Azure AD Configuration


If a SharePoint Online site is configured to require multi-factor authentication, TreeSize performs a browser-based authentication (as known from other Azure AD apps).

To enable TreeSize to obtain authentication tokens from your Azure AD tenant, you first have to register it in your Azure portal and grant it permission to access Office 365 SharePoint Online:

Register TreeSize with your tenant

Please note that the following steps have to be performed outside of TreeSize. They may change as Microsoft continues to develop the Azure portal.

1. Sign in to the Azure portal.

2. Select All services in the left-hand navigation, and choose App registrations (or use the search field in the top bar).

3. Select New application registration and create a registration with values like:

[Figure: Azure AD new registration]

Name: An application name of your choice to identify the registration in Azure AD. We propose using TreeSize.

Redirect URI: Sometimes referred to as reply URL. Select 'Public client/native' here. Because TreeSize uses MSAL for authentication, either use the redirect URI provided for this purpose, or define your own according to the scheme "<My URI>://auth", e.g. treesize://auth.

4. Once the registration is completed, AAD assigns a unique Application ID to the app. Copy this value from the right pane; it is required in the next steps.

5. If you are using a user-based login, select API Permissions in the left navigation list and click Add Permission. For authentication by certificate, see step 7.

Select SharePoint as the API.

Under Delegated Permissions, configure the permissions you want the user to delegate to TreeSize, and confirm the changes using the Done button.

• If a permission has not been granted here, the user cannot use TreeSize to perform the affiliated action, even though they would be allowed to do so in the web interface.

• If a permission has been granted here, but not to the actual user, the affiliated action still fails (the user does not gain any additional privileges).

• To access SharePoint pages, the AllSites.Manage permission is required.

• If you want to restrict the access to document libraries only, the AllSites.Read permission is sufficient.

• To scan all site collections connected to a site, the privilege 'Run search queries as a user' is required.

• To allow the user to upload files, the privileges 'Read and write user files' and 'Read and write items and lists in all site collections' may be required.

Click Grant permissions to apply the changed permissions to your account.

Depending on which permissions you selected, the changes need to be approved by an administrator (grant admin consent).

6. To use SSO for domain-joined Windows (Windows Integrated Auth Flow) or the user credentials entered in TreeSize, the option Allow public client flows under Authentication -> Advanced settings needs to be enabled.

[Figure: Azure advanced settings]

7. If you want TreeSize to identify itself to the authentication service with a certificate instead of user-related login information, you first need to create a self-signed certificate. To do so, please read here. Add the *.cer file created in the process to your app registration under Certificates & Secrets. You can then use the *.pfx file to log in via TreeSize. Next, add the Sites.Selected permission under API Permissions > Add Permission > SharePoint > Application Permissions. The shared site collections must be configured on your SharePoint beforehand; please contact your SharePoint administrator for this.
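As an added example (not part of the TreeSize documentation, and not the page the step links to), the following PowerShell creates the self-signed certificate for step 7 and exports the two files it mentions: the *.cer containing only the public certificate for the app registration, and the password-protected *.pfx containing the private key for TreeSize. The subject name, validity period and output paths are assumptions.

```powershell
# Added example: self-signed certificate for the TreeSize app registration.
# Subject, validity and paths are assumptions; adjust them to your environment.

$Subject = "CN=TreeSize-SharePoint"          # assumed subject name
$CerPath = "$env:USERPROFILE\TreeSize.cer"   # public part, uploaded under Certificates & Secrets
$PfxPath = "$env:USERPROFILE\TreeSize.pfx"   # private part, used by TreeSize to log in

# The key is created in the current user's store and marked exportable so the .pfx can be written.
$cert = New-SelfSignedCertificate `
    -Subject $Subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# The .cer holds only the public certificate; this is the file the app registration needs.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

# The .pfx holds the private key: protect it with a password and store it like any other secret.
$PfxPassword = Read-Host -Prompt "Password for the .pfx export" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# Print the thumbprint so it can be compared with the value Azure shows after the upload.
[PSCustomObject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Cer        = $CerPath
    Pfx        = $PfxPath
}
```

Only the *.cer leaves the machine; the *.pfx stays with whoever runs TreeSize, and rotating the certificate before the NotAfter date means repeating the upload with a new *.cer.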

Provide TreeSize with the configuration information

In order to use the app registration made above, its values have to be provided to TreeSize. There are three ways to achieve this:

If you want to configure these settings for a single user/computer only, e.g. to evaluate and test the settings, you can do so in the options dialog or pass the values to TreeSize via the command line.

• To configure the registration in the options:

1. Ensure View -> Display -> Application Mode is set to Expert.

2. Set the values at General -> SharePoint Online - Multi factor authentication.

• To configure the values from the command line, run TreeSize with the following parameters. TreeSize remembers these values, so you only have to configure them once.

/AADApplicationID followed by the Application ID assigned by the Azure Portal, e.g. /AADApplicationID xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx, and

/AADRedirectURI followed by the Redirect URI specified during the registration, e.g. /AADRedirectURI TreeSize://auth
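As an added example (not from the TreeSize documentation), this PowerShell snippet passes the two values above to TreeSize once, after checking their format, so that a mistyped ID or URI is caught before it turns into an authentication error inside the app. The TreeSize.exe path is an assumption, and the Application ID is a constructed placeholder, not a real registration.

```powershell
# Added example: hand the app registration values to TreeSize via the command line.
# Install path is assumed; the Application ID is a placeholder to be replaced.

$TreeSizeExe   = "C:\Program Files\JAM Software\TreeSize\TreeSize.exe"  # assumed install path
$ApplicationId = "00000000-0000-0000-0000-000000000000"                 # placeholder, replace with your Application ID
$RedirectUri   = "treesize://auth"                                       # must match the URI chosen during registration

# The Application ID is a GUID; reject anything else before starting TreeSize.
[guid]$parsed = [guid]::Empty
if (-not [guid]::TryParse($ApplicationId, [ref]$parsed)) {
    throw "Application ID '$ApplicationId' is not a valid GUID."
}

# The redirect URI must follow the '<scheme>://auth' form used for the registration
# (-match is case-insensitive, so TreeSize://auth is accepted as well).
if ($RedirectUri -notmatch '^[a-z][a-z0-9+.-]*://auth$') {
    throw "Redirect URI '$RedirectUri' does not follow the '<scheme>://auth' pattern."
}

if (-not (Test-Path $TreeSizeExe)) {
    throw "TreeSize executable not found at '$TreeSizeExe'."
}

# TreeSize stores the values, so this call is needed only once per user/computer.
& $TreeSizeExe /AADApplicationID $ApplicationId /AADRedirectURI $RedirectUri
```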

If you are an administrator and want to configure these settings for a group within your company, you can define a group policy object to roll them out:

1. Download and install the administrative templates for TreeSize.

2. Open the Group Policy Management Console, and navigate to the GPO you want to contain the configuration, or create a new one.

3. Configure the entries at Administrative Templates > JAM Software > TreeSize > Defaults.

User permissions and permission levels in SharePoint Server

In order for a user to be able to scan SharePoint pages using TreeSize, the user must be granted certain permissions in SharePoint.

A user needs a permission level on the pages they are allowed to scan that contains the website permission "Browse directories".

If the standard permission levels are to be used, the user needs at least the permission level "Contribute" on these pages.

Please note that the "SharePoint admin" role does not automatically grant a user access to all websites. If a SharePoint admin is to use TreeSize to scan SharePoint sites, check the assigned permission levels for that account as well.

Problems with authentication

If a user is not able to connect to SharePoint via TreeSize despite the assigned permissions, check whether this user has a valid Office 365 license with access to the Microsoft Graph API (e.g. Office 365 E3).