Configure Shinydocs Pro Control Center for Microsoft Sources (OneDrive, Teams, SharePoint Online, Exchange Online)

By integrating with Microsoft Azure, the Shinydocs Pro software can operate with Microsoft SharePoint Online and/or Exchange Online — maintaining secure and compliant access to this cloud application with policy-based access controls.

The following document describes how to enable Azure authentication for Microsoft SharePoint Online.

Note that this process does require certificates, which are used by Azure to prove the Shinydocs application’s identity when requesting a token. You need two files, a .cer file with the public key which you upload to Azure, and a .pfx file with the private key that you add to the Shinydocs software.

These files are often provided by an organization’s IT or Network team.

A self-signed certificate can be used but is not advised depending on your organization’s infrastructure and security policies.

For the Microsoft PowerShell script to create a self-signed certificate, please visit https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

• Internet access to reach Microsoft Online
  • If the server cannot have direct internet access, ensure firewall rules are setup to allow HTTPS traffic to the following on port 443:
    • login.microsoftonline.com
    • graph.microsoft.com
• Azure/Entra permission to create application registrations and grant admin consent
• A certificate used to authenticate (Azure requires the .cer and Shinydocs Pro requires the .pfx)

If you already have a process internally for creating these certificates, please follow your organizations best practices. If not, you can use the script below.

The first step of the process is to register your Shinydocs software with Azure, so that it can access SharePoint Online or Exchange Online data.

You only need to register one application for Shinydocs software. Permissions to supported repositories can be configured the one registration.

1. Open Microsoft Azure.
2. In the upper left corner dropdown menu, navigate to Azure Active Directory.

   Opens image in full screenOpen

3. From the sidebar menu, select App registrations

   Opens image in full screenOpen

4. Select + New registration

   Opens image in full screenOpen

5. Enter a name for the application. In this case, we used “Shinydocs Pro” as the application name.
6. Select who, within your organization, can use or access the application. In most cases, the first option (Single tenant) will be selected (see below).
7. The optional Redirect URl is not needed in this case.
8. Select Register to continue.

   Opens image in full screenOpen

Upload Authentication Certificate to Azure

These steps require a .cer file.

1. From the sidebar menu, select Certificates & secrets
2. Select Certificates
3. Select Upload certificate

   Opens image in full screenOpen

4. Select the folder icon to browse for your certificate (.cer). Optionally, add a description to let other administrators know what this certificate is used for.

   Opens image in full screenOpen

5. Select Add
6. Verify that the certificate was uploaded successfully by confirming the certificate is shown Certificates

   Opens image in full screenOpen

7. Still in Certificates & secrets, click the Client secrets tab.
8. Click + New client secret
   1. In the Add a client secret panel, add a description of your choice
   2. Set it to expire in 12 months or longer.
      This is a good time to schedule a reminder for the expiry, as Shinydocs Pro will also need the new secret key when this one expires.
   3. Click Add.
   4. Copy the secret key to a safe location, as you will not be able to retrieve it later.
9. In the left-hand menu, open Overview

   Opens image in full screenOpen

10. Note/save the following information for configuring Shinydocs Pro in later steps.

• Application (client) ID: ___________________________________________________
• Directory (tenant) ID: ___________________________________________________
• Secret key: ___________________________________________________

Authentication

Still in the Azure portal Shinydocs application registration, now you will set up the redirect URIs for authentication.

1. Navigate to the Authentication tab in the application registration

   Opens image in full screenOpen

2. Web > Redirect URIs
   1. This set up will be for the server running Shinydocs Pro Search using it’s hostname. You can update these settings later when/if you set up your fully qualified domain name in your DNS.
   2. Click Add URI, and add the following
      1. https://<shinydocs pro server host name>/azuread/success
         1. e.g. https://shinyvm/azuread/success
      2. https://<shinydocs pro server host name>/api/v1/oidc/signin-callback
         1. e.g.https://shinyvm/api/v1/oidc/signin-callback
      3. https://<shinydocs pro server host name>/oauth/authorized
         1. e.g. https://shinyvm/oauth/authorized
      4. https://localhost:9701/azuread/success
      5. https://localhost:9701/api/v1/oidc/signin-callback
      6. https://localhost:9701/oauth/authorized

If you connect to more than one Microsoft content source, there will be overlapping permissions due to the design of SharePoint, Teams, etc.

Your Shinydocs Control Center app registration only needs one copy of the permission.

Permissions for SharePoint Online Content

Now that the Shinydocs Application has been registered with Azure, it’s time to apply permissions to access content within SharePoint Online.

1. From the sidebar menu, select API permissions

   

2. Select + Add a permission

   

3. Select Microsoft Graph:

   

4. Then, select Delegated permissions

   

5. Add the following delegated permissions
   1. User.Read
      Type: Delegated
   2. offline_acccess
      Type: Delegated
   3. openid
      Type: Delegated
   4. profile
      Type: Delegated
6. Click Add permissions
7. Back in API permissions page, click + Add a permission again. Select SharePoint:

   

8. Then select Delegated permissions

   

9. Add the following permission:
   1. Allsites.Read
      Type: Delegated
10. Click Add permissions
11. Now, we are going to set application level permission. Back in API permissions page, click + Add a permission again. Select SharePoint
12. Then, select Application permissions

    

13. Add the following permission:
    Sites.Read.All
    Type: Application
14. Next, select Grant admin consent for [Tenant Name].

    

15. Select Yes to grant consent for the requested permissions for all accounts in [Directory Name].

    

16. At the top of the page, there will be a notification that admin consent for the requested permissions was successfully granted.

Using Sites.Selected instead of Sites.Read.All/AllSites.Read

Shinydocs recommends using Sites.Read.All(application) and AllSites.Read (delegation) for simplicity and completeness of scope. If you organization will not allow that level of API access, there is an alternative with Sites.Selected.

Your administrator must use the PowerShell PnP module (compatible only with PowerShell 7+) to connect and set permissions for Sites.Selected. Microsoft’s UI does not support this.

1. From the sidebar menu, select API permissions

   

2. Select + Add a permission

   

3. Select Microsoft Graph:

   

4. Then, select Delegated permissions

   

5. Add the following delegated permissions
   1. User.Read
      Type: Delegated
   2. offline_acccess
      Type: Delegated
   3. openid
      Type: Delegated
   4. profile
      Type: Delegated
   5. Sites.Selected
      Type: Delegated
6. Click Add permissions
7. Back in API permissions page, click + Add a permission again. Select SharePoint:

   

8. Then select Application permissions
9. Add the following permissions:
   1. Sites.Selected
      Type: Application
   2. User.Read.All
      Type: Application
10. You will need to have an Admin grant Admin consent for Sites.Selected and User.Read.All.
11. Your permissions should look like this:

    

12. Once this is configured, your administrator will be able to grant read or write (if you are planning on disposing of content with Shinydocs Pro) permission to this app registration. This must be done with PowerShell 7 and the PnP PowerShell module.
    IMPORTANT:
    Use of the PnP module requires that your administrator already has an app registration for PnP! You cannot connect with PnP without first having a separate app registration allowing PnP to make the required changes. Administrators who use PnP should already have this configured. If you do not, here is a quick way to create one:
    1. Create an application registration in Azure (you only need to provide it a name like PnP PowerShell Admin, no certificates or secrets).
       1. Note the application client ID
    2. Assign it the SharePoint AllSites.FullControl (required to change site permissions)

       

    3. Grant admin consent for the changes made.
13. Now you can connect via PnP in PowerShell and set the permissions
    1. Install the module if you do not have it already
       CODE

       Install-Module PnP.PowerShellCopy

    2. Then import the module for use in your session
       CODE

       Import-Module PnP.PowerShellCopy

    3. Connect your PowerShell session with PnPOnline
       CODE

       Connect-PnPOnline -Url "https://<tenant>.sharepoint.com" -ClientId "<PnP_PowerShell_Admin_client_id" -InteractiveCopy

    4. Now you can assign the Shinydocs App registration to the specific site(s) you want with the level of permissions you want to give (read/write)
       CODE

       Grant-PnPAzureADAppSitePermission -AppId "<Shinydocs_app_client_id>" -DisplayName "clandry-spo-selected-test" -Permissions <Read or Write> -Site "https://<tenant>.sharepoint.com/sites/<sitename>"Copy

    5. If no errors are displayed, the change is successful.

Permissions for Exchange Online

Now that the Shinydocs Application has been registered with Azure, it’s time to apply permissions to access content within Exchange Online.

1. From the sidebar menu, select API permissions

   

2. Select + Add a permission

   

3. Select Microsoft Graph:

   

4. Select Application permissions

   

5. Add the following Application permissions:
   1. User.Read.All
      Type: Application
   2. Mail.Read
      Type: Application
6. Click Add permissions at the bottom of the page.
7. The API permissions should now be updated to include Graph.

   

8. Click Add permissions again > Graph > Delegated

   

9. Add the following Delegated permissions:
   1. Directory.AccessAsUser.All
      Type: Delegated
   2. email
      Type: Delegated
   3. EWS.AccessAsUser.All
      Type: Delegated
   4. Files.Read.All
      Type: Delegated
   5. Group.Read.All
      Type: Delegated
   6. Mail.Read.All
      Type: Delegated
   7. Mail.Read.Shared
      Type: Delegated
   8. offline_access
      Type: Delegated
   9. openid
      Type: Delegated
   10. profile
       Type: Delegated
   11. User.Read
       Type: Delegated
10. Click Add permissions at the bottom of the page.
11. Next, select Grant admin consent for [Tenant Name].

    

12. Select Yes to grant consent for the requested permissions for all accounts in [Directory Name].

    

13. At the top of the page, there will be a notification that admin consent for the requested permissions was successfully granted.

Permissions for Teams

Now that the Shinydocs Application has been registered with Azure, it’s time to apply permissions to access content within Teams.

1. From the sidebar menu, select API permissions

   

2. Select + Add a permission

   

3. Select Microsoft Graph:

   

4. Select Application permissions

   

5. Add the following Application permissions:
   1. Channel.ReadBasic.All
      Type: Application
   2. ChannelMember.Read.All
      Type: Application
   3. ChannelMessage.Read.All
      Type: Application
   4. ChannelSettings.Read.All
      Type: Application
   5. Chat.Read.All
      Type: Application
   6. Chat.ReadBasic.All
      Type: Application
   7. ChatMessage.Read.All
      Type: Application
   8. Files.Read.All
      Type: Application
   9. Team.ReadBasic.All
      Type: Application
   10. User.Read.All
       Type: Application
6. Click Add permissions at the bottom of the page.
7. Click + Add a permission again > Graph > Delegated
8. Add the following Delegated permissions:
   1. offline_access
      Type: Delegation
   2. openid
      Type: Delegation
   3. profile
      Type: Delegation
   4. User.Read
      Type: Delegation
   5. Files.Read.All
      Type: Delegation
   6. Sites.Read.All
      Type: Delegation
   7. Directory.Read.All
      Type: Delegation
   8. Channel.ReadBasic.All
      Type: Delegation
   9. ChannelMember.Read.All
      Type: Delegation
   10. Chat.Read
       Type: Delegation
   11. Group.Read.All
       Type: Delegation
   12. Team.ReadBasic.All
       Type: Delegation
   13. TeamSettings.Read.All
       Type: Delegation
9. Click Add permissions at the bottom of the page.
10. Next, select Grant admin consent for [Tenant Name].

    

11. Select Yes to grant consent for the requested permissions for all accounts in [Directory Name].

    

12. At the top of the page, there will be a notification that admin consent for the requested permissions was successfully granted.

Permission to access OneDrive

Now that the Shinydocs Application has been registered with Azure, it’s time to apply permissions to access content within OneDrive.

1. From the sidebar menu, select API permissions

   

2. Select + Add a permission

   

3. Select Microsoft Graph:

   

4. Select Application permissions

   

5. Add the following Application permissions:
   1. Files.Read.All
      Type: Application
   2. Directory.Read.All
      Type: Application
6. Click Add permissions at the bottom of the page.
7. Click + Add a permission again > Graph > Delegated
8. Add the following Delegated permissions:
   1. offline_access
      Type: Delegation
   2. openid
      Type: Delegation
   3. profile
      Type: Delegation
   4. User.Read
      Type: Delegation
   5. Files.Read.All
      Type: Delegation
   6. Directory.Read.All
      Type: Delegation
9. Click Add permissions at the bottom of the page
10. Next, select Grant admin consent for [Tenant Name].

    

11. Select Yes to grant consent for the requested permissions for all accounts in [Directory Name].

    

12. At the top of the page, there will be a notification that admin consent for the requested permissions was successfully granted.

The following configurations are performed in the Shinydocs Control Center’s + Add source feature.

SharePoint Online

These steps can be followed once Shinydocs Pro has been installed.
You will need the .pfx file from your certificate.

Moving the .pfx after setting the Certificate file location will cause any related tasks to fail.

If the .pfx file is moved, you will need to update the Certificate file location to the new path.

In Shinydocs Control Center (either in quick-start or + Add source):

1. Select Microsoft SharePoint Online as your new or existing source

   

   1. Tenant URL: enter the root URL of the Sharepoint site (https://acmecorp.sharepoint.com/)
   2. Application ID: enter the Application (client) ID previously noted
   3. Tenant ID: enter the Directory (tenant) ID previously noted
   4. Certificate file location: enter the path of the .pfx file
      1. Do not use double quotes around the path
   5. Certificate password: enter the password for the .pfx file. If your .pfx file does not have a password, leave this field blank
   6. Search Authentication Type: select Protected - OAuth2

      

      1. Enter the Client ID from your application registration
      2. Enter the Client Secret (key) from your application registration
      3. For Login/Authorize Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/authorize
      4. For Token Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/token
2. Click Next. A validation check is performed to make sure the information entered is correct. If an error occurs, the error should indicate the issue at hand.
3. Site, if you want to crawl specific sites, enter the URL for the site like this:
   CODE

   https://acmecorp.sharepoint.com/sites/ACMEhomeCopy

   Otherwise leave it blank to analyze all sites.

More options

In Shinydocs Pro 26.1+, administrators can now by default select which analysis tools will run on the source.

• Extracting digital and image content reads file contents, including images, for analysis.
  • Digital fingerprint (Hash): creates a unique identifier for each file to detect exact duplicates.
  • Text Extraction: extracts readable text from documents for searching and analysis (includes OCR).
• Tag duplicate: marks files as duplicates based on their digital fingerprint across all Shinydocs Pro sources.
• Identifying people, places and organizations: detects mentions of people, locations, and organizations within document content.
• Identifying content with personal information: scans for personally identifiable information like names, addresses, and social insurance/security numbers (PII).
• Identifying non-valuable content: flags redundant, obsolete, or trivial (ROT) content to identify cleanup candidates.
• AI Analysis Tool (license dependent, requires setup before use): employs AI for deeper content classification beyond rules.
• Schedule: controls how often analysis tasks run. "Daily" runs them once per day.

Click Start Analysis

Congratulations! You should now be crawling your organization’s SharePoint content.

Exchange Online

These steps can be followed once Shinydocs Pro has been installed.
You will need the .pfx file from your certificate.

Moving the .pfx after setting the Certificate file location will cause any related tasks to fail.

If the .pfx file is moved, you will need to update the Certificate file location to the new path.

In Shinydocs Control Center (either in quick-start or + Add source):

1. Select Microsoft Exchange Online as your new or existing source

   

   1. Application ID: enter the Application (client) ID previously noted
   2. Tenant ID: enter the Directory (tenant) ID previously noted
   3. Certificate file location: enter the path of the .pfx file
      1. Do not use double quotes around the path
   4. Certificate password: enter the password for the .pfx file. If your .pfx file does not have a password, leave this field blank
   5. Search Authentication Type, select Protected - OAuth2

      

      1. Enter the Client ID from your application registration
      2. Enter the Client Secret (key) from your application registration
      3. For Login/Authorize Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/authorize
      4. For Token Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/token
2. Click Next. A validation check is performed to make sure the information entered is correct. If an error occurs, the error should indicate the issue at hand.
3. Email addresses, if you want to crawl a specific account(s), enter the email addresses like this:
   CODE

   sketchum@shinydocs.comCopy

   Otherwise leave it blank to analyze all accounts.

More options

In Shinydocs Pro 26.1+, administrators can now by default select which analysis tools will run on the source.

• Extracting digital and image content reads file contents, including images, for analysis.
  • Digital fingerprint (Hash): creates a unique identifier for each file to detect exact duplicates.
  • Text Extraction: extracts readable text from documents for searching and analysis (includes OCR).
• Tag duplicate: marks files as duplicates based on their digital fingerprint across all Shinydocs Pro sources.
• Identifying people, places and organizations: detects mentions of people, locations, and organizations within document content.
• Identifying content with personal information: scans for personally identifiable information like names, addresses, and social insurance/security numbers (PII).
• Identifying non-valuable content: flags redundant, obsolete, or trivial (ROT) content to identify cleanup candidates.
• AI Analysis Tool (license dependent, requires setup before use): employs AI for deeper content classification beyond rules.
• Schedule: controls how often analysis tasks run. "Daily" runs them once per day.

Click Start Analysis

Congratulations! You should now be crawling your organization’s Exchange email content

Teams

When crawling a specific user(s), only the users Direct Messages (DMs) will be analyzed. For a complete analysis, leave the user field empty.

These steps can be followed once Shinydocs Pro has been installed.
You will need the .pfx file from your certificate.

Moving the .pfx after setting the Certificate file location will cause any related tasks to fail.

If the .pfx file is moved, you will need to update the Certificate file location to the new path.

In Shinydocs Control Center (either in quick-start or + Add source):

1. Select Microsoft Teams as your new or existing source

   

   1. Application ID: enter the Application (client) ID previously noted
   2. Tenant ID: enter the Directory (tenant) ID previously noted
   3. Certificate file location: enter the path of the .pfx file
      1. Do not use double quotes around the path
   4. Certificate password: enter the password for the .pfx file. If your .pfx file does not have a password, leave this field blank
   5. Search Authentication Type: select Protected - OAuth2

      

      1. Enter the Client ID from your application registration
      2. Enter the Client Secret (key) from your application registration
      3. For Login/Authorize Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/authorize
      4. For Token Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/token
2. Click Next. A validation check is performed to make sure the information entered is correct. If an error occurs, the error should indicate the issue at hand.
3. User Ids or Teams Ids, if you want to crawl a specific account(s), enter the email address like this:
   CODE

   sketchum@shinydocs.comCopy

   Otherwise leave it blank to analyze all accounts.

More options

In Shinydocs Pro 26.1+, administrators can now by default select which analysis tools will run on the source.

• Extracting digital and image content reads file contents, including images, for analysis.
  • Digital fingerprint (Hash): creates a unique identifier for each file to detect exact duplicates.
  • Text Extraction: extracts readable text from documents for searching and analysis (includes OCR).
• Tag duplicate: marks files as duplicates based on their digital fingerprint across all Shinydocs Pro sources.
• Identifying people, places and organizations: detects mentions of people, locations, and organizations within document content.
• Identifying content with personal information: scans for personally identifiable information like names, addresses, and social insurance/security numbers (PII).
• Identifying non-valuable content: flags redundant, obsolete, or trivial (ROT) content to identify cleanup candidates.
• AI Analysis Tool (license dependent, requires setup before use): employs AI for deeper content classification beyond rules.
• Schedule: controls how often analysis tasks run. "Daily" runs them once per day.

Click Start Analysis

Congratulations! You should now be crawling your organization’s Microsoft Teams content

OneDrive

These steps can be followed once Shinydocs Pro has been installed.
You will need the .pfx file from your certificate.

Moving the .pfx after setting the Certificate file location will cause any related tasks to fail.

If the .pfx file is moved, you will need to update the Certificate file location to the new path.

In Shinydocs Control Center (either in quick-start or + Add source):

1. Select Microsoft OneDrive as your new or existing source

   

   1. Application ID: enter the Application (client) ID previously noted
   2. Tenant ID: enter the Directory (tenant) ID previously noted
   3. Certificate file location: enter the path of the .pfx file
      1. Do not use double quotes around the path
   4. Certificate password: enter the password for the .pfx file. If your .pfx file does not have a password, leave this field blank
   5. Search Authentication Type: select Protected - OAuth2

      

      1. Enter the Client ID from your application registration
      2. Enter the Client Secret (key) from your application registration
      3. For Login/Authorize Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/authorize
      4. For Token Endpoint, replace “common” with your Tenant ID
         1. e.g. https://login.microsoftonline.com/42abc123-a76a-4j03-bf1e-4e51c696d65d/oauth2/v2.0/token
2. Click Next. A validation check is performed to make sure the information entered is correct. If an error occurs, the error should indicate the issue at hand.
3. User Id, if you want to crawl a specific account(s), enter the email address like this:
   CODE

   sketchum@shinydocs.comCopy

   Otherwise leave it blank to analyze all accounts.

More options

In Shinydocs Pro 26.1+, administrators can now by default select which analysis tools will run on the source.

• Extracting digital and image content reads file contents, including images, for analysis.
  • Digital fingerprint (Hash): creates a unique identifier for each file to detect exact duplicates.
  • Text Extraction: extracts readable text from documents for searching and analysis (includes OCR).
• Tag duplicate: marks files as duplicates based on their digital fingerprint across all Shinydocs Pro sources.
• Identifying people, places and organizations: detects mentions of people, locations, and organizations within document content.
• Identifying content with personal information: scans for personally identifiable information like names, addresses, and social insurance/security numbers (PII).
• Identifying non-valuable content: flags redundant, obsolete, or trivial (ROT) content to identify cleanup candidates.
• AI Analysis Tool (license dependent, requires setup before use): employs AI for deeper content classification beyond rules.
• Schedule: controls how often analysis tasks run. "Daily" runs them once per day.

Click Start Analysis

Congratulations! You should now be crawling your organization’s Microsoft OneDrive content.

• Previous page:
  Configure Shinydocs Pro Control Center for File System/File Shares
• Next page:
  Configure Shinydocs Pro Control Center in iManage