Resolve SIDs into User and Group Names

To generate the Access Control Lists (ACLs) that are necessary to support mapped security, the connector might need to resolve SIDs into user and group names.

  • If your users and groups are managed in an on-premises Active Directory, the connector can resolve SIDs automatically through the domain it runs in. If the connector is running on a machine in an untrusted domain, set the parameter ResolveGroupSystemName so that the connector uses a different machine (one joined to a trusted domain) to resolve the SIDs.
  • If you are using SharePoint Online with users and groups from Microsoft Azure Active Directory, the connector can resolve SIDs through the Microsoft Graph API. To use the Microsoft Graph API you must create an OAuth application to represent the connector, and run the OAuth configuration tool to obtain the OAuth tokens that the connector needs to authenticate with the API.

Use the Graph API

To use the Microsoft Graph API, you must go to the Azure portal and register an application to represent the connector. Full instructions about how to create an application are available in the Microsoft documentation.

The SharePoint Remote Connector has the following requirements:

  • Register an application > Redirect URI. Configure the redirect URI to match the value that you use with the OAuth configuration tool (by default, http://localhost:7878/oauth). The "type" of the redirect URI should be "Web".
  • Client ID and Secret. After you register the application, make a note of the Application (client) ID. Then, go to the Certificates & secrets page and generate a client secret. You will need these to configure OAuth authentication.
  • API Permissions. The connector requires the following delegated permissions. Note that Directory.Read.All requires admin consent, so either an administrator must grant consent for the application in the Azure portal beforehand, or an administrator must be the user who authorizes the application when you run the OAuth configuration tool.

    • Directory.Read.All
    • offline_access

To resolve SIDs through the Graph API

  1. Open the folder where you installed the connector.
  2. Open the file oauth_tool.cfg in a text editor.
  3. In the [Default] section, specify any SSL or proxy settings required to access the Graph API:

    SSLMethod The version of SSL/TLS to use.
    ProxyHost The host name or IP address of the proxy server to use.
    ProxyPort The port of the proxy server to use.
  4. In the [OAuthTool] section, set the following parameters:

    AppKey The Application (client) ID that you noted when you registered the application to represent the connector.
    AppSecret The client secret that you generated on the Certificates & secrets page of the application.

    NOTE: If you are using a single-tenant Azure Active Directory you might need to specify your tenant ID in the AuthorizeUrl and TokenUrl parameters (replace the value "common" in those URLs with the tenant ID).

  5. Save and close the file.
  6. Open a command-line window and run the following command:

    oauth_tool.exe oauth_tool.cfg OAuthTool

    Your default web browser opens the Microsoft sign-in page.

  7. Authorize the application to access the API.

    Microsoft provides the OAuth tokens, and the OAuth configuration tool creates a file named oauth.cfg. This contains the tokens that the connector requires to authenticate. Treat oauth.cfg as a secret: the refresh token in it can be exchanged for new access tokens with directory read permissions for as long as it remains valid, so restrict the file permissions to the account that runs the connector.

  8. Include the OAuth tokens in each of your fetch tasks. For example, you can modify the connector configuration file as follows:

    [MyTask1] < "oauth.cfg" [OAUTH]

    For more information about including parameters from another file, see Include an External Configuration File. The OAuth tool also prints the parameters it has set to the command-line window so that you can set these directly in the connector's configuration file if you prefer.

  9. If the connector needs a proxy server or a specific SSL/TLS version to reach the Graph API, set the following configuration parameters for each of your fetch tasks.

    ProxyHost The host name or IP address of the proxy server.
    ProxyPort The port of the proxy server.
    SSLMethod The version of SSL/TLS to use.

    TIP: Connections to SharePoint use the proxy settings in the [Connector] section of the configuration file. However, connections to the Microsoft Graph API do not use those settings so you must configure proxy server information in the task section.

  10. Save and close the configuration file.
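The OAuth configuration tool writes whatever tokens Microsoft returns; it does not tell you whether the grant actually carries what the connector needs. The following script is an added example, not part of the connector or of this page. It takes the JSON token response that Microsoft's token endpoint returns (the standard OAuth 2.0 access_token / refresh_token / expires_in shape) and checks it before you rely on oauth.cfg: a refresh token must be present (that is what the offline_access permission provides), and the access token's claims must show the Microsoft Graph audience, the Directory.Read.All scope and, if you pass one, the expected tenant ID. The claim names aud, scp, tid and exp are the standard Azure AD access-token claims; the sample token and tenant ID below are constructed, and the token is unsigned and decoded without signature verification, so this is a diagnostic check, not something to base an authorization decision on. The layout of oauth.cfg itself is not assumed.

```python
import base64
import json
import time

# Delegated Microsoft Graph permission the connector needs for SID resolution
# (offline_access is checked separately: it shows up as a refresh token, not in scp).
REQUIRED_GRAPH_SCOPES = {"Directory.Read.All"}
# Microsoft Graph appears as either of these values in the aud claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JWT segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Sufficient for a local diagnostic; never use this to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_response(resp: dict, expected_tenant=None, now=None) -> list:
    """Inspect a token-endpoint response and return a list of problems (empty = looks usable)."""
    problems = []
    access = resp.get("access_token")
    if not access:
        return ["token response has no access_token"]
    # Azure AD only issues a refresh token when offline_access was granted; without it the
    # connector cannot renew its access token unattended once the first one expires.
    if not resp.get("refresh_token"):
        problems.append("no refresh_token in response: offline_access was not granted")
    try:
        claims = decode_jwt_claims(access)
    except (ValueError, json.JSONDecodeError) as exc:
        return problems + ["access_token is not a decodable JWT: %s" % exc]

    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append("aud is %r, not Microsoft Graph" % (aud,))
    granted = set(claims.get("scp", "").split())  # scp is a space-separated list
    missing = REQUIRED_GRAPH_SCOPES - granted
    if missing:
        problems.append("missing delegated scope(s): %s" % ", ".join(sorted(missing)))
    if expected_tenant and claims.get("tid") != expected_tenant:
        problems.append("tid is %r, expected tenant %r" % (claims.get("tid"), expected_tenant))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if exp is None or exp <= now:
        problems.append("access token is expired or has no exp claim")
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') JWT for offline testing. Not a real Azure AD token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample data: a placeholder tenant ID and two fake token responses.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
FAR_FUTURE_EXP = 4102444800  # 2100-01-01T00:00:00Z, so the sample never expires in a test

GOOD_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": make_unsigned_sample_token({
        "aud": "https://graph.microsoft.com", "tid": SAMPLE_TENANT,
        "scp": "Directory.Read.All User.Read", "exp": FAR_FUTURE_EXP,
    }),
    "refresh_token": "constructed-refresh-token",
}
# Consent was given as a plain user: Directory.Read.All absent, and no offline_access grant.
BAD_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": make_unsigned_sample_token({
        "aud": "https://graph.microsoft.com", "tid": SAMPLE_TENANT,
        "scp": "User.Read", "exp": FAR_FUTURE_EXP,
    }),
}

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, check_token_response(resp, expected_tenant=SAMPLE_TENANT) or "OK")
```

Run it against the real response by loading the JSON the token endpoint returned and passing your tenant ID as expected_tenant; an empty list means the grant has the audience, scope, tenant and refresh token the connector needs, and each string in a non-empty list names the step to revisit (consent, permissions, or the tenant in AuthorizeUrl and TokenUrl).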