Azure AD Configuration
If a SharePoint Online site is configured to require multi-factor authentication, SpaceObServer will perform a browser-based authentication (as known from other Azure AD apps).
To enable SpaceObServer to get authentication tokens from your Azure AD tenant, you have to register it in your Azure portal first and grant it permission to access Office 365 SharePoint Online:
Please note that the following steps are performed outside of SpaceObServer. They may change with ongoing development by Microsoft.
1. Sign in to the Azure portal.
2. Select All services in the left-hand navigation, and choose App registrations (or use the search field in the top bar).
3. Select New application registration and create a registration with values like:
   • Name: An application name of your choice to identify the registration in the Azure AD. We suggest SpaceObServer.
   • Redirect URI: Sometimes referred to as reply URL. Please select 'Public client/native' here. Because SpaceObServer uses MSAL for authentication, please either use the redirect URI provided for this purpose, or define your own according to the scheme "My URI"://auth, e.g. SpaceObServer://auth
4. Once the registration is completed, AAD will assign a unique Application ID to the app. Copy this value from the right pane, as it will be required for the next steps.
5. Depending on which authentication method you wish to use, please configure the necessary API permissions as described under Certificate-based authentication or User-based authentication. Without the necessary permissions configured, the scan will not work.
In order to use the app registration made above, the information has to be provided to SpaceObServer.
To do this, please add the values for the Application ID and the Redirection URI via the options dialog under "System > Service".
Alternatively, if you are an administrator and want to configure these settings for a group within your company, you can define a group policy object to roll them out. Otherwise, the entries can also be added directly to the registry:
1. Open the Group Policy Management Console, and navigate to the GPO you want to contain the configuration or create a new one. Open User Configuration > Settings > Windows-Settings > Registry.
2. Or open the registry editor by typing regedit in the search box on the taskbar.
3. Add the two entries:
   1. For the Application ID:
      • Hive: Use HKEY_LOCAL_MACHINE
      • Path: Set to SOFTWARE\JAM Software\SpaceObServer
      • Name: Set to AADApplicationID
      • Value type: REG_SZ
      • Value data: Enter the Application ID obtained from the AAD
   2. For the Redirect URI:
      • Hive: Use HKEY_LOCAL_MACHINE
      • Path: Set to SOFTWARE\JAM Software\SpaceObServer
      • Name: Set to AADRedirectURI
      • Value type: REG_SZ
      • Value data: Enter the Redirect URI configured with the AAD
• If you encounter any issues with authentication via certificate file, please ensure that both the user running SpaceObServer and the SpaceObServer scan service have read access to the certificate file.
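The two registry entries from step 3 can also be written from an elevated PowerShell session, with the values checked before and after the write. This is an added example, not part of the original documentation or JAM Software's code; the parameter names are assumptions, while the key path, value names and value type are those listed above.

```powershell
#Requires -RunAsAdministrator
# Added example, not JAM Software's code. Writing to HKLM needs an elevated session.
param(
    # Application ID copied from the app registration in the Azure portal.
    [Parameter(Mandatory)][string]$ApplicationId,
    # Example value from the page; it must equal the URI set on the app registration.
    [string]$RedirectUri = 'SpaceObServer://auth'
)
$ErrorActionPreference = 'Stop'

# Azure AD application IDs are GUIDs; reject anything else before writing.
$guid = [guid]::Empty
if (-not [guid]::TryParse($ApplicationId.Trim(), [ref]$guid)) {
    throw "Application ID '$ApplicationId' is not a GUID."
}
if ($guid -eq [guid]::Empty) {
    throw 'Application ID is the all-zero GUID, which is not a real registration.'
}

# A redirect URI that is not an absolute URI cannot match the one registered in AAD.
$uri = $null
if (-not [Uri]::TryCreate($RedirectUri, [UriKind]::Absolute, [ref]$uri)) {
    throw "Redirect URI '$RedirectUri' is not an absolute URI."
}

$key = 'HKLM:\SOFTWARE\JAM Software\SpaceObServer'
if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null   # -Force also creates missing parent keys
}

# Both values are REG_SZ, which is -PropertyType String.
$values = [ordered]@{
    AADApplicationID = $guid.ToString()     # hyphenated form, as the portal displays it
    AADRedirectURI   = $RedirectUri
}
foreach ($name in $values.Keys) {
    New-ItemProperty -LiteralPath $key -Name $name -Value $values[$name] `
        -PropertyType String -Force | Out-Null
}

# Read back and compare so a mismatch shows up here, not as a failed sign-in later.
$stored = Get-ItemProperty -LiteralPath $key
foreach ($name in $values.Keys) {
    if ($stored.$name -ne $values[$name]) { throw "$name was not written as expected." }
    '{0} = {1}' -f $name, $stored.$name
}
```

The Application ID and redirect URI are identifiers rather than secrets, but they have to match the app registration exactly, which is why the script validates them before writing.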