Obtain an Azure app ID for the BEMS-Docs component service
Azure
app ID for the BEMS-Docs
component serviceWhen your environment is configured for
Microsoft
SharePoint Online
, Microsoft OneDrive for Business
, or Microsoft
Azure
-IP you must register the BEMS
component services in Azure
. You can register one or more of the services in Azure. In this task, the Docs
services and Microsoft
Azure
-IP are registered in Azure.To grant permissions, you must use an account with tenant administrator permissions.
- Sign in to portal.azure.com.
- In the left column, clickAzure Active Directory.
- ClickApp registrations.
- ClickNew registration.
- In theNamefield, enter a name for the app. For example, AzureAppIDforBEMS.
- Select a supported account type.
- In theRedirect URIdrop-down list, selectWeband enterhttps://localhost:8443.
- ClickRegister.
- Record theApplication (client) ID.This is used as theBEMS Service Azure Application IDvalue for the Docs > Settings service in theBEMSdashboard.
- In theManagesection, clickAPI permissions.
- ClickAdd a permission.
- Complete one or more of the following tasks:ServicePermissionsIf you configureBEMS-Docsto useMicrosoft SharePoint OnlineorMicrosoft OneDrive for Business
- Search for and clickSharePoint.
- Set the following permissions:
- In application permissions, clear all of the permissions.
- ClickApplication permissions.
- Click expand all. Make sure that all options are cleared.
- In delegated permissions, select theRead and write items and item lists in all site collectionscheckbox. None. Clear the check boxes for all options.
- Delegated permissionsSelect theRead and write items and lists in all site collectionscheckbox. (AllSite > AllSites.Manage)
- ClickAdd permissions.
If you useMicrosoft Azure-IP- ClickMicrosoft Graph. IfMicrosoft Graphis not listed, addMicrosoft Graph.
- Set the following permissions:
- In application permissions, select theRead directory datacheckbox (Directory > Directory.Read.All).
- In delegated permissions, select theRead directory datacheckbox (Directory > Directory.Read.All).
- ClickUpdate permissions.
- Add a permission.
- In theSelect an APIsection, clickAzure Rights Management Services. Set the following permissions:
- In application permissions, select all of the permissions.
- ClickApplication permissions.
- Make sure that all Content options are selected.
- In delegated permissions, select theuser_impersonationcheckbox.
- ClickAdd permissions.
- ClickAdd a permission.
- In theSelect an APIsection, clickAPIs my organization uses.
- Search for and clickMicrosoft Information Protection Sync Service. Set the following permission:
- In delegated permissions, select theRead all unified policies a user has access tocheckbox (UnifiedPolicy > UnifiedPolicy.User.Read).
- ClickAdd permissions.
- Wait a few minutes, then clickGrant admin consent. ClickYes.This step requires tenant administrator privileges.
- To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
- In theManagesection, clickAuthentication.
- Under theAllow public client flowssection, selectYestoEnable the following mobile and desktop flows.
- ClickSave.
- Define the scope and trust for this API. In theManagesection, clickExpose an API. Complete the following tasks.TaskStepsAdd a scopeThe scope restricts access to data and functionality protected by the API.
- ClickAdd a scope.
- ClickSave and continue.
- Complete the following fields and settings:
- Scope name: Provide a unique name for the scope.
- Who can consent: ClickAdmins and user.
- Admin consent display name: Enter a descriptive name.
- Admin consent description: Enter a description for the scope.
- State: ClickEnabled. By default, the state is enabled.
- ClickAdd Scope.
Add a client applicationAuthorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.- ClickAdd a client application.
- In theClient IDfield, enter the client ID that you recorded in step 9 above.
- Select theAuthorized scopescheckbox to specify the token type that is returned by the service.
- ClickAdd application.
- In theManagesection, clickCertificates & secretsand add a client secret. Complete the following steps:
- ClickNew client secret.
- In theDescriptionfield, enter a key description up to a maximum of 16 characters including spaces.
- Set an expiration date (for example, In 1 year, In 2 years, Never expires).
- ClickAdd.
- Copy the keyValue.The Value is available only when you create it. You cannot access it after you leave the page.This is used as theBEMS Service Application Keyin theBEMS-Docsservice in theBEMSDashboard.