The feature is available under the early adopter program. To join the early adopter program and request access to the capability, write to aem-forms-ea@adobe.com from your official email ID.

Configure SharePoint Site with limited access using authorization scope

Limited (restricted) access lets administrators control which SharePoint Site, or group of SharePoint Sites, a user, group, or application can reach. It is useful when you need to grant access to one specific Site without exposing any other SharePoint Site in the tenant.

Advantages of configuring a SharePoint Site with limited access

Advantages of providing limited access to a SharePoint Site:

  • Enhanced security: By limiting access, you can ensure that only authorized personnel have the ability to view or manipulate sensitive information, reducing the risk of unauthorized access.

  • Principle of least privilege: Users and applications get only the minimum access, or permissions, needed to perform their job functions. This limits the blast radius of a compromised or misused account and protects against insider threats.

  • Data protection: Restricted access helps in safeguarding critical data against exposure. It ensures that only users who need to see the data can access it, which is essential for complying with data protection regulations.

  • Accidental data loss prevention: With fewer people able to modify content, the chances of accidental deletion or alteration of important data are significantly reduced.

  • Controlled Data Flow: It helps in controlling the flow of information within and outside the organization, ensuring that data does not end up in the wrong hands.

Configure SharePoint with limited access using authorization scope

Follow the steps below to configure SharePoint Sites with limited access using authorization scopes:

Create an application with limited permissions in the Azure portal

Create an application in the Microsoft Azure portal and assign it the Sites.Selected permission scope of the Microsoft Graph API.

[Screenshot: SharePoint Selected Site]

For information on how to retrieve Client ID, Client Secret and Tenant ID for OAuth URL, see Microsoft® Documentation.

  • In the Microsoft® Azure portal, add the Redirect URI https://[author-instance]/libs/cq/sharepoint/content/configurations/wizard.html. Replace [author-instance] with the host name of your Author instance.
  • Add the offline_access and Sites.Selected permission scopes of the Microsoft Graph API. offline_access lets the connection refresh its token; Sites.Selected restricts the application to the Sites it is explicitly granted.
  • Use the OAuth URL https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize. Replace <tenant-id> with the tenant ID of your app from the Microsoft® Azure portal.

Using the Sites.Selected API permission requires an application registered in the Azure portal with that permission consented for SharePoint Online Sites. Note that Sites.Selected by itself grants access to no Site at all: a SharePoint administrator must additionally grant the application read or write access to each Site it should reach (through the Microsoft Graph sites/{site-id}/permissions endpoint). Every Site that has not been granted stays invisible to the application, which is what provides the limited access.

Refer to the blog article - Develop Applications that use Sites.Selected permissions for SPO sites for instructions on developing applications that use Sites.Selected permissions for SharePoint Online Sites.

Set the authorization scope at AEM instance

To provide limited access to a Microsoft SharePoint Site, it is essential to set the authorization scope correctly. To set the authorization scope and connect AEM Forms to your Microsoft® SharePoint storage:

  1. Go to your AEM Forms Author instance > Tools > Cloud Services > Microsoft® SharePoint.

  2. Once you select Microsoft® SharePoint, you are redirected to the SharePoint Browser.

  3. Select a Configuration Container. The configuration is stored in the selected Configuration Container.

  4. Click Create > SharePoint Document Library from the drop-down list. The SharePoint configuration wizard appears.

    [Screenshot: SharePoint Site Limited Site Access]

  5. Specify the Title, Client ID and Client Secret. For information on how to retrieve Client ID and Client Secret, see Microsoft® Documentation.

  6. Use the OAuth URL https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize. Replace <tenant-id> with the tenant ID of your app from the Microsoft® Azure portal.

    NOTE
    Whether the Client Secret field is mandatory or optional depends on your Azure Active Directory application configuration. If your application is configured to use a client secret, you must provide it.
  7. Add offline_access Sites.Selected (space-separated) to the Authorization Scope field. When this scope is entered in the Authorization Scope textbox, the SharePoint Site ID textbox becomes visible on the screen.

  8. Specify the SharePoint Site ID. To learn how to retrieve the SharePoint Site ID, refer to the Extra Bytes section.

  9. Click Check Site Connection. On a successful connection, the Connection Successful message appears.

  10. Now select SharePoint Site > Document Library > SharePoint Folder to choose where the data is saved.

    NOTE
    • By default, form submissions are stored in the forms-ootb-storage-adaptive-forms-submission folder of the selected SharePoint Site.
    • If that folder is not already present in the Documents library of the selected SharePoint Site, click Create Folder to create it with the name forms-ootb-storage-adaptive-forms-submission.

Now, you can use this SharePoint Sites configuration for the submit action in an Adaptive Form.

Extra Bytes

To retrieve the value of the SharePoint Site ID:

  1. Go to Microsoft Graph Explorer.

  2. In the left pane, under the SharePoint Sites APIs, click Search for a SharePoint site by keyword.

  3. Replace the placeholder contoso with the actual name of your SharePoint Site to fetch the corresponding Site ID.

    [Screenshot: SharePoint Document Library ID]

Click Run Query. The Site ID appears in the id field of the response, in the form hostname,site-collection-id,web-id; copy the whole value, including the commas. A keyword search can return more than one Site, so match the webUrl field against the Site you intend to use before copying its id.
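The following Python script is an added example, not code from Adobe or AEM Forms. It ties together the two steps on this page that are easy to get wrong: picking the correct Site ID out of a Graph Explorer keyword search (the Extra Bytes section above) and granting the Azure application access to exactly that Site, which Sites.Selected requires before the AEM connection can reach anything. The Graph endpoints (sites?search= and sites/{site-id}/permissions) are real, and the grant call must be made with an administrator token carrying Sites.FullControl.All, not with the AEM application's own token. The client ID, site IDs and JSON responses below are constructed sample data and must be replaced with your own; send() is the only function that touches the network and is not called by default.

```python
"""Added example (not Adobe's or AEM's code) for the Sites.Selected setup.

Covers two manual steps from the page: looking up the SharePoint Site ID
that the AEM wizard asks for, and granting the Azure application access to
that one Site. All JSON and IDs below are constructed sample data.
"""
import json
import urllib.request
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
PLACEHOLDERS = {"tenant-id", "<tenant-id>", "client-id", "<client-id>"}


def authorize_url(tenant_id, client_id, redirect_uri,
                  scopes=("offline_access", "Sites.Selected")):
    """Build the OAuth URL the wizard uses, refusing un-replaced placeholders."""
    for value in (tenant_id, client_id):
        if value in PLACEHOLDERS or "<" in value:
            raise ValueError(f"placeholder not replaced: {value}")
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "scope": " ".join(scopes)})
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?{query}"


def site_search_request(keyword):
    """The GET that Graph Explorer's 'Search for a SharePoint site by keyword' runs."""
    return {"method": "GET", "url": f"{GRAPH}/sites?{urlencode({'search': keyword})}"}


def find_site_ids(search_response, web_url=None):
    """IDs of all matching sites, optionally pinned to one webUrl.

    A Graph Site ID is 'hostname,siteCollectionId,webId'. A keyword search can
    return several sites, so never blindly take value[0].
    """
    sites = search_response.get("value", [])
    if web_url is not None:
        sites = [s for s in sites
                 if s.get("webUrl", "").rstrip("/") == web_url.rstrip("/")]
    return [s["id"] for s in sites]


def extract_site_id(search_response, web_url=None):
    """The single Site ID to paste into the wizard; fails on zero or ambiguous hits."""
    ids = find_site_ids(search_response, web_url)
    if len(ids) != 1:
        raise ValueError(f"expected exactly one site, found {len(ids)}: {ids}")
    return ids[0]


def grant_request(site_id, client_id, display_name, role="write"):
    """The POST that grants the app Sites.Selected access to exactly this Site.

    Must be sent with an admin token holding Sites.FullControl.All. 'read' is
    enough to browse the Site; saving form submissions needs 'write'.
    """
    if role not in ("read", "write"):
        raise ValueError("role must be 'read' or 'write'")
    body = {"roles": [role],
            "grantedToIdentities": [{"application": {"id": client_id,
                                                     "displayName": display_name}}]}
    return {"method": "POST", "url": f"{GRAPH}/sites/{site_id}/permissions", "body": body}


def verify_grant(permission_response, client_id, role):
    """True if a permission entry names our app with the role we asked for."""
    if role not in permission_response.get("roles", []):
        return False
    return any(identity.get("application", {}).get("id") == client_id
               for identity in permission_response.get("grantedToIdentities", []))


def send(request, token):
    """Execute one of the request dicts above against Graph with a bearer token."""
    data = json.dumps(request["body"]).encode() if "body" in request else None
    req = urllib.request.Request(request["url"], data=data, method=request["method"],
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data: what a keyword search for "FormsData" might return.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # made-up application (client) ID
SAMPLE_SEARCH = {"value": [
    {"id": "contoso.sharepoint.com,aaaaaaaa-0000-0000-0000-000000000001,bbbbbbbb-0000-0000-0000-000000000001",
     "name": "FormsData", "webUrl": "https://contoso.sharepoint.com/sites/FormsData"},
    {"id": "contoso.sharepoint.com,aaaaaaaa-0000-0000-0000-000000000002,bbbbbbbb-0000-0000-0000-000000000002",
     "name": "FormsDataArchive", "webUrl": "https://contoso.sharepoint.com/sites/FormsDataArchive"},
]}

if __name__ == "__main__":
    site_id = extract_site_id(SAMPLE_SEARCH, "https://contoso.sharepoint.com/sites/FormsData")
    print("Site ID for the wizard:", site_id)
    print(json.dumps(grant_request(site_id, CLIENT_ID, "AEM Forms"), indent=2))
    # For real use: send(grant_request(...), admin_token), then confirm with
    # verify_grant(send({"method": "GET", "url": f"{GRAPH}/sites/{site_id}/permissions/<id>"}, admin_token), CLIENT_ID, "write")
```

Run it as-is to see the request the grant produces; only after the grant succeeds (and verify_grant confirms the app and role) will Check Site Connection in the AEM wizard succeed for that Site, while every other Site in the tenant stays out of reach of the application.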
