To extract and index documents stored in Microsoft SharePoint, the Locator SharePoint connector needs to be configured with a user that has access to all the documents that are to be extracted. This user is referred to as the index user.
...
The permissions required for the index user differ for each connection type. The table below provides a quick guide to the minimal permissions required by each connection type.
| Connection Type | | Required Permission: SharePoint Admin | Required Permission: Site Collection Administrator on each site collection/OneDrive | Required Permission: "Read for index user" custom permission on each site collection | Required Permission: "Read for index user" custom permission on site provided in Server Page | Notes |
|---|---|---|---|---|---|---|
| Document | Single site | No | No | No | Yes | |
| Document | Index all site collections | Yes | No - but preferred | Yes | Yes | |
| Document | Additional site templates* | No | No - but preferred | Yes | Yes | |
| User Profiles | | No | No | No | Yes | |
| MySites/OneDrive | | No | Yes | No | No | You can use Set-MySiteIndexUser.ps1 script |
*This can be used when at least one of these is selected on the Connection Configuration Page: Include Office 365 Personal Blogs, Include Office 365 Group Sites, Include Office 365 Communication Sites or Include other site templates.
...
- If any of the "Include Office 365..." checkboxes in the wizard is used for specific site collection templates
- If "Include other site templates" is checked in the wizard and some of the templates were selected.
Note 3: Global admins and SharePoint admins don't have automatic access to Group Sites. That means they cannot manage permissions inside Group Sites. However, global admins still have the option to add members and owners to Group Sites.
...
- Navigate to the topmost site to which the index user will be given access. This is the site that you will specify when presented with the “Enter the address of MS SharePoint server site you want to make searchable.” prompt in the Locator Connector Wizard.
- Click on the gears icon at the top right of the page, and from the drop-down list click on "Site settings".
- Under "Users and Permissions" click on "Site permissions".
- From the Permissions tab click on "Permission Levels".
- From the "Permissions > Permission Levels" page, click "Add a Permission Level"
- Provide a name (e.g. “Read for Index user”) and select the following permissions:
  - List Permissions:
    - Manage Lists
    - View Items
    - Open Items
    - View Versions
    - Create Alerts
    - View Application Pages
  - Site Permissions:
    - Add and Customize Pages
    - Browse Directories
    - Use Self-Service Site Creation
    - View Pages
    - Enumerate Permissions
    - Browse User Information
    - Use Remote Interfaces
    - Use Client Integration Features
    - Open
- Click the “Create” button
- Go back to Site Permissions by clicking on “Permissions”
- Click on “Create Group”
- Provide a name for this group (it will be used to apply to the index user)
- Under “Choose the permission level group members get on this site:...” check the box for the new permission level you added in a prior step (e.g. "Read for Index user").
- Click the “Create” button.
- You will now see the new group
- Click on “New” and with "Invite people" highlighted, enter the name of the index user, and click “Share”.
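One way to script the custom permission level from the steps above and later check it for drift (an added example, not one of the vendor's scripts). It assumes the PnP PowerShell module is loaded and Connect-PnPOnline has already been run against the site from the first step; the PermissionKind names are the CSOM equivalents of the checkbox labels, and the description string is made up for illustration.

```powershell
# Added example. Assumes the PnP PowerShell module is imported and that
# Connect-PnPOnline has already been run against the target site.
$RoleName = 'Read for Index user'   # example name used in the procedure

# Checkbox labels from the procedure mapped to CSOM PermissionKind values.
$Expected = [Microsoft.SharePoint.Client.PermissionKind[]]@(
    'ManageLists',          # Manage Lists
    'ViewListItems',        # View Items
    'OpenItems',            # Open Items
    'ViewVersions',         # View Versions
    'CreateAlerts',         # Create Alerts
    'ViewFormPages',        # View Application Pages
    'AddAndCustomizePages', # Add and Customize Pages
    'BrowseDirectories',    # Browse Directories
    'CreateSSCSite',        # Use Self-Service Site Creation
    'ViewPages',            # View Pages
    'EnumeratePermissions', # Enumerate Permissions
    'BrowseUserInfo',       # Browse User Information
    'UseRemoteAPIs',        # Use Remote Interfaces
    'UseClientIntegration', # Use Client Integration Features
    'Open'                  # Open
)

$role = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $RoleName }

if (-not $role) {
    # Level does not exist yet: create it with exactly the documented set.
    Add-PnPRoleDefinition -RoleName $RoleName -Include $Expected `
        -Description 'Read access for the Locator index user (illustrative text)'
}
else {
    # Level exists: list every permission bit it grants, then diff it
    # against the documented set. EmptyMask/FullMask are not single rights.
    $granted = [Enum]::GetValues([Microsoft.SharePoint.Client.PermissionKind]) |
        Where-Object { ("$_" -notin 'EmptyMask', 'FullMask') -and $role.BasePermissions.Has($_) }

    [pscustomobject]@{
        PermissionLevel = $role.Name
        Missing = @($Expected | Where-Object { $_ -notin $granted })  # documented but not granted
        Extra   = @($granted  | Where-Object { $_ -notin $Expected }) # granted beyond the documented set
    }
}
```

The web UI can tick dependent permissions automatically when a box is checked, so treat `Extra` as a list to review rather than as an error.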
Adding Index User as Site Collection Administrator
To index all site collections, the index user must either have the custom permission level set on all site collections or be a primary or secondary site collection administrator. You can use the Set-AdminOnSites.ps1 PowerShell script to add the index user as a secondary site collection administrator to all site collections in your tenant, excluding personal sites.
Important notes:
- To execute Set-AdminOnSites.ps1, the SharePoint Online Client Components SDK (SharePointOnlineClientComponentsSDK) is required.
- You can run this script with the IndexUser parameter set to the index user's LoginName or Email. It is important to add the i:0#.f|membership| prefix if LoginName is used.
- Each time a new site collection is added to SharePoint, the SharePoint administrator will need to rerun this script or manually add index user permissions on newly created site collections.
- Before running this script you have to replace domain in SPOAdminURL with your tenant name.
- Before running this script you have to change SPOAdminUser value to your Index User name.
- This script will prompt you for credentials. You have to provide SharePoint Admin credentials, otherwise the script will fail.
Adding Permissions to the Index User for MySites, OneDrive for Business and Delve Blogs
...
NOTE: If your SharePoint Administrator account uses Multi-Factor Authentication, you have to use the Set-MySiteIndexUserMFA.ps1 version of the script instead. There are a few differences compared to the Set-MySiteIndexUser.ps1 script. There is an additional prerequisite: you have to install the SharePoint Patterns and Practices PowerShell Cmdlets for SharePoint Online module. This script is also slower than Set-MySiteIndexUser.ps1. There are a few suggestions on how to use this script:
...
Configuring Windows Azure Active Directory
Setting up the Windows Azure Graph API for Locator
The screenshot above has the application Id we need. The two menu options that are to be used for creating and obtaining the client secret are circled in red and will be used in the following screenshots: