To securely connect our service to your SharePoint environment, you need to create and configure an app registration with its service principal (referred to in this guide as an SPN) in your Microsoft Entra ID (formerly Azure Active Directory). This gives the Genow platform a limited, application-only identity for accessing your SharePoint data, so no user’s personal login credentials are involved.
If you have already created an SPN for Microsoft SSO, you can reuse it for the SharePoint connection. This makes particular sense if you do not plan to create multiple SPNs for different SharePoint sites. Bear in mind that a reused registration then carries both the SSO permissions and the SharePoint grants, so a leaked client secret exposes both at once.
This guide will walk you through the entire process, which consists of three main parts:
  1. Creating an App Registration in Microsoft Entra ID to generate the required credentials.
  2. Configuring API Permissions to define what the application is allowed to do.
  3. Granting Access to Specific SharePoint Sites to connect the SPN to the data.
To complete the setup, you will need the following three pieces of information:
  • Client ID (Application ID)
  • Tenant ID (Directory ID)
  • Client Secret (Application Password)
If you create a new SPN, please share the client ID, tenant ID and client secret with us through a secure channel (not in plain e-mail or chat), as we also have to store the mapping for the SPN. The information is stored securely on our side.
Prerequisites: You must have administrative privileges in both Microsoft Entra ID and the target SharePoint sites to perform these actions.

Part 1: Create the App Registration and Credentials

First, you need to register a new application in your Microsoft Entra ID portal. This registration represents the identity of our service within your Microsoft environment.
  1. Navigate to App Registrations:
    • Sign in to the Microsoft Entra admin center with an administrator account and open Identity > Applications > App registrations.
  2. Create a New Registration:
    • Click + New registration.
    • Give the application a descriptive name, such as “SharePoint Integration Service”.
    • Leave the other settings at their default values and click Register.
  3. Save the Client ID and Tenant ID:
    • Once the app is created, you will be taken to its Overview page.
    • Copy the Application (client) ID and the Directory (tenant) ID. Save them in a secure location, as you will need them to configure the integration in our platform.
  4. Create a Client Secret:
    • In the navigation for your app registration, go to Certificates & secrets.
    • Click on the Client secrets tab and select + New client secret.
    • Provide a description (e.g., “SharePoint API Key”) and choose an expiration period. Prefer the shortest period your rotation process supports, and note the expiry date: the connection stops working the moment the secret expires.
    • Click Add.
    IMPORTANT: A secret value will be displayed immediately. Copy this value now. It will be hidden permanently after you leave this page. This is your Client Secret.

Part 2: Configure API Permissions

Next, you must specify the exact permissions the application needs. We will use the Sites.Selected permission, which follows the principle of least privilege by allowing you to grant access only to specific SharePoint sites instead of all of them.
  1. Go to API Permissions:
    • In your app registration’s navigation menu, select API permissions.
  2. Add a Permission:
    • Click + Add a permission and select Microsoft Graph.
  3. Select Application Permissions:
    • Choose Application permissions. This type is required for services that run in the background without a signed-in user.
  4. Add Sites.Selected Permission:
    • In the “Select permissions” search box, type Sites.Selected.
    • Check the box next to Sites.Selected under the “Sites” category and click Add permissions.
  5. Grant Admin Consent:
    • The newly added permission will have a status indicating that admin consent is required.
    • Click the Grant admin consent for [Your Tenant Name] button at the top of the permissions list.
    • Click Yes to confirm. The status should now update to show a green checkmark, meaning the permissions are active at the tenant level.
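The same registration, permission and admin consent can be scripted. The block below is an added example written for this guide, not code from the Genow platform or from Microsoft; it assumes the Microsoft.Graph PowerShell module is installed, that you sign in as an administrator who may create applications and grant consent, and that the display name, secret description and six-month secret lifetime are choices you may change. It looks up the Sites.Selected role ID from the Microsoft Graph service principal instead of hard-coding it.

```powershell
# Added example: Part 1 and Part 2 as a repeatable script (Microsoft Graph PowerShell SDK).
# Assumptions: Microsoft.Graph module installed; interactive admin sign-in;
# names and the 6-month secret lifetime are this example's choices.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph application ID
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Resolve the Sites.Selected application permission (app role) from Graph's own manifest.
$sitesSelected = $graphSp.AppRoles |
    Where-Object { $_.Value -eq "Sites.Selected" -and $_.AllowedMemberTypes -contains "Application" }
if (-not $sitesSelected) { throw "Sites.Selected app role not found on the Microsoft Graph service principal" }

# Part 1, step 2 + Part 2, steps 1-4: register the app with exactly one required permission,
# single-tenant only (no other organisation can obtain tokens for it).
$app = New-MgApplication -DisplayName "SharePoint Integration Service" -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphAppId
        ResourceAccess = @(@{ Id = $sitesSelected.Id; Type = "Role" })
    })

# The service principal is the tenant-local identity that the permission is actually assigned to.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Part 2, step 5: "Grant admin consent" for an application permission is an app-role
# assignment of the Graph role to our own service principal.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $sitesSelected.Id | Out-Null

# Part 1, step 4: client secret with an explicit, short expiry. SecretText is returned
# only by this call and cannot be read back later (same as the portal's one-time display).
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "SharePoint API Key"
    EndDateTime = (Get-Date).AddMonths(6)
}

# The three values the integration needs, plus the date you must rotate by.
[PSCustomObject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText   # hand over through a secrets channel, never e-mail or chat
    SecretExpiry = $secret.EndDateTime
}
```

After the script runs, the app registration shows Sites.Selected with the green admin-consent checkmark from step 5, and nothing else. At this point the SPN still cannot read any site: Sites.Selected only permits the per-site grants made in Part 3.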

Part 3: Grant Access to SharePoint Sites

The final step is to grant the newly created SPN access to each SharePoint site it needs to read. Sites.Selected grants nothing by itself; this per-site grant is what actually opens a site, and it must be repeated for every top-level SharePoint site that you intend to use with our service. The grant is made through the Microsoft Graph API, either with Graph Explorer or with PowerShell. We recommend the Graph Explorer route, as it needs no local tooling; the steps in the following section are adapted from Fivetran’s SharePoint connector documentation.
Step 1: Grant access for a selected site to the SharePoint app

  1. Open the SharePoint site you want to connect in your browser and append /_api/site/id to the site’s URL (for example https://<tenant>.sharepoint.com/sites/<site>/_api/site/id).
  2. Make a note of the site ID (a GUID) in the response. You will need it in the following steps.
  3. Sign in to Microsoft Graph Explorer with an account that has a SharePoint Administrator or higher role.
  4. In Graph Explorer, on the top right, click your avatar.
  5. Select Consent to permissions (the “Modify permissions” tab) and consent to Sites.FullControl.All. This is a delegated permission for the Graph Explorer application acting as your administrator account; it is what lets the tool modify site permissions, and it can be revoked afterwards from the Graph Explorer entry under Enterprise applications.
  6. Make a POST request to the endpoint https://graph.microsoft.com/v1.0/sites/{site_id}/permissions with the request header Content-Type: application/json and the following request body:
    {
      "roles": ["read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "<application_client_id>",
            "displayName": "<application_name>"
          }
        }
      ]
    }
Replace site_id, application_client_id and application_name with the values from the steps above: the site ID from step 2, and the Application (client) ID and display name of the app registration from Part 1. A 201 Created response containing the new permission’s id confirms the grant; "read" is the least role that lets the service enumerate and read the site’s lists and files.
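For administrators who prefer a script (the PowerShell route mentioned above), the block below is an added example written for this guide, not Fivetran’s or the Genow platform’s own code. It assumes the Microsoft.Graph PowerShell module, a SharePoint Administrator signing in interactively with the same Sites.FullControl.All delegated consent Graph Explorer asks for, and that the placeholder site URL, client ID and display name are replaced with your own. It resolves the site ID from the site URL, checks for an existing grant so re-running it does not stack duplicates, and sends the same request body as step 6.

```powershell
# Added example: Part 3 from PowerShell (Microsoft Graph PowerShell SDK) instead of Graph Explorer.
# Assumptions: Microsoft.Graph module installed; SharePoint Administrator signs in interactively;
# placeholder values below are replaced with your own.
Connect-MgGraph -Scopes "Sites.FullControl.All"   # delegated consent, the same one Graph Explorer asks for

$siteUrl  = "https://<tenant>.sharepoint.com/sites/<site>"   # placeholder site URL
$clientId = "<application_client_id>"                         # Application (client) ID from Part 1
$appName  = "SharePoint Integration Service"                  # display name from Part 1

# Resolve the Graph site ID from the URL (Graph's hostname:/server-relative-path addressing);
# this replaces the /_api/site/id lookup in step 1.
$u      = [Uri]$siteUrl
$site   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$($u.Host):$($u.AbsolutePath)"
$siteId = $site.id

function Get-ExistingAppGrant {
    # Returns the permission already granted to $AppId on $SiteId, if any.
    param([string]$SiteId, [string]$AppId)
    $perms = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$SiteId/permissions"
    foreach ($p in $perms.value) {
        foreach ($g in $p.grantedToIdentities) {
            if ($g.application -and $g.application.id -eq $AppId) { return $p }
        }
    }
    return $null
}

$existing = Get-ExistingAppGrant -SiteId $siteId -AppId $clientId
if ($existing) {
    Write-Host "App $clientId already holds roles [$($existing.roles -join ', ')] on $($site.webUrl)"
} else {
    # Same body as the Graph Explorer step (step 6): read-only, one application, this site only.
    $body = @{
        roles               = @("read")
        grantedToIdentities = @(@{ application = @{ id = $clientId; displayName = $appName } })
    }
    $grant = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body $body
    Write-Host "Granted permission $($grant.id) with roles [$($grant.roles -join ', ')] on $($site.webUrl)"
}
```

Run it once per site you want to expose. The GET on /sites/{site_id}/permissions is also the audit view: it lists every application that has been granted access to that site. To withdraw access later, send a DELETE to https://graph.microsoft.com/v1.0/sites/{site_id}/permissions/{permission_id} with the id printed above.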
Step 2: Select Site ID

Depending on the access type you selected, perform the following steps:
Quick setup (All sites via Fivetran App). Note that this option authorizes Fivetran’s own application for all of your sites; to keep access limited to the sites you granted to your Sites.Selected SPN, use the advanced setup instead.
  • Click Authorize. You will be redirected to your SharePoint account to authorize Fivetran’s access. Once you have finished, you will be redirected back to Fivetran.
  • Set the Use Input Field for Site toggle to choose how you want to specify the SharePoint site:
    • If the toggle is set to ON, a text input field appears, allowing you to manually enter the site using the format hostname,siteCollectionId,siteId.
    • If the toggle is set to OFF, use the Sync Lists from Site drop-down menu to select the SharePoint site from the available list.
Advanced setup (Granular access using your own Azure app):
  • In the Connect section, enter the Tenant ID, Client ID, and Client Secret you found.
  • In the Site Id field, enter the site ID that you found.
  • (Optional) Click Run connection test to validate the credentials and connection to SharePoint.
Step 3: Finish Fivetran configuration

Click Save & Test. Fivetran will take it from here and sync your data from your lists.
You have now successfully configured the SPN for one SharePoint site. Remember to repeat this “Part 3” for all other required SharePoint sites.

Final Step

You have now successfully created an SPN and assigned it the necessary permissions. You can now use the Client ID, Tenant ID, and Client Secret you saved earlier to configure the SharePoint connection in our application. Please provide these values to us through a secure channel. Credits and more information: Fivetran’s SharePoint connector documentation, from which Part 3 is adapted.
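Before handing the values over, it is worth checking them the way the integration will use them. The block below is an added example written for this guide, not the Genow platform’s own code. It assumes placeholder tenant ID, client ID and client secret, one site ID that you granted in Part 3 and one that you did not, and uses only the OAuth 2.0 client-credentials flow and plain Invoke-RestMethod calls, so it runs without any Graph SDK. It confirms that the token carries exactly the Sites.Selected role, that the granted site answers, and that an ungranted site is refused.

```powershell
# Added example: verify the SPN hand-over values with the client-credentials flow (no SDK).
# Assumptions: placeholder values below are replaced; $grantedSite was granted in Part 3,
# $otherSite was not.
$tenantId     = "<tenant_id>"
$clientId     = "<application_client_id>"
$clientSecret = "<client_secret>"
$grantedSite  = "<site_id_granted_in_part_3>"
$otherSite    = "<site_id_not_granted>"

function Get-GraphAppToken {
    # Application-only token: no user is involved, exactly as the background service will run.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $resp = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType "application/x-www-form-urlencoded" -Body @{
            grant_type    = "client_credentials"
            client_id     = $ClientId
            client_secret = $ClientSecret
            scope         = "https://graph.microsoft.com/.default"
        }
    return $resp.access_token
}

function Get-JwtRoles {
    # Decode the token payload to read the "roles" claim (application permissions).
    # No signature check: we only inspect a token we just received for our own app.
    param([string]$Token)
    $payload = $Token.Split(".")[1].Replace("-", "+").Replace("_", "/")
    switch ($payload.Length % 4) { 2 { $payload += "==" } 3 { $payload += "=" } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    return @($claims.roles)
}

function Test-SiteAccess {
    # Returns a short verdict; 403 is the expected answer for a site without a Part 3 grant.
    param([string]$Token, [string]$SiteId)
    try {
        $s = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$SiteId" `
            -Headers @{ Authorization = "Bearer $Token" }
        return "allowed ($($s.webUrl))"
    } catch {
        $code = $_.Exception.Response.StatusCode.value__
        if ($code -eq 403) { return "denied (403, as expected without a Sites.Selected grant)" }
        throw
    }
}

$token = Get-GraphAppToken -TenantId $tenantId -ClientId $clientId -ClientSecret $clientSecret
$roles = Get-JwtRoles -Token $token
if (Compare-Object $roles @("Sites.Selected")) {
    Write-Warning "Unexpected application permissions in token: [$($roles -join ', ')]"
} else {
    Write-Host "Token carries only Sites.Selected, as intended"
}
Write-Host "Granted site:   $(Test-SiteAccess -Token $token -SiteId $grantedSite)"
Write-Host "Ungranted site: $(Test-SiteAccess -Token $token -SiteId $otherSite)"
```

If the token request itself fails with an invalid_client error, the secret was mistyped or has expired (see Part 1, step 4). If the granted site also returns 403, the Part 3 grant was made for a different client ID or on a different site; list the site’s permissions with GET /sites/{site_id}/permissions to see which applications it actually trusts.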