Configuring Discovery Search with Microsoft Azure Active Directory

Connecting Discovery Search to Microsoft Azure Active Directory is required before connecting Microsoft SharePoint Online and Microsoft Exchange Online.


Connecting Discovery Search to Microsoft Azure Active Directory

Before configuring Azure AD in Discovery Search, administrators must register and authenticate the Discovery Search app with the Azure Portal.

Registering the Discovery Search App

  1. Open a browser and navigate to the Azure Portal (Microsoft Azure Portal)

  2. Select Azure Active Directory on the homepage

  3. Select App Registrations from the navigation panel in Azure AD

  4. Click + New Registration to add a new App Registration

  5. On the Register Page, you will need to provide the following information:

    1. Name: This is a display name for the application. It is used to identify what the application is used for, so make it descriptive.

    2. Supported Account Types: This should be Accounts in this organizational directory only (Single tenant). This limits logins to the organization that is using the SharePoint instance.

    3. Redirect URI: This is the URL that Azure should redirect to once the login is successful. Typically this should be your Discovery Search app’s fully qualified domain name. If you are using a load balancer, it should be the URI used to hit it, not the individual machines behind it.

  6. Click Register

Setting up Authentication

  1. Click the Authentication link on the navigation sidebar

    An image of the page that is displayed after an administrator clicks the Authentication link.
  2. Make the following changes on the Authentication page:

    1. Redirect URIs: This should be the URI to the Discovery Search server, including the /azuread/success path (for example, https://search.domain.com/azuread/success)

    2. Select both Access tokens and ID tokens in the Implicit Grant and Hybrid Flows section

    3. Front-channel logout URL: This can remain empty

    4. Ensure Supported account types is set to Accounts in this organizational directory only (single tenant)

    5. Advanced settings - Allow public client flows: This should be set to No

  3. Save changes if required

Adding a Client Secret

This section describes how to add a secret to the app registration.

  1. From the App page, select Certificates & secrets from the navigation sidebar

  2. Click + New client secret on the Client secrets tab

  3. Provide the following information on the form

    1. Description: A descriptive name of the secret

    2. Expires: Provide how long the secret is valid. Note that, when it expires, the integration with Discovery Search stops working until a new secret is generated and updated in the Discovery Search web.config file

  4. Click Add at the bottom of the screen

Copy the value for the secret shown on the page for safekeeping. This is the only time you will be able to see it, and this will be needed as part of the configuration for Discovery Search.

Setting up API Permissions

This section describes how to set up the appropriate API permissions for this application. This will allow Discovery Search to access SharePoint Online as the delegated user to do a permissions check.

  1. Select API permissions from the App registration navigation sidebar

  2. Click + Add a permission

  3. Select Microsoft Graph and then select Delegated permissions (Your application needs to access the API as the signed-in user)

    1. offline_access: This is used to generate an OAuth refresh token so that users do not need to authenticate for each search request

    2. openid: Allows users to sign in to Azure AD

    3. profile: Allows users to sign in to Azure AD

    4. User.Read: Allows users to sign in to Azure AD

  4. Click Add permissions

  5. Click + Add a permission again

  6. Select SharePoint and then select Delegated permissions (Your application needs to access the API as the signed-in user)

    1. AllSites.Read: This allows signed-in users to view any sites and their contents to which they have access. This also allows Discovery Search to execute the permissions check.

  7. Click Add permissions

  8. Click Grant admin consent for <Organization Name>

The final result should look like this:

Configuring Azure Active Directory in Discovery Search

This section describes how to configure Discovery Search to authenticate against Azure AD, enabling the search of SharePoint Online and Exchange Online.

  1. Open Discovery Search Admin

  2. Select Application settings at the bottom of the navigation sidebar

  3. Select Microsoft® Online settings

  4. Fill in the following settings

    1. Azure AD client ID: This can be found on the overview page of the App registration in the Azure portal.

    2. Azure AD tenant ID: This can be found on the overview page of the App registration in the Azure portal.

    3. Azure AD secret: This is the value of the secret that was created above. If you did not copy it at the time, you will need to create a new one.

    4. Azure AD Redirect URL: This is the URL that Azure AD will redirect to once the user is authenticated properly. This should be in the form of http://server/azuread/success. This should match the one added to the Authentication page in the Azure portal as documented above.

  5. Save changes

  6. Restart the Discovery Search application in IIS
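
An added example, not part of the original guide or of Discovery Search itself: a Python check that compares an app registration against the settings prescribed in the steps above and warns before the client secret expires. It assumes the registration is supplied in the shape of the Microsoft Graph application object; the function name, the constructed sample data and the 30-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

def audit_app_registration(app, expected_redirect, now, warn_days=30):
    """Return findings; an empty list means the registration matches the guide."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # single-tenant value
        findings.append("audience: not single tenant")
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    if expected_redirect not in uris:
        findings.append("redirect: expected URI missing")
    findings += [f"redirect: unexpected URI {u}" for u in uris if u != expected_redirect]
    grant = web.get("implicitGrantSettings") or {}
    findings += [f"tokens: {k} is off"
                 for k in ("enableAccessTokenIssuance", "enableIdTokenIssuance")
                 if not grant.get(k)]
    if app.get("isFallbackPublicClient"):  # "Allow public client flows" must be No
        findings.append("public client flows: enabled")
    for res in app.get("requiredResourceAccess") or []:
        for perm in res.get("resourceAccess") or []:
            if perm.get("type") != "Scope":  # "Role" is an application permission
                findings.append(f"permissions: non-delegated {perm.get('id')}")
    ends = [datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            for c in app.get("passwordCredentials") or []]
    latest = max(ends, default=None)
    if latest is None or latest <= now:
        findings.append("secret: none valid")
    elif latest - now <= timedelta(days=warn_days):
        findings.append(f"secret: expires in {(latest - now).days} days")
    return findings

# Constructed sample, not from a real tenant; ids are placeholders.
EXPECTED = "https://search.domain.com/azuread/success"
SAMPLE = {
    "signInAudience": "AzureADMultipleOrgs",
    "isFallbackPublicClient": False,
    "web": {
        "redirectUris": [EXPECTED],
        "implicitGrantSettings": {"enableAccessTokenIssuance": True,
                                  "enableIdTokenIssuance": True},
    },
    "requiredResourceAccess": [{"resourceAppId": "placeholder-api", "resourceAccess": [
        {"id": "placeholder-1", "type": "Scope"},
        {"id": "placeholder-2", "type": "Role"}]}],
    "passwordCredentials": [{"endDateTime": "2030-01-15T00:00:00Z"}],
}
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
if __name__ == "__main__":
    print("\n".join(audit_app_registration(SAMPLE, EXPECTED, NOW)))
```

Running it on a schedule against the live registration gives advance notice of secret expiry, which the guide notes will otherwise stop the integration.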
