Skip Navigation

Obtain an
Azure
app ID for the
BEMS-Docs
component service

When your environment is configured for
Microsoft SharePoint Online
,
Microsoft OneDrive for Business
, or
Microsoft Azure
-IP you must register the
BEMS
component services in
Azure
. You can register one or more of the services in Azure. In this task, the
Docs
services and
Microsoft Azure
-IP are registered in Azure.
To grant permissions, you must use an account with tenant administrator permissions.
  1. Sign in to portal.azure.com.
  2. In the left column, click
    Azure Active Directory
    .
  3. Click
    App registrations
    .
  4. Click
    New registration
    .
  5. In the
    Name
    field, enter a name for the app. For example, AzureAppIDforBEMS.
  6. Select a supported account type. 
  7. In the
    Redirect URI
    drop-down list, select
    Web
    and enter
    https://localhost:8443
    .
  8. Click
    Register
    .
  9. Record the
    Application (client) ID
    .
    This is used as the
    BEMS Service Azure Application ID
    value for the Docs > Settings service in the
    BEMS
    dashboard.
  10. In the
    Manage
    section, click
    API permissions
    .
  11. Click
    Add a permission
    .
  12. Complete one or more of the following tasks:
    Service
    Permissions
    If you configure
    BEMS-Docs
    to use
    Microsoft SharePoint Online
    or
    Microsoft OneDrive for Business
    1. Search for and click
      SharePoint
      .
    2. Set the following permissions:
      • In application permissions, clear all of the permissions.
        1. Click
          Application permissions
          .
        2. Click expand all. Make sure that all options are cleared.
      • In delegated permissions, select the
        Read and write items and item lists in all site collections
        checkbox.  None. Clear the check boxes for all options.
      • Delegated permissions
        Select the
        Read and write items and lists in all site collections
        checkbox. (
        AllSite > AllSites.Manage
        )
    3. Click
      Add permissions
      .
    If you use
    Microsoft Azure
    -IP
    1. Click
      Microsoft Graph
      . If
      Microsoft Graph
      is not listed, add
      Microsoft Graph
      .
    2. Set the following permissions:
      • In application permissions, select the
        Read directory data
        checkbox (
        Directory > Directory.Read.All
        ).
      • In delegated permissions, select the
        Read directory data
        checkbox (
        Directory > Directory.Read.All
        ).
    3. Click
      Update permissions
      .
    4. Add a permission
      .
    5. In the
      Select an API
      section, click
      Azure Rights Management Services
      . Set the following permissions:
      • In application permissions, select all of the permissions.
        1. Click
          Application permissions
          .
        2. Make sure that all Content options are selected.
      • In delegated permissions, select the
        user_impersonation
        checkbox.
    6. Click
      Add permissions
      .
    7. Click
      Add a permission
      .
    8. In the
      Select an API
      section, click
      APIs my organization uses
      .
    9. Search for and click
      Microsoft Information Protection Sync Service
      . Set the following permission:
      • In delegated permissions, select the
        Read all unified policies a user has access to
        checkbox (
        UnifiedPolicy > UnifiedPolicy.User.Read
        ).
    10. Click
      Add permissions
      .
  13. Wait a few minutes, then click
    Grant admin consent
    . Click
    Yes
    .
    This step requires tenant administrator privileges.
  14. To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
    1. In the
      Manage
      section, click
      Authentication
      .
    2. Under the
      Allow public client flows
      section, select
      Yes
      to
      Enable the following mobile and desktop flows
      .
    3. Click
      Save
      .
  15. Define the scope and trust for this API. In the
    Manage
    section, click
    Expose an API
    . Complete the following tasks.
    Task
    Steps
    Add a scope
    The scope restricts access to data and functionality protected by the API.
    1. Click
      Add a scope
      .
    2. Click
      Save and continue
      .
    3. Complete the following fields and settings:
      • Scope name: Provide a unique name for the scope.
      • Who can consent: Click
        Admins and user
        .
      • Admin consent display name: Enter a descriptive name.
      • Admin consent description: Enter a description for the scope.
      • State: Click
        Enabled
        . By default, the state is enabled.  
    4. Click
      Add Scope
      .
    Add a client application
    Authorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.
    1. Click
      Add a client application
      .
    2. In the
      Client ID
      field, enter the client ID that you recorded in step 9 above.
    3. Select the
      Authorized scopes
      checkbox to specify the token type that is returned by the service.
    4. Click
      Add application
  16. In the
    Manage
    section, click
    Certificates & secrets
    and add a client secret. Complete the following steps:
    1. Click
      New client secret
      .
    2. In the
      Description
      field, enter a key description up to a maximum of 16 characters including spaces.
    3. Set an expiration date (for example, In 1 year, In 2 years, Never expires). 
    4. Click
      Add
      .
    5. Copy the key
      Value
      .
      The Value is available only when you create it. You cannot access it after you leave the page.
      This is used as the
      BEMS Service Application Key
      in the
      BEMS-Docs
      service in the
      BEMS
      Dashboard.