Documentation for Access Rights Manager

Required accounts and permissions for a SharePoint scan

To perform a SharePoint scan, configure the process and scan accounts.

Process Account

This account is used to execute the scan process on the selected collector. It must have local administrative rights and interactive logon privileges on the collector. SolarWinds recommends that you leave the input blank; ARM then uses the service account from the base configuration.

Scan Account

This account is used for the actual scan.

SharePoint on-premise

This account must always be the same as the owner account registered for the site collection (also known as the primary site collection administrator). The corresponding user account is defined when a site collection is created and can only be viewed or changed in SharePoint Central Administration.

In Central Administration, navigate to Application Management > Site Collections > Change site collection administrators > select the site collection > Primary site collection administrator.

SharePoint Online

To access SharePoint Online, you can use either a registered app (recommended) or a service account.

Access SharePoint Online using a registered app

To access SharePoint Online using a registered app, follow the steps as described in the following Microsoft guide: Granting access using SharePoint App-Only (© 2022 Microsoft, https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, obtained April 5, 2022).

Use the App ID created in this way as the username and the Client Secret Value as the password for the scan account.

You can use these credentials in the SharePoint change configuration.

The Client Secret has an expiration date; by default it is valid for 1 year.

To renew the Client Secret or set a longer validity period, you can use the following PowerShell script:

# Scripts are not supported under any SolarWinds support program or service.
# Scripts are provided AS IS without warranty of any kind. SolarWinds further
# disclaims all warranties including, without limitation, any implied warranties
# of merchantability or of fitness for a particular purpose. The risk arising
# out of the use or performance of the scripts and documentation stays with you.
# In no event shall SolarWinds or anyone else involved in the creation,
# production, or delivery of the scripts be liable for any damages whatsoever
# (including, without limitation, damages for loss of business profits, business
# interruption, loss of business information, or other pecuniary loss) arising
# out of the use of or inability to use the scripts or documentation.
#
# Renew the client secret of the app registration used as the ARM scan account.
# Placeholders: replace with tenant admin credentials and the App ID (the same
# value that is entered as the scan account username).
$username = "TenantAdminUserName"
$password = "TenantAdminPassword"
$appId = 'app id for which a new client secret should be created'
$validYears = 3 # number of years the new client secret should be valid for
# install required module
Install-Module MSOnline -Force -Confirm:$false
# connect to Azure Active Directory (use tenant admin credentials here)
$secstr = ConvertTo-SecureString -String $password -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
Connect-MsolService -Credential $cred
# generate a new random client secret: 32 bytes from a CSPRNG, base64-encoded
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears($validYears)
# register the secret three times, as the SharePoint App-Only registration does:
# symmetric key for signing, symmetric key for verification, and password credential
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
# output the new secret: enter it as the scan account password in ARM
$newClientSecret

For more information, see the article Replace an expiring client secret in a SharePoint Add-in (© 2022 Microsoft, https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in, obtained on September 7, 2022).
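Before renewing, it helps to know when the secret currently registered for the scan app actually expires, since an expired secret silently breaks the SharePoint Online scan. The following PowerShell is an example added here, not part of the SolarWinds documentation or the Microsoft guide; it assumes an existing Connect-MsolService session, the MSOnline cmdlets Get-MsolServicePrincipalCredential and Remove-MsolServicePrincipalCredential, and the example's own parameter names ($AppId, the App ID used as the scan account username; $WarnDays; $RemoveExpired).

```powershell
# Added example: list the credentials registered for the ARM scan app and flag
# those that are expired or expiring soon. Assumes Connect-MsolService has
# already been run with tenant admin credentials. Parameter names are this
# example's own, not ARM settings.
param(
    [Parameter(Mandatory = $true)][Guid]$AppId,
    [int]$WarnDays = 30,       # flag secrets that expire within this many days
    [switch]$RemoveExpired     # optional clean-up of credentials already past EndDate
)

$now = [System.DateTime]::UtcNow
# ReturnKeyValues $false returns only metadata (KeyId, Type, Usage, StartDate,
# EndDate); the secret values themselves are never read or displayed.
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $AppId -ReturnKeyValues $false

if (-not $creds) {
    Write-Warning "No credentials registered for app $AppId; the scan account cannot authenticate."
    return
}

foreach ($c in $creds) {
    $daysLeft = [int][math]::Floor(($c.EndDate - $now).TotalDays)
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
             else { 'OK' }
    [pscustomobject]@{
        KeyId     = $c.KeyId
        Type      = $c.Type
        Usage     = $c.Usage
        StartDate = $c.StartDate
        EndDate   = $c.EndDate
        DaysLeft  = $daysLeft
        State     = $state
    }
}

if ($RemoveExpired) {
    # Only credentials whose EndDate has already passed are removed, so a
    # currently working scan account is never affected by this clean-up.
    $expiredIds = $creds | Where-Object { $_.EndDate -lt $now } | Select-Object -ExpandProperty KeyId
    if ($expiredIds) {
        Remove-MsolServicePrincipalCredential -AppPrincipalId $AppId -KeyIds $expiredIds
    }
}
```

A healthy scan app shows the three entries created by the renewal script (Symmetric/Sign, Symmetric/Verify, Password/Verify) with the same EndDate; any row marked EXPIRING is the cue to run the renewal script and update the scan account password in ARM.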

Access SharePoint Online using a service account

The scan account requires Site admin permissions, as shown below.

(Screenshots property of © 2020 Microsoft Corporation)

You can set the permissions in the SharePoint Online admin center.