To extract and index documents stored in Microsoft SharePoint, the Locator SharePoint connector needs to be configured with a user that has access to all the documents that are to be extracted. This user is referred to as the index user.
Establishing Access for the "Index User"
Within the Office 365 organization, create a dedicated Office 365 user account (e.g. "ex_index"). This user account will be used to establish a Locator SharePoint Online connection. This will be referred to as the "index user". An existing user account may be used, but a dedicated user account is recommended.
Make sure that the index user account password is set to never expire. Follow the instructions in the Microsoft document Setup user passwords to never expire.
Required permissions quick guide
Required permissions for each connection type
Required permissions for index user are different for each connection type. Table below provides quick guide on minimal permissions required by all connection types.
...
Connection Type
...
Notes
...
Document
...
- Index user doesn't need "Read for index user" permission level on each site collection it is already site collection administrator
- You can use Set-AdminOnSites.ps1 script to add index user as secondary site collection administrator to all site collections
...
Since version 2.9.7.0 of the SharePoint Connector Azure AD Application can be used to extract and index documents. If you decide to use Azure AD Application instead of index user you should skip to Setting up the Windows Azure Graph API for Locator and then go to Adding Permissions to the Azure AD Application for SharePoint Online indexing.
Establishing Access for the "Index User"
Within the Office 365 organization, create a dedicated Office 365 user account (e.g. "ex_index"). This user account will be used to establish a Locator SharePoint Online connection. This will be referred to as the "index user". An existing user account may be used, but a dedicated user account is recommended.
Make sure that the index user account password is set to never expire. Follow the instructions in the Microsoft document Setup user passwords to never expire.
Required permissions quick guide
Required permissions for each connection type
Required permissions for index user are different for each connection type. Table below provides quick guide on minimal permissions required by all connection types.
Connection Type | Required Permission | Can be indexed by Azure AD Application | Notes | ||||
|---|---|---|---|---|---|---|---|
| SharePoint Admin | Site Collection Administrator on each site collection/OneDrive | "Read for index user" custom permission on each site collection | "Read for index user" custom permission on site provided in Server Page | ||||
Document | Single site | No | No | No | Yes | Yes | |
| Index all site collections | Yes | No - but preferred | Yes | Yes | No |
| |
|
| Additional site templates* | No | No - but preferred |
| Yes | Yes |
| Yes |
|
...
| |||||||
| User Profiles | No | No | No | Yes | Yes | ||
| MySites/OneDrive | No | Yes | No | No | Yes | You can use Set-MySiteIndexUser.ps1 script | |
*This can used when at least on one of these: Include Office 365 Personal Blogs, Include Office 365 Group Sites, Include Office 365 Communication Sites or Include other site templates is selected on Connection Configuration Page.
...
- If any of the "Include Office 365..."-checkboxes in wizard is used for specific site collection templates
- If "Include other site templates" is checked in the wizard and some of the templates were selected.
Note 3: Global admins and SharePoint admins don't have automatic access to Group Sites. That means they can not manage permissions inside Group Sites. However global admins still have option to add members and owners to Group Sites.
...
| Excerpt |
|---|
Configuring Windows Azure Active Directory Setting up the Windows Azure Graph API for Locator
The screenshot above has the application Id we need. The two menu options that are to be used for creating and obtaining the client secret, are circled in red and will be used in the following screenshots:
 https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps using the global administrator account for your Office 365 organization and do the steps indicated in red below. The two values that are to be extracted are circled in green:
The screenshot above has the application Id we need. The two menu options that are to be used for creating and obtaining the client secret, are circled in red and will be used in the following screenshots:
|
Adding Permissions to the Azure AD Application for SharePoint Online indexing
You will need Azure AD Application with client secret set to Never Expires. You can use the same application you have created in the Graph API in the Setting up the Windows Azure Graph API for Locator section or create new one.
Go to https://[tenant]-admin.sharepoint.com/_layouts/15/appinv.aspx (replace [tenant] with your Office365 tenant name). This page can be accessed only by SharePoint administrator.
On this page perform following:
- Under App Id: type your Application (client) ID and press the Lookup button.
- Under App Domain: you can type anything, for example localhost
- Redirect URL you can leave empty.
Under Permission Request XML: paste this:
Code Block language xml title Permission Request XML <AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Read" /> <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" /> </AppPermissionRequests>- Now you will have to confirm the changes. Press Trust It.
After those steps your applications can be used to index all sites, user profiles or OneDrives in your Office365 tenant.