Documentation for Access Rights Manager

Required accounts and permissions for a SharePoint scan

For a SharePoint scan, two accounts must be configured:

Process Account

The "Process account" is used to execute the scan process on the selected collector. This account must have local administrative rights and the right to log on interactively on the collector. Recommended: leave the input blank, and ARM will use the service account from the base configuration.


Scan Account

The "Scan account" is the identity used to perform the actual scan of the SharePoint content; the requirements differ between SharePoint on-premises and SharePoint Online.


SharePoint on-premises

This account must always be the owner account registered for the site collection (the primary site collection administrator). The owner is set when a site collection is created; it can be viewed or changed in the SharePoint Central Administration (or with the SharePoint Management Shell, which is the SharePoint farm's own PowerShell).

In Central Administration, navigate to:

Application Management -> Site Collections -> Change site collection administrators -> select the site collection -> Primary site collection administrator
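Checking every site collection by hand in Central Administration does not scale. The following script is an added example, not part of the ARM documentation or the product: run in the SharePoint Management Shell on a farm server, it compares the primary site collection administrator (the SPSite Owner) of every site collection in a web application with the scan account and lists the mismatches. The account name and web application URL are placeholders to replace.

```powershell
# Added example (not ARM's own code): verify that the scan account is the
# primary site collection administrator of every site collection ARM will scan.
# Run in the SharePoint Management Shell on a SharePoint server.
$ScanAccount = 'CONTOSO\svc-arm-scan'           # placeholder: the ARM scan account
$WebAppUrl   = 'https://sharepoint.contoso.com'  # placeholder: web application to check

$mismatches = Get-SPSite -WebApplication $WebAppUrl -Limit All | ForEach-Object {
    $site = $_
    # Windows claims logins carry the prefix "i:0#.w|"; strip it before comparing
    $owner = $site.Owner.UserLogin -replace '^i:0#\.w\|', ''
    if ($owner -ine $ScanAccount) {
        [pscustomobject]@{ Url = $site.Url; PrimaryAdmin = $owner }
    }
    $site.Dispose()   # SPSite objects hold unmanaged resources
}

if ($mismatches) {
    Write-Warning "Site collections whose primary administrator is not $ScanAccount :"
    $mismatches | Format-Table -AutoSize
    # To repair (farm administrator rights required), uncomment the next line:
    # foreach ($m in $mismatches) { Set-SPSite -Identity $m.Url -OwnerAlias $ScanAccount }
} else {
    Write-Host "All site collections in $WebAppUrl are owned by $ScanAccount"
}
```

Changing the owner with Set-SPSite -OwnerAlias demotes the previous primary administrator, so agree the change with the site collection's owners before running the repair line.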


SharePoint Online

To access SharePoint Online, you can use either a registered app (recommended) or a service account.


Access SharePoint Online via registered app

To access SharePoint Online via a registered app, follow the steps in the Microsoft guide Granting access using SharePoint App-Only (© 2022 Microsoft, https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, obtained April 5, 2022).

Then use the App ID (client ID) created in this way as the username and the Client Secret value as the password of the scan account.

Enter these credentials in the SharePoint change configuration. Treat the client secret like any other password: it grants the app-only principal the permissions assigned to it in SharePoint, so store it only in ARM's configuration and in your secret store, not in scripts or tickets.


Note that the Client Secret expires; by default it is valid for one year. When it expires, the SharePoint Online scan fails until a new secret is registered and entered in ARM.

To renew the Client Secret, or to issue one with a longer validity period, you can use the following PowerShell script. It requires tenant administrator credentials and the MSOnline module, which Microsoft has since deprecated in favour of Microsoft Graph PowerShell, so check the current Microsoft guidance before relying on it:

# Scripts are not supported under any SolarWinds support program or service.
# Scripts are provided AS IS without warranty of any kind. SolarWinds further
# disclaims all warranties including, without limitation, any implied warranties
# of merchantability or of fitness for a particular purpose. The risk arising
# out of the use or performance of the scripts and documentation stays with you.
# In no event shall SolarWinds or anyone else involved in the creation,
# production, or delivery of the scripts be liable for any damages whatsoever
# (including, without limitation, damages for loss of business profits, business
# interruption, loss of business information, or other pecuniary loss) arising
# out of the use of or inability to use the scripts or documentation.
#
# Generate a new client secret for a SharePoint App-Only principal.
$username   = "TenantAdminUserName"
$password   = "TenantAdminPassword"   # caution: a plaintext admin password in a script is a credential-exposure risk; see Get-Credential below
$appId      = 'app id for which a new client secret should be created'
$validYears = 3                        # number of years the new client secret should be valid for

# Install the required module if it is not already present
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module MSOnline -Scope CurrentUser -Force -Confirm:$false
}
Import-Module MSOnline

# Connect to Azure Active Directory (use tenant admin credentials here).
# Interactive alternative that avoids storing the password: $cred = Get-Credential
# Accounts protected by MFA must sign in interactively: Connect-MsolService (without -Credential)
$secstr = ConvertTo-SecureString -String $password -AsPlainText -Force
$cred   = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
Connect-MsolService -Credential $cred

# Generate the new client secret: 32 bytes from a cryptographic RNG, Base64-encoded
$bytes = New-Object Byte[] 32
$rand  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)

$dtStart = [System.DateTime]::Now
$dtEnd   = $dtStart.AddYears($validYears)

# Register the same secret three times, as SharePoint App-Only requires (Sign, Verify and Password)
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Symmetric -Usage Sign   -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Password  -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd

# Output the new secret: enter it as the scan account password in ARM, then clear it from the console history
$newClientSecret

For more information, see the article Replace an expiring client secret in a SharePoint Add-in (© 2022 Microsoft, https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in, obtained on September 7, 2022).
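Because the scan silently stops working when the secret lapses, a practitioner will want to see when the registered credentials expire and remove keys that are already dead. The following script is an added example, not code from the ARM documentation or the Microsoft article: it lists the credentials of the App-Only principal, flags those expiring within a chosen number of days, and optionally removes expired keys. It assumes an existing Connect-MsolService session, the MSOnline cmdlets Get-MsolServicePrincipalCredential and Remove-MsolServicePrincipalCredential, and a placeholder App ID.

```powershell
# Added example (not ARM's or Microsoft's code): report client secret expiry for
# the App-Only principal and optionally clean up keys that have already expired.
# Assumes Connect-MsolService has already been run with tenant admin credentials.
$appId         = '00000000-0000-0000-0000-000000000000'  # placeholder: App ID used as ARM scan account username
$warnDays      = 30                                      # warn when this many days or fewer remain
$removeExpired = $false                                  # set to $true to delete expired keys

# -ReturnKeyValues $false lists metadata only; the secret value is never displayed
$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $false
$now  = [System.DateTime]::UtcNow

foreach ($k in $keys) {
    $remaining = ($k.EndDate - $now).Days
    $state = if ($remaining -lt 0)            { 'EXPIRED' }
             elseif ($remaining -le $warnDays) { "expires in $remaining day(s)" }
             else                              { "valid for $remaining day(s)" }
    Write-Host ('{0}  {1,-9} {2,-6} {3:yyyy-MM-dd} -> {4:yyyy-MM-dd}  {5}' -f `
        $k.KeyId, $k.Type, $k.Usage, $k.StartDate, $k.EndDate, $state)
}

# Remove only keys that are already expired. A key that is still valid may be the
# one configured in ARM; deleting it breaks the scan until the new secret is entered.
$expired = @($keys | Where-Object { $_.EndDate -lt $now } | Select-Object -ExpandProperty KeyId)
if ($removeExpired -and $expired.Count -gt 0) {
    Remove-MsolServicePrincipalCredential -AppPrincipalId $appId -KeyIds $expired
    Write-Host "Removed $($expired.Count) expired credential(s)"
}
```

Run the report on a schedule and alert on the warning state; renewing the secret before the old one expires (the renewal script above adds new keys without removing the existing ones) avoids a gap in the scan.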


Access SharePoint Online via service account

The scan account requires Site admin (site collection administrator) permissions on the site collections to be scanned.

You can set the permissions in the SharePoint Online admin center.
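Granting the permission through the admin center works for a handful of sites; for a whole tenant the SharePoint Online Management Shell is quicker and leaves an auditable script. The following is an added example, not part of the ARM documentation: it makes the scan service account a site collection administrator on every site collection returned by Get-SPOSite and then verifies the result. The admin center URL and account name are placeholders, and the Microsoft.Online.SharePoint.PowerShell module is assumed to be installed.

```powershell
# Added example (not ARM's own code): grant the scan service account site collection
# administrator rights on all site collections and verify it afterwards.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
$AdminUrl    = 'https://contoso-admin.sharepoint.com'  # placeholder: tenant admin center URL
$ScanAccount = 'svc-arm-scan@contoso.onmicrosoft.com'  # placeholder: ARM scan service account

Connect-SPOService -Url $AdminUrl   # interactive sign-in as SharePoint administrator

# Get-SPOSite -Limit All excludes personal (OneDrive) sites unless -IncludePersonalSite is added
$sites = Get-SPOSite -Limit All
foreach ($s in $sites) {
    # Site collection admin is scoped per site; the scan account needs no tenant-wide role
    Set-SPOUser -Site $s.Url -LoginName $ScanAccount -IsSiteCollectionAdmin $true | Out-Null
}

# Verify: report sites where the account is still not a site collection administrator
$missing = foreach ($s in $sites) {
    $u = Get-SPOUser -Site $s.Url -LoginName $ScanAccount -ErrorAction SilentlyContinue
    if (-not $u -or -not $u.IsSiteAdmin) { $s.Url }
}
if ($missing) {
    Write-Warning ("Not a site collection admin on:`n" + ($missing -join "`n"))
} else {
    Write-Host "$ScanAccount is site collection administrator on $($sites.Count) site collection(s)"
}
```

Site collections created later will not be covered automatically; rerun the script, or include it in the provisioning process for new site collections.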