Microsoft 365 Authentication Configuration Section
For TQ Data Foundation to connect to Microsoft 365 services such as SharePoint, a Microsoft 365 administrator must register the Data Foundation application on Microsoft’s Entra ID platform, and provide the registration details to Data Foundation.
Two permissions models are supported, and can be configured independently in Data Foundation: Delegated Permissions and App Permissions.
App Permissions (OAuth 2 Client Credentials or ROPC Flow)
With this permission model, all Data Foundation users access Microsoft 365 using the same permissions. The taxonomy and corpus integrations will use this model. Excel integration will use this model if Delegated Permissions are not configured.
One of two different authentication methods must be chosen for App Permissions:
OAuth 2 Client Credentials Flow. Data Foundation receives full access to documents on SharePoint sites and the SharePoint term store. A Client Secret must be generated in Entra ID for the application registration.
OAuth 2 Resource Owner Password Credentials (ROPC) Flow. Data Foundation uses the credentials for an Entra ID user account (service account) to authenticate to Microsoft 365. Data Foundation receives the permissions of that user account. The account must have multi-factor authentication disabled. The setting Allow public client flows must be enabled for the app registration in Entra ID.
Warning
Resource Owner Password Credentials Flow is no longer considered secure and is deprecated by Microsoft. Support will be removed in a future release of Data Foundation.
The registration in Entra ID must be granted the following API permissions:
Sites.Read.All- always requiredTermStore.ReadWrite.All- required for taxonomy integrationFiles.ReadWrite.All- required for corpus integration and Excel integration
If Client Credentials Flow is used, the permissions must be granted as Application Permissions. If ROPC Flow is used, the permissions must be granted as Delegated Permissions.
Product Configuration Parameters
Parameter |
Description |
|---|---|
Application ID (Delegated) |
For Delegated Permissions only: The application ID generated when the Data Foundation application was registered in Entra ID. |
Directory ID (Delegated) |
For Delegated Permissions only: The ID of the Microsoft 365 tenant that the application was registered in. |
Client Secret (Delegated) |
For Delegated Permissions only: The client secret generated for the application registration. This field is editable only if the two previous fields are set. |
Application ID (App) |
For App Permissions only: The application ID generated when the application was registered in Entra ID. |
Directory ID (App) |
For App Permissions only: The ID of the Microsoft 365 tenant that the application was registered in. |
Client Secret (App) |
For App Permissions with Client Credentials Flow: The client secret generated for the application registration. This field is editable only if the two previous fields are set. |
Service Account Username |
For App Permissions with ROPC Flow: The user name for the service account used to authenticate. |
Service Account Password |
For App Permissions with ROPC Flow: The password for the service account used to authenticate. This field is editable only if the Application ID (App) and Service Account Username fields are set. |
See Also
Further Reading on TQ Data Foundation