Granting Permissions in Azure for all SharePoint Online Connections Created in Nintex Automation Cloud

Topic

Objectives:

• Create the 'Nintex Connector - SharePoint Online' Enterprise Application
• Apply the following permissions to the Enterprise Application for all users
  • Microsoft Graph: openid
  • Microsoft Graph: email
  • Microsoft Graph: profile
  • Microsoft Graph: offline_access
  • Office 365 SharePoint Online: AllSites.FullControl
  • Office 365 SharePoint Online: AllSites.Manage
  • Office 365 SharePoint Online: User.Read.All

Note: Necessary permissions will inherently be applied by creating 2 different connection types, specified in the Instructions.
 

Instructions 

Prerequisites:

• Azure Credentials for an account with the Global Administrator role.
  • You can validate an Azure account's role by doing the following:
    • Navigate to portal.azure.com and login
    • Select, or search for, 'Users'
    • In the search bar (immediately above the list of users), search for the account in question
    • Select the account
    • Select 'Assigned Roles'
    • Confirm 'Global Administrator' is applied.
• Nintex Automation Cloud (NAC) account with at least the minimum required role according to Settings > Connection Settings in your NAC tenant. When in doubt, use at least an Administrator account.

Steps:  

1. In Nintex Automation Cloud, navigate to the 'Automate' (top-right corner) > Connections (left-hand side)
2. Select '+Add Connection'
3. In the Connector drop-down menu, select 'SharePoint Online'
4. In the User authentication method, select 'SharePoint Online: Query user profile'
5. Select 'Next'
6. In the Connection settings
   1. Connection name: enter a value of your choice
   2. SharePoint Online tenant URL: Enter your tenant URL as per the example https://[YourTenantName].sharepoint.com
7. Select 'Connect'
8. A Microsoft Login prompt appears; follow the prompts to enter the credentials for the Azure Global Administrator account.
9. A 'Permissions requested' prompt appears; check the box for 'Consent on behalf of your organization' and select 'Accept'.

Result: The 'Nintex Connector - SharePoint Online' Enterprise Application has been created in your Azure tenant with the following permissions granted by admin consent:

Microsoft Graph: openid
Microsoft Graph: email
Microsoft Graph: profile
Microsoft Graph: offline_access
Office 365 SharePoint Online: AllSites.Manage
Office 365 SharePoint Online: User.Read.All

 

10. On the Connections page, select '+Add Connection'
11. In the Connector drop-down menu, select 'SharePoint Online'
12. In the User authentication method, select 'SharePoint Online: Site collection administration'
13. Select 'Next'
14. In the Connection settings
    1. Connection name: enter a value of your choice
    2. SharePoint Online tenant URL: Enter your tenant URL as per the example https://[YourTenantName].sharepoint.com
15. Select 'Connect'
16. A Microsoft Login prompt appears; follow the prompts to enter the credentials for the Azure Global Administrator account.
17. A 'Permissions requested' prompt appears; check the box for 'Consent on behalf of your organization' and select 'Accept'.

Result: The Nintex Connector - SharePoint Online Enterprise Application has been granted the following permission by admin consent:

Office 365 SharePoint Online: AllSites.FullControl

Additional Information

At this point, the Enterprise application has been created, all necessary permissions have been granted via admin consent for all users, and future Connections created for SharePoint Online should not prompt any user for permissions. If desired, delete the Connections created in steps 1 – 17 as these Connections don't need to exist to maintain the Enterprise Application permissions that have been granted. All new SharePoint Online Connections made can use individual user credentials or a service account if desired.

The permissions applied to the Nintex Connector – SharePoint Online Enterprise Application are of the type ‘Delegated’, meaning that each connection will only have permission to access sites, lists, items, etc. that the credentials provided are granted. A user cannot otherwise subvert SharePoint permissions.

What to Expect when Using Connections (Example Scenario):

John Doe creates a new SharePoint Online Connection using his own credentials. He receives no prompt for permissions and the Connection configuration completes upon entering his password.

John Doe creates a new workflow and proceeds to configure a ‘SharePoint Online – Query a list’ action to use his new Connection. This Query a list action will only allow John to query a site/list/item that he has access to.

John Doe proceeds to configure a ‘SharePoint Online – Update items’ action to use his Connection. Any update items that occur via this action will show that ‘John Doe’ last modified the item.