Skip to main content

How to set up an App Registration & SharePoint File Share

Permanently deleted user
Updated

Summary

This article is for IT Personnel.

What follows are instructions for setting up a CityLaw/CountyLaw NG (CLNG) File Share in a SharePoint Site that exists within your Microsoft 365 organization.

Here is an outline of the process:

  1. Create an Azure App Registration for CLNG.
  2. Grant necessary Permissions to the Azure App Registration.
  3. Create the SharePoint Site to serve as the File Share.
  4. Grant the CLNG App Registration access to the SharePoint Site.
  5. Send Cycom the App Registration and SharePoint Site connection info.

What you will need

  1. The URL of your organization's deployment of CLNG (provided by Cycom).
  2. Access to your organization's Microsoft 365 Azure Portal and permissions to create Entra ID App Registrations and SharePoint Sites. (If you are an Administrator of your Microsoft 365 Account then you have sufficient permissions.)

Create the Azure App Registration

Navigate to the Azure Portal (https://portal.azure.com). Sign in with your Microsoft 365 credentials and select Microsoft Entra ID (formerly Azure Active Directory).

 

 
In the left-hand navigation, select "App registrations" (under the "Manage" heading).
 
 
(You will see your organization's name at the top-left instead of "Cycom Data Systems".)
Select "New registration".
 
 
In the "Register an application" view:
  1. Name the new App Registration (e.g. "CityLaw NG (Production)").
  2. Select the Single Tenant radio button under "Supported account types".
  3. Under "Redirect URI", enter the URL of the CLNG deployment as a Web URI. We will add more redirect URIs later.
  4. Select "Register".

 

⭐ Copy the Directory (Tenant) ID

On the "Overview" page, copy the value of "Directory (Tenant) ID". Later, you will provide Cycom with this value so that your deployment of CLNG knows which Azure Entra ID Tenant to connect to.
 
⭐ Copy the Application (Client) ID
On the "Overview" page, copy the value of "Application (client) ID". Later, you will provide Cycom with this value so that your deployment of CLNG can identify itself to your organization's Entry ID tenant.
 

Add additional redirect URIs

In the left-hand navigation, select "Authentication" (under the "Manage" heading).

Using the CLNG URL provided by Cycom, add this Web Redirect URI: 

https://{Your_CLNG_URL}/home/modules/assignments/attachments

❗ Remember to replace "{Your_CLNG_URL}" with the URL provided by Cycom.


 

Enable ID Tokens

On the same page ("Authentication"), scroll down to the "Implicit grant and hybrid flows" heading and select the ID Tokens checkbox.

❗ Press "Save" to save these changes.

 

Create a Client Secret

Select "Certificates & secrets" from the left-hand navigation (under the "Manage" heading), then select the "Client secrets" tab.

 
Select "New client secret".
 
In the "Add a client secret" panel, enter a name for the new client secret and select an expiry in accordance with your organization's security policies.
 
 
❗ When this Client Secret expires, you will need to generate a new one and provide it to Cycom. CLNG requires a valid Client Secret to allow your users to work with files in your SharePoint File Share.
 
Press "Add" to create the new client secret.
 
⭐ Copy the Client Secret
Copy the value of the client secret. You will provide Cycom with this value so that your deployment of CLNG can be authorized to access your CLNG SharePoint File Share, which we will create later.
 
 

Grant Permissions to the App Registration

In the left-hand navigation select "API Permissions" (under the "Manage" header). You should see the User.Read delegated permission granted by default.

 

Select "Add a permission".
In the "Request API permissions" panel select the "Microsoft Graph" card.
 
 
Select the "Application permissions" card.
 
 
In the search box below the "Select permissions" heading, enter Sites. and select the Sites.Selected and Sites.ReadWrite.All checkboxes. Then enter Mail.ReadWrite and select the Mail.ReadWrite checkbox. Finally, press "Add permissions" to add the selected to permissions to the App Registration.
 
 
 
Note on Permissions
The Sites.Selected permission authorizes CLNG to read from and write to the SharePoint Site's Document Library, and the Sites.ReadWrite.All permission authorizes CLNG to create "open" links, so authenticated users can open files within CLNG on those Matters to which they have access.
 

Grant Admin Consent

Note that Admin consent has not yet been granted for your organization. To grant consent, press the button above the permissions table labeled "Grant admin consent...".

You will see a pop-up confirmation. Press "Yes" to grant consent.

 

 

The status of the permissions should then change to "Granted":

 

Your CLNG Azure App Registration is now configured!

⭐ Provide Cycom with the Application (Client) ID and Client Secret you copied earlier. Next, we will create the SharePoint site that will serve as your CLNG File Share.

 

Create the SharePoint Site

Sign in to your Microsoft 365 tenant and navigate to your SharePoint site list.

 

At the top-left, select "Create site".

 

 

Select the "Team site" type.

 

 

Select the "Standard team" template. (This site will not be accessed from the browser, so the template is not important.)

 

 

Press the "Use template" button to continue.

 

 

Name the SharePoint site and provide a description if desired.

 

 

Verify that the "Privacy settings" dropdown is set to "Private" and press "Create site".

 

❗ Important

The CLNG File Share should never be modified directly by users, therefore it should remain private, and no member should be granted access to it.
CLNG is granted access to the SharePoint File Share via the Azure App Registration you created above, and CLNG controls end-user access to the contents of the SharePoint File Share.
 
 
 
The "Finish" button will be disabled while Microsoft builds your SharePoint site.
 
❗ Important
Do not add members to the CLNG SharePoint File Share. Only CLNG and your Microsoft 365 tenant administrators should have direct access. The CLNG SharePoint site should not be manually modified.
 
 
Once the site has been built, press "Finish".
 
Your SharePoint site is now configured!
 
Note that it may take some time for your new SharePoint site to appear in the list of sites, and that it will only be visible to your Microsoft 365 tenant Administrators.
 

Grant the CLNG App Registration access to the SharePoint Site

Now that we have both the Azure App Registration and the SharePoint Site created and configured, we need to grant the App Registration access to the SharePoint site.
 
Currently the only way to do this is via the Microsoft Graph API. It cannot be done within the SharePoint UI or Azure portal. The easiest way to work with the Microsoft Graph API is via Graph Explorer.
 

Grant Consent to Modify Permissions

Before you can modify the permissions granted to your Azure App Registration, you will need to authorize Microsoft Graph Explorer to make the changes on your behalf.
 
Open a browser and navigate to Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer/).
 
At the top-right corner, press the user icon and sign in to the same Microsoft 365 account with which you created the Azure App Registration.
 
 
Once you have signed in, select your profile photo at the top-right corner (where the user icon was before you signed in) and in the profile card that appears, select the "Consent to permissions" link.
 
The Permissions panel will appear. In the search box, enter "Sites". You should see the Sites.FullControl.All permission in the list.
 
 
Press the "Consent" button to grant the permission. A pop-up window will ask you to confirm your consent. This is required for granting an App Registration access to a SharePoint site in your Microsoft 365 tenant. Press "Accept".
 
 

Obtain the SharePoint Site ID and Drive ID

Enter a new POST query with this URL:
https://graph.microsoft.com/v1.0/search/query
And this body, replacing "production" with text that appears in the name of your SharePoint Site:
{
    "requests": [
        {
            "entityTypes": [
                "drive"
            ],
            "query": {
                "queryString": "production"
            }
        }
    ]
}
When finished, your query should look something like this:
 
 
Press the "Run query" button.
 

Drive ID

Scroll down through the results in the "Response preview" tab until you find the "id" property. It should be immediately below the "@odata.type" property that has a value of "#microsoft.graph.drive".
 
❗ Note that it may take some time for the new SharePoint Site to appear in your site list.
 
It should look something like this:
 
 
⭐ Copy the value of "id"
When you find this entry, copy the value of "id". This is the Drive ID of the SharePoint Site.
 

SharePoint Site ID

Scroll further down until you see the "siteId" property. This is the ID of the SharePoint Site. It should look something like this:
// Example SharePoint Site ID:
'pawnee.sharepoint.com,d2045e1a-c8d0-42b5-9e39-f41e6f7d6f9d,1d38138e-bdbe-4956-9d28-c760b84132a9'
 
⭐ Copy the value of "siteId"
When you find the "siteId" property, copy the value. This is the ID of the SharePoint Site.
 

Grant Write Permission to the Azure App Registration

Now that you have the SharePoint site id, you can grant the CLNG Azure App Registration write permission to that SharePoint site.
 
Modify the URL in the Graph query box so that it matches the format below, inserting your SharePoint site ID for {id}.
📌 Replace {id} with your actual SharePoint Site ID
https://graph.microsoft.com/v1.0/sites/{id}/permissions
 
For example:
 
 
Next, we'll need to modify the Request Body.
 
Enter the Application (Client) ID of the CLNG Azure App Registration as the value of the "id" property and match the value of "displayName" to the name of the Azure App Registration.
 
{
    "roles": [
        "write"
    ],
    "grantedToIdentities": [
        {
            "application": {
                "id": {Application (Client) ID of the Azure App Registration},
                "displayName": {Name of the Azure App Registration}
            }
        }
    ]
}
For example:
 
 
After entering the URL and Request Body, your query should look something like this:
 
 
Now press "Run query" to grant the write permission. You should see a Created 201 confirmation below the Request Body and receive a response like the one below.
 
 
 

Optional: Unconsent to Modify Permissions

Your CLNG Azure App Registration is now authorized to work with the contents of your CLNG SharePoint site's Document Library. You can if you wish, unconsent the Sites.FullControl.All permission in Microsoft Graph Explorer.
  1. Select your Profile Picture at the top-right of Graph Explorer to open your Profile Card, then click the "Consent to permissions" link to open the Permissions panel.
  2. In the Permissions panel, enter "Sites" in the search box to filter the list of permissions, and press "Unconsent" to the right of the Sites.FullControl.All permission.

 

You should see the label on the button change from "Unconsent" to "Consent".

 

📌 If Unconsent is Disabled

If the "Unconsent" button is disabled, verify that you have consented to the following permissions in the Permissions panel:
  1. Directory.Read.All
  2. DelegatedPermissionGrant.ReadWrite.All
Once you have consented to the above permissions, refresh the page and navigate to the Sites.FullControll.All permission again.
 

Checkup

You have now:
  1. Created and configured the CLNG App Registration in Azure.
  2. Created and configured the CLNG SharePoint File Share.
  3. Granted the CLNG App Registration write access to the SharePoint File Share.

You should have the following information to provide to Cycom:
  1. The Directory (Tenant) ID of your Organization's Azure Entra ID Tenant.
  2. The Application (Client) ID of the Azure App Registration.
  3. The Client Secret of the Azure App Registration.
  4. The Drive ID of the SharePoint File Share.

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk