Answer Engine (Lucy) Azure Indexing Application Setup
Prerequisites
Granting tenant-wide admin consent requires you to sign in as a user that is authorized to consent on behalf of the organization.
To grant tenant-wide admin consent, you need:
A Microsoft Entra user account with one of the following roles:
- Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
- Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph application permissions. Sites.Read.All and Sites.Selected are Microsoft Graph application permissions, so these two roles cannot consent to the SharePoint setup below; a Privileged Role Administrator is needed for that.
- A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
The user who assigns site-level access in the Sites.Selected flow must also be at least a member of the SharePoint site to which read access is being granted.
Visual Guide
Lucy Application Creation in Azure AD
The following steps enable our clients’ IT partners to create an application within their Azure Portal, allowing Lucy to index content from SharePoint or PowerBI.
If access must be limited to specific sites rather than every site in the tenant, skip to the Application Creation (Sites.Selected) steps below.
Application Creation (Sites.Read.All)
1. Go to the App Registrations in the Azure Portal and create a new application.
Figures 1 & 2 – Steps to Register a New Application.
Figure 3 – Azure Application Registration.
2. Once the app is created, the Sites.Read.All application permission under Microsoft Graph is required for Lucy’s indexing process to begin. This permission grants read access to every SharePoint site in the tenant, which is why the Sites.Selected variant below exists for tenants that need a narrower scope.
Figures 4 & 5 – Application Permissions for Indexing SharePoint.
For a Power BI integration, the following permissions are required: Report.Read.All, Dashboard.Read.All, App.Read.All, Workspace.Read.All. These are listed under the Power BI Service option, not under Microsoft Graph.
Figures 6 & 7 – Application Permissions for Indexing PowerBI.
In addition, for Power BI to access the dashboards, a redirect URI for the Lucy core must be registered so that the authorization response can be received and the token obtained for indexing. Under Authentication in the app registration, add the redirect URI <CORE_URL>/connect/powerbi/callback.
3. Add a client secret. The Directory (tenant) ID, Application (client) ID and client secret are required to connect to SharePoint. The secret value is displayed only once, when it is created, so copy it at that point; choose the shortest expiry your rotation process allows and note the expiry date so the secret can be replaced before indexing breaks.
Figure 8 – Creating Client Secret.
Lucy Sites.Selected Application Creation in Azure AD
The following steps enable our clients’ IT partners to create an application within their Azure Portal, specifically when Sites.Selected permissions are required.
Application Creation (Sites.Selected)
To work with only the Sites.Selected permission, follow the steps below to grant read permission to specific sites only.
1. Go to Microsoft Azure and search for App Registrations
Figure 9 – Application Registration in Azure.
2. Click on New registration
Figure 10 – New Application Registration.
3. Give this application a name and hit Register.
Figure 11 – New Application Name.
Save the name for later, in case additional scopes or sites need to be added.
4. Once the app is created, go to API permissions and click Add a permission
Figure 12 – Add Permissions to Application.
5. Select Microsoft Graph in the sidebar, then select Application permissions
Figure 13 & 14 – Apply Microsoft Graph Permissions to Application.
6. Search for Sites in the search box, select Sites.Selected and click Add permissions. Do not add Sites.Read.All alongside it: effective access is the union of the app’s permissions, so Sites.Selected only limits access when it is the sole SharePoint permission on the app.
Figure 15 – Apply Sites.Selected Permission.
7. Grant admin consent to the application so that it can index.
Depending on your organization’s settings, admin consent will most likely need to be granted to Lucy’s indexing application before indexing can run. It must be granted by a user holding one of the roles listed under Prerequisites; for a Microsoft Graph application permission such as Sites.Selected that means a Privileged Role Administrator or an equivalent custom role.
Figures 16 & 17 – Grant Application Admin Consent.
8. Then go to Certificates & secrets and generate a client secret.
The secret value needs to be shared with the Lucy team for indexing, together with the Application (client) ID and Directory (tenant) ID (both are shown in the Overview section). Copy the secret value as soon as it is created, as it cannot be viewed again afterwards; send it over a secure channel rather than plain e-mail, and record its expiry so it can be rotated before it lapses.
Figures 18, 19 & 20 – Share Certificates & Secrets with Capacity Customer Success Manager.
The following steps enable our clients’ IT partners to assign the read permissions of a specific SharePoint site to the newly created application.
Assign Read Permissions to Application
1. Get the Site ID of the site you want to index (to get the site id, follow the steps below)
- Go to the SharePoint site that needs to be indexed. Note: the URL should be in the format https://example.sharepoint.com/sites/sitename
- Append _api/site/id to the end of this SharePoint URL. Example: https://example.sharepoint.com/sites/sitename/_api/site/id
- The response is a small XML document whose Id element is typed Edm.Guid; the GUID inside that element is your site id.
Figure 21 – Obtain SharePoint Site ID to Grant Access.
2. Go to Graph Explorer (Graph Explorer | Try Microsoft Graph APIs - Microsoft Graph) and sign in as a user that is authorized to consent on behalf of the organization. Graph Explorer runs the call with the signed-in user’s delegated permissions, and creating a site permission requires the Sites.FullControl.All delegated permission, so consent to it under the Modify permissions tab if the request is rejected with 403.
Important: the user must also be at least a member of the SharePoint site to which the Sites.Selected app is being granted read access.
Figure 22 – Sign In to Grant Consent.
3. Set the method to POST and the URL to https://graph.microsoft.com/v1.0/sites/{site_id}/permissions, replacing {site_id} with the value gathered in Step 1, then paste the JSON below into the Request body tab.
Note: in this JSON, id is the Application (client) ID recorded when the app was created and displayName is the name of the app. Keep roles at "read" only; the indexing app never needs write access.
{
  "roles": [
    "read"
  ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "b1c5d135-d48c-4bab-8191-a7c3b47e9fdc",
        "displayName": "LucyIndexAppTest"
      }
    }
  ]
}
Figures 23 & 24 – Use Microsoft Graph Explorer to Grant the Application Access to the Site.
4. Click the Run query button.
Once successful, a 201 Created status code is displayed and the response body echoes the new permission; check that its roles array contains only "read".
Figure 25 – Confirm Application Successfully Granted Access.
Related Material:
- Microsoft documentation on permissions: Create permission - Microsoft Graph v1.0
- Microsoft’s Graph Explorer (Graph Explorer | Try Microsoft Graph APIs - Microsoft Graph) can be used to run Graph queries, including assigning read permission on a specific site to an Entra app that holds the Sites.Selected (Application) permission.
Sample Requests
Use the request below to give read access to the app created for ingestion. It is shown as a raw HTTP request (the same URL, headers and body can be sent with curl); replace {siteId} with the site ID, id with the target application’s client ID and displayName with its display name.
POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
Content-Type: application/json
Authorization: Bearer <access_token>

{
  "roles": ["read"],
  "grantedToIdentities": [{
    "application": {
      "id": "89ea5c94-7736-4e25-95ad-3fa95f62b66e",
      "displayName": "Contoso Time Manager App"
    }
  }]
}
[Optional] To find a site’s ID by name, use the query below:
curl --location 'https://graph.microsoft.com/v1.0/sites?search=example' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <access_token>'
siteId is the ID of the site for which read access is being granted. The id returned by the search is a composite value (hostname,siteCollectionId,webId); Graph accepts either that value or the bare site collection GUID obtained from _api/site/id as described above.
The requests above need a bearer token in the Authorization header. For an application (client credentials) token, use the request below:
curl --location --globoff 'https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id={client_id}' \
  --data-urlencode 'client_secret={client_secret}' \
  --data-urlencode 'scope=https://graph.microsoft.com/.default'
Client ID, Tenant ID and secret here are those of the administrative application used to manage site permissions. That app must hold the Sites.FullControl.All application permission with admin consent; the indexing app itself (Sites.Selected only) cannot grant site access, and a token issued to it is rejected with 403 Forbidden by this endpoint. Keep the administrative app’s credentials separate from, and more tightly held than, the indexing app’s.
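End to end, the procedure above (token for the administrative app, POST the read grant, confirm the result) can be scripted. The following is an added example written for this guide, not Lucy’s or Microsoft’s own code; it assumes the environment variable names shown in its docstring, uses only the Python standard library, and embeds constructed sample responses for the offline checks. Beyond the page’s own steps it also audits the site’s existing grants, so you can see which other apps already hold access and whether any of them has more than read.

```python
"""Grant an Entra app read-only access to one SharePoint site via Microsoft Graph
and verify the result.  Added example for this guide, not Lucy's own code.
Assumed inputs (env vars): TENANT_ID, ADMIN_CLIENT_ID, ADMIN_CLIENT_SECRET for an
administrative app holding the Sites.FullControl.All application permission, and
SITE_ID, INDEX_APP_ID, INDEX_APP_NAME for the grant itself."""
import json
import os
import urllib.parse
import urllib.request
import uuid
import xml.etree.ElementTree as ET

GRAPH = "https://graph.microsoft.com/v1.0"
ODATA_DATA = "http://schemas.microsoft.com/ado/2007/08/dataservices"
ODATA_META = ODATA_DATA + "/metadata"

# Constructed sample of the XML that <site>/_api/site/id returns (GUID is made up).
SAMPLE_SITE_ID_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    f'<d:Id xmlns:d="{ODATA_DATA}" xmlns:m="{ODATA_META}" m:type="Edm.Guid">'
    "6f1c3a0e-2b7d-4c55-9e12-8a0f5d3b7c21</d:Id>"
)
# Constructed sample of GET /sites/{id}/permissions: one read-only grant, one with write.
SAMPLE_PERMISSIONS = {"value": [
    {"id": "p1", "roles": ["read"], "grantedToIdentities": [{"application": {
        "id": "b1c5d135-d48c-4bab-8191-a7c3b47e9fdc", "displayName": "LucyIndexAppTest"}}]},
    {"id": "p2", "roles": ["write"], "grantedToIdentities": [{"application": {
        "id": "11111111-2222-3333-4444-555555555555", "displayName": "SomeOtherApp"}}]},
]}


def parse_site_id(xml_text):
    """Return the site collection GUID from the _api/site/id XML; reject anything else."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ODATA_DATA}}}Id" or root.get(f"{{{ODATA_META}}}type") != "Edm.Guid":
        raise ValueError(f"not an Edm.Guid Id element: {root.tag}")
    return str(uuid.UUID(root.text.strip()))  # ValueError if the text is not a GUID


def permission_body(app_client_id, display_name, roles=("read",)):
    """Body for POST /sites/{id}/permissions. Indexing only needs read, so any other
    role is refused here rather than silently granted."""
    extra = set(roles) - {"read"}
    if extra:
        raise ValueError(f"refusing non-read roles {sorted(extra)} for {app_client_id}")
    return {"roles": list(roles), "grantedToIdentities": [{"application": {
        "id": str(uuid.UUID(app_client_id)), "displayName": display_name}}]}


def audit_permissions(permissions_json):
    """Flatten GET /sites/{id}/permissions into (app id, name, roles) tuples and list
    the ids of apps that hold more than read on the site."""
    grants, over_privileged = [], []
    for perm in permissions_json.get("value", []):
        roles = perm.get("roles", [])
        for ident in perm.get("grantedToIdentities", []):
            app = ident.get("application") or {}
            grants.append((app.get("id"), app.get("displayName"), roles))
            if set(roles) - {"read"}:
                over_privileged.append(app.get("id"))
    return grants, over_privileged


def get_app_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the administrative app (live network call)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
                                 data=form, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def graph(token, method, path, payload=None):
    """Minimal Graph call returning (HTTP status, decoded JSON body)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


def grant_and_verify(token, site_id, app_client_id, display_name):
    """POST the read grant, check the echoed roles, then re-read and audit the site."""
    status, created = graph(token, "POST", f"/sites/{site_id}/permissions",
                            permission_body(app_client_id, display_name))
    if status != 201 or created.get("roles") != ["read"]:
        raise RuntimeError(f"unexpected grant result {status}: {created}")
    return audit_permissions(graph(token, "GET", f"/sites/{site_id}/permissions")[1])


if __name__ == "__main__":
    e = os.environ
    tok = get_app_token(e["TENANT_ID"], e["ADMIN_CLIENT_ID"], e["ADMIN_CLIENT_SECRET"])
    grants, bad = grant_and_verify(tok, e["SITE_ID"], e["INDEX_APP_ID"], e["INDEX_APP_NAME"])
    for app_id, name, roles in grants:
        print(f"{app_id}  {name}: {roles}")
    if bad:
        print("apps holding more than read on this site:", bad)
```

Run it with the six variables set. permission_body refuses any role other than read, so a copy-paste error cannot quietly hand the indexing app write access, and parse_site_id rejects anything that is not the Edm.Guid element the _api/site/id endpoint returns. The audit reads grantedToIdentities, the same field the page’s request populates.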
