
Connecting Microsoft apps to Zeta Alpha

Step-by-Step Instructions

1. Sign in to Microsoft Entra

Sign in to https://entra.microsoft.com/.


2. Click on Applications

Click on Applications


3. Click on App registrations

Go to the Invite users page by clicking the blue button in the top right corner.

Click on App registrations


4. Click on New registration

Click on New registration


5. Enter the name of the application

For example, "Zeta Alpha Connector".


6. Click on Register

Click on Register


7. Click on API permissions

Click on API permissions


8. Click on Add a permission

Click on Add a permission


9. Click on Microsoft Graph

Click on Microsoft Graph


10. Click on Application permissions

Click on Application permissions


11. Add all required permissions by repeating steps 12-14 for each

At Zeta Alpha, we practice the principle of least privilege. Unfortunately, the minimum Microsoft Graph API permission scopes are broader than needed for only reading data. The following permissions are required for the Zeta Alpha applications in order to read data from SharePoint, OneDrive and Teams:

ChannelMessage.Read.All
ChannelSettings.Read.All
Chat.Read.All
Team.ReadBasic.All
TeamMember.Read.All
User.Read.All
Files.Read.All
Sites.Read.All

Even though these permissions are broader than needed for only reading data, Zeta Alpha will only read data that is explicitly allowed by the connector configuration.

Alternative: Add selected sites only

If you want to limit access to selected SharePoint sites only, then the only permission to add is

Sites.Selected

Then, after creating the application, you need to grant access to the specific SharePoint sites that you want Zeta Alpha to crawl. Please refer to step 18, "Grant Read permissions to the specific sites", below.


12. Enter the permission name

Enter the permission name


13. Click on Expand or collapse group

Click on Expand or collapse group


14. Click on the checkbox if not selected

Click on the checkbox if not selected


15. Click on Add permissions

Click on Add permissions


16. Click on Grant admin consent for MSFT

Click on Grant admin consent for MSFT


17. Click on Yes

Click on Yes


18. (Required only for "Sites.Selected" permissions) Grant Read permissions to the specific sites

This step is required only if you selected the "Sites.Selected" permission in step 11, otherwise skip to step 19.

Identify the Site ID of the SharePoint site you want to grant access to.

You can find the Site ID in the SharePoint admin center or by using the Microsoft Graph Explorer. Common queries to get the Site ID and WebUrl are:

  • Get All sites:
GET https://graph.microsoft.com/v1.0/sites/microsoft.graph.getAllSites()
  • Get root site:
GET https://graph.microsoft.com/v1.0/sites/root
  • Get Sites at root level:
GET https://graph.microsoft.com/v1.0/sites/root/sites
  • Get user's OneDrive WebUrl:
GET https://graph.microsoft.com/v1.0/users/{userPrincipalName}/drive/root/site
  • Get Site by WebUrl:
GET https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{site-path}

SiteId should look like this:

contoso.sharepoint.com,12345678-90ab-cdef-1234-567890abcdef,abcdef12-3456-7890-abcd-ef1234567890

Also take note of the WebUrl of the site; you will need it to configure the connector later.

Once you have the Site ID, use the following request in Microsoft Graph Explorer or any HTTP client to grant read permissions to the application:

    POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
    Content-Type: application/json

    {
      "roles": ["read"],
      "grantedToV2": {
        "application": {
          "id": "{Connector applicationID}",
          "displayName": "{Connector Name}"
        }
      }
    }

Replace {siteId} with the actual Site ID of the SharePoint site, {Connector applicationID} with the Application (client) ID of your registered application (steps 24 and 25), and {Connector Name} with the name of your registered application (step 5).


19. Click on Certificates & secrets

Click on Certificates & secrets


20. Click on New client secret

Click on New client secret


21. Type the name of the secret

For example, "Zeta Alpha Secret".


22. Select the maximum expiration date and click on Add

Select the maximum expiration date and click on Add


23. Click on the Copy to clipboard button

Click on the Copy to clipboard button


24. Click on Overview

Click on Overview


25. Copy the values of Application (client) ID and Directory (tenant) ID

Copy the values of Application (client) ID and Directory (tenant) ID


26. Send info to Zeta Alpha

The following values need to be sent to the Zeta Alpha platform

  • Client Secret
  • Application (client) ID
  • Directory (tenant) ID

In case Zeta Alpha is managing your SharePoint connector, please also send the list of SharePoint Site URLs (WebUrl) that you want to crawl.
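
Before handing these values over, you can check that the registration carries exactly the application permissions chosen in step 11. The following is an added example, not Zeta Alpha's or Microsoft's code: it reads the "roles" claim from an app-only Microsoft Graph access token and compares it with the permission list from this guide. It assumes you already obtained a token with the new client ID and secret; the sample tokens and function names are constructed for illustration.

```python
import base64
import json

# Application permissions listed in step 11 of this guide.
FULL_READ = {
    "ChannelMessage.Read.All", "ChannelSettings.Read.All", "Chat.Read.All",
    "Team.ReadBasic.All", "TeamMember.Read.All", "User.Read.All",
    "Files.Read.All", "Sites.Read.All",
}
SITES_SELECTED = {"Sites.Selected"}  # the "selected sites only" alternative


def token_roles(jwt):
    """Return the 'roles' claim of an app-only token (signature NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit(jwt, expected):
    """Compare the granted application permissions with the expected set."""
    roles = token_roles(jwt)
    return {
        "unexpected": sorted(roles - expected),  # consented but not in the guide
        "missing": sorted(expected - roles),     # in the guide but not consented
        "ok": roles == expected,
    }


def sample_token(roles):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed case: Sites.Selected was intended, but a write scope was also consented.
    print(audit(sample_token(["Sites.Selected", "Sites.ReadWrite.All"]), SITES_SELECTED))
    # Constructed case: the full read-only list from step 11, nothing more.
    print(audit(sample_token(sorted(FULL_READ)), FULL_READ))
```

Any entry under "unexpected" is a permission that was consented beyond what this guide asks for and can be removed under API permissions before the credentials are shared.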

What's next?

If applicable, set up the Zeta Alpha Teams and SharePoint connectors!