How to connect to SharePoint
When you want to connect NavSherpa to a site collection on SharePoint, create a new SharePoint Site Setup Card and fill in the basic properties on the General tab. The most important parameter is the Server Name / URL of your SharePoint site collection (e.g. https://<your-tenant>.sharepoint.com/sites/<your-site-collection>).
Select OAuth2 as the authorization method and start the Setup Access Token wizard.
Note: OAuth2 is the recommended authorization method for both SharePoint online and on-premise. If you do not see it, please upgrade NavSherpa to at least version 22.03.00, 23.02.00 or 24.01.00. The older OAuth method will still be supported for some time, but will eventually be deprecated.
Site URL
In the first step of the wizard enter the URL of your site collection (e.g. https://<your-tenant>.sharepoint.com/sites/<your-site-collection>) and click Next.
Certificate
In the next step, first set up the certificate that is needed for signing API requests to SharePoint. This certificate is set only once for each company and will be used for every site setup connection. If you already have a valid certificate, you can skip this step and just prepare the existing certificate public key (.cer) for the next steps. Otherwise create or upload a new certificate first.
When creating a new certificate or replacing an expired or expiring one, click on the assist edit button in the Certificate field. Select one of the following options and click OK.
- Create self-signed certificate (recommended) – NavSherpa will automatically create and save the certificate private key and you will be able to download the public key (.cer) for further use. Please store this file in a safe location.
- Upload certificate – in some cases the self-signed certificate might not be enough, so there is an option to upload your own certificate. You will need to upload a .pfx file containing the private key. If the certificate is password protected, please fill in the password in the Cert. password field before upload.
- Delete certificate – this option will delete the existing certificate from NavSherpa and disable all site setups with OAuth2 authorization.
If the certificate creation or upload was successful, the Certificate will show as Valid and you will see the certificate expiration date and thumbprint. When creating a self-signed certificate, you will be able to download the certificate public key (.cer).
For Business Central 14 there are two key differences:
- There is no option to generate the certificate in NavSherpa. You must prepare your own certificate (self-signed is enough) and use the upload option.
- When uploading the certificate, you will need to provide both the private key in XML format (you can use online tools to convert other formats to XML, e.g. https://the-x.cn/en-us/certificate/PfxToXml.aspx) and the public key in standard .cer format.
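The two files for Business Central 14 can also be produced locally, so that the private key does not have to be submitted to a web converter. The script below is an added example, not part of NavSherpa or its documentation. It assumes PowerShell 7 on Windows, an RSA key pair, and that the XML format NavSherpa expects is the .NET RSAKeyValue format; the file names are placeholders.

```powershell
# Added example: split a .pfx into the private key XML and the public .cer file.
# Assumptions: PowerShell 7+, RSA key pair, placeholder file names.
using namespace System.Security.Cryptography.X509Certificates

$pfxPath = "<path-to-certificate>\navsherpa-certificate.pfx"
$xmlPath = "<path-to-certificate>\navsherpa-private-key.xml"
$cerPath = "<path-to-certificate>\navsherpa-certificate.cer"

$password = Read-Host -Prompt "PFX password (empty if none)" -AsSecureString

# The Exportable flag is required, otherwise the private key cannot be read back out.
$cert = [X509Certificate2]::new($pfxPath, $password, [X509KeyStorageFlags]::Exportable)
$rsa = $null
try {
    if (-not $cert.HasPrivateKey) { throw "The .pfx file contains no private key." }

    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "The private key is not an RSA key." }

    # Private key as <RSAKeyValue> XML ($true includes the private parameters).
    Set-Content -LiteralPath $xmlPath -Value $rsa.ToXmlString($true) -Encoding utf8

    # Public certificate only, as a DER-encoded .cer file.
    [System.IO.File]::WriteAllBytes($cerPath, $cert.Export([X509ContentType]::Cert))

    # Values to compare with the certificate details shown after the upload.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeySize    = $rsa.KeySize
    }
}
finally {
    if ($rsa) { $rsa.Dispose() }
    $cert.Dispose()
}
```

The XML file holds the unencrypted private key, so delete it once the upload to NavSherpa has succeeded.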
The rest of the wizard is a bit different for SharePoint online and on-premises, so please skip to the relevant section of the guideline.
SharePoint online
For SharePoint online you will need to create a new Microsoft Entra app registration, give it permissions on SharePoint and associate it with NavSherpa. The Microsoft Entra website should open automatically, or you can open it with the Register App on Web action.
You can use the same app registration for multiple site collections (this is even recommended, because it simplifies the work when renewing an expired certificate). If you already have one, just enter the Microsoft Entra Application (client) ID into the Client ID field and click Next to test the connection.
If you do not have an app registration yet, go to the app registrations site and click New registration.
Enter the name of the application (this is just for your reference) and click Register.
From the Overview tab copy the Application (client) ID into the Client ID field in the NavSherpa wizard. You can also check whether the Tenant ID is the same in both cases.
Next go to the Certificates & secrets tab. Select the first tab, Certificates, and upload the certificate public key (.cer) from the previous step. Check if the certificate Thumbprint in Microsoft Entra matches the Cert. thumbprint field in NavSherpa.
Lastly go to the API permissions tab to grant the permissions to SharePoint and click Add a permission.
From the list of applications select SharePoint.
Then choose Application permissions and select the Sites.FullControl.All permission from the list. Confirm with the Add permissions button.
Now you need to get admin consent for the permissions. For that, use the action Grant admin consent for – if you are a tenant administrator, the consent will be granted automatically; otherwise a request will be sent to the admin, who needs to confirm it.
With the permissions granted go back to the NavSherpa wizard and click Next to test the SharePoint connection.
The wizard will notify you if the connection was successful and you can use the Test Access function to double-check. Then click the Finish button to end the wizard.
SharePoint on-premise
For SharePoint on-premise you will need to create a new app registration in your SharePoint site collection, give it some permissions and associate it with NavSherpa. Next you must register the certificate in your SharePoint on-premise farm.
The page for registering a new app on SharePoint should open automatically, or you can open it with the Register App on Web action.
On the app registration page generate a new Client Id and copy it to the corresponding field in the NavSherpa wizard. You will need to fill in the rest of the fields too (you can generate the Client Secret), but they are there just for your reference and won't be used for the authorization. Then click Create on SharePoint and in NavSherpa proceed to the Next step.
Now you need to grant the permissions to the created app and register the certificate on the SharePoint farm (if not done already). The page for granting permissions on SharePoint should open automatically, or you can open it with the Grant Permissions action.
Copy the Application ID to the App Id field on SharePoint and click Lookup to fill the rest of the app description. Then copy the Permission Request XML to the corresponding field on SharePoint and click Create.
Confirm the app permissions by clicking Trust It.
If not done already, you will need to register the certificate on your SharePoint farm. Do it by running the following PowerShell script on your SharePoint server (change at least the path to the certificate).
Add-PSSnapin Microsoft.SharePoint.PowerShell -EA SilentlyContinue

# Load the certificate public key (.cer) and register it as a trusted root authority
$publicCertPath = "<path-to-certificate>\navsherpa-certificate.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
New-SPTrustedRootAuthority -Name "HNavSherpaCertificate" -Certificate $certificate

# Get the authentication realm of the SharePoint farm
$realm = Get-SPAuthenticationRealm

# Change the specific issuer if needed
$specificIssuerId = "11111111-1111-1111-1111-111111111111"
$fullIssuerIdentifier = $specificIssuerId + '@' + $realm
# Print the full issuer identifier for reference
$fullIssuerIdentifier

# Register the certificate on the SP farm and restart IIS
New-SPTrustedSecurityTokenIssuer -Name "NavSherpaCertificate" -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker
iisreset

# Run these three lines for self-signed certificate only (they are not needed for certificate signed by an authority)
# AllowOAuthOverHttp lets the farm accept OAuth calls over plain HTTP
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
If you changed the $specificIssuerId parameter, you need to copy the new value to the Specific Issuer ID field in NavSherpa. Then click Next to test the connection.
The wizard will notify you if the connection was successful and you can use the Test Access function to double-check. Then click the Finish button to end the wizard.