePoint Site.

  1. Run the PowerShell commands below to set SiteOwnerManageLegacyServicePrincipalEnabled to true.

         Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
         Update-Module -Name Microsoft.Online.SharePoint.PowerShell # Make sure the module is on version 16.0.23710.12000 or later
         Connect-SPOService -Url https://<domain>-admin.sharepoint.com # Replace <domain> with your SharePoint domain
         Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

  2. For each sub-site the bot should have access to, navigate to: https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appinv.aspx
  3. Enter the App Id of the app you created in Azure, then click the Lookup button; the Title field should auto-populate.
  4. For App Domain and RedirectURL, enter localhost as shown in the screenshot below.
  5. Enter the following XML as Permission Requests; this grants read-only access to the specific sub-site.

         <AppPermissionRequests AllowAppOnlyPolicy="true">
         <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
         </AppPermissionRequests>

  6. After clicking Create, you will be prompted to authenticate and confirm the install. Select Trust.
  7. Repeat this for each sub-site the bot should have access to, and provide the list of sites you have authorized to your Moveworks Customer Success team.
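The following is an added example, not part of the Moveworks documentation: a pre-flight check that a permission request is exactly the read-only, per-site request shown above before it is pasted into appinv.aspx, plus a helper that builds the grant and verification URLs for each site. The function names and the sample values `contoso`, `hr` and `it-help` are hypothetical.

```powershell
# Added example, not Moveworks or Microsoft code. Function names are hypothetical.
function Test-ReadOnlyPermissionRequest {
    param([Parameter(Mandatory)][string]$PermissionXml)
    $allowedScope = 'http://sharepoint/content/sitecollection/web'
    try { $doc = [xml]$PermissionXml }
    catch { return @('Permission request is not well-formed XML') }

    $root = $doc.DocumentElement
    if ($root.LocalName -cne 'AppPermissionRequests') {
        return @("Unexpected root element '$($root.LocalName)'")
    }
    $findings = @()
    if ($root.GetAttribute('AllowAppOnlyPolicy') -cne 'true') {
        $findings += 'AllowAppOnlyPolicy is not "true" as in the documented request'
    }
    $requests = @($root.SelectNodes("*[local-name()='AppPermissionRequest']"))
    if ($requests.Count -eq 0) { $findings += 'No AppPermissionRequest element found' }
    foreach ($r in $requests) {
        # -cne compares case-sensitively against the exact strings from the page
        if ($r.GetAttribute('Scope') -cne $allowedScope) {
            $findings += "Scope '$($r.GetAttribute('Scope'))' is not the per-site web scope"
        }
        if ($r.GetAttribute('Right') -cne 'Read') {
            $findings += "Right '$($r.GetAttribute('Right'))' is not Read"
        }
    }
    return $findings
}

function Get-SitePermissionUrl {
    param([Parameter(Mandatory)][string]$TenantName,
          [Parameter(Mandatory)][string[]]$SiteName)
    foreach ($site in $SiteName) {
        $base = "https://${TenantName}.sharepoint.com/sites/${site}/_layouts/15"
        [pscustomobject]@{ Site = $site; Grant = "$base/appinv.aspx"; Verify = "$base/appprincipals.aspx" }
    }
}

# Constructed inputs: the request from the page and a deliberately over-broad variant.
$documented = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>
'@
$overBroad = $documented -replace 'Right="Read"', 'Right="FullControl"'

"Documented request findings: $(@(Test-ReadOnlyPermissionRequest $documented).Count)"
Test-ReadOnlyPermissionRequest $overBroad
Get-SitePermissionUrl -TenantName 'contoso' -SiteName 'hr', 'it-help' | Format-List
```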

📘

Validating Moveworks Access to the site

Note: At any point in the future, a SharePoint Site Admin can visit https://<tenant_name>.sharepoint.com/sites/<sub_site_name>/_layouts/15/appprincipals.aspx to validate if Moveworks has access to the site.

If the permissions were granted correctly, you should see the Azure app listed like this.

FAQ

Q: I am seeing the following error:

A: Recently, Microsoft implemented some enhanced security settings for better governance of the SharePoint platform (Details here). If you see the error above, run the PowerShell commands below to resolve the issue and properly grant permissions to SharePoint:

    Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
    Update-Module -Name Microsoft.Online.SharePoint.PowerShell # Make sure the module is on version 16.0.23710.12000 or later
    Connect-SPOService -Url https://<domain>-admin.sharepoint.com # Replace <domain> with your SharePoint domain
    Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

Once the commands above have been run and the SiteOwnerManageLegacyServicePrincipalEnabled property is set to true, your SharePoint admin can proceed with the steps outlined above.