MOVEit Automation supports multiple authentication options to connect to SharePoint Online. Each method is explained with step-by-step configuration instructions:
  • Certificate Access (Azure Active Directory (AAD) Certificate-based authentication)
  • User Access (SAML-based claims authentication)
  • App Access (legacy)

Certificate Access

SharePoint authentication is available as Azure Active Directory authentication through the Certificate Access option.

Azure Active Directory (Azure AD) is a service from Microsoft that helps manage user identities and access. When you connect it with SharePoint, it makes logging on easy and secure. Users can sign in to SharePoint Online using their Microsoft 365 or organizational credentials.

Azure AD makes it simple to control who can access SharePoint, provides single sign-on (SSO), and includes extra security features like multi-factor authentication (MFA) and conditional access.

Using Azure AD for authentication, users can access SharePoint resources in the cloud without needing separate logons. It manages identity and access rules, while SharePoint Online works with Azure AD to ensure secure access to files and sites.

Prerequisite

  • Azure Portal Admin Account.
    • You must have an Azure Portal Admin account to access and manage Azure AD settings.
  • Self-signed certificate. You can create a certificate using one of the following methods:
    • OpenSSL: Use the openssl command-line tool to generate a self-signed certificate.
    • PowerShell Script: Use the PowerShell script detailed in the Microsoft documentation.
    • MOVEit Automation: Use MOVEit Automation to create a self-signed certificate.
    Note:

    The minimum required key size for compatibility with MOVEit Automation is RSA 2048 bits.

    For Azure AD authentication, RSA 2048 bits is the recommended minimum key size for certificates. Larger key sizes can be used for enhanced security. Smaller key sizes are not supported by Azure AD.
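The OpenSSL route from the prerequisites, as an added example that is not part of the MOVEit Automation documentation: it generates an RSA 2048 private key and self-signed certificate, exports the public half as the DER .cer that gets uploaded to Azure AD, bundles key and certificate into a PFX for import into MOVEit Automation, and checks that the key meets the 2048-bit minimum. The directory, file names, subject and PFX password are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the MOVEit Automation documentation.
# Creates an RSA 2048 self-signed certificate for Certificate Access and
# checks the key size. Names below (directory, "moveit-sp", password) are assumptions.
set -eu

# make_cert DIR NAME DAYS: writes NAME.key (private key, PEM), NAME.crt (cert, PEM),
# NAME.cer (public certificate only, DER) and NAME.pfx (key + cert for MOVEit Automation)
make_cert() {
  dir=$1; name=$2; days=${3:-365}
  mkdir -p "$dir"
  # RSA 2048 key and self-signed certificate in one step
  openssl req -x509 -newkey rsa:2048 -sha256 -days "$days" -nodes \
    -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
  # Public-only DER file: this is the .cer uploaded under Certificates & secrets
  openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.cer"
  # PFX bundle with the private key, for the MOVEit Automation side
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -out "$dir/$name.pfx" -passout pass:changeit
}

# key_bits CERTFILE: prints the RSA modulus size of a DER .cer (for example 2048)
key_bits() {
  openssl x509 -in "$1" -inform DER -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_min_bits CERTFILE: exit 0 if the key is at least 2048 bits, 1 otherwise
check_min_bits() {
  bits=$(key_bits "$1")
  [ "${bits:-0}" -ge 2048 ]
}

# Usage:
#   make_cert ./certs moveit-sp 365
#   check_min_bits ./certs/moveit-sp.cer && echo "key size OK"
```

Only the .cer (public key) is uploaded to Azure AD; the .key and .pfx stay on the MOVEit Automation server and should be protected like any other private key material.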

Azure Active Directory set up
  1. Open the Microsoft Azure Portal. If it is the first time that you access the Azure portal with your account, you will have to register a new Azure subscription.
  2. Click Azure Active Directory > App registration, where you will find the list of Azure AD applications registered in your tenant.
  3. Click New registration, provide a name for your application and click Register.
  4. To add API permissions, click API permissions > Add a permission, and choose the permissions you want to grant to this application. For example: SharePoint > Application permissions > Sites > Sites.FullControl.All.

    To save the permissions, click Add permissions.

  5. In the Grant Consent section, click the Grant admin consent for organization name button and confirm the action by clicking the Yes button that appears at the top.
  6. To connect the certificate created in the prerequisites, click Certificates & secrets > Upload certificate. Select the .cer file you generated earlier and click Add to upload it.
  7. To confirm that the certificate was successfully registered, click Manifest in the left menu and search for the keyCredentials property. It should be similar to this JSON example:
      "keyCredentials": [
        {
          "customKeyIdentifier": "<$base64CertHash>",
          "endDate": "2021-05-01T00:00:00Z",
          "keyId": "<$guid>",
          "startDate": "2019-05-01T00:00:00Z",
          "type": "AsymmetricX509Cert",
          "usage": "Verify",
          "value": "<$base64Cert>",
          "displayName": "CN=<$name of your cert>"
        }
      ],
    Tip: If the certificate was created in MOVEit Automation, you will need to export only the public key of the certificate.
  8. To locate the Client (Application) ID and the Tenant (Directory) ID, navigate to Azure portal > Azure Active Directory > App registration > Overview.
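A scripted version of the manifest check in step 7, as an added example that is not part of the MOVEit Automation documentation: it compares the keyCredentials entry against the local .cer and flags an expired endDate. It relies on Azure AD filling customKeyIdentifier with the base64-encoded SHA-1 thumbprint of the certificate and value with the base64-encoded DER certificate. The manifest text is constructed from a throwaway certificate so the script runs offline; the keyId and display name in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the MOVEit Automation documentation.
# Checks that the keyCredentials entry in the app manifest matches the uploaded
# .cer and has not expired. The sample manifest is constructed locally.
set -eu

# cert_thumbprint_b64 CERTFILE: base64 of the SHA-1 hash of the DER certificate,
# the form Azure AD uses for customKeyIdentifier
cert_thumbprint_b64() {
  openssl dgst -sha1 -binary "$1" | openssl base64 -A
}

# manifest_field MANIFEST KEY: string value of "KEY" in a keyCredentials entry
manifest_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_key_credential MANIFEST CERTFILE: exit 0 when type and usage are right,
# the thumbprint matches CERTFILE, and endDate lies in the future
# (ISO-8601 UTC timestamps compare correctly as strings)
check_key_credential() {
  manifest=$1; cert=$2
  [ "$(manifest_field "$manifest" type)" = "AsymmetricX509Cert" ] || return 1
  [ "$(manifest_field "$manifest" usage)" = "Verify" ] || return 1
  [ "$(manifest_field "$manifest" customKeyIdentifier)" = "$(cert_thumbprint_b64 "$cert")" ] || return 1
  end=$(manifest_field "$manifest" endDate)
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  [ "$(expr "$end" \> "$now")" = 1 ]
}

# build_sample_manifest CERTFILE ENDDATE: constructed keyCredentials snippet for CERTFILE
# (keyId and displayName are placeholders, not values from a real tenant)
build_sample_manifest() {
  printf '"keyCredentials": [ { "customKeyIdentifier": "%s", "endDate": "%s", "keyId": "00000000-0000-0000-0000-000000000000", "type": "AsymmetricX509Cert", "usage": "Verify", "value": "%s", "displayName": "CN=moveit-sp" } ]' \
    "$(cert_thumbprint_b64 "$1")" "$2" "$(openssl base64 -A -in "$1")"
}

# make_throwaway_cert DIR: RSA 2048 self-signed certificate in DER form, prints its path
make_throwaway_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=moveit-sp" \
    -keyout "$1/t.key" -out "$1/t.crt" >/dev/null 2>&1
  openssl x509 -in "$1/t.crt" -outform DER -out "$1/t.cer"
  printf '%s\n' "$1/t.cer"
}

# Usage against a real manifest: paste the keyCredentials block into a file and run
#   check_key_credential "$(cat manifest-snippet.json)" ./certs/moveit-sp.cer && echo "certificate registered"
```

If the thumbprint does not match, the wrong file was uploaded (for example a certificate from a previous run); if only the date check fails, the certificate has expired and a new one must be uploaded and linked in MOVEit Automation.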
MOVEit Automation SharePoint AD Authentication
  1. Create a SharePoint host with authentication set to Certificate Access.
  2. Enter the Client ID and Tenant ID, which can be found in the App registration overview in Microsoft Entra ID (formerly Azure AD).
  3. Add or link to the certificate that you want to use.
    • The certificate must be present in the Entra ID.
    • The certificate must be present in MOVEit Automation.
  4. Enter the details in the required and optional fields.
  5. Test to verify that you can list the selected document library.

User Access

SharePoint Server uses SAML 1.1 and WS-Federation for token-based authentication. This setup needs coordination with administrators either within your organization or with a partner. If you use Active Directory Federation Services (AD FS) 2.0, you’re in a SAML token-based environment.

The SAML token-based authentication includes an identity provider security token service (IP-STS) which issues SAML tokens for users. These tokens have information about the user, like their name and groups. An AD FS 2.0 server is an example of an IP-STS.

SharePoint Server uses these tokens to allow users access. An application that accepts SAML tokens is called a relying party STS (RP-STS). This application receives the SAML token and uses the claims to decide if the user can access the requested resource. In SharePoint Server, each web application using a SAML provider is added to the IP-STS server as a separate RP-STS entry. A SharePoint farm can have multiple RP-STS entries in the IP-STS.

Workflow example:
  1. Request a web page (anonymous)
  2. Obtain a logon page from the AD FS server.
  3. Request a SAML security token.
  4. Validate user credentials with the identity provider.
  5. Send a SAML security token.
  6. Send a new web page request containing the SAML security token.
  7. Create a SharePoint security token and send the requested web page.
MOVEit Automation requires the following fields:
  • Username: Username or email address of a SharePoint instance user.
  • Password: Password of a SharePoint instance user.

App Access (legacy)

To authenticate a SharePoint host on MOVEit Automation using App Access, you must create a SharePoint App with appropriate permissions on Office 365 for use with MOVEit Automation.

Note: The following example demonstrates how to create and grant access to a document library on a SharePoint site from the SharePoint App. The access requirements and permission levels required by your organization may be different. For information about granting access, see Granting access using SharePoint App-Only. For detailed information about SharePoint permissions, see Add-in permissions in SharePoint.

Prerequisite

You must have a SharePoint instance in Microsoft Office 365 and access to the log on credentials.

To create the SharePoint App, complete the following steps:
  1. Log on to SharePoint, and navigate to https://tenant-name.sharepoint.com/sites/site-name/_layouts/15/appregnew.aspx
    • tenant-name is the unique name that identifies your SharePoint instance.
    • Sites are created under /sites in this example.
    • site-name is the name of the site on your SharePoint instance.

  2. Generate a new Client Id and Client Secret.
  3. Enter the Title, App Domain, and Redirect URL information.
    • The Redirect URL can be left blank or include a dummy value. However, if the app is used for purposes other than MOVEit Automation workflows, the Redirect URL should point to a domain page owned by the user.
  4. Save the Client Id and Client Secret details. These are required to authenticate the SharePoint host.
  5. To save the App, click Create.
To grant access to a document library on a SharePoint site from the SharePoint app, complete the following steps:
  1. Navigate to https://tenant-name-admin.sharepoint.com/sites/site-name/_layouts/15/appinv.aspx
  2. Enter the App's Client ID and click Lookup.
  3. Confirm the Title, App Domain, and Redirect URL information.
  4. To grant permissions, insert the permission XML that describes the needed permissions in the App's Permission Request XML field. For example, for full control:
    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>
  5. To save your changes, click Create. You will be presented with a permission consent dialog. Click Trust It to grant the permissions.
  6. To set up the SharePoint Host, the Realm ID is required. To obtain the Realm ID, select one of the following options:
    • Navigate to https://tenant-name.sharepoint.com/sites/site-name/_layouts/15/AppPrincipals.aspx.

      The Realm ID is the string following the @ symbol. For example, in the principal string i:0i.t|ms.sp.ext|bb2d5eb0-43b0-437b-9a7d-c02a2b7714a5@db266a67-cbe0-4d26-ae1a-d0581fe03535, the Realm ID is db266a67-cbe0-4d26-ae1a-d0581fe03535.