Deprecation of support for Index User credentials in Sharepoint Online and OneDrive connections

Background

As of July 2023, we have begun observing issues with Sharepoint Online Document and User Profile connections and OneDrive for Business connections that were configured to use an Index User rather than an Azure Application.

Any attempts to authenticate with Index User credentials were being rejected on the Microsoft side with status code HTTP 401 Unauthorized, and the response included a header with the following contents: X-MSDAVEXT_Error=917656;Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically

This appears to be due to a change on the Sharepoint side, which set the setting "Apps that don't use modern authentication" to "Block access" by default, potentially for all tenants.

While at this time it is possible to revert the change, it is understood that Microsoft intends to deprecate support for apps that do not use Modern Authentication and this change would be the first step of that process, analogous to several deprecations that preceded it.

Consequently, we have decided to begin deprecating support for Index User credentials for these types of connections in the Sharepoint connector.
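When triaging connector failures, the rejection described above can be told apart from other 401 responses by the header it carries. The following is an added example, not Ayfie or Microsoft code: the function names, verdict labels and sample responses are constructed for illustration, and it assumes the header arrives as an ordinary "name: value" HTTP header.

```python
from urllib.parse import unquote_plus

# Error code from the X-MSDAVEXT_Error value quoted in this article.
SIGNATURE_CODE = 917656

# Constructed sample responses (status line plus headers), not captured traffic.
SAMPLE_BLOCKED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+"
    "location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+"
    "to+login+automatically\r\n\r\n"
)
SAMPLE_PLAIN_401 = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n\r\n"


def parse_msdavext_error(value):
    """Split 'code; url-encoded+message' into (code or None, decoded message)."""
    code_part, sep, message_part = value.partition(";")
    if sep and code_part.strip().isdigit():
        return int(code_part.strip()), unquote_plus(message_part.strip())
    return None, unquote_plus(value.strip())


def classify_response(raw_head):
    """Classify a raw HTTP response head by the signature described above."""
    lines = raw_head.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    result = {"status": status, "code": None, "message": None}
    raw_error = headers.get("x-msdavext_error")
    if status != 401:
        result["verdict"] = "not-a-401"
    elif raw_error is None:
        result["verdict"] = "other-401"  # assumed unrelated cause; check separately
    else:
        result["code"], result["message"] = parse_msdavext_error(raw_error)
        matched = result["code"] == SIGNATURE_CODE
        result["verdict"] = "index-user-rejected" if matched else "other-msdavext-error"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_BLOCKED, SAMPLE_PLAIN_401):
        print(classify_response(sample))
```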

If I was notified about this by Ayfie, does that mean I am affected?

No. The notification was sent to all active customers, as the Sharepoint connector is a default part of each Locator license.

Consequently, outside of installations deployed by the Ayfie Professional Services Team, we cannot know who is actively using this connector, much less whether they use it with Online or On-Premises sources.

How to determine if I am affected?

  • If your environment contains any Sharepoint Online Document, User Profile or OneDrive for Business connections:

    • You may be affected

    • Otherwise, you are not affected

  • If any of these connections have not been configured to Use Application instead of index user

    • You are affected

    • Otherwise, you are not affected

What is the impact of this issue for my existing Locator/Supervisor environment?

  • Locator search will continue to work

  • The Sharepoint connector will stop discovering, indexing or updating documents from affected sources unless changes are made to configuration either in Locator or in Sharepoint Online

What is the impact of the deprecation on the Locator side?

  • The option to use Index User credentials will continue to be available for the foreseeable future

  • This option will eventually be removed completely, exact date to be announced later

  • Any newly created Sharepoint Online and OneDrive connections should be created with Application credentials

What do I need to do?

Reconfigure the connections to use Application credentials

For each Sharepoint Online or OneDrive connection:

  • Edit the connection in the Management Console

  • Navigate to the Sharepoint Online Connection tab

  • Enable the Use application instead of Index User option

  • Replace the Index User credentials with an Application ID and Application Secret

Regarding the required set-up on the Sharepoint side, please refer to the Knowledge Base for Locator 4.x and newer: https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2937454598

Temporary solution: change security settings in Sharepoint

This should be considered a temporary workaround only.

  • Navigate to https://<your tenant>-admin.sharepoint.com

  • Log in with an account with Sharepoint Admin permissions

  • Navigate to Policies -> Access Control -> Apps that don't use modern authentication

  • Change the setting to Allow Access and click Save

Do I need to update Locator and/or Supervisor?

Possibly.

  • Ensure that your installation of Locator / ViaWorks is updated to version 2.11 or newer. The versions of the Sharepoint connector that support using an application instead of Index User were only available for 2.10 and 2.11, and all versions prior to 2.11 have been declared End of Life.

  • Any installations of Locator 4.x and newer will automatically update Locator upon restarting the Saga platform - please refer to https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2400714758 for details

  • Please note that if you update your Locator installation from an earlier major version, all installed connectors should be updated and all connections edited and resaved to ensure correct functioning.

Do I need to update the Sharepoint connector?

  • If you are using Locator 2.11, ensure your Sharepoint connector is updated to version 2.9.7 or newer. Please refer to https://ayfie-dev.atlassian.net/wiki/spaces/VPKB/pages/433750292 for more information on how to update connectors in Locator 2.11.

  • Any installations of Locator 4.x and newer will automatically update the installed connectors upon restarting the Saga platform - please refer to for details