Certificate-Based Authentication
Certificate-based authentication provides a secure way to connect to SharePoint and supports both basic integration and permission sync functionality. Use certificate authentication when:- You need permission sync capabilities
- You prefer certificate-based security over client secrets
- Your organization requires certificate-based authentication
Setting up
Step 1: Create Azure App Registration
Open Azure Portal
Open App registrations
Create registration
Name and register app
Save IDs
Step 2: Generate and Upload Certificate
Option A: Generate Self-Signed Certificate
Option B: Use Organization Certificate
Obtain a certificate from your organization’s Certificate Authority (CA) following your internal security policies.Step 3: Upload Certificate to Azure
Open Certificates & secrets
Upload certificate
Select file
Add certificate
Step 4: Configure API Permissions
Open API Permissions
Add a permission
Basic Permissions (No Permission Sync)
If you are not planning to enable permission sync, you only need basic permissions:Choose Microsoft Graph
Select Sites.Read.All
- Advanced: If you want to limit the sites this app has access to, select Sites.Selected. However, if you do this, you will need to add the App you are currently registering to each site you want to index.
How to grant site-specific access
How to grant site-specific access
- PnP PowerShell (
Grant-PnPAzureADAppSitePermissioncmdlet) - Resource Specific Consent guide
Sign in
Consent to permissions
Get the site ID
{tenant} and YourSiteName:id from the response (format: gorbit.sharepoint.com,guid1,guid2).Grant Read permission
Verify
"roles": ["read"] appears for the Gorbit app.Add and grant
Extended Permissions (With Permission Sync)
If you plan to enable permission sync, you’ll need additional permissions:Add another permission
Microsoft Graph application permissions
- Directory.Read.All - Used to query the overall organizational directory structure, including how users, groups, organizational units, and other directory objects relate to each other.
- Group.Read.All - Used to read detailed group-specific information such as group properties, settings, types (Security vs Microsoft 365), and configurations.
- GroupMember.Read.All - Used to retrieve and expand all members within a group, including nested group memberships. This allows Gorbit to determine which users have access to SharePoint content through group membership.
- Member.Read.Hidden - Allows reading memberships of security groups that are marked as “hidden” in Entra ID.
- User.Read.All - Used to retrieve complete user profiles and enumerate all users in the directory. Click Add permissions.
Microsoft Graph delegated permission
- User.Read - This delegated permission allows the application to sign in on behalf of a user and read the signed-in user’s basic profile information. Unlike application permissions which work without a user context, this delegated permission is required when the app needs to establish an authenticated identity context for making API calls to Microsoft Graph and SharePoint. It provides the minimum required access for user authentication flows. Click Add permissions.
SharePoint application permissions
- Sites.FullControl.All - Despite the name, Gorbit only uses this to retrieve details about permissions. No write operations are performed. If you selected Sites.Selected and need to grant fullcontrol only for specific sites, see the Using Sites.Selected with Permission Sync section below.
- User.Read.All - Used to list all users within the directory for permission mapping. Click Add permissions.
Grant admin consent
Using Sites.Selected with Permission Sync
Using Sites.Selected with Permission Sync
- PnP PowerShell (
Grant-PnPAzureADAppSitePermissioncmdlet) - Resource Specific Consent guide
Sign in
Consent to permissions
Get the site ID
{tenant} and YourSiteName:id from the response (format: gorbit.sharepoint.com,guid1,guid2).Grant FullControl permission
Verify
"roles": ["fullcontrol"] appears for the Gorbit app.Step 5: Configure in Gorbit
Open SharePoint connector
Create Certificate credential
Enter credential details
- Application (client) ID from Step 1
- Directory (tenant) ID from Step 1
- Certificate File: Upload your certificate file (.pfx file)
- Certificate Password: Enter password which you used to export the certificate file
Save credentials
Step 6: Enable Permission Sync (Optional)
When creating your SharePoint connector with certificate authentication:Locate Permission Sync option
Enable Permission Sync
Permission Sync Details
When permission sync is enabled:- Document-level permissions: Gorbit will respect SharePoint document permissions
- Site-level permissions: Users will only see documents from sites they have access to
- Group permissions: SharePoint group memberships are synchronized
- Real-time sync: Permissions are updated regularly to reflect SharePoint changes