
To extract and index documents stored in Microsoft SharePoint, the Locator SharePoint connector needs to be configured with a user that has access to all the documents that are to be extracted. This user is referred to as the index user.

...

Required permission columns (one per column in the table below):
  (A) SharePoint Admin
  (B) Site Collection Administrator on each site collection/OneDrive
  (C) "Read for index user" custom permission on each site collection
  (D) "Read for index user" custom permission on the site provided in the Server Page

Connection Type            | (A) | (B)                  | (C) | (D) | Can be indexed by Azure AD Application (Document)
Single site                | No  | No**                 | No  | Yes | Yes
Index all site collections | Yes | No - but preferred** | Yes | Yes | No
Additional site templates* | No  | No - but preferred** | Yes | Yes | Yes
User Profiles              | No  | No                   | No  | Yes | Yes
MySites/OneDrive           | No  | Yes                  | No  | No  | Yes

Notes:
  • Index all site collections: the index user doesn't need the "Read for index user" permission level on a site collection if it is already site collection administrator there. You can use the Set-AdminOnSites.ps1 script to add the index user as secondary site collection administrator to all site collections.
  • Additional site templates*: the index user doesn't need the "Read for index user" permission level on a site collection if it is already site collection administrator there. You can use the Set-AdminOnSites.ps1 script to add the index user as secondary site collection administrator to all site collections.
  • MySites/OneDrive: you can use the Set-MySiteIndexUser.ps1 script.

* This applies when at least one of the following is selected on the Connection Configuration page: Include Office 365 Personal Blogs, Include Office 365 Group Sites, Include Office 365 Communication Sites or Include other site templates.

** If the index user isn't a site collection administrator, the connector won't be able to build document security correctly for groups that have "Who can view the membership of the group?" set to "Group Members" and of which the index user isn't a member. This means some users might not get search hits for documents they have access to.
Additional permissions for included features

Some features of the SharePoint connector have additional permission requirements.

...

  • If any of the "Include Office 365..." checkboxes in the wizard is used for specific site collection templates
  • If "Include other site templates" is checked in the wizard and some of the templates were selected.

Note 3: Global admins and SharePoint admins don't have automatic access to Group Sites. That means they cannot manage permissions inside Group Sites. However, global admins still have the option to add members and owners to Group Sites.

...

  1. Navigate to the top-most site to which the index user will be given access. This is the site that you will specify when the Locator Connector Wizard prompts “Enter the address of MS SharePoint server site you want to make searchable.”
  2. Click on the gears icon at the top right of the page, and from the drop-down list click on "Site settings".
  3. Under "Users and Permissions" click on "Site permissions".
  4. From the Permissions tab click on "Permission Levels".
  5. From the "Permissions > Permission Levels" page, click "Add a Permission Level"
  6. Provide a name (e.g. “Read for Index user”) and select the following permissions:
    • List Permissions:
      • Manage Lists
      • View Items
      • Open Items
      • View Versions
      • Create Alerts
      • View Application Pages
    • Site Permissions
      • Add and Customize Pages
      • Browse Directories
      • Use Self-Service Site Creation
      • View Pages
      • Enumerate Permissions
      • Browse User Information
      • Use Remote Interfaces
      • Use Client Integration Features
      • Open
  7. Click the “Create” button
  8. Go back to Site Permissions by clicking on “Permissions”
  9. Click on “Create Group”
  10. Provide a name for this group (it will be used to apply to the index user)
  11. Under “Choose the permission level group members get on this site:...” check the box for the new permission level you added in a prior step (e.g. "Read for Index user").
  12. Click the “Create” button.
  13. You will now see the new group.
  14. Click on “New” and with "Invite people" highlighted, enter the name of the index user, and click “Share”.

Note: There is no permission that would allow the index user to retrieve group membership for groups that have "Who can view the membership of the group?" set to "Group Members". Even "Full Control" is not enough for that scenario. The only way for the index user to build the document security correctly is to either add the index user as a member of that group or set it as site collection administrator.
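The manual steps above, done with the PnP.PowerShell module instead of the site settings pages, as an added example that is not part of the original page or of the Locator product: the site URL, the index user's UPN, the group name and the use of PnP.PowerShell are assumptions. The script creates the "Read for Index user" permission level with the permissions listed in step 6, a group that carries it, adds the index user, and then reports the groups whose membership is restricted to "Group Members" (the case the note describes), flagging those the index user is not a member of.

```powershell
# Added example, not from the original page or from Locator.
# Assumptions: PnP.PowerShell is installed; $SiteUrl and $IndexUser are placeholders.
param(
    [string]$SiteUrl   = "https://contoso.sharepoint.com/sites/intranet",  # placeholder: top-most site from step 1
    [string]$IndexUser = "locator.index@contoso.onmicrosoft.com",          # placeholder: index user's UPN
    [string]$RoleName  = "Read for Index user",
    [string]$GroupName = "Locator Index Users"                             # placeholder group name
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# The same permissions as step 6, expressed as the PermissionKind values
# that Add-PnPRoleDefinition accepts (List Permissions first, then Site Permissions).
$permissions = @(
    'ManageLists', 'ViewListItems', 'OpenItems', 'ViewVersions', 'CreateAlerts', 'ViewFormPages',
    'AddAndCustomizePages', 'BrowseDirectories', 'CreateSSCSite', 'ViewPages',
    'EnumeratePermissions', 'BrowseUserInfo', 'UseRemoteAPIs', 'UseClientIntegration', 'Open'
)

# Create the permission level only if it does not already exist, so the script can be re-run.
if (-not (Get-PnPRoleDefinition -Identity $RoleName -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName $RoleName -Include $permissions `
        -Description "Read-only access for the Locator index user"
}

# Create the SharePoint group (steps 9-12), bind the permission level to it,
# and add the index user to it (step 14).
if (-not (Get-PnPGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-PnPGroup -Title $GroupName -Description "Members are used by Locator to index this site" | Out-Null
}
Set-PnPGroupPermissions -Identity $GroupName -AddRole $RoleName
Add-PnPGroupMember -LoginName $IndexUser -Group $GroupName

# Verification for the note above: groups whose membership only members may view.
# No permission level lets the index user read these, so document security for
# them is only correct if the index user is a member (or site collection administrator).
$restricted = Get-PnPGroup | Where-Object { $_.OnlyAllowMembersViewMembership }
foreach ($g in $restricted) {
    $isMember = Get-PnPGroupMember -Group $g | Where-Object { $_.LoginName -like "*$IndexUser" }
    $status = if ($isMember) { "OK (index user is a member)" }
              else { "WARNING: membership not readable by the index user" }
    Write-Output ("{0,-40} {1}" -f $g.Title, $status)
}
```

Run it once per site that the wizard will be pointed at; the warning lines are the groups for which the connector would otherwise build incomplete document security, and the fix is the one the note gives: add the index user to the group or make it a site collection administrator.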

Adding Index User as Site Collection Administrator

...

Configuring Windows Azure Active Directory

Locator uses the Windows Azure Graph API. The Office 365 Global Administrator will need to configure an application, called a "service principal" in Windows Azure terminology, that is authorized to read Windows Azure Active Directory information.

Setting up the Windows Azure Graph API for Locator

Setting up the Windows Azure Graph API for Locator is required in order to configure either an Exchange Online or a SharePoint Online connection. This need only be done one time, as the client ID and secret key obtained through these steps can be used for both the Exchange Online connector and the SharePoint Online connector.


To create and obtain an Azure AD Client App Id and a Client Secret, sign into https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps using the global administrator account for your Office 365 organization and do the steps indicated in red below. The two values that are to be extracted are circled in green:

[Screenshot: App registrations blade, with the steps marked in red and the two values to extract circled in green]
The screenshot above has the application Id we need. The two menu options that are to be used for creating and obtaining the client secret, are circled in red and will be used in the following screenshots:
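The portal steps above, done with the Microsoft.Graph PowerShell module, as an added example that is not from the original page or from Locator: the application display name, the secret lifetime and the use of the Microsoft.Graph module are assumptions. It registers the application and its service principal, creates the client secret and returns the two values the wizard asks for; the API permissions the SharePoint connector needs are the subject of the next section and are not granted here.

```powershell
# Added example, not from the original page or from Locator.
# Assumptions: Microsoft.Graph PowerShell module is installed; the caller is a
# Global Administrator; $AppName and $SecretMonths are placeholders.
param(
    [string]$AppName   = "Locator Connector",  # placeholder display name
    [int]$SecretMonths = 12                    # placeholder secret lifetime
)

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Re-use an existing registration with this name rather than creating a duplicate.
$app = Get-MgApplication -Filter "displayName eq '$AppName'" | Select-Object -First 1
if (-not $app) {
    $app = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg"
    # The service principal is the object the tenant actually authorizes.
    New-MgServicePrincipal -AppId $app.AppId | Out-Null
}

# Create the client secret. SecretText is returned only once; the directory
# keeps just a hash afterwards, so store it in a secret store right away.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Locator connector secret"
    EndDateTime = (Get-Date).AddMonths($SecretMonths)
}

# The two values the Locator wizard asks for; the Exchange Online and
# SharePoint Online connectors can share them.
[pscustomobject]@{
    ClientId      = $app.AppId
    ClientSecret  = $cred.SecretText
    SecretExpires = $cred.EndDateTime
}
```

Note the expiry date in the output: the connector stops authenticating when the secret expires, so record it where whoever maintains the connection will see it.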

[Screenshot: creating the client secret from the two menu options circled above]



Adding Permissions to the Azure AD Application for SharePoint Online indexing

...