How to Create a SharePointOnlineConnector Web Connection with Application Permissions

Matt Meeboer

Introduction

This article will walk through configuring a SharePointOnlineConnector web connection in FME Form using an Azure app registration with application permissions. Application permissions allow FME to connect to SharePoint without providing Microsoft credentials to authorize the connection.

To find out whether this is the right approach for you, and for a full list of all SharePoint connection articles, please first read Getting Started with Microsoft SharePoint.

Please note that Azure is subject to change at any time, so the instructions and screenshots in this article may be slightly different, but the concepts remain the same.

 

Requirements

 

Step-by-step Instructions

Part 1: Create the Azure App Registration

Before you can create a SharePoint Web Connection in FME Form, you must create an app registration in Microsoft Azure.

 

1. Register an App in the Azure Portal

Log in to the Azure portal and go to App Registrations.

Add a new registration.

If you’re registering a Multitenant application, choose ‘Accounts in any organization directory (Any Azure AD - directory - Multitenant)’. For a single tenant application, choose ‘Accounts in this organizational directory only’. The Redirect URI can be left empty. The example in the screenshot below shows a multitenant registration.

Click Register.

2. Obtain the Client ID and Tenant ID

On the new app’s Overview page, take note of the Application (client) ID and the Directory (tenant) ID - these will be used to configure the web connection in FME later.

Note: you can confirm that your app is multitenant by checking that the value of ‘Supported account types’ is ‘Multiple organizations’. If it is single tenant, the value will be ‘My organization only’.


3. Add Application API Permissions

Click API permissions and then Add a permission.

Choose Microsoft Graph from Request API permissions.

Click Application permissions. Search for Sites.ReadWrite.All and select its checkbox. Click Add Permissions.


Once added, you should see the Sites.ReadWrite.All permission in the list of Configured permissions. Since this permission requires admin consent, click ‘Grant admin consent…’.

Confirm that the Status is now Granted.

If you wish to assign more restrictive permissions, you can use a combination of Sites.Read.All and Files.ReadWrite.All instead of Sites.ReadWrite.All. Other permissions may also work, but may require you to perform additional configuration and testing that is outside the scope of this article.

 

4. Create a Client Secret

Click Certificates & secrets and then 'New client secret'. 


 

Give your client secret a description and expiry. Click Add. 


Once your client secret expires, you will need to create a new one and update your web connection to continue connecting to SharePoint.

After clicking Add, make sure to copy the secret value (not the Secret ID) and store it in a safe place, like a password manager. You will only get one chance to save the secret value! You can create another secret if needed.

Your Azure app registration is complete.

Part 2: Configure the Connection in FME Form

Application permissions use a simple OAuth 2.0 client credentials flow, so configuring a web service is not required before creating a web connection. To learn more, please read Getting Started with Microsoft SharePoint. Follow the steps below to create a web connection:

 

1. Create a New Web Connection

From Web Connections, click the plus (+) button to add a new connection.


2. Populate the Web Connection

  1. Web Service: choose the ‘Microsoft Graph (App Only)’ web service. This web service comes with the SharePoint Online package from the FME Hub.
  2. Connection Name: provide a unique name. It’s recommended to include the transformer that this web service will be used for and the Azure app registration name, so that you can cross-reference it.
  3. Tenant ID: the Directory (tenant) ID from the SharePoint app registration
  4. Client ID: the Application (client) ID from the SharePoint app registration 
  5. Client Secret: the Client Secret value from the client secret you added to the SharePoint app registration 

Click OK.


After clicking OK, FME will use the web connection to obtain an access token from Azure. If you receive an Access Token Generation Failed error, like the example below, re-confirm your settings and try again. 

 

If you do not receive an error, then your web connection is ready to use in FME Form. 

This connection can also be published to and used in FME Flow without additional configuration or authorization.
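
To check an app registration independently of FME, the added example below (not part of the original article or of FME's code) requests an app-only token with the same client credentials flow and audits its claims against the tenant ID, client ID and permissions configured above. It assumes the Microsoft identity platform v2.0 token endpoint and the `tid`, `appid`/`azp`, `exp` and `roles` token claims; the function names and the sample token are constructed for illustration, and the payload is decoded for diagnosis only, without signature verification.

```python
import base64, json, time
import urllib.parse, urllib.request

# Microsoft identity platform v2.0 token endpoint used by the client credentials flow.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def request_token(tenant_id, client_id, client_secret):
    """Request an app-only Microsoft Graph token (performs a network call)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), data=form) as resp:
        return json.load(resp)["access_token"]

def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token, tenant_id, client_id, allowed_roles, now=None):
    """Return a list of findings; an empty list means the token matches expectations."""
    c, findings = decode_claims(token), []
    now = time.time() if now is None else now
    if c.get("tid") != tenant_id:
        findings.append("tenant mismatch: " + str(c.get("tid")))
    if client_id not in (c.get("appid"), c.get("azp")):
        findings.append("client ID mismatch")
    if c.get("exp", 0) <= now:
        findings.append("token expired")
    roles = set(c.get("roles", []))
    if not roles:
        findings.append("no application permissions (admin consent not granted?)")
    for extra in sorted(roles - set(allowed_roles)):
        findings.append("unexpected permission: " + extra)
    return findings

def make_sample_token(claims):
    """Constructed, unsigned sample token so the audit can run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":  # offline demo on a constructed token
    t = make_sample_token({"tid": "tenant-1", "appid": "client-1", "exp": 4102444800,
                           "roles": ["Sites.ReadWrite.All", "Mail.Read"]})
    print(audit_token(t, "tenant-1", "client-1", ["Sites.ReadWrite.All"]))
```

Against a real registration, pass the result of `request_token(...)` to `audit_token(...)` with the permission set you intended to grant, for example `["Sites.Read.All", "Files.ReadWrite.All"]` for the more restrictive option.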
