How to Use Certificates to Authenticate with SharePoint Online

This article describes how to use certificates instead of client secrets for scanning SharePoint Online, as many APIs no longer accept client secrets.

Before You Start

Note that Spirion is capable of scanning most SharePoint Online (O365) items, but there are limitations. See below.

  • Spirion can scan:
    • Document Libraries
    • Tasks
    • Calendars
    • Contacts
  • Spirion cannot scan:
    • Templates
    • Yeoman
    • Add-Ins 
    • InfoPath Forms
    • Form Libraries
    • Events
    • Web Parts

Overview

Spirion recommends you use certificates instead of client secrets to authenticate SharePoint Online with Spirion Sensitive Data Platform, as many APIs no longer accept client secrets.

Procedure Overview

Perform the following high-level actions to use the certificate method to authenticate SharePoint Online sites in Spirion Sensitive Data Platform:

  1. Create Certificate Pair with PowerShell Script
  2. Create an Azure App Registration
  3. Record Application ID and Tenant ID
  4. Apply SharePoint API Permissions
  5. Create and Configure a SharePoint Online Target in Spirion Sensitive Data Platform.

How to Create a Certificate Pair using a PowerShell Script

The following PowerShell script creates a self-signed certificate pair (a public .cer file and a password-protected .pfx file) for use as the credential during Azure App Registration.

The files are created on the user's desktop.

Note: Replace the password (p@ssword) in the script code below with your own, and record it for use later in this process.

$certname = "AzureSSCert" ## Replace {certificateName}
$DesktopPath = [Environment]::GetFolderPath("Desktop")
## Create an exportable RSA 2048 signing certificate in the current user's personal store
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
## Public certificate (.cer): this is the file uploaded to the Azure app registration
Export-Certificate -Cert $cert -FilePath "$($DesktopPath)\$certname.cer" ## Specify your preferred location
$mypwd = ConvertTo-SecureString -String "p@ssword" -Force -AsPlainText ## Replace {myPassword}
## Private key bundle (.pfx): this is the file uploaded to the Spirion target, together with the password
Export-PfxCertificate -Cert $cert -FilePath "$($DesktopPath)\SDPSScert.pfx" -Password $mypwd ## Specify your preferred location
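The following check is an added example and is not part of the Spirion article: it confirms that the .cer file you upload to Azure and the .pfx file you upload to the Spirion target describe the same key pair, and that the key meets the parameters the script above requests. File names and the desktop location follow the article; the function name and its PfxPassword parameter are assumptions of this example.

```powershell
# Added example (not the article's own script): verify the exported certificate pair before uploading.
function Test-SharePointCertPair {
    param(
        [string]$CerPath = (Join-Path ([Environment]::GetFolderPath("Desktop")) "AzureSSCert.cer"),
        [string]$PfxPath = (Join-Path ([Environment]::GetFolderPath("Desktop")) "SDPSScert.pfx"),
        [Parameter(Mandatory)][securestring]$PfxPassword   # the password chosen when the .pfx was exported
    )

    # Public half: the file uploaded under "Certificates & secrets" on the Azure app registration.
    $public  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    # Private half: the file uploaded to the Spirion SharePoint target together with its password.
    $private = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($private)

    [pscustomobject][ordered]@{
        # Azure identifies the credential by thumbprint, so both files must carry the same certificate.
        ThumbprintsMatch     = ($public.Thumbprint -eq $private.Thumbprint)
        # Without the private key the scanner cannot sign its token requests to Azure AD.
        PfxHasPrivateKey     = $private.HasPrivateKey
        # Parameters requested by the article's script: RSA 2048 signed with SHA-256
        # ('sha256RSA' is the Windows friendly name of the signature algorithm).
        KeyIsRsa2048         = ($null -ne $rsa -and $rsa.KeySize -eq 2048)
        SignatureIsSha256Rsa = ($private.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
        # New-SelfSignedCertificate defaults to one year of validity; scans stop working once it expires.
        NotExpired           = ($private.NotAfter -gt (Get-Date))
        ExpiresOn            = $private.NotAfter
    }
}

# Usage: prompts for the .pfx password and prints one row of True/False results.
Test-SharePointCertPair -PfxPassword (Read-Host -AsSecureString -Prompt "PFX password")
```

Any False value means the pair should be regenerated before proceeding with the app registration; note the ExpiresOn date so the certificate can be rotated before SharePoint scans start failing.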

How to Create an Azure Application Registration

Use the following steps to create an Azure application registration:

  1. Navigate to the Azure Portal and sign-in.
  2. From Azure Services, on the left side menu, expand the "Manage" section and select App registrations.
  3. Click the + New registration link at the top of the page.
    1. This generates an application (client) ID to use as the Identity Provider ID when you create a SharePoint Target in the Spirion Sensitive Data Platform console.

      [Screenshot: Azure App Registrations - Manage - App registrations - Owned applications]
  4. Click the "Add a certificate or secret" link under "Client Credentials" on the right side of the window.
    1. Upload the certificate file (AzureSSCert.cer in our example).

  5. Record the Application (client) ID and the Directory (tenant) ID from their respective fields.

  6. From the left side navigation menu, expand the "Manage" section and select API permissions for your new app registration.

  7. Select the + Add a permission link under the "Configured permissions" section.
  8. Add the following permission for the SharePoint API:
    1. Application permissions: Sites.FullControl.All (see the image below).

[Screenshot: Request API permissions - SharePoint - Application Permissions]

How to Create a SharePoint Online Target in Spirion Sensitive Data Platform Console

Use the following steps to authenticate SharePoint sites in the Spirion Sensitive Data Platform console:

  1. Within Spirion Sensitive Data Platform, from the left side navigation menu, navigate to Data Asset Inventory > Data Assets and Targets.
  2. The "Data Assets and Targets" page opens.
  3. Select the TARGETS tab at the top of the page.
  4. Select the blue Actions button in the top right corner of the page and select Add Target from the sub-menu that appears.
  5. The "Add New Target" window opens.
  6. Enter the Target Name in the "Target Name" field and select Collaboration Tools in the pop-up dialog.
  7. Select the "SharePoint/SharePoint Online" tile.

  8. Enter the appropriate information in the fields below.

    [Screenshot: Add New SharePoint Target window]
    1. Address: Enter the URL for the site you wish to scan
    2. Password: Enter the password used when creating the certificates
    3. Identity Provider ID: Enter the Application (client) ID
    4. Tenant: Enter the Directory (tenant) ID
    5. Certificate File: Upload your cert file (SDPSScert.pfx in our example)
  9. There is no need to select any SSL or TLS settings (checkboxes), as these are applied automatically.
  10. Click the Save button at the bottom of the page.
