Introduction
This article will walk through configuring a SharePointOnlineConnector web connection in FME Form using a single tenant Azure app registration with delegated permissions. Delegated permissions allow a user to authorize a connection with their Microsoft credentials.
To know if this is the right approach for you, and for a full list of all SharePoint connection articles, please first read Getting Started with Microsoft SharePoint.
Please note that Azure is subject to change at any time, so the instructions and screenshots in this article may be slightly different, but the concepts remain the same.
Requirements
- Access to your Microsoft Azure Portal and permissions to create an App Registration
Step-by-step Instructions
Part 1: Create the Azure App Registration
Before creating a SharePoint Web Connection in FME Form, you must create an app registration in Microsoft Azure.
1. Register an App in the Azure Portal
Log in to the Azure portal and go to App Registrations.
Add a new registration.
Choose ‘Accounts in this organizational directory only (Single tenant)’. Leave the Redirect URI blank for now; it will be set in a later step. Click Register.
2. Obtain the Client ID and Tenant ID
On the new app’s Overview page, take note of the Application (client) ID and the Directory (tenant) ID - these will be used to configure the web service later.
Note: you can confirm that your app is a single tenant app if the value of ‘Supported account types’ is ‘My organization only’.
3. Add the Platform and Redirect URI
Click Authentication and then 'Add a platform'. Choose Mobile and desktop applications.
For the Custom redirect URIs, enter:
https://login.microsoftonline.com/[TENANT ID]/oauth2/nativeclient
Replace [TENANT ID] with the value of Directory (tenant) ID from the app registration overview.
Click Configure.
You should now see Mobile and desktop applications with the redirect URI added in the previous step enabled, as well as additional default URIs added by Azure.
4. Add Delegated API Permissions
Click API permissions and then 'Add a permission'.
Choose Microsoft Graph from Request API permissions.
Click Delegated permissions. Search for and then check off Sites.ReadWrite.All. Click Add Permissions.
Once added, you should see the Sites.ReadWrite.All permission in the list of Configured permissions.
Your single tenant Azure app registration is complete.
If you wish to assign more restrictive permissions, you can use a combination of Sites.Read.All and Files.ReadWrite.All instead of Sites.ReadWrite.All. Other permissions may also work, but you may be required to perform additional configuration and testing outside the scope of this article.
Part 2: Configure the Connection in FME Form
A SharePointOnlineConnector web service must be configured before the web connection can be created. Follow these steps:
1. Open Web Services
In FME Form, go to Tools > FME Options > Web Connections > Manage Services.
2. Create a New Web Service
On the Manage Web Services screen, click the plus sign below the list of web services and then Create From > Microsoft SharePoint Online (safe.microsoft-sharepoint).
Do not choose Microsoft SharePoint Online (Template). It is for the SharePoint List Reader/Writer and will not work with the SharePointOnlineConnector.
In FME Form 2022 and earlier, you will not be able to create a new web service from the Microsoft SharePoint Online (safe.microsoft-sharepoint) template. Select the Microsoft SharePoint Online (safe.microsoft-sharepoint) web service from the list and edit its parameters following the instructions in the next step. The web service name is not editable.
3. Populate the Web Service
Single Tenant applications cannot use the /common/ endpoints. The ‘/common/’ endpoints are for multitenant Azure app registrations. Replace all instances of /common/ with your Tenant ID.
- Web Service Name: provide a unique name. It’s recommended to include the transformer that this web service will be used for and the Azure app registration name, so that you can cross-reference it.
- Client ID: the Application (client) ID from the SharePoint single tenant app
- Optional (the checkbox next to Client Secret): leave this checked; the client secret should only be added in FME Flow
- Redirect URI: https://login.microsoftonline.com/[TENANT ID]/oauth2/nativeclient
- Authorization Parameters URL: replace common with your Tenant ID
- Retrieve Token Parameters URL: replace common with your Tenant ID
- Refresh Token Parameters URL: replace common with your Tenant ID
It’s also important to ensure that the web service’s Redirect URI value matches the custom redirect URI that was applied to the Azure registered application in Part 1, step 3 (Add the Platform and Redirect URI). If these two values do not match, the web service will not function properly.
Click Apply.
Note: If you assigned more restrictive API permissions when creating your Azure app registration in the previous section, then you will need to modify the Authorization Parameters URL to match those permissions. For example, if you granted the Sites.Read.All and Files.ReadWrite.All Graph API permissions to your Azure app registration, it would look like this:
4. Test the Web Service
Scroll down to the bottom of the web service and click Test.
When prompted, enter your Microsoft credentials. If Microsoft prompts you to grant permissions to the Azure app, click Accept.
You may be prompted to request admin approval after providing your Microsoft SharePoint credentials. If you or your Azure Administrator already approved the application in Azure, modify the Authorization URL under the Authorization Parameters section of the SharePoint web service:
1. Find ‘&prompt=select_account’, change it to ‘&prompt=login’, and retest.
2. If that doesn’t work, try removing the ‘&prompt=’ parameter and its value, and retest.
For more information, refer to the Microsoft documentation: Send the sign-in request.
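The edits described in step 3 (replacing /common/ with the Tenant ID, narrowing the scope to Sites.Read.All and Files.ReadWrite.All, keeping the redirect URI identical to the Azure registration) and in the admin-approval note above (changing or removing &prompt=) can be applied and verified mechanically. The following is an added example, not FME's or Safe Software's code; the template URLs, the scope string and the tenant ID are constructed assumptions and may differ from what the shipped web service contains.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed stand-in for the shipped template; the real FME template URLs and
# scope string may differ, so treat these values as assumptions.
TEMPLATE = {
    "redirect_uri": "https://login.microsoftonline.com/common/oauth2/nativeclient",
    "authorization_url": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?response_type=code&scope=offline_access%20Sites.ReadWrite.All"
        "&prompt=select_account"
    ),
    "token_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "refresh_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
}


def set_query(url, **changes):
    """Return url with the given query parameters replaced; None removes a key."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for key, value in changes.items():
        if value is None:
            query.pop(key, None)
        else:
            query[key] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def single_tenant(service, tenant_id, scopes=None, prompt="select_account"):
    """Swap every /common/ for the tenant ID; optionally narrow the scope
    (e.g. Sites.Read.All + Files.ReadWrite.All) and change or drop &prompt=."""
    out = {name: url.replace("/common/", f"/{tenant_id}/") for name, url in service.items()}
    if scopes is not None:
        out["authorization_url"] = set_query(out["authorization_url"], scope=" ".join(scopes))
    out["authorization_url"] = set_query(out["authorization_url"], prompt=prompt)
    return out


def check(service, tenant_id, azure_redirect_uri):
    """List the misconfigurations the article warns about; empty means consistent."""
    problems = []
    for name, url in service.items():
        if "/common/" in url:
            problems.append(f"{name}: still uses the multitenant /common/ endpoint")
        elif f"/{tenant_id}/" not in url:
            problems.append(f"{name}: does not contain tenant {tenant_id}")
    # The web service redirect URI must match the one registered in Azure exactly.
    if service["redirect_uri"] != azure_redirect_uri:
        problems.append("redirect_uri: does not match the Azure app registration")
    return problems
```

Run `check()` against the values you actually pasted into the web service; any line it returns points at a field that will make the Test button fail.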
Once the web service test is successful, you can create a web connection. Close the Manage Web Services dialog to return to the Web Connections menu.
5. Create the Web Connection
From Web Connections, click the plus (+) button to add a new connection.
Choose the web service you created and give the connection a unique name. Click OK.
You will be prompted again to authenticate with Microsoft.
After successfully authenticating, your web connection and service are ready to use in FME Form. Note that the Microsoft account you authenticate with must have access to the SharePoint resources you want to connect to in FME.
If you encounter issues authenticating your SharePoint connection, please see Troubleshooting SharePoint Web Connections and Services.
If you want to use your connection in FME Flow, please see How to Create a SharePoint Single Tenant Web Connection for FME Flow.