Issue

  • The Azure app registration is missing SharePoint REST API permissions.

Resolution

Since the Microsoft Graph API does not cover several of our SharePoint use cases (for example, site page permissions), we need to use the SharePoint REST API as well. This must be done for every Azure app.

Prerequisites

  • Provisioning REST API permissions directly through the Azure portal requires your application to be authenticated through the certificate-based method.
    • If you are currently using a client secret, contact support to enable the new certificate-based method for setup. This is not required, but it is recommended for the best setup experience.
    • This requires creating a certificate and uploading it to Azure. Then, you must upload the certificate and its associated private key to Glean through the SharePoint connector setup.

Remediation Steps

  • Open a PowerShell session. Note that these steps may also require you to install the SharePoint PnP PowerShell module. Replace $SITE_COLLECTION_URL and $CLIENT_ID with your site collection URL and the app's client ID (or assign them as variables first; a single-quoted '$CLIENT_ID' would be passed literally and not expanded).

    Connect-PnPOnline -Url $SITE_COLLECTION_URL
    Grant-PnPAzureADAppSitePermission -AppId $CLIENT_ID -Site $SITE_COLLECTION_URL -Permissions FullControl

For client secret-based setup (deprecated)

    Grant-PnPAzureADAppSitePermission -AppId $CLIENT_ID -Site $SITE_COLLECTION_URL -Permissions FullControl

You should expect the output to include:

    Id    : <id>
    Roles : {fullcontrol}
    Apps  : {$DISPLAY_NAME, $CLIENT_ID_FOR_SETUP}

  • For your application in Azure, on the left side of the application pane, navigate to Manage > API Permissions.
  • Click Add a permission and select SharePoint. Choose Application permissions and add Sites.FullControl.All.
  • These steps require you to be either a tenant administrator or a site administrator of the associated site collection.
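As an added example (not part of the original article or Glean's own tooling), the following PnP PowerShell script verifies that the grant above actually took effect by reading the app's site permission back and checking for the expected role. It assumes the PnP.PowerShell module is installed, that you sign in as a tenant or site collection administrator, and that the $SiteUrl and $ClientId values are placeholders you supply.

```powershell
# Added example: verify that an Azure app holds the expected SharePoint site permission.
# Assumptions: PnP.PowerShell is installed; you sign in interactively as a tenant or
# site collection administrator; $SiteUrl, $ClientId and $ExpectedRole are placeholders.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,    # e.g. https://<sharepointdomain>.sharepoint.com/sites/<site>
    [Parameter(Mandatory)] [string] $ClientId,   # Application (client) ID of the app registered for Glean
    [string] $ExpectedRole = 'fullcontrol'       # role the remediation steps above grant
)

Import-Module PnP.PowerShell -ErrorAction Stop

# Sign in as an administrator; the grant is read through the same site the permission was given on.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Read back every permission entry that names this app on the site collection.
$grants = @(Get-PnPAzureADAppSitePermission -AppIdentity $ClientId)
if ($grants.Count -eq 0) {
    Write-Error "No site permission found for app $ClientId on $SiteUrl. Re-run Grant-PnPAzureADAppSitePermission."
    exit 1
}

# Report each entry and succeed only if one of them carries the expected role.
foreach ($grant in $grants) {
    $roles = @($grant.Roles) | ForEach-Object { $_.ToString().ToLowerInvariant() }
    Write-Host ("{0,-40} Roles: {1}" -f $grant.Id, ($roles -join ', '))
    if ($roles -contains $ExpectedRole) {
        Write-Host "OK: app $ClientId has '$ExpectedRole' on $SiteUrl"
        exit 0
    }
}

Write-Error "App $ClientId is present on $SiteUrl but none of its entries carry '$ExpectedRole'."
exit 1
```

Run it once immediately after the grant and keep the output with your change record; the Id and Roles lines correspond to the expected output shown above, so a mismatch points at the grant step rather than at the Azure API permission step.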

For client secret-based setup (deprecated)

  • Navigate to <sharepoint-domain>-admin.sharepoint.com/_layouts/15/appinv.aspx (if you access SharePoint at glean.sharepoint.com, the sharepoint-domain would be glean).
  • Look up the app using the Client ID of the app you created for Glean. You can set the App Domain to glean.com and the Redirect URL to https://glean.com.
  • For Permission Request XML, paste the following:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
    </AppPermissionRequests>
  • Click Save in Glean to save the app credentials.

Additionally, for client secret setups, if the tenant was recently created (2020 onwards), custom app authentication is disabled by default for your SharePoint tenant and client secret-based (ACS) app-only access will be rejected. You must allow it by setting the tenant property DisableCustomAppAuthentication to $false, as shown below (reference).

Remediation Steps

In PowerShell, run the following commands:

    Connect-PnPOnline -Url https://<sharepointdomain>-admin.sharepoint.com
    Set-PnPTenant -DisableCustomAppAuthentication $false
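Because DisableCustomAppAuthentication is a tenant-wide setting, a practitioner will usually want to read it first and change it only when necessary. The script below is an added example (not from the original article or from Glean); it assumes the PnP.PowerShell module, an administrator sign-in, and that $AdminUrl is a placeholder for your tenant's admin URL. Without -Fix it only reports the current value.

```powershell
# Added example: check, and only if needed change, the tenant setting that client-secret
# (ACS) app-only authentication depends on. Assumptions: PnP.PowerShell is installed,
# you sign in as a SharePoint or tenant administrator, $AdminUrl is a placeholder.
param(
    [Parameter(Mandatory)] [string] $AdminUrl,  # https://<sharepointdomain>-admin.sharepoint.com
    [switch] $Fix                                # without -Fix the script is read-only
)

Import-Module PnP.PowerShell -ErrorAction Stop
Connect-PnPOnline -Url $AdminUrl -Interactive

# Read the current tenant-level value before touching anything.
$before = (Get-PnPTenant).DisableCustomAppAuthentication
Write-Host "DisableCustomAppAuthentication is currently: $before"

if ($before -eq $false) {
    Write-Host "Custom app (client secret) authentication is already allowed; nothing to change."
    return
}

if (-not $Fix) {
    Write-Warning "Client secret-based setup will be rejected until this is `$false. Re-run with -Fix to change it."
    return
}

# The change applies to every app in the tenant that uses ACS app-only tokens, not only
# the Glean app, so record who changed it and when.
Set-PnPTenant -DisableCustomAppAuthentication $false
$after = (Get-PnPTenant).DisableCustomAppAuthentication
Write-Host ("Changed by {0} at {1:u}: DisableCustomAppAuthentication {2} -> {3}" -f `
    $env:USERNAME, (Get-Date).ToUniversalTime(), $before, $after)
```

The read-then-write shape keeps the script safe to run repeatedly: on a tenant that is already configured it makes no change, and on one that is not it leaves a before/after line you can paste into the change ticket.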

For additional assistance, please contact Glean Support at https://support.glean.com