Setting up authentication for SharePoint Lists

There are two methods to authenticate. The first method is Interactive mode, which requires user interaction each time a data source is imported. Because of this, import tasks using Interactive mode cannot be scheduled in Dataedo Scheduler. The second method is Service Principal, which uses a client secret from Azure Application Registration and does not require user interaction during import.

When using the Interactive authentication type without Advanced authentication settings, the only prerequisite is that the user you are connecting with has the appropriate permissions. However, when using the Interactive authentication type with Advanced authentication settings or the Service Principal authentication type, you must first have an Azure Application Registration created.

Interactive authentication type

In this authentication workflow, we are using user impersonation against Azure Application Registration. In default mode, we are using Dataedo’s Application Registration, but when clicking Advanced authentication settings, it is possible to provide connection details for your own Azure Application Registration.

Required permissions

The user must have the Sites.Read.All scope.

Interactive authentication using default settings

To use interactive authentication, Authentication Type dropdown should be selected to Interactive and Advanced authentication settings checkbox should be unchecked.

Power BI

SharePoint Lists

Azure Data Factory

When you click Connect or select some details (Site), your default browser will be opened with Microsoft login screen. After successful login, you can close the browser and start import. In some cases, for the first time use there will be Azure Administrator consent required and there will be Administrator action needed as explained in Adding Azure Administrator consent to Azure Application Registration section below.

Interactive authentication using advanced authentication settings

To use interactive authentication using advanced authentication settings. Authentication Type dropdown should be selected to Interactive and Advanced authentication settings checkbox should be checked. Then please enter your Application Registration Client Id to Client Id textbox. How to create Azure Application Registration and where is Application Registration Client Id is explained in Creating Azure Application Registration section below. When you are using not default settings in Application Registration or Azure Cloud Instance other than Azure Public please select proper values in Authority, Cloud Instance and Audience fields.

Power BI

SharePoint Lists

Azure Data Factory

Creating Azure Application Registration

To create an Azure Application Registration:

1. Log in to the Azure Portal.
2. In the search bar, search for App registrations and select it from the list.
3. From the toolbar, on the App registrations page, click + New registration.
4. On the Register page for Name, enter a name of your client application, select supported account types, and Redirect URI as Public client/native, with http://localhost redirect URI.
   
5. Click Register.
6. On the homepage of your created application, from the Overview screen, copy the values for the Application (client) ID field - this value needs to be pasted into Client Id field in Dataedo.
   
7. On the left sidebar of your created application page click on Manage and then click API permissions to assign proper permissions to the application.
   
8. In API permissions page click Add a permission.
9. On the right sidebar Request API permissions click on Azure Services Management.
   
10. On the permissions list which will appear after clicking on Azure Service Management check the checkbox user_impersonation and click Add Permissions
    

Adding Azure Administrator consent to Azure Application Registration

In some Azure subscription configurations, Admin consent may be required for using Application Registration.

If the user encounters a screen like this, it means that requesting Admin consent is disabled for your Azure subscription:

To resolve this, the user needs to see a screen like this, where they can send a request for approval to the Azure Admin:

To enable sending Admin consent requests, the Azure Administrator needs to take the following steps in Azure Portal:

1. Open Enterprise applications in the Azure portal.
2. In the left sidebar, go to Security and click on the Consent and permissions menu.
   
3. In Consent and permissions, click Admin consent settings in the left sidebar and select YES for "Admin consent requests – Users can request admin consent to apps they are unable to consent to." Select one or more users, groups, or roles that can consent to applications.
   

Once consent requests are enabled, the user can send a request for approval:

After the request is sent, the Azure Administrator will see the request for review under Enterprise applications in the Azure Portal, within the Activity → Admin consent requests menu. After reviewing and approving the requested permissions, the user will be able to log in and import the Power BI workspace with the Dataedo application.

Service Principal authentication type

To use the service principal authentication type, please select Service Principal in Authentication Type dropdown and fill Client Id, Client Secret and Tenant Id with proper values from your Azure Application Registration. How to create Azure Application Registration and where those values available are explained in Creating Azure Application Registration section below.

Power BI

SharePoint Lists

Azure Data Factory

Creating Azure Application Registration

To create an Azure Application Registration:

1. Log in to the Azure Portal.
2. In the search bar, search for App registrations and select it from the list.
3. From the toolbar, on the App registrations page, click + New registration.
4. On the Register page for Name, enter a name of your client application, select supported account types, and Redirect URI as Public client/native, with http://localhost redirect URI.
   
5. Click Register.
6. On the homepage of your created application, from the Overview screen, copy the values for the Application (client) ID field - this value needs to be pasted into Client Id field in Dataedo and Tenant Id into Tenant Id in Dataedo.
   
7. From the left menu of your created application registration page, click Certificates & secrets.
   
8. On the Certificates & secrets page, under Client secrets, click + New client secret.
   
9. In the Add client secret screen, enter the description, expiry and click Add
10. On the certificates & secrets page, under Client secrets click the clipboard icon to copy it and paste it in Client secret field in Dataedo.

Setting up Service Principal authentication for SharePoint Lists

To set up SharePoint Lists import using service principal authentication in addition to application registration, it is required to assign proper permissions to that application as explained in Assigning permissions to application registration for SharePoint Lists. After setting it up, you are ready to import SharePoint Lists using service principal authentication.

Assigning permissions to application registration for SharePoint Lists

1. Log in to the Azure Portal.
2. In the search bar, search for App registrations and select it from the list.
3. Choose application registration which will be used for authentication.
4. On the left sidebar of your application page, click on Manage and then click API permissions to assign proper permissions to the application.
   
5. Click Add a permission
6. Click on Application permissions
   
7. In search bar under Select permissions caption enter "Site".
8. Check the checkbox with Sites.Read.All and Sites.Read.Selected scopes.
9. Click Add permissions.
   
10. In API permissions page click Add a permission.