----
Remote item name: __SharePoint2__\\
\\
More info: [SharePoint REST Service Link|https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom]\\
----
__⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, make sure to whitelist the following domains:\\
• __login.microsoftonline.com__\\
• __<yourtenant>.sharepoint.com__ — for accessing SharePoint site collections\\
----
!!! Azure: App Registration for SharePoint REST API Access\\
Open the __Microsoft Azure Portal__: [Link|https://azure.microsoft.com/en-us/features/azure-portal]\\
\\
__Application registration__: Navigate to __App registrations__ and click __New registration__. Select the platform __Web__ and configure the Redirect URL.\\
\\
[SharePoint Integration/new_registration.png]\\
\\
In the Redirect URI section, for Platform configuration, select __Web__. The Redirect URL must end with __register_microsoft_graph_api/__. Examples:\\
\\
{{{
    http://localhost:9090/register_microsoft_graph_api/
    or
    https://your.crushftp.domain.com/register_microsoft_graph_api/
}}}\\
\\
__API Permissions:__\\
\\
!!! 1. Application Permission - Certificate Based:\\
\\
Application permissions are used when an application runs without a signed-in user, such as in server-to-server connections.\\
\\
__App Registration SharePoint Scopes__:\\
\\
[SharePoint REST service API/app_registration_sharepoint permissions.png]\\
\\
__a.) SharePoint.AllSites.FullControl__: Grants an application full control over all site collections in SharePoint Online across the entire tenant. This is the highest level of SharePoint permission available for applications and enables full administrative access to both content and site settings.\\
\\
Navigate to __API Permissions__. Click the __Add a permission__ button. Select __SharePoint__, then select __Application Permission__. Search for AllSites and check __AllSites.FullControl__.\\
\\
----
__b.) SharePoint.AllSites.Manage__: Grants an app manage-level access to all site collections in SharePoint Online. This includes the ability to read and write content, as well as manage lists and libraries, but not full administrative control (e.g., cannot manage site permissions or site settings).\\
\\
This permission allows the app to:\\
• Access all SharePoint sites in the tenant.\\
• Create, read, update, and delete:\\
    ◦ Files and folders\\
    ◦ Lists and list items\\
    ◦ Libraries and site content structures\\
\\
Navigate to __API Permissions__. Click the __Add a permission__ button. Select __SharePoint__, then select __Application Permission__. Search for AllSites and check __AllSites.Manage__.\\
\\
----
__c.) SharePoint.Sites.Selected__: The __Sites.Selected__ permission allows an app to access only the specific SharePoint sites you explicitly authorize. __⚠️ Important:__ The application must first be registered in Azure AD with the Sites.Selected application permission. More information is available at the following link: [Managing SharePoint Site Access for Applications Using Sites.Selected Permission|CrushTaskExample19].\\
\\
Navigate to __API Permissions__. Click the __Add a permission__ button. Select __SharePoint__, then select __Application Permission__. Search for Sites and check __Sites.Selected__.\\
----
\\
__Certificates__:\\
\\
[SharePoint Integration/azure_app_registrations_certificates.png]
\\
!!! 1.1 SharePoint2 VFS item configuration: Application Permission - Certificate Based:\\
\\
[attachments|vfs_sharepoint2_cert_based.png]\\
\\
Select the __Application Permission (cert based)__ radio button, then click the __Application Permission cert based__ button.\\
\\
[SharePoint Integration/app_permission_cert_based_form.png]\\
\\
Enter the __Client ID__ (see App Registration -> Overview -> Application (client) ID).\\
\\
__Thumbprint__: See App Registration -> Manage -> Certificates & secrets, then select __Certificates__.\\
__Private Key__: This is your application's unique digital credential, which pairs with the public certificate you uploaded in the Azure Portal. It allows the system to securely access SharePoint without a password. We accept the __PKCS#8__ key text format (often starting with -----BEGIN PRIVATE KEY-----).\\
\\
__Tenant ID__: See App Registration -> Overview -> Directory (tenant) ID. Then click OK. This will automatically configure the __username__ and __password__ in the [VFS] item settings. After that, click the __OK__ button and proceed with the SharePoint site-specific configuration. See [3. SharePoint-specific settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SharePoint%20REST%20service%20API#section-SharePoint+REST+service+API-3.SharepointSpecificSettings].\\
\\
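Added example, not part of the CrushFTP documentation: one way to create the certificate to upload under __Certificates__ and the matching key for the __Private Key__ field with OpenSSL, and to print the SHA-1 thumbprint for comparison with the value Azure shows. The CN, validity period and file names are assumptions; that the form expects an unencrypted key is inferred from the -----BEGIN PRIVATE KEY----- header mentioned above.

```shell
#!/bin/sh
# Added example: key material for the "Application Permission (cert based)" form.
# The CN, lifetime and file names are placeholders chosen for this sketch.

# make_app_cert DIR CN DAYS
#   DIR/app_cert.pem       public certificate to upload under Certificates
#   DIR/app_key_pkcs8.pem  unencrypted PKCS#8 key for the Private Key field
# The key is re-written with "pkcs8 -topk8" so the result is PKCS#8 no matter
# which container format the installed OpenSSL used for -keyout.
make_app_cert() (
    umask 077    # key files readable by the owner only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" -keyout "$1/app_key.pem" -out "$1/app_cert.pem" \
        2>/dev/null &&
    openssl pkcs8 -topk8 -nocrypt -in "$1/app_key.pem" \
        -out "$1/app_key_pkcs8.pem" &&
    rm -f "$1/app_key.pem"
)

# is_pkcs8_pem KEY: true when the first line is the unencrypted PKCS#8 header.
is_pkcs8_pem() {
    [ "$(head -n 1 "$1")" = "-----BEGIN PRIVATE KEY-----" ]
}

# cert_thumbprint CERT: SHA-1 over the DER certificate, printed as 40
# upper-case hex characters without separators.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# key_matches_cert KEY CERT: true only when both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo in a throwaway directory; the CN below is a constructed sample value.
demo=$(mktemp -d)
make_app_cert "$demo" "crushftp-sharepoint2-example" 365 &&
    is_pkcs8_pem "$demo/app_key_pkcs8.pem" &&
    key_matches_cert "$demo/app_key_pkcs8.pem" "$demo/app_cert.pem" &&
    echo "Thumbprint: $(cert_thumbprint "$demo/app_cert.pem")"
rm -rf "$demo"
```

The demo deletes its output; for real use, point make_app_cert at a directory you keep and upload only app_cert.pem to Azure.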

!!! 2. Delegated Permission:\\
\\
Delegated permissions are used when an application makes API calls as the signed-in user. The app is delegated the user’s permissions and can only access resources that the user is authorized to access.\\
\\
__Redirect URL__: The Redirect URL must end with __register_microsoft_graph_api/__. Examples:\\
\\
{{{
    http://localhost:9090/register_microsoft_graph_api/
    or
    https://your.crushftp.domain.com/register_microsoft_graph_api/
}}}\\
\\
[SharePoint REST service API/app_registration_redirect_url.png]\\
\\
__App Registration SharePoint Scopes__:\\
----
__a.) SharePoint.AllSites.FullControl__: Grants an application full control over all site collections in SharePoint Online across the entire tenant. This is the highest level of SharePoint permission available for applications and enables full administrative access to both content and site settings.\\
\\
Navigate to __API Permissions__. Click the __Add a permission__ button. Select __SharePoint__, then select __Delegated Permission__. Search for AllSites and check __AllSites.FullControl__.\\
\\
----
__b.) SharePoint.AllSites.Manage__: Grants an app manage-level access to all site collections in SharePoint Online. This includes the ability to read and write content, as well as manage lists and libraries, but not full administrative control (e.g., cannot manage site permissions or site settings).\\
\\
This permission allows the app to:\\
• Access all SharePoint sites in the tenant.\\
• Create, read, update, and delete:\\
    ◦ Files and folders\\
    ◦ Lists and list items\\
    ◦ Libraries and site content structures\\
\\
Navigate to __API Permissions__. Click the __Add a permission__ button. Select __SharePoint__, then select __Delegated Permission__. Search for AllSites and check __AllSites.Manage__.\\
\\
----
__c.) SharePoint.Sites.Selected__: The __Sites.Selected__ permission allows an app to access only the specific SharePoint sites you explicitly authorize. __⚠️ Important:__ The application must first be registered in Azure AD with the Sites.Selected application permission. More information is available at the following link: [Managing SharePoint Site Access for Applications Using Sites.Selected Permission|CrushTaskExample19].\\
\\
Navigate to __API Permissions__. Click the __Add a permission__ button. Select __SharePoint__, then select __Delegated Permission__. Search for Sites and check __Sites.Selected__.\\
\\
[CrushTaskExample19/app_permission_sharepoint_site_selected.png]\\
----
\\
__⚠️ Warning__: Grant __Admin consent__ for the newly added permission.\\
\\
[SharePoint Integration/app_permission_admin_consent.png]\\
\\
__Secret key__: A new client secret must be created. Go to __Certificates & secrets__ and generate a new client secret by clicking __New client secret__. ⚠️ Ensure you copy the __value__ immediately!\\
\\
[SharePoint Integration/new_secret.png]\\
\\
[SharePoint Integration/secret_value.png]\\
\\
!!! 2.1 SharePoint2 remote item settings (Delegated Permission):\\
\\
__⚠️ Warning__: To obtain the __Refresh Token__, the CrushFTP WebInterface’s host and port must match the __Redirect URL__ specified in the __Azure App Registration__. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/\\
\\
Click on __Get Refresh Token__.\\
\\
Enter the __Client ID__ (see App Registration -> Overview -> Application (client) ID), the __Client Secret__ (see App Registration -> Manage -> Certificates & secrets; make sure to copy the __value__ field, not the ID), and the __Tenant ID__ (see App Registration -> Overview -> Directory (tenant) ID).\\
\\
Click the __OK__ button and proceed with the authentication and authorization process.\\
\\
__⚠️ Warning__: Be sure to sign in with the Microsoft Account that has the necessary permissions, as configured in the Azure App Registration mentioned above.\\
This will automatically configure the username and password in the VFS item settings. After that, proceed with the SharePoint site-specific configuration.\\
\\
__Tenant__: See App Registration -> Overview -> Directory (tenant) ID. Depending on the App Registration account type, it can be an ID, common, or consumer.\\
\\
Provide the SharePoint-specific settings. See [SharePoint-specific settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SharePoint%20REST%20service%20API#section-SharePoint+REST+service+API-3.SharepointSpecificSettings].\\
\\
[SharePoint Integration/sharepoint2_refresh_token_vfs_item.png]\\
\\
----
!!!3.Sharepoint-specific settings:\\
\\
[SharePoint Integration/remote_item_sharepoint_specific_settings.png]\\
\\
__Site id__: The SharePoint domain name.\\
__Site Path__: The relative path of the SharePoint site without the domain. It should start and end with a slash (/).\\
Examples:\\
 /sites/SiteS1/\\
 /teams/SiteS1/SiteS2/\\
__Drive name__: Each SharePoint site has a Document Library where the site-related files are stored. Provide the name of this document library. See [SharePoint: Documents and Libraries Description Link|https://support.microsoft.com/en-us/office/what-is-a-document-library-3b5976dd-65cf-4c9e-bf5a-713c10ca2872].\\
__Folder__: Relative path of the document library of the SharePoint site.\\
\\
__Conflict Behaviour__ (only for the SharePoint remote VFS item type; not available for SharePoint2):\\
- __Rename__ the file/folder if it already exists\\
- __Replace__ the file/folder if it already exists\\
- __Fail__ if the file/folder already exists\\
\\
----
Back to [SharePoint Integration]\\
----