Azure AD Configuration


If a SharePoint Online site is configured to require multi-factor authentication, TreeSize performs a browser-based authentication (as known from other Azure AD apps).

To enable TreeSize to get authentication tokens from your Azure AD tenant, you have to register it in your Azure portal first and grant it permission to access Office 365 SharePoint Online:

Register TreeSize with your tenant

Please note that the following steps are carried out outside of TreeSize, in the Azure portal. They may change as Microsoft continues to develop the portal.

1. Sign in to the Azure portal.

2. Select All services in the left-hand navigation and choose App registrations (or use the search field in the top bar).

3. Select New application registration and create a registration with values like:

Name: An application name of your choice to identify the registration in Azure AD. We suggest using TreeSize.

Redirect URI: Sometimes referred to as the reply URL. Please select 'Public client/native' here. Because TreeSize uses MSAL for authentication, either use the redirect URI provided for this purpose or define your own according to the scheme "My URI"://auth, e.g. treesize://auth

4. Once the registration is completed, AAD assigns a unique Application ID to the app. Copy this value from the right pane, as it will be required for the next steps.

5. Navigate to API Permissions in the left list, and choose Add a permission.

Select SharePoint as the API

Under Delegated Permissions, configure the permissions you want the user to delegate to TreeSize, and confirm the changes using the Done button.

o If a permission has not been granted here, the user cannot use TreeSize to perform the associated action, even though they would be allowed to do so through the web interface.

o If a permission has been granted here but not to the actual user, the associated action will still fail (the user does not gain any additional privileges).

o To access SharePoint pages, the AllSites.Manage permission is required.

o If you want to restrict the access to document libraries only, the AllSites.Read permission is sufficient.

o To scan all site collections connected to a site, the privilege 'Run search queries as a user' is required.

o To allow the user to upload files, the privileges 'Read and write user files' and 'Read and write items and lists in all site collections' may be required.

Click on Grant permissions to apply the changed permissions to your account.

Depending on which permissions you selected, the changes need to be approved by an administrator (grant admin consent).

6. To use SSO for domain-joined Windows (Windows Integrated Auth Flow) or the user credentials entered in TreeSize, the option Allow public client flows under Authentication -> Advanced settings needs to be enabled.


7. If you want TreeSize to identify itself to the authentication service with a certificate instead of user-related login information, you first need to create a self-signed certificate. To do so, please read here. Add the *.cer file created in the process to your app registration under Certificates & Secrets. You can then use the *.pfx file to log in via TreeSize.

Provide TreeSize with the configuration information

To use the app registration made above, its details have to be provided to TreeSize. There are two ways to do this:

If you want to configure these settings for a single user or computer only, e.g. to evaluate and test the settings, you can simply pass them to TreeSize using the following command-line parameters. TreeSize remembers these values, so you only have to configure them once.

o /AADApplicationID followed by the Application ID assigned by the Azure Portal, e.g. /AADApplicationID xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx, and

o /AADRedirectURI followed by the Redirect URI specified during the registration, e.g. /AADRedirectURI TreeSize://auth

If you are an administrator and want to configure these settings for a group within your company, you can define a group policy object to roll them out:

1. Open the Group Policy Management Console, and navigate to the GPO you want to contain the configuration, or create a new one.

2. Under User Configuration > Settings > Windows Settings > Registry, add two new entries:

1. For the Application ID:

Hive: Use HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER

Path: Set to SOFTWARE\JAM Software\TreeSize

Name: Set to AADApplicationID

Value type: REG_SZ

Value data: Enter the Application ID obtained from the AAD

2. For the Redirect URI:

Hive: Use HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER

Path: Set to SOFTWARE\JAM Software\TreeSize

Name: Set to AADRedirectURI

Value type: REG_SZ

Value data: Enter the Redirect URI configured with the AAD
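For a single machine (e.g. to test the values before rolling them out via GPO), the same two REG_SZ values can be written with PowerShell. This is an added example, not a script from TreeSize or JAM Software; the registry path and value names come from the steps above, while the format checks on the Application ID (must be a GUID) and the redirect URI (must be "<scheme>://auth" or an https URI) are assumptions added here as a sanity check before anything is written.

```powershell
# Added example: write and verify the TreeSize Azure AD registry values.
# Assumed checks: AADApplicationID is a GUID, AADRedirectURI is
# "<scheme>://auth" (custom) or an https URI (MSAL-provided).
param(
    [Parameter(Mandatory)][string]$ApplicationId,
    [Parameter(Mandatory)][string]$RedirectUri,
    [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKCU'
)

# The Application ID assigned by Azure AD is always a GUID.
$guid = [guid]::Empty
if (-not [guid]::TryParse($ApplicationId, [ref]$guid)) {
    throw "AADApplicationID '$ApplicationId' is not a GUID."
}

# A custom redirect URI must follow the "<scheme>://auth" pattern from the
# registration step; an https URI (the MSAL-provided one) is accepted as-is.
if ($RedirectUri -notmatch '^[A-Za-z][A-Za-z0-9+.-]*://auth$' -and
    $RedirectUri -notlike 'https://*') {
    throw "AADRedirectURI '$RedirectUri' is neither <scheme>://auth nor https."
}

# Registry location documented for TreeSize (same for HKLM and HKCU).
$keyPath = "${Hive}:\SOFTWARE\JAM Software\TreeSize"
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# PropertyType String creates REG_SZ values, as required above.
New-ItemProperty -Path $keyPath -Name 'AADApplicationID' -PropertyType String `
    -Value $ApplicationId -Force | Out-Null
New-ItemProperty -Path $keyPath -Name 'AADRedirectURI' -PropertyType String `
    -Value $RedirectUri -Force | Out-Null

# Read the values back so the result can be compared with the app registration.
Get-ItemProperty -Path $keyPath | Select-Object AADApplicationID, AADRedirectURI
```

Writing to HKLM requires an elevated PowerShell session; HKCU only affects the current user, matching the two hives the GPO steps allow.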

User permissions and permission levels in SharePoint Server

In order for a user to be able to scan SharePoint pages using TreeSize, the user must be granted certain permissions in SharePoint.

A user needs a permission level on the pages they are allowed to scan that contains the website permission "Browse directories".

If the standard permission levels are to be used, the user needs at least the permission level "Contribute" on these pages.

Please note that the "SharePoint admin" role does not automatically grant a user access to all websites. If a SharePoint admin is to use TreeSize to scan SharePoint sites, please check the assigned permission levels for that account as well.

Problems with authentication

If a user is not able to connect to SharePoint via TreeSize despite the assigned permissions, please check if this user has a valid Office 365 license.