MFA SharePoint Application Account Setup

Initial Setup

PLEASE FOLLOW THE INSTRUCTIONS BELOW:

Check that the field length of the Token attribute in IPM Settings is 400; if it is not, update it.

Replace "ipmglobal365" with your tenant's name in the URL below:

https://ipmglobal365.sharepoint.com

and open it

You must log into your SharePoint as a user with Admin (full) rights

Replace "ipmglobal365" with your tenant's name in the URL below:

https://ipmglobal365.sharepoint.com/_layouts/15/appregnew.aspx

then open it

Click the "Generate" buttons to generate new "Client Id" and "Client Secret" values (these must be different for every client)

COPY, PASTE AND KEEP HANDY THE NEW "Client Id" and "Client Secret" values

Enter the following values (must be the same for all sites):

Title: IPM

App Domain: ipmazureweb.ipmglobal.net

Redirect URI: https://ipmazureweb.ipmglobal.net

Click the "Create" button

Replace "ipmglobal365" with your tenant's name in the URL below:

https://ipmglobal365-admin.sharepoint.com

then open it

Replace "ipmglobal365" with your tenant's name in the URL below:

https://ipmglobal365-admin.sharepoint.com/_layouts/15/appinv.aspx

then open it

Paste the previously generated Client Id into the "App Id" field

Click the "Lookup" button; it should pre-fill the Title, App Domain and Redirect URL fields

Paste the following XML into the "App's Permission Request XML" field (don't change anything):

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

Click the "Create" button

Then click the "Trust It" button

A process now needs to be run in the IPM Configuration Manager using the ApplicationUserID and the Secret. This updates the security token in IPM Settings. That token must then be sent to IPM Support so the Azure IPM Servers can be updated.

Renewing the SharePoint Client Secret

The secret associated with the SharePoint AppID (ClientID) expires after 12 months. To renew it you must run a PowerShell script: connect to the organisation's Azure tenancy online and run the script below.

1: To check if you have the Azure AD PowerShell module already installed, use the following: "Get-Module AzureAD -ListAvailable"

2: If you don't have it installed, run PowerShell as Administrator, type "Install-Module AzureAD" and hit Enter. You'll be asked to confirm the installation from the PSGallery. Type "A" to select "Yes to All" and hit the Enter key

3: If you have the Azure AD PowerShell module installed and want to update to the latest version, type "Update-Module -Name AzureAD"

4: The next step is to connect to Azure AD from PowerShell. Type the "Connect-AzureAD" cmdlet and hit the Enter key. You'll be prompted to log in to Azure AD; the prompt is Multi-factor authentication (MFA) aware. Ensure you have administrator access to Azure Active Directory before executing these cmdlets

5: After successfully connecting to Azure AD you can run the script below to generate a new App Password

# Step 5 script: creates a new password for the add-in's service principal and
# registers matching symmetric key credentials (Verify and Sign) for SharePoint.
$clientId = 'enter the original AppId here inside single quotes'

# Only needed if the session opened in step 4 is no longer active. Note that
# -Credential cannot complete MFA; for an MFA-enforced account run
# Connect-AzureAD without parameters and sign in interactively instead.
$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred

$endDate = (Get-Date).AddYears(1)   # the new secret is valid for 12 months

$app = Get-AzureADServicePrincipal -Filter "AppId eq '$clientId'"
if (-not $app) { throw "No service principal found for AppId '$clientId'; check the value entered above." }
$objectId = $app.ObjectId

# Create the new password credential; Azure AD generates its value.
$base64secret = New-AzureADServicePrincipalPasswordCredential -ObjectId $objectId -EndDate $endDate

# Register the same value as symmetric key credentials used to verify and sign tokens.
New-AzureADServicePrincipalKeyCredential -ObjectId $objectId -EndDate $endDate -Type Symmetric -Usage Verify -Value $base64secret.Value
New-AzureADServicePrincipalKeyCredential -ObjectId $objectId -EndDate $endDate -Type Symmetric -Usage Sign -Value $base64secret.Value

# Output the new secret in Base64 form (the password copied in step 6) and its expiry date.
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($base64secret.Value))
$base64secret.EndDate # Print the end date.

6: Copy the password generated and run the IPM Configuration Manager using the ApplicationUserID and the Secret. In the configuration screen make sure you update only the IPM Settings: enter the existing SharePoint AppId and the newly generated password in the SharePoint section

7: After this process has completed, go to CRM > IPM Settings > Ipm Settings, clear the IPM Cache, refresh the screen, then copy the Token value and send it to IPM Support so that it can be updated on our Azure IPM servers
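
Because the secret silently expires after 12 months, it helps to know what credentials the add-in's service principal currently holds before the renewal becomes an emergency. The following is an added example (not part of the original guide or of IPM's tooling) that lists the password and symmetric key credentials on the service principal with their end dates and flags any that are expired or close to expiring. It assumes the Connect-AzureAD session from step 4 is open, that $clientId holds the same AppId used in step 5, and the 30-day warning threshold is a value chosen here.

```powershell
# Added example (not part of the original guide): audit every credential on the
# add-in's service principal and flag those that are expired or close to expiry.
# Assumes the Connect-AzureAD session from step 4 is still open.
$clientId       = 'enter the AppId here inside single quotes'   # same AppId as the step 5 script
$warnWithinDays = 30                                            # threshold chosen for this example

$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$clientId'"
if (-not $sp) { throw "No service principal found for AppId '$clientId'." }

$now    = Get-Date
$report = @()

# Password credentials (the client secret itself) ...
foreach ($c in Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId) {
    $report += [pscustomobject]@{ Kind = 'Password'; KeyId = $c.KeyId; StartDate = $c.StartDate; EndDate = $c.EndDate }
}
# ... and the symmetric key credentials (Verify / Sign) registered alongside it in step 5.
foreach ($c in Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId) {
    $report += [pscustomobject]@{ Kind = "Key/$($c.Usage)"; KeyId = $c.KeyId; StartDate = $c.StartDate; EndDate = $c.EndDate }
}

# Work out how many days each credential has left and classify it.
foreach ($r in $report) {
    $daysLeft = if ($r.EndDate) { [math]::Floor(($r.EndDate - $now).TotalDays) } else { $null }
    $state = if ($null -eq $daysLeft) { 'NO EXPIRY' }
             elseif ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $warnWithinDays) { 'EXPIRING' }
             else { 'OK' }
    $r | Add-Member -NotePropertyName DaysLeft -NotePropertyValue $daysLeft
    $r | Add-Member -NotePropertyName State    -NotePropertyValue $state
}

$report | Sort-Object EndDate | Format-Table Kind, KeyId, StartDate, EndDate, DaysLeft, State -AutoSize

# Once the renewal in step 5 is done and IPM has been verified (steps 6 and 7), the
# superseded entries can be removed by KeyId so only the live credential set remains:
#   Remove-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId -KeyId <old KeyId>
#   Remove-AzureADServicePrincipalKeyCredential      -ObjectId $sp.ObjectId -KeyId <old KeyId>
```

A credential that shows EXPIRING here is the cue to schedule step 5 before the IPM token stops refreshing.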


You can also refer to this Microsoft KB for more information: Replace Expiring Secret