Set up a Microsoft SharePoint connector

ConductorOne provides identity governance and just-in-time provisioning for SharePoint. Integrate your SharePoint instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Capabilities

Resource | Sync | Provision
Accounts ℹ️
Sites
SharePoint groups
Security principals

ℹ️ This connector must pull account information from another connector. You’ll configure this relationship when setting up the connector.

Gather SharePoint credentials

Each setup method requires you to pass in credentials generated in SharePoint. Gather these credentials before you move on.

A user with at least the Cloud Application Administrator permission in Azure must perform this task.

Create a new application

  1. In Microsoft Entra admin center, navigate to App registrations.

  2. Click New registration.

  3. Give the application a name, such as “ConductorOne,” and select the relevant supported account type. You do not need to set a redirect URI.

  4. Click Register.

  5. The new app is created. Carefully copy and save the Application (client) ID and the Directory (tenant) ID shown on the application summary page.

  6. Next, we’ll generate a client secret for this app. Click Certificates & secrets.

  7. Click + New client secret.

  8. Give the client secret a description and set its expiration.

  9. Click Add.

  10. The client secret is generated. Carefully copy and save the Secret Value.

Give the new application API permissions

  1. Click API permissions.

  2. Click + Add permissions > Microsoft Graph.

  3. Click Application permissions and select Sites.Read.All.

  4. Click + Add permissions > Microsoft SharePoint.

  5. Click Application permissions and select Sites.FullControl.All. (You can use Sites.Read.All here if you do not need to sync special SharePoint groups such as “SharePointHome Org Links”.)

  6. Save your changes.

Create and upload a self-signed certificate

Next, you’ll create a self-signed certificate and a private key in PEM format using OpenSSL. The commands to create the certificate are the same regardless of your operating system.

  1. Use the following command to create both a private key and a self-signed certificate. Be sure to replace your_domain_name with your actual domain or a descriptive name.

    openssl req -x509 -newkey rsa:4096 -keyout your_domain_name.key -out your_domain_name.crt -sha256 -days 365
    
  2. Next, you’ll be prompted to enter details for the certificate. The most crucial field here is the Common Name.

    For the Common Name, enter your domain (such as example.com).

  3. Once the process is complete, two files will be created in your current directory:

    • your_domain_name.key: This is your private key
    • your_domain_name.crt: This is your self-signed certificate in PEM format

  4. Upload the certificate to your application by navigating to Certificates & secrets > Certificates.

That’s it! Next, move on to the connector configuration instructions.

Configure the SharePoint connector

To complete this task, you’ll need:

  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of SharePoint credentials generated by following the instructions above

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

  1. In ConductorOne, navigate to Admin > Connectors and click Add connector.

  2. Search for SharePoint and click Add.

    Don’t see the SharePoint connector? Reach out to support@conductorone.com to add SharePoint to your Connectors page.

  3. Choose how to set up the new SharePoint connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. Find the Settings area of the page and click Edit.

  7. Paste the client ID into the Client ID field.

  8. Paste the client secret into the Client secret field.

  9. Paste the tenant ID into the Tenant ID field.

  10. Enter your domain for the Microsoft Graph API in the Graph domain field. The default is graph.microsoft.com.

  11. Upload your self-signed certificate to the PEM certificate field.

  12. Upload the key for your certificate in the PEM key field.

  13. Enter your SharePoint domain in the SharePoint domain field.

  14. Click Save.

  15. Finally, tell the connector where to find the identities that will be used for this app in ConductorOne.

    1. In the Shared identity source area of the page, click Edit.

    2. Select the connector from which you want to pull identities.

    3. Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.

    4. Click Save.

  16. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your SharePoint connector is now pulling access data into ConductorOne.

Follow these instructions to use the SharePoint connector, hosted and run in your own environment.

When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Step 1: Configure the SharePoint connector

  1. In ConductorOne, navigate to Connectors > Add connector.

  2. Search for Baton and click Add.

  3. Choose how to set up the new SharePoint connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. In the Settings area of the page, click Edit.

  7. Click Rotate to generate a new Client ID and Secret.

    Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your SharePoint connector deployment:

Secrets configuration

# baton-sharepoint-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-sharepoint-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # SharePoint credentials
  BATON_AZURE_CLIENT_ID: <Azure client ID>
  BATON_AZURE_CLIENT_SECRET: <Azure client secret>
  BATON_AZURE_TENANT_ID: <Azure tenant ID>
  BATON_AZURE_GRAPH_DOMAIN: <Microsoft Graph API domain (default is graph.microsoft.com)>
  BATON_PEM_CERTIFICATE: <Base-64 encoded PEM certificate>
  BATON_PEM_CERTIFICATE_KEY: <Base-64 encoded private key>
  BATON_SHAREPOINT_DOMAIN: <SharePoint domain>
  # stringData values must be strings; an unquoted true is a YAML boolean and is rejected
  BATON_EXTERNAL_SYNC_MODE: "true"
  BATON_EXTERNAL_RESOURCE_C1Z: <The path to the c1z file to sync external Baton resources with>
  BATON_EXTERNAL_RESOURCE_ENTITLEMENT_ID_FILTER: <Optional. The entitlement that external users, groups must have access to sync external Baton resources>

See the connector’s README or run --help to see all available configuration flags and environment variables.
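As an added example that is not part of these docs or the Baton project, the following Python script cross-checks the certificate and key produced by the openssl step above and renders the baton-sharepoint-secrets manifest: it computes the certificate's SHA-1 thumbprint (to compare with the Thumbprint column Entra shows after upload), warns if the key is passphrase-protected (neither the UI fields nor the manifest take a passphrase), base64-encodes both PEM files as the manifest expects, and keeps every stringData value a string. The PEM contents in the script are constructed placeholders, not real material.

```python
import base64
import hashlib
import json
import re

# Constructed sample PEM blocks: the "DER" body is arbitrary bytes, not a real
# certificate or key. Substitute the files produced by the openssl step.
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"constructed-der-bytes").decode()
                   + "\n-----END CERTIFICATE-----\n")
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and decode the base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END)[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def cert_thumbprint(cert_pem: str) -> str:
    """SHA-1 of the DER certificate as upper-case hex, the form Entra shows in
    the Thumbprint column under Certificates & secrets > Certificates."""
    return hashlib.sha1(pem_to_der(cert_pem)).hexdigest().upper()

def key_is_encrypted(key_pem: str) -> bool:
    """PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED")
    passphrase-protected keys both carry this marker."""
    return "ENCRYPTED" in key_pem

def build_secret_manifest(values: dict, cert_pem: str, key_pem: str) -> dict:
    """Render baton-sharepoint-secrets. Every stringData value is forced to a
    string, because a bare YAML `true` is a boolean and the API server rejects
    it for stringData. The PEM files are base64-encoded as the manifest expects."""
    data = {k: (str(v).lower() if isinstance(v, bool) else str(v))
            for k, v in values.items()}
    data["BATON_PEM_CERTIFICATE"] = base64.b64encode(cert_pem.encode()).decode()
    data["BATON_PEM_CERTIFICATE_KEY"] = base64.b64encode(key_pem.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "baton-sharepoint-secrets"},
            "stringData": data}

if __name__ == "__main__":
    if key_is_encrypted(SAMPLE_KEY_PEM):
        raise SystemExit("key is passphrase-protected; regenerate it without one")
    print("thumbprint to compare in Entra:", cert_thumbprint(SAMPLE_CERT_PEM))
    manifest = build_secret_manifest(
        {"BATON_CLIENT_ID": "<ConductorOne client ID>",
         "BATON_EXTERNAL_SYNC_MODE": True},
        SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    # JSON is valid YAML, so this output can be applied directly with kubectl.
    print(json.dumps(manifest, indent=2))
```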

Deployment configuration

# baton-sharepoint.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-sharepoint
  labels:
    app: baton-sharepoint
spec:
  selector:
    matchLabels:
      app: baton-sharepoint
  template:
    metadata:
      labels:
        app: baton-sharepoint
        baton: "true"  # label values must be strings; an unquoted true fails validation
        baton-app: sharepoint
    spec:
      containers:
      - name: baton-sharepoint
        image: ghcr.io/conductorone/baton-sharepoint:latest
        imagePullPolicy: IfNotPresent
        envFrom:
        - secretRef:
            name: baton-sharepoint-secrets

Step 3: Deploy the connector

  1. Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.

  2. Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the SharePoint connector to. SharePoint data should be found on the Entitlements and Accounts tabs.

That’s it! Your SharePoint connector is now pulling access data into ConductorOne.