CrushFTP supports both SharePoint REST API V1 and SharePoint REST API V2 (SharePoint with Microsoft Graph API).

1. SharePoint Microsoft Graph REST API-based integration.

More info about Microsoft Graph REST API: Link

Remote item name: Sharepoint

!!! Proxy Configuration: If your server accesses the internet through a proxy, make sure to whitelist the following domains to allow authentication and Microsoft Graph API access:
• login.microsoftonline.com
• graph.microsoft.com

Open the Microsoft Azure Portal: Link

Application registration: Navigate to App registrations in the Azure Portal. Click on New registration to create a new application.


The Redirect URL must end with "register_microsoft_graph_api/".


    http://localhost:9090/register_microsoft_graph_api/

or

    https://your.crushftp.domain.com/register_microsoft_graph_api/

Secret key: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. Ensure you copy over the value immediately!


Configure API permission: You must also grant permissions for Microsoft Graph. Go to the API Permissions section, click Add a permission, and select Microsoft Graph. To learn more about Microsoft Graph permissions—including the difference between Application and Delegated permissions—refer to the official documentation: Link

1.1 Application Permission:

Application permissions are used when an application runs without a signed-in user, such as in server-to-server connections.

a.) Files.ReadWrite.All: Grants the application read and write access to all files the signed-in user can access, across all user drives and document libraries (including SharePoint sites and OneDrive for Business).
This includes the ability to:
• List, read, update, create, and delete files and folders
• Upload/download documents
• Modify file metadata

Configure API Permission: Navigate to API Permissions. Click on Add a permission button. Select Microsoft Graph. Then select Application Permission. Search for Files and check the flag Files.ReadWrite.All permission.

SharePoint Integration/ms_graph_app_permission.png

b.) Sites.FullControl.All: Grants the application full control over all site collections in the tenant without user interaction. ( More info -> Link)

This permission allows the app to:
• Read and write all files in all SharePoint Online site collections
• Manage lists, document libraries, subsites, and site permissions
• Perform site-level actions across the entire tenant

Configure API Permission: Navigate to API Permissions. Click on Add a permission button. Select Microsoft Graph. Then select Application Permission. Search for Sites and check the flag Sites.FullControl.All permission.

c.) Sites.Selected: Grants the application no access to SharePoint sites by default. However, you can explicitly grant access to specific sites by using the Microsoft Graph API. More information is available at the following link: Managing SharePoint Site Access for Applications Using Sites.Selected Permission.

Configure API Permission: Navigate to API Permissions. Click on Add a permission button. Select Microsoft Graph. Then select Application Permission. Search for Sites and check the flag Sites.Selected permission.

CrushTaskExample19/site_selected_microsoft_graph.png
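
The per-site grant that Sites.Selected relies on, sketched as the two Microsoft Graph requests involved (added example, not CrushFTP code). The host name contoso.sharepoint.com, the function names and the admin token are assumptions; the token must belong to an identity that is allowed to manage site permissions, and this example deliberately offers only the read and write roles.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # this example deliberately offers nothing broader


def site_lookup_request(hostname, site_path, token):
    """GET /sites/{hostname}:{path} resolves a site to its Graph site id."""
    path = "/" + site_path.strip("/")  # page format "/sites/SiteS1/" -> "/sites/SiteS1"
    url = f"{GRAPH}/sites/{hostname}:{urllib.parse.quote(path)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def site_grant_request(site_id, client_id, display_name, role, token):
    """POST /sites/{site-id}/permissions grants one app one role on one site."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"role must be one of {sorted(ALLOWED_ROLES)}")
    body = {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": client_id, "displayName": display_name}}
        ],
    }
    return urllib.request.Request(
        f"{GRAPH}/sites/{urllib.parse.quote(site_id, safe=',')}/permissions",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def send(request):
    """Send a prepared request and return the decoded JSON response."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: nothing is sent, the requests are only printed.
    lookup = site_lookup_request("contoso.sharepoint.com", "/sites/SiteS1/", "<admin-token>")
    grant = site_grant_request("<site-id>", "<client-id>", "CrushFTP", "write", "<admin-token>")
    for req in (lookup, grant):
        print(req.get_method(), req.full_url)
    print(grant.data.decode())
```

Pass the "id" field returned by the lookup request as site_id in the grant request; the client ID is the Application (client) ID of the CrushFTP app registration.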

Grant Admin consent for the newly added permission.

SharePoint Integration/app_permission_admin_consent.png

Client id: See at App Registration -> Overview -> Application (client) ID


Sharepoint VFS item configuration:

Select the Application Permission radio button, then click Application Permission. Enter the Client ID (see App Registration -> Overview -> Application (client) ID), the Client Secret (see App Registration -> Manage -> Certificates & secrets; make sure to copy the value field, not the ID), and the Tenant ID (see App Registration -> Overview -> Directory (tenant) ID), then click OK. This will automatically configure the username and password in the VFS item settings. After that, proceed with the SharePoint site-specific configuration.

Tenant: See at App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type it can be an ID, common, or consumer.

Provide the SharePoint-specific settings. See under the 1.3.Sharepoint-specific settings. (Link)


1.2 Delegated Permission:

Delegated permissions are used when an application makes API calls as the signed-in user. The app is delegated the user’s permissions and can only access resources that the user is authorized to access.

a.) Files.ReadWrite.All: Grants the application read and write access to all files the signed-in user can access, across all user drives and document libraries (including SharePoint sites and OneDrive for Business).
This includes the ability to:
• List, read, update, create, and delete files and folders
• Upload/download documents
• Modify file metadata

Configure API Permission: Navigate to API Permissions. Click on Add a permission button. Select Microsoft Graph. Then select Delegated Permission. Search for Files and check the flag Files.ReadWrite.All permission.

b.) Sites.FullControl.All: Grants the application full control over all site collections in the tenant without user interaction. ( More info: Link)

This permission allows the app to:
• Read and write all files in all SharePoint Online site collections
• Manage lists, document libraries, subsites, and site permissions
• Perform site-level actions across the entire tenant

Configure API Permission: Navigate to API Permissions. Click on Add a permission button. Select Microsoft Graph. Then select Delegated Permission. Search for Sites and check the flag Sites.FullControl.All permission.

c.) Sites.Selected: Grants the application no access to SharePoint sites by default. However, you can explicitly grant access to specific sites by using the Microsoft Graph API. More information is available at the following link: Managing SharePoint Site Access for Applications Using Sites.Selected Permission.

Configure API Permission: Navigate to API Permissions. Click on Add a permission button. Select Microsoft Graph. Then select Delegated Permission. Search for Sites and check the flag Sites.Selected permission.



Grant Admin consent for the newly added permission.


Client id : You can find it at Azure portal -> App Registration -> Overview:


SharePoint remote item settings:

!!! Note: To obtain the Refresh Token, the CrushFTP WebInterface’s host and port must match the Redirect URL specified in the Azure App Registration. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/

Select the Delegated Permission radio button, then click Get Refresh Token.
Enter the Client ID (see App Registration -> Overview -> Application (client) ID), the Client Secret (see App Registration -> Manage -> Certificates & secrets; make sure to copy the value field, not the ID), and the Tenant ID (see App Registration -> Overview -> Directory (tenant) ID).
Proceed with the authentication and authorization process.
!!! Note: Be sure to sign in with the Microsoft Account that has the necessary permissions, as configured in the Azure App Registration mentioned above.
This will automatically configure the username and password in the VFS item settings. After that, proceed with the SharePoint site-specific configuration.


Tenant: See at App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type it can be an ID, common, or consumer.

Provide the SharePoint-specific settings. See under the 1.3.Sharepoint-specific settings. ( Link)
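
To check which of the permissions from sections 1.1 and 1.2 an app registration actually received, an access token issued to it can be inspected: application permissions appear in the "roles" claim and delegated permissions in the "scp" claim. This is an added example, not CrushFTP code; the function names and the sample token are constructed, and the signature is not verified, so it is for inspection only.

```python
import base64
import json

# Tenant-wide permissions named on this page; Sites.Selected is the scoped one.
TENANT_WIDE = {"Files.ReadWrite.All", "Sites.FullControl.All"}


def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit(token, expected_tenant):
    """Report which Graph permissions a token carries and flag tenant-wide ones."""
    claims = jwt_claims(token)
    app_perms = set(claims.get("roles", []))        # application permissions
    delegated = set(claims.get("scp", "").split())  # delegated permissions
    granted = app_perms | delegated
    findings = []
    if claims.get("tid") != expected_tenant:
        findings.append("token issued by unexpected tenant")
    for perm in sorted(granted & TENANT_WIDE):
        kind = "application" if perm in app_perms else "delegated"
        findings.append(f"{perm} ({kind}) is tenant-wide; consider Sites.Selected")
    if not granted:
        findings.append("no permissions in token; was admin consent granted?")
    mode = "application" if app_perms else "delegated"
    return {"mode": mode, "granted": sorted(granted), "findings": findings}


def constructed_token(claims):
    """Build an unsigned sample token (constructed data) so this runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = constructed_token(
        {"tid": "<tenant-id>", "roles": ["Files.ReadWrite.All", "Sites.Selected"]}
    )
    print(json.dumps(audit(sample, "<tenant-id>"), indent=2))
```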

1.3.Sharepoint-specific settings:

Site id: The SharePoint domain name.
Site Path: The relative path of the SharePoint site without the domain. It should start and end with a slash (/).
Examples:
/sites/SiteS1/
/teams/SiteS1/SiteS2/
Drive name: Each SharePoint site has a Document Library where the site-related files are stored (see SharePoint: Documents and Libraries Description Link). Provide the name of this document library.
Folder: Relative path of the document library of the SharePoint site.

Conflict Behaviour (only for the SharePoint remote VFS item type, not available for SharePoint2):
- Rename the file/folder if it already exists
- Replace the file/folder if it already exists
- Fail if the file/folder already exists

2. SharePoint REST service API-based integration

!!! Remote item name: Sharepoint2
More info: SharePoint REST Service Link

!!! Proxy Configuration: If your server accesses the internet through a proxy, make sure to whitelist the following domains:
• login.microsoftonline.com
• <yourtenant>.sharepoint.com — for accessing SharePoint site collections

2.1 Azure: App Registration for SharePoint REST API Access

Open the Microsoft Azure Portal: Link

Application registration: Navigate to App registrations and click on New registration. Select the platform Web and configure the Redirect URL.


The Redirect URL must end with "register_microsoft_graph_api/". Examples:

    http://localhost:9090/register_microsoft_graph_api/

or
    https://your.crushftp.domain.com/register_microsoft_graph_api/


API Permissions:

Only Delegated permission types are supported. CrushFTP only supports authentication using a client secret — certificate-based authentication is not supported.

a.) SharePoint.AllSites.FullControl: Grants an application full control over all site collections in SharePoint Online across the entire tenant. This is the highest level of SharePoint permission available for applications and enables full administrative access to both content and site settings.

Navigate to API Permissions. Click on Add a permission button. Select SharePoint. Then select Delegated Permission. Search for AllSites and check the flag AllSites.FullControl.

b.) SharePoint.AllSites.Manage: Grants an app manage-level access to all site collections in SharePoint Online. This includes the ability to read and write content, as well as manage lists and libraries, but not full administrative control (e.g., cannot manage site permissions or site settings).

This permission allows the app to:
• Access all SharePoint sites in the tenant.
• Create, read, update, and delete:
    • Files and folders
    • Lists and list items
    • Libraries and site content structures

Navigate to API Permissions. Click on Add a permission button. Select SharePoint. Then select Delegated Permission. Search for AllSites and check the flag AllSites.Manage.

c.) SharePoint.Sites.Selected: The Sites.Selected permission allows an app to access only the specific SharePoint sites you explicitly authorize. More information is available at the following link: Managing SharePoint Site Access for Applications Using Sites.Selected Permission.

Navigate to API Permissions. Click on Add a permission button. Select SharePoint. Then select Delegated Permission. Search for Sites and check the flag Sites.Selected.

CrushTaskExample19/app_permission_sharepoint_site_selected.png

Grant Admin consent for the newly added permission.

SharePoint Integration/app_permission_admin_consent.png

Secret key: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. Ensure you copy over the value immediately!


SharePoint2 remote item settings:

!!! Note: To obtain the Refresh Token, the CrushFTP WebInterface’s host and port must match the Redirect URL specified in the Azure App Registration. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/

Click on Get Refresh Token.
Enter the Client ID (see App Registration -> Overview -> Application (client) ID), the Client Secret (see App Registration -> Manage -> Certificates & secrets; make sure to copy the value field, not the ID), and the Tenant ID (see App Registration -> Overview -> Directory (tenant) ID).
Proceed with the authentication and authorization process.
!!! Note: Be sure to sign in with the Microsoft Account that has the necessary permissions, as configured in the Azure App Registration mentioned above.
This will automatically configure the username and password in the VFS item settings. After that, proceed with the SharePoint site-specific configuration.

Tenant: See at App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type it can be an ID, common, or consumer.

Provide the SharePoint-specific settings. See under the 1.3.Sharepoint-specific settings. ( Link)


2.2 Sharepoint: Custom Application APP Authentication (Deprecated)

!!! Constraint: On newer SharePoint (after 2019), granting app permission is disabled by default. To enable Custom Application APP Authentication, run the following PowerShell commands:

    # Install the SharePoint Online Management Shell module.
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell
    $adminUPN = "<SharePoint administrator account>"
    $orgName = "<name of your Office 365 organization>"
    $userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."
    # Connect to the SharePoint admin site of the organization.
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential
    # Show the current value, then enable custom app authentication (tenant-wide setting).
    Get-SPOTenant | Select-Object DisableCustomAppAuthentication
    Set-SPOTenant -DisableCustomAppAuthentication $false

Or

    # Same steps, prompting for both the user name and the password.
    $creds = Get-Credential
    $orgName = "<name of your Office 365 organization>"
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $creds
    Get-SPOTenant | Select-Object DisableCustomAppAuthentication
    Set-SPOTenant -DisableCustomAppAuthentication $false


Advantage (compared with MSGraph API Delegated Permission): Stream upload is supported. No local file is stored temporarily during the upload.

1. Register Add-In
Navigate and log in to the SharePoint online site. Go to the Register Add-In page by entering the URL as:

    https://<sitename>.sharepoint.com/<<site path>>/_layouts/15/appregnew.aspx


Click the Generate button.


Store the Client ID and Client Secret and click on the Create button.


2. Grant Permissions to Add-In

Navigate to:

    https://<sitename>.sharepoint.com/<<site path>>/_layouts/15/appinv.aspx

This will redirect to the Grant permission page. Enter the Client ID (generated earlier) in the AppId textbox and click the Lookup button.
Provide the Permission Request XML and click on the Create button.

Permission Request XML content:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl"/>
    </AppPermissionRequests>


SharePoint2 remote item settings:

User name : The created Client ID
Password : The created Client Secret
Site id : The SharePoint domain name.
Site Path: The path of the SharePoint site. It should start and end with a slash.
Drive name: Each SharePoint site has a Document Library where the site-related files are stored (see SharePoint: Documents and Libraries Description Link). Provide its name.
Folder: Relative path of the document library of the SharePoint site.

This page (revision-220) was last changed on 09-May-2025 02:42 by krivacsz