Prerequisites
- The user granting these permissions must have Global Admin privileges.
Integration Approaches
Oleria currently supports three approaches. Follow the one that is most appropriate for your organization.- Authenticate via Microsoft (automated configuration via OAuth)
- Client Secret Authentication (manual configuration)
- Client Certificate Authentication (manual configuration)
Authenticate via Microsoft (OAuth)
Open the integration
- Select Microsoft Entra ID to integrate Entra ID, or
-
Select Microsoft SharePoint and OneDrive to integrate Entra ID, SharePoint, and OneDrive.


Choose permission scope

Select your Microsoft account
Complete the initial consent form

Complete the application consent form
-
Standard read-only permissions for Entra ID integration (without optional remediations)

-
Standard read-only permissions for SharePoint and OneDrive integration (without optional remediation)

-
Permissions for Entra ID integration with optional remediation capabilities (includes some write permissions)

-
Permissions for SharePoint and OneDrive integration with optional remediation capabilities (includes some write permissions)

Confirm the connection

Client Secret Authentication
Create an app registration in Entra ID

Configure the registration

Open API permissions

Add Microsoft Graph permissions

- Standard read-only permissions for Entra ID integration (without optional remediations)
- Standard read-only permissions for SharePoint and OneDrive integration (without optional remediation)
- Permissions for Entra ID integration with optional remediation capabilities (includes some write permissions)
- Permissions for SharePoint and OneDrive integration with optional remediation capabilities (includes some write permissions)
Grant admin consent

Confirm admin consent

Create a client secret

Copy the client secret value

Capture Client ID and Tenant ID

Open the integration in Oleria

Authenticate with Client Secret

Confirm the connection

Client Certificate Authentication
Client certificate authentication uses a certificate uploaded to your Oleria app registration in Entra ID and a base64-encoded private key stored by Oleria. Use this method when your security policy requires certificate-based service principal authentication instead of a client secret.Prepare your certificate files
certificate.pem- the public certificate in PEM formatprivate_key.txt- the matching unencrypted private key in PEM formatcertificate_chain.txt- the intermediate certificate chain in PEM format
New-SelfSignedCertificate on Windows) and export it in the formats above.private_key.txt is passphrase-protected, decrypt it first with openssl rsa -in private_key.txt -out private_key.txt (or the equivalent for your key type) before continuing.Generate the base64-encoded private key
- macOS or Linux
- Windows (PowerShell)
base64_generate_cert.pem is the value you will paste into Oleria in the final step.Upload the certificate to Entra ID
certificate.pem.
Open the integration in Oleria
- For a new integration, select Microsoft Entra ID or Microsoft SharePoint and OneDrive to open the side panel.
- To migrate an existing integration from client secret to client certificate, select Connected, then select the edit icon on your Entra ID integration to open the side panel.
Authenticate with the client certificate

Clean up generated files
generated_cert.pem and base64_generate_cert.pem both contain the unencrypted private key inline. Delete them from the working directory now that the integration is connected. Your original certificate.pem, certificate_chain.txt, and private_key.txt files are unchanged and can stay in your existing key store.- macOS or Linux
- Windows (PowerShell)
history -c on Bash or Zsh, Clear-History on PowerShell.How Oleria handles the private key
The Private Key field in the integration form is masked to prevent shoulder-surfing during entry. The value is transmitted to Oleria over TLS and persisted in AWS Secrets Manager, which provides encryption at rest with KMS-managed keys and audit logging on every access. Access to the secret is scoped to the Oleria service that authenticates to Entra ID; no human operator and no other Oleria service can read it. Oleria does not write the private key to application logs, databases, or temporary files. It is read from AWS Secrets Manager into process memory only when authenticating to Entra ID, and is held in memory only for the duration of that authentication.Check the Oleria App in Your Entra ID Instance
Find the Oleria app in Enterprise applications

View granted permissions


