
Create Entra ID Application

To successfully connect to Microsoft SharePoint Online using the tenantId and clientId parameters in the storage.yaml, an application must be registered in Microsoft Entra ID (formerly Azure AD). This application carries the API permissions for both the runtime configuration (app-only access with a certificate) and the data model deployment (interactive login).

info

The outcome of this chapter is to obtain the necessary values from the created app to continue with the configuration or data model deployment.

Create new Entra ID Application

Follow the steps below to create and configure a new Microsoft Entra ID application to work with aqishare.

  1. Log in to Microsoft Entra ID.

  2. Navigate to Identity -> Applications -> App registrations. Alternatively, you can enter "App registrations" into the global search bar to quickly locate the section.

  3. Create a new app using the New registration button:

    MS Entra ID Create: Step 1

  4. Choose a name for the app, such as SAPIntegration, and select the supported account types based on your requirements:

    MS Entra ID Create: Step 2

  5. The application has been created, and you are now on the application's overview page:

    MS Entra ID Create: Step 3

Upload Certificate

To authenticate aqishare through this app against SharePoint, a certificate is required. Only the public key (the .cer file) is uploaded to the newly created app; the private key stays on the system that runs aqishare and must never be uploaded or shared.

info

The creation of the certificate is not covered in this documentation; the certificate must already be available. If you do not have one yet, you can follow, for example, the instructions at https://go.spflow.com/auth/strategies/azure-certificate-auth to create a self-signed certificate that can be used.

  1. Navigate to Certificates & secrets to upload the certificate (public key) to the app:

    MS Entra ID Certificates: Upload Certificate

  2. Once added, it should appear as shown in the following screenshot:

    MS Entra ID Certificates: Overview Certificate
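As an added example (not part of the aqishare documentation or product), the following PowerShell creates a self-signed certificate suitable for the upload above and splits it into the public part for Entra ID and the private part for the aqishare runtime. The subject name, output directory and validity period are assumptions; adjust them to your environment.

```powershell
# Added example: self-signed certificate for the SAPIntegration app registration.
# Subject, directory and validity are illustrative assumptions.
$subject = "CN=aqishare-SAPIntegration"
$outDir  = "C:\aqishare\certs"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The key pair is generated in the current user's certificate store.
# -KeySpec Signature: the app only signs client assertions, it never encrypts.
# -KeyExportPolicy Exportable: needed once, to move the private key to the runtime host.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeySpec Signature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Public key only (.cer, DER). This is the file to upload under Certificates & secrets.
Export-Certificate -Cert $cert -FilePath "$outDir\SAPIntegration.cer" | Out-Null

# Private key (.pfx, password protected). Stays with the aqishare runtime; do not upload.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for the PFX file"
Export-PfxCertificate -Cert $cert -FilePath "$outDir\SAPIntegration.pfx" -Password $pfxPassword | Out-Null

# The thumbprint is what you will see in the portal after the upload,
# and the expiry date is what you need to track for rotation.
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
```

After the upload, compare the thumbprint shown in the Certificates & secrets blade with the value printed here; a mismatch means the wrong file was uploaded. Note the expiry date somewhere you will see it: an expired certificate stops app-only authentication without any change on the SharePoint side.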

Add API Permissions

Configure the necessary API permissions required by the application. The following table provides an overview of the required permissions along with their description.

Permission            API         Type         Description
Sites.Manage.All      SharePoint  Application  aqishare requires this permission to run in the background (no signed-in user) to create, update, or delete documents stored from the SAP system, as well as to create or delete folders in the lists.
AllSites.FullControl  SharePoint  Delegated    Used by the interactive login when the data model is deployed with PnP PowerShell (see "Add Redirect URI" below); it acts on behalf of the signed-in administrator performing the deployment.

To add the permissions, follow these steps:

  1. Navigate to the API permissions menu of the newly created SAPIntegration app.

    note

By default, a new application registration automatically receives the User.Read permission of the Microsoft Graph API. This is a delegated permission acting on behalf of a signed-in user and is not used by aqishare -> Remove this permission! Permissions the app does not need only widen what it could do if its certificate were ever compromised.

MS Entra ID API: API Permissions 1

Click Add a permission, choose Microsoft SharePoint, then click Application permissions and search for Sites. Under the Sites section select the Sites.Manage.All permission and add it:

MS Entra ID API: API Permissions 2

Again, click Add a permission and choose Microsoft SharePoint, but this time select Delegated permissions and add the AllSites.FullControl permission:

MS Entra ID API: API Permissions 3

The required permissions have been added.

Now, you must grant admin consent for your tenant to the app. Admin consent is essential for application permissions because they are not bound to any signed-in user and apply to the whole organization: Sites.Manage.All lets the app act on every site collection in the tenant. For that reason only an administrator can approve such permissions, and no user can consent to them individually.

Click on Grant admin consent for <your tenant> and approve the grant. If the consent has been successfully granted, the Status column shows a green check mark for each permission, as in the following screenshot:

MS Entra ID API: API Permissions 3

All required API permissions have been successfully set up and granted.

Add Redirect URI

To deploy the data model to SharePoint via PnP PowerShell, you must add a redirect URI (also known as a Reply URL) with the value http://localhost in the Authentication section of the application. The interactive login flow in PnP PowerShell opens a browser and listens on a loopback address on the machine performing the deployment; Entra ID sends the authentication response to that address, where PnP PowerShell picks it up locally. Entra ID only redirects to URIs registered on the app, so without this configuration the deployment login cannot complete. Plain http is acceptable here only because the loopback address never leaves the deployment machine.

  1. Navigate to the Authentication menu of the application to add a new platform for Mobile and desktop applications.

    MS Entra ID Authentication: Authentication 1

  2. Now, enter the value http://localhost in the Custom redirect URIs field and click "Configure".

    MS Entra ID Authentication: Authentication 2
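The portal steps from "Create new Entra ID Application" through "Add Redirect URI" can also be scripted. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of aqishare or its documentation. It assumes the Microsoft.Graph module is installed, that you sign in as an administrator who may register applications and grant admin consent, and that the public certificate file SAPIntegration.cer already exists (the path and app name are assumptions). Permission IDs are resolved by name from the SharePoint Online service principal rather than hard-coded.

```powershell
# Added example: script the app registration for aqishare with Microsoft Graph PowerShell.
# App name, certificate path and the operator's rights are assumptions.
$appName  = "SAPIntegration"
$certPath = "C:\aqishare\certs\SAPIntegration.cer"

$scopes = @(
    "Application.ReadWrite.All",            # create the app registration and service principal
    "AppRoleAssignment.ReadWrite.All",      # admin consent for the application permission
    "DelegatedPermissionGrant.ReadWrite.All" # admin consent for the delegated permission
)
Connect-MgGraph -Scopes $scopes

# The SharePoint Online resource (well-known app ID "Office 365 SharePoint Online").
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"
$spoSp = Get-MgServicePrincipal -Filter "appId eq '$spoAppId'"

# Look up the two permissions by their value so no GUIDs are hard-coded.
$appRole = $spoSp.AppRoles               | Where-Object Value -eq "Sites.Manage.All"      # Application
$scope   = $spoSp.Oauth2PermissionScopes | Where-Object Value -eq "AllSites.FullControl"  # Delegated
if (-not $appRole -or -not $scope) { throw "SharePoint permissions not found on the resource service principal." }

# Public key to register on the app. Only the .cer (no private key) is read here.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)

# Single-tenant registration ("Accounts in this organizational directory only"),
# the two SharePoint permissions, the loopback redirect URI for PnP PowerShell,
# and the certificate. Unlike the portal, this path does not add User.Read by default.
$app = New-MgApplication -DisplayName $appName -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $spoAppId
        ResourceAccess = @(
            @{ Id = $appRole.Id; Type = "Role"  }
            @{ Id = $scope.Id;   Type = "Scope" }
        )
    }) `
    -PublicClient @{ RedirectUris = @("http://localhost") } `
    -KeyCredentials @(@{
        Type        = "AsymmetricX509Cert"
        Usage       = "Verify"
        Key         = $cert.RawData
        DisplayName = "aqishare runtime certificate"
    })

# Consent is recorded on the enterprise application (service principal), so create it.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Admin consent for the application permission: an app-role assignment on the SPO resource.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $spoSp.Id -AppRoleId $appRole.Id | Out-Null

# Admin consent for the delegated permission: a tenant-wide OAuth2 permission grant.
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
    -ResourceId $spoSp.Id -Scope $scope.Value | Out-Null

# The two values needed in storage.yaml.
"clientId: $($app.AppId)"
"tenantId: $((Get-MgContext).TenantId)"
```

Open the new registration in the portal afterwards and check that API permissions shows exactly the two SharePoint entries with admin consent granted, that Certificates & secrets lists the expected thumbprint, and that Authentication shows http://localhost under Mobile and desktop applications. If you created the registration in the portal instead, the same script's lookup of $spoSp is a quick way to confirm the permission names before clicking through the dialogs.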

Retrieving Authentication Values

To continue the configuration of the related storage.yaml for connecting and authenticating aqishare to SharePoint, you will need two values from the Microsoft Entra ID application you created above. Both are shown on the application's overview page. Refer to the following mapping table and the screenshot below.

Microsoft Entra ID Application Overview Page   Corresponding Parameter in storage.yaml
Application (client) ID                        clientId
Directory (tenant) ID                          tenantId

MS Entra ID Overview: Get Values
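Before editing storage.yaml it is worth confirming that both authentication paths the registration was set up for actually work. The following PnP PowerShell session is an added example, not part of the aqishare documentation; the site URL, the certificate path and the placeholder IDs are assumptions to be replaced with the values from the overview page.

```powershell
# Added example: verify the registration with PnP PowerShell using the values
# from the overview page. Site URL, PFX path and the placeholder IDs are assumptions.
$clientId = "<Application (client) ID>"
$tenantId = "<Directory (tenant) ID>"
$siteUrl  = "https://contoso.sharepoint.com/sites/sapintegration"

# 1) Deployment path: interactive login. The browser is redirected to
#    http://localhost, and the session runs under the delegated AllSites.FullControl
#    permission on behalf of the signed-in administrator.
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Interactive
Get-PnPConnection | Select-Object ConnectionType, Url
Disconnect-PnPOnline

# 2) Runtime path: app-only with the certificate, no user involved. This is how
#    aqishare itself authenticates and exercises the application permission
#    Sites.Manage.All that was granted admin consent.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for the PFX file"
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenantId `
    -CertificatePath "C:\aqishare\certs\SAPIntegration.pfx" `
    -CertificatePassword $pfxPassword

# Creating and removing a folder is exactly the kind of operation Sites.Manage.All
# was granted for; if it fails with 401/403, consent or the certificate is wrong.
Add-PnPFolder -Name "aqishare-smoketest" -Folder "Shared Documents" | Out-Null
Remove-PnPFolder -Name "aqishare-smoketest" -Folder "Shared Documents" -Force
Disconnect-PnPOnline
```

A 401 on the app-only connection usually means the certificate in the .pfx does not match the public key uploaded to the app or the certificate has expired; a 403 on the folder operations means admin consent for Sites.Manage.All has not been granted. An error about the reply URL on the interactive connection means the http://localhost redirect URI from the previous section is missing.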