Operating System: Windows

Required Permissions: User, IT Admin
Note
This article is relevant for you if you want to use the SharePoint/OneDrive Excel link feature of empower® Charts and Chart Creation in a version earlier than 9.6.

Furthermore, the following information is only relevant to you if your company uses a SharePoint Online instance. The information in this document is not relevant if your company uses a SharePoint on-premises instance. There are scenarios where the configuration described below is not required, even though users work with online Excel files. These scenarios can be summarized as follows:

If users in your company only work according to the scenarios outlined above, the information in this article is not relevant for you.

Hereafter, this article covers those Excel link scenarios that require a SharePoint login.

Example: A user wants to update a chart that is linked to an online Excel file which is not currently open on the user's computer.

When working with online Excel files, empower® requires a SharePoint login, because in those cases the Excel files are available exclusively from an online source and must therefore be downloaded by empower®. Access to such an online source requires the user to authenticate.

To perform authentication, empower® uses the Microsoft Authentication Library (MSAL). |
Note
For further information regarding MSAL, see Overview of the Microsoft Authentication Library (MSAL).

When using MSAL, users are authenticated against the Microsoft Entra ID tenant in which their accounts were created. This is usually your company's Microsoft Entra ID. For empower® to be allowed to request such authentication, an app registration is required. MSAL requires empower® to use this app registration to identify itself to the Microsoft identity platform as an app that is authorized to accept authentication tokens for users from your company's Microsoft Entra ID. To create the connection between the app registration and your company's Microsoft Entra ID, empower® must be registered there as a so-called Service Principal. This is the standard procedure prescribed by Microsoft. You can find more information about Service Principals under the following links:

Application and service principal objects in Microsoft Entra ID

Next, the Service Principal must be granted the read permissions requested by the empower® App Registration. This can be done either by each user individually upon their first login or by an Azure admin on a company-wide level.

Depending on how your company's Microsoft Entra ID is configured, the Service Principal is either registered automatically when the very first user logs in via empower®, or the registration must be performed manually by an Azure admin. The Service Principal is always registered in your company's Microsoft Entra ID at the moment a user grants permissions to the empower® App Registration. From the users' perspective, only the requested permissions are displayed; the Service Principal itself is registered automatically by Microsoft in your company's Microsoft Entra ID.
Note
For further information regarding granting permissions, see Consent experience for applications in Microsoft Entra ID.

Permissions, also called scopes in the context of Microsoft Entra ID, are embedded in authentication tokens when they are issued. Since empower® Chart Creation subsequently uses these authentication tokens to retrieve the requested Excel files, the tokens must contain certain read permissions. All required permissions are already configured in the empower® App Registration. The configured scopes are the following:

All permissions used by the empower® App Registration are so-called delegated permissions. Microsoft's permission system works by forming the intersection of the permissions of the currently signed-in user and the permissions requested by the empower® App Registration. This means that when using empower® Chart Creation, users never gain access to files that they do not already have access to.
Note
For further information regarding delegated permissions, see Understanding delegated access.

When a user logs in for the first time, a window opens that displays the name of the app registration, its publisher, and the requested permissions. The app registration name and the requested permissions shown here are exemplary. If the user clicks the Accept button, the empower® App Registration is automatically registered as a Service Principal in your company's Microsoft Entra ID and the requested permissions are granted for the current user.

Note
To simplify the process for the users, an Azure admin may grant company-wide permission.
As a result, individual users would not have to go through the aforementioned steps.
For further information, see below.

If the users are not authorized to grant the permissions themselves, or if the permissions are to be granted company-wide for other reasons, an Azure admin can grant the permissions in one of the following ways.

To grant company-wide permissions during your own login, follow the steps below:

The empower® App Registration will be registered in your company's Microsoft Entra ID and permission will be granted for all users company-wide.

To grant company-wide permissions via a browser link, follow these steps:

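An added check, not part of the empower® documentation, that an IT admin can run with the Microsoft Graph PowerShell SDK after either admin-consent method above, or after individual user consent, to verify what was actually produced: whether the Service Principal now exists in your tenant, which delegated scopes were granted and to whom (company-wide or per user), and that no application-only permissions exist, matching the delegated-permissions-only statement earlier. The app registration display name is a placeholder, and the SDK module and the admin's own read-only sign-in scopes are assumptions.

```powershell
# Added example, not part of the empower® documentation. Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an admin sign-in.
# Placeholder: use the app registration name shown in the empower® consent window.
$AppDisplayName = '<empower app registration display name>'

# Scopes this audit session itself needs (read-only, delegated to the signed-in admin)
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All', 'User.Read.All'

# 1. Does the Service Principal exist yet? It is created at the first consent (user or admin).
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $sp) {
    Write-Host "No Service Principal named '$AppDisplayName': nobody has consented yet."
    return
}
Write-Host "Service Principal $($sp.DisplayName): objectId $($sp.Id), appId $($sp.AppId)"

# 2. List the delegated permission grants (the source of the scopes placed in issued tokens).
#    ConsentType 'AllPrincipals' = admin granted company-wide, 'Principal' = one user consented.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($g in $grants) {
    $resource  = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    $grantedTo = if ($g.ConsentType -eq 'AllPrincipals') {
        'all users (admin consent)'
    } else {
        (Get-MgUser -UserId $g.PrincipalId).UserPrincipalName
    }
    [pscustomobject]@{
        Resource  = $resource.DisplayName   # API the scopes apply to, e.g. Microsoft Graph
        GrantedTo = $grantedTo
        Scopes    = $g.Scope                # space-separated delegated scopes
    }
}

# 3. empower® uses delegated permissions only, so application (app-only) role assignments
#    should not exist for this Service Principal; flag any that do.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
if ($appRoles) {
    Write-Warning "Found $(@($appRoles).Count) application-permission assignment(s); review them."
} else {
    Write-Host 'No application-permission assignments: delegated access only, as expected.'
}
```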
Note
The app registration for empower® is also required if you host on-premises.