Como usar o Sharepoint

NOTE: for projects using Adobe’s Sharepoint (https://adobe.sharepoint.com) please continue here.

If you use sharepoint as your content source we use a registered Microsoft Azure application to do so. This application has delegated permissions defined that allow the service to access sharepoint on behalf of a user. This user needs to be registered to the project that is using sharepoint.

Alternatively, the services can also authenticate as an application and use application permissions to access the sites. This needs additional setup by a sharepoint site administrator that can grant the permissions for the application.

Setting up sharepoint involves the following steps:

  1. Create a folder within sharepoint that will be the website root.
  2. Create or define the (technical) user that will access the sharepoint content
  3. Share the website root folder with that user.
  4. Configure the fstab.yaml with the respective folder
  5. Register the user with the service
  6. Alternative: Register the Application

1. Create the website root folder

Navigate to your desired location in sharepoint and create a root folder that will be your website root. It is best to not use a sharepoint list root directly, so that you have a shared space for your authors to put collateral documents, for example a drafts folder, or how-to-author documentations.

An example file structure might look like this, using the website folder as the root:

2. Create or define the user

It is best practice to use a generic (or technical) user to access the content on behalf of the service. This is better than using an employee user account because the exact scope of the files the user can access can be defined. Furthermore, there is no risk losing access to the files, should that employee leave the company.

Every company has different procedures to create technical users, so ask your IT department on how to do this.

3. Share the website root folder

NOTE: for projects using Adobe’s Sharepoint (https://adobe.sharepoint.com) please see here.

Ensure that the service user has edit rights on the website root folder. This can be achieved easily by clicking on the … ellipsis menu and selecting “Manage Access”.

And then add the generic (or technical) user user via the “Direct access” option.

4. Configure the fstab.yaml

The next step is to configure the mountpoint in the fstab.yaml to point to the website root. It usually has the form of

https://<tenant>.sharepoint.com/sites/<sp-site>/Shared%20Documents/website

But this might vary depending on how you create the sharepoint site and lists. In order to obtain the url, the simplest way is to copy-past the first part from the browser address, eg:

And then add the rest manually (Note, that copying the sharelink via the UI adds unnecessary information and it is better to use a canonical representation of the url). Once you composed the url, you can test it by entering it again in the browser. You should end up in the folder view of your website root.

After that, update the fstab.yaml accordingly.

For example:

mountpoints:
  /: https://adobeenterprisesupportaem.sharepoint.com/sites/hlx-test-project/Shared%20Documents/website

To finalize the configuration, commit the fstab.yaml back to the main branch.

5. Register the user

Overview

In order for the AEM service to access the authored content it needs a couple of information and setup. The AEM service (a cloud function) accesses the MS Graph API on behalf of a configured user. In order to do so, it needs to authenticate first in the context of an Application. This is important because the scopes given to the application define what permission the service has on the MS Graph API. For example, it should be allowed to read and write documents, but not to alter access control.

An application is represented as an “Enterprise Application” in the respective Active Directory of a tenant. The permissions given to that enterprise application ultimately define what the service can access in that tenant’s resources. Certain permissions need to be approved by an Active Directory administrator before a user can use the application. This so-called “admin consent” is a mechanism to verify and control which permissions apps can have. This is to prevent dubious apps from tricking users into trusting an app that is not official. Having the extra admin consent step allows IT security to control which apps the employees can use.

Access the Service Setup UI

To get started, open the Admin Service Setup UI and enter the GitHub URL of your project:

Then you need to “Sign In” with your personal user that has access to the website root. This is to verify that only people with sufficient credentials can manage the user registration.

The first time you login, you probably see the “Permission Requested” screen. This is to inform you about which permissions the “Franklin Service” application will have:

If you are not an AD admin, you probably don’t have the “Consent on behalf of your organization” checkbox. And the login will fail. At this point an AD admin needs to consent to the application.

The application will show up in your Azure Console / Enterprise Applications Blade:

Opening the application details, and selecting the “Permission” Blade will show that there are not admin consented permissions.

Once an AD admin opens the “Grant admin consent …” link, it will be presented with the “Permissions Requested” screen:

After that, the permissions blade will show the consented permissions:

Connect the technical User

With the permission properly granted, you should be able to login properly to the Franklin Service Setup UI:

Click on “Connect User” and you should see a new login window, where you want to login with your technical user. After the login process, the UI should show the connected user information:

Once the user is registered, you should be able to preview a page.

Important

Changing the user’s password will invalidate the grant that is established when connecting the user. This will eventually cause an error in the sidekick. In order to prevent this, you need to reconnect the user, by clicking the disconnect button then connect it again.

6. Alternative: Register the Application with Sites.Selected permissions

Follow the steps above from Step 5, but instead of connecting a user, click on “Connect Application”. You probably see an error message:

Make sure the enterprise application in Azure has the “Sites.Selected” permission granted:

In addition, the sharepoint site that contains the mounted directory needs to have “write” permissions added for the Franklin Service application. In order to do this, follow the instructions https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http

Example POST:


POST https://graph.microsoft.com/v1.0/sites/03cc3587-0e4d-405e-b06c-ffb0a622b7ac/permissions

{
    "roles": [
        "write"
    ],
    "grantedToIdentities": [
        {
            "application": {
                "id": "83ab2922-5f11-4e4d-96f3-d1e0ff152856",
                "displayName": "Franklin Service"
            }
        }
    ]
}

Note: in order to get the sharepoint siteId, login to your sharepoint site, and append _api/site/id and copy the value of the `<d:id>`xml tag.

For example:

GET https://example.sharepoint.com/sites/my-franklin-project/_api/site/id
<d:Id
  xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
  xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
  xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml"
  m:type="Edm.Guid"
>6957250f-27c6-4996-bfd7-b8592f7d3b31</d:Id>

Once everything is setup correctly, you should see the registration summary:

recommendation-more-help
fbcff2a9-b6fe-4574-b04a-21e75df764ab