Application Registration for eShare
This document describes the steps to register a custom eShare application in the Microsoft Entra (Azure AD) portal. At a high level, the steps are:
- Application Registration
- Modify Application Manifest – replyUrlsWithType
- Modify Application Manifest – requiredResourceAccess
- Review API permissions and complete consent
- Upload application certificate
- Collect items required to update eShare admin portal with the registered application
App Registration
- To register the custom single-tenant app for eShare, log in to the Microsoft Entra admin center (https://entra.microsoft.com) and navigate to Applications > App registrations.
- On the “App registrations” page, click the “+ New registration” button in the top menu bar.
- Enter a recognizable, unique name for the custom eShare app and click the “Register” button at the bottom of the page.
In a few moments, a shell application is created and ready for further configuration.
Modify Application Manifest - replyUrlsWithType
- On the newly registered application's page, navigate to Manage > Manifest.
- In the application's manifest, look for "replyUrlsWithType": [],
- Replace that string (including the trailing comma) with the text below.
"replyUrlsWithType": [
  {
    "url": "https://login.ncryptedcloud.com/oauth2_openid/consume/personal_graphAPI",
    "type": "Web"
  },
  {
    "url": "https://www.n11d.com/oauth2_openid/consume/graphAPI",
    "type": "Web"
  },
  {
    "url": "https://login.ncryptedcloud.com/oauth2_openid/consume/graphAPI",
    "type": "Web"
  },
  {
    "url": "https://login.ncryptedcloud.com/cloudwebportal/onedrive/auth/endpoint/business/",
    "type": "Web"
  },
  {
    "url": "https://login.ncryptedcloud.com/oauth2_openid/consume/adgraph",
    "type": "Web"
  },
  {
    "url": "https://login.ncryptedcloud.com/oauth2_openid/consume/sharepoint_search",
    "type": "Web"
  },
  {
    "url": "https://*.sharepoint.com/_forms/default.aspx",
    "type": "Spa"
  },
  {
    "url": "https://www.ncryptedcloud.com/oauth2_openid/consume/labels",
    "type": "Web"
  },
  {
    "url": "https://www.ncryptedcloud.com/oauth2_openid/consume/personal_graphAPI",
    "type": "Web"
  }
],
Modify Application Manifest - requiredResourceAccess
- In the same application manifest, look for the following text:
"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
        "type": "Role"
      },
      {
        "id": "98830695-27a2-44f7-8c18-0c3ebc9698f6",
        "type": "Role"
      },
      {
        "id": "883ea226-0bf2-4a8f-9f9d-92c9162a727d",
        "type": "Role"
      },
      {
        "id": "df021288-bdef-4463-88db-98f22de89214",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000012-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
        "type": "Scope"
      }
    ]
  }
],
- Click the “Save” button in the top menu bar.
Review API permissions and complete consent
- For the saved application, navigate to the “Manage > API permissions” tab.
- Remove API permissions that are not necessary for your eShare tenant configuration. Refer to the API permissions spreadsheet for the permissions required by each eShare module and feature, and remove the permissions for features you do not plan to enable for your eShare tenant.
- When done, click “Grant admin consent for <tenant name>” at the top of the API permissions table.
- Confirm when prompted.
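Added here as a review aid (not part of the eShare procedure or any eShare tool): a Python check that audits a downloaded manifest against the entries above. It flags redirect URIs that are not https or that carry a wildcard host, and lists any requiredResourceAccess entry outside the documented set, which supports the permission trim in the review step. The sample manifest fragment is constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Permission IDs documented above for the eShare app: resourceAppId -> ids.
DOCUMENTED_ACCESS = {
    "00000003-0000-0000-c000-000000000000": {  # Microsoft Graph
        "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
        "98830695-27a2-44f7-8c18-0c3ebc9698f6",
        "883ea226-0bf2-4a8f-9f9d-92c9162a727d",
        "df021288-bdef-4463-88db-98f22de89214",
    },
    "00000012-0000-0000-c000-000000000000": {"c9c9a04d-3b66-4ca8-a00c-fca953e2afd3"},
    "870c4f2e-85b6-4d43-bdda-6ed9a579b725": {"34f7024b-1bed-402f-9664-f5316a1e1b4a"},
}

def audit_manifest(manifest: dict) -> list[str]:
    """Return review findings for an Entra app manifest (empty list means clean)."""
    findings = []
    for entry in manifest.get("replyUrlsWithType", []):
        url, kind = entry.get("url", ""), entry.get("type", "")
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"non-https redirect URI ({kind}): {url}")
        if "*" in (parts.hostname or ""):
            findings.append(f"wildcard host in redirect URI ({kind}): {url}")
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = resource.get("resourceAppId", "")
        allowed = DOCUMENTED_ACCESS.get(app_id)
        if allowed is None:
            findings.append(f"undocumented resource: {app_id}")
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("id") not in allowed:
                findings.append(f"undocumented {access.get('type')} {access.get('id')} on {app_id}")
    return findings

# Constructed sample manifest fragment: one http redirect URI and one extra Graph role.
SAMPLE_MANIFEST = {
    "replyUrlsWithType": [
        {"url": "http://login.ncryptedcloud.com/oauth2_openid/consume/graphAPI", "type": "Web"},
        {"url": "https://*.sharepoint.com/_forms/default.aspx", "type": "Spa"},
    ],
    "requiredResourceAccess": [{
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},
            {"id": "00000000-0000-0000-0000-000000000000", "type": "Role"},  # constructed placeholder
        ],
    }],
}
```

Running `audit_manifest` on the manifest downloaded from the portal (json.load of the file) gives the list to review before granting admin consent.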
Upload application certificate
- Option 1: Purchase a certificate from a well-known certificate authority and extract its private and public portions. Upload the public portion in the Azure portal for the application and upload the private key in your eShare admin console (or provide the private key to your eShare admin).
- Option 2: Create a self-signed certificate by following the instructions at https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate.
- A short summary of those instructions is below:
# Create a self-signed certificate in PowerShell (the name is reused for the subject and DNS name)
$certName = "eShareApp"
$mycert = New-SelfSignedCertificate -DnsName $certName -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(50) -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
# Export the certificate and its private key to a password-protected .pfx file (replace the sample password)
$pfxPassword = ConvertTo-SecureString -String "myp@55W0rd" -AsPlainText -Force
$mycert | Export-PfxCertificate -FilePath eShareApp.pfx -Password $pfxPassword
# Extract the private key (.key file) from the .pfx using OpenSSL
openssl pkcs12 -in eShareApp.pfx -nocerts -nodes -out eShareApp.key
# Extract the public certificate (.crt file) from the .pfx using OpenSSL
openssl pkcs12 -in eShareApp.pfx -clcerts -nokeys -out eShareApp.crt
- When the certificate portions are available, navigate to “Manage > Certificates & secrets”.
- On the “Certificates” tab, click the “Upload certificate” button, upload the .crt file from the steps above, and click “Add” at the bottom of the pane.
Collect items required to update your eShare tenant
- M365 Tenant ID: Navigate to the “Identity > Overview” tab of the Entra admin center, copy the “Tenant ID” and save it.
- Application ID: Navigate to the “Overview” tab of the application, copy the “Application (client) ID” and save it.
- Certificate Thumbprint: For the certificate used during the application registration process, copy the certificate thumbprint and save it.
- Private Key: The private key (the .key file from the steps above) for the certificate uploaded in the Entra portal for the application registration.
Grant eShare Application Permissions to SharePoint and OneDrive Sites
How to get SharePoint Site ID
Refer to the following documentation for how to get the Site ID of a SharePoint site: Get a SharePoint Site - Microsoft Graph v1.0 | Microsoft Learn
How to get Personal Site ID for User’s OneDrive
Endpoint: https://graph.microsoft.com/v1.0/users/<user_upn>/drive/SharePointIds
Method: GET
Sample Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('ericf%40apharmacorp.com')/drive/sharePointIds",
  "listId": "6c90b104-b67a-4c8d-9854-378eaaf97c88",
  "listItemId": null,
  "listItemUniqueId": null,
  "siteId": "3421cee4-76b0-4952-8525-05b9e55367d8",
  "siteUrl": "https://apharmacorp-my.sharepoint.com/personal/ericf_apharmacorp_com",
  "tenantId": "abe04a8b-c24b-4e4c-87ba-a07aa5bde8bb",
  "webId": "79ada273-efc6-4d84-ba93-8f1efd7afd8c"
}
How to Grant eShare Application Permission to Sites
Endpoint: https://graph.microsoft.com/v1.0/sites/<your_site_id>/permissions
Method: POST
Body:
{
  "roles": [
    "write"
  ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<your_eshare_app_id>",
        "displayName": "<your_eshare_app_name>"
      }
    }
  ]
}
Sample Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('af1038a9-1db8-4b7a-9dbb-1b0cab9c66e9')/permissions/$entity",
  "id": "aTowaS50fG1zLnNwLmV4dHw4M2EzZGM1MC04MmFkLTRhNzItOGVmYy1mMDk3ZTg4MWQ0NTNAYWJlMDRhOGItYzI0Yi00ZTRjLTg3YmEtYTA3YWE1YmRlOGJi",
  "roles": [
    "write"
  ],
  "grantedToIdentitiesV2": [
    {
      "application": {
        "displayName": "eShare GRAPH App",
        "id": "83a3dc50-82ad-4a72-8efc-f097e881d453"
      }
    }
  ],
  "grantedToIdentities": [
    {
      "application": {
        "displayName": "eShare GRAPH App",
        "id": "83a3dc50-82ad-4a72-8efc-f097e881d453"
      }
    }
  ]
}
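As an added check for the two Graph calls above (example code, not from eShare or Microsoft): these Python helpers pull the siteId out of a sharePointIds response, build the permission grant body, verify that the permission Graph returns is for the expected application id with only the intended roles (reading grantedToIdentitiesV2 when present, otherwise grantedToIdentities), and audit a site's full permissions list for application grants outside an allow list. The permission ids and the second application in the sample data are constructed.

```python
def site_id_from_sharepoint_ids(response: dict) -> str:
    """Pull siteId out of a GET .../users/<upn>/drive/sharePointIds response."""
    site_id = response.get("siteId")
    if not site_id:
        raise ValueError("response has no siteId; check the UPN and that the OneDrive is provisioned")
    return site_id

def grant_body(app_id: str, display_name: str, roles=("write",)) -> dict:
    """Request body for POST /sites/<site_id>/permissions, as in the procedure above."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}

def app_grants(permission: dict) -> list[str]:
    """Application ids a permission object is granted to (V2 list when present, else V1)."""
    identities = permission.get("grantedToIdentitiesV2") or permission.get("grantedToIdentities") or []
    return [i["application"]["id"] for i in identities if "application" in i]

def verify_grant(permission: dict, expected_app_id: str, expected_roles=("write",)) -> list[str]:
    """Compare the permission Graph returned with what was requested; empty list means it matches."""
    problems = []
    if set(permission.get("roles", [])) != set(expected_roles):
        problems.append(f"roles {permission.get('roles')} differ from {sorted(expected_roles)}")
    ids = app_grants(permission)
    if ids != [expected_app_id]:
        problems.append(f"granted to {ids}, expected only {expected_app_id}")
    return problems

def audit_site_permissions(permissions: list[dict], allowed_app_ids: set[str]) -> list[str]:
    """For a site's permissions list: report application grants outside the allow list."""
    return [f"{p.get('id')}: unexpected app {a}"
            for p in permissions for a in app_grants(p) if a not in allowed_app_ids]

# Constructed sample: the eShare grant from the response above (permission id replaced by a
# label) plus a constructed grant for a different application with broader roles.
ESHARE_APP = "83a3dc50-82ad-4a72-8efc-f097e881d453"
OTHER_APP = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
SAMPLE_PERMISSIONS = [
    {"id": "perm-1", "roles": ["write"],
     "grantedToIdentitiesV2": [{"application": {"displayName": "eShare GRAPH App", "id": ESHARE_APP}}]},
    {"id": "perm-2", "roles": ["write", "owner"],
     "grantedToIdentities": [{"application": {"displayName": "Other App", "id": OTHER_APP}}]},
]
```

Feeding the `value` array of GET /sites/<site_id>/permissions to `audit_site_permissions` gives a periodic check that only the eShare app holds an application grant on the site.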