Maintaining Brimstone's cloud infrastructure
Microsoft automation
Authentication & renewing certificates
We are currently using application certificates for authentication against the Microsoft APIs. This is notably used by our SharePoint clients.
Relevant docs: https://learn.microsoft.com/en-us/graph/auth-register-app-v2.
Procedure to renew a certificate:
- You will likely need admin rights over SharePoint and/or the MS Graph API
- Head to https://portal.azure.com/#home
- Go into "App registrations" (or search for it)
- Go into the target application ("Stoneware" and "Stoneware Dev" are the ones used for our SharePoint clients)
- Go into Manage > Certificates & secrets. Make sure you are on the "Certificates" tab.
- Create a self-signed certificate
  - Windows: follow the official instructions
  - MacOS/Linux:
        openssl req -x509 -sha256 -nodes \
          -days 365 \
          -newkey rsa:2048 \
          -keyout privateKey.key \
          -out selfsigncert.crt \
          -subj "/C=US/ST=California/L=Oakland/O=Brimstone/CN=Stoneware/emailAddress=erwin@brimstone.com"
- Upload the resulting .crt file to the Azure portal
- Set up the following secrets in Doppler:
  - SHAREPOINT_CERT: private key generated in the previous step
  - SHAREPOINT_THUMBPRINT: certificate thumbprint (available in Azure after uploading)
  - SHAREPOINT_CLIENT_ID: application client ID, available in the "Overview" page for the Azure AD app
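A pre-flight check for the three Doppler values, added here as an example and not part of this runbook or Brimstone's own tooling. It computes the thumbprint Azure will display for the uploaded .crt (SHA-1 over the DER encoding, upper-case hex, no separators) and confirms the Doppler secrets are consistent with it, which catches the usual renewal slip of uploading a new certificate but leaving the old thumbprint in place. It uses only the Python standard library; the certificate and secret values in the block are constructed placeholders, and the function names are this example's, not an existing library's.

```python
import base64
import hashlib
import re
import ssl

HEX40 = re.compile(r"[0-9A-F]{40}")
GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def cert_thumbprint(pem: str) -> str:
    """Thumbprint as the Azure portal shows it: SHA-1 of the DER bytes, upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Accept the portal form (ABCD...) or the openssl form (ab:cd:...) and return the portal form."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not HEX40.fullmatch(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def check_secrets(secrets: dict, cert_pem: str) -> list:
    """Return a list of problems; an empty list means the Doppler values match cert_pem."""
    problems = []

    # SHAREPOINT_CERT holds the private key (privateKey.key), not the .crt that was uploaded.
    key = secrets.get("SHAREPOINT_CERT") or ""
    if "-----BEGIN" not in key or "PRIVATE KEY-----" not in key:
        problems.append("SHAREPOINT_CERT: expected the PEM private key (privateKey.key), not the certificate")

    # SHAREPOINT_THUMBPRINT must identify the certificate that is now in Azure.
    expected = cert_thumbprint(cert_pem)
    try:
        actual = normalize_thumbprint(secrets.get("SHAREPOINT_THUMBPRINT") or "")
    except ValueError as exc:
        problems.append(f"SHAREPOINT_THUMBPRINT: {exc}")
    else:
        if actual != expected:
            problems.append(
                f"SHAREPOINT_THUMBPRINT: {actual} does not match the uploaded certificate "
                f"({expected}); stale value from the previous renewal?"
            )

    # SHAREPOINT_CLIENT_ID is the application (client) ID GUID from the app's Overview page.
    if not GUID.fullmatch(secrets.get("SHAREPOINT_CLIENT_ID") or ""):
        problems.append("SHAREPOINT_CLIENT_ID: expected the application (client) ID GUID")
    return problems


# Constructed sample, NOT a real certificate: ssl.PEM_cert_to_DER_cert only
# base64-decodes the body between the PEM markers, so an arbitrary payload is
# enough to exercise the thumbprint maths. Pass the contents of
# selfsigncert.crt to cert_thumbprint() for the real value.
SAMPLE_DER = bytes(range(48))
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample secrets in the shape the runbook describes (placeholder values).
SAMPLE_SECRETS = {
    "SHAREPOINT_CERT": "-----BEGIN PRIVATE KEY-----\n<placeholder body>\n-----END PRIVATE KEY-----\n",
    "SHAREPOINT_THUMBPRINT": cert_thumbprint(SAMPLE_CERT_PEM),
    "SHAREPOINT_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
}


if __name__ == "__main__":
    print("thumbprint to compare against the Azure portal:", cert_thumbprint(SAMPLE_CERT_PEM))
    for problem in check_secrets(SAMPLE_SECRETS, SAMPLE_CERT_PEM) or ["secrets look consistent"]:
        print(problem)
```

To use it against a real renewal, read selfsigncert.crt into cert_pem and the three Doppler values into the dict. The colon-separated output of `openssl x509 -noout -fingerprint -sha1 -in selfsigncert.crt` is accepted by normalize_thumbprint, so the local value can be compared with the portal's without retyping it.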
API permissions
- SharePoint client API permissions
  - Microsoft Graph (SharePointClientV2)
    - Directory.ReadWrite.All
    - Files.ReadWrite.All
    - Sites.FullControl.All
  - SharePoint (SharePointClient)
    - Sites.FullControl.All
    - TermStore.ReadWrite.All (not sure this is needed?)
  - Microsoft Graph (