Sharepoint & OneDrive
Requirements
Within Azure, an Entra App was created and configured as described here
Within Teleskope, you have a Teleskope Account with the Admin role
Integration
To automate the following steps, see Scripted enrollment.
Grant the Teleskope App Microsoft Graph API scopes
Navigate to your App Registration, then Manage -> API Permissions, and assign the following Graph API scopes via Application Permissions:
Directory.Read.All – read users, groups, directories to map identities
ExternalUserProfile.Read.All – identify guest/external users
Files.Read.All – read files for discovery/scanning/classification
Group.Read.All – list groups to analyze access
GroupMember.Read.All – enumerate membership for permission inheritance
RoleManagement.Read.All – understand privileged roles
SharePointTenantSettings.Read.All – inspect tenant-wide settings (e.g., sharing rules)
Sites.Read.All – enumerate SharePoint sites to index and crawl content
User.Read.All – get user properties
Optional Permissions to enable features in 'Policy Maker'
InformationProtectionPolicy.Read.All – read Purview labels/policies
Files.ReadWrite.All – enable remediation such as quarantining or deletion
Lastly, grant admin consent to all of the permissions.
Grant the Teleskope App Sharepoint API scopes
Sites.Manage.All – understand site-level permissions
Sites.Read.All – read site collections & content metadata
TermStore.Read.All – read taxonomy/metadata store
User.Read.All – get user properties in SharePoint context
Optional Permissions to enable features in 'Policy Maker' and extra 'Data Access' information.
Sites.FullControl.All – provides admin-level control of sites such as access revocation
Follow these instructions and enable Metered API and Services for Azure
Generate a certificate
Create an Azure certificate with a public key by following the Microsoft instructions to Create and export your public certificate
Base64 encode the .pfx file. For example, in PowerShell, run the following command:
# Read the exported .pfx (not a .txt) and print its Base64 encoding
$fileBytes = [System.IO.File]::ReadAllBytes("example.pfx")
$base64 = [Convert]::ToBase64String($fileBytes)
$base64
Go to Certificates & secrets.
Go to the Certificates tab, click Upload certificate, and upload the public certificate (.cer file) you generated.
Follow Microsoft's instructions to Export your public certificate with its private key
If you are on macOS, use the certificate.sh script to generate the credentials described in the steps above.
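The certificate steps above, as an added example that is not Teleskope's certificate.sh: it builds the .cer to upload, the password-protected .pfx, and the single-line Base64 string with nothing but openssl, and includes a check that the password opens the bundle and that the bundled certificate matches the uploaded .cer. The function names, file names and the CN are assumptions.

```shell
#!/bin/sh
# Added example, not Teleskope's certificate.sh. Assumed names: make_teleskope_cert,
# pfx_base64, check_pfx, and the output file names app.key/app.cer/app.pfx/app.pfx.b64.
set -eu

# make_teleskope_cert OUTDIR PFX_PASSWORD [DAYS]
#   app.key     private key (stays on your machine)
#   app.cer     DER public certificate: the file uploaded under Certificates & secrets
#   app.pfx     PKCS#12 bundle (cert + key) protected by PFX_PASSWORD
#   app.pfx.b64 single-line Base64 of app.pfx, the value pasted into the enrollment form
make_teleskope_cert() {
  outdir=$1; pfx_pass=$2; days=${3:-365}
  mkdir -p "$outdir"
  # Self-signed is enough: the app registration only needs the public part.
  openssl req -x509 -newkey rsa:2048 -sha256 -days "$days" -nodes \
    -subj "/CN=teleskope-app" \
    -keyout "$outdir/app.key" -out "$outdir/app.pem" >/dev/null 2>&1
  openssl x509 -in "$outdir/app.pem" -outform DER -out "$outdir/app.cer"
  openssl pkcs12 -export -inkey "$outdir/app.key" -in "$outdir/app.pem" \
    -out "$outdir/app.pfx" -passout "pass:$pfx_pass"
  chmod 600 "$outdir/app.key" "$outdir/app.pfx"
  pfx_base64 "$outdir/app.pfx" > "$outdir/app.pfx.b64"
}

# pfx_base64 FILE: one-line Base64 (openssl -A sidesteps GNU/BSD base64 flag differences)
pfx_base64() {
  openssl base64 -A -in "$1"
}

# check_pfx PFX PASSWORD CER: true only if PASSWORD opens the bundle and the certificate
# inside has the same SHA-1 thumbprint as the .cer you uploaded to Azure.
check_pfx() {
  pfx_fp=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 2>/dev/null)
  cer_fp=$(openssl x509 -in "$3" -inform DER -noout -fingerprint -sha1)
  [ -n "$pfx_fp" ] && [ "$pfx_fp" = "$cer_fp" ]
}
```

Run `make_teleskope_cert ./out 'your-pfx-password'` and then `check_pfx ./out/app.pfx 'your-pfx-password' ./out/app.cer` before pasting app.pfx.b64 into the enrollment form.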
Scripted enrollment
The following scripts can be used to automate the app registration and generate everything you need for enrollment:
Prerequisites
Azure CLI installed & logged in
Authenticate with
az login (or az login --tenant <tenant-id> --subscription <sub-id> if you manage multiple subscriptions).
Administrator role
You need Application Administrator (or Cloud Application Administrator / Global Administrator) in Azure AD, plus Contributor on the target subscription (so you can register providers and create resource groups).
PowerShell execution policy (Windows only)
If you haven’t run unsigned scripts before, in an elevated PowerShell window run:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Steps
Install prerequisites
On macOS:
brew install azure-cli jq openssl
On Windows:
Use PowerShell Version 7+
Ensure you have Azure CLI and OpenSSL.
Download the scripts into a working folder (right click → save as).
Edit the Config section
Open the script and replace all the
<PLACEHOLDERS> (<RESOURCE_GROUP>, <YOUR_REGION>, <YOUR_SUBSCRIPTION_ID>, <PFX_PASSWORD>) with your values.
Make executable (macOS only)
chmod +x ./sharepoint_enrollment_macOS.sh
Run the script
macOS:
./sharepoint_enrollment_macOS.sh
Windows: open PowerShell in the script folder and run
.\sharepoint_enrollment_windows.ps1
Verify output
Look for the generated
teleskope-app-details.txt (or your chosen filename) and confirm it contains Tenant ID, Client ID/Secret, PFX Base64, etc.
Enroll Sharepoint in Teleskope (see final step of Integration)