Create Cognitive Search Service indexer for SharePoint data source on behalf of user: Unable to get connected to your resource

Macháček Martin 211 Reputation points
2023-11-08T12:14:40.2733333+00:00

I've created a Cognitive Search service and enabled the managed identity.

The data source is a SharePoint site from another tenant. In another tenant I've created an Entra app with delegated permissions Sites.Read.All and Files.Read.All. All permissions have been granted.

JSON definition for the data source is

{
    "name": "sharepoint-datasource",
    "type": "sharepoint",
    "credentials": {
        "connectionString": "SharePointOnlineEndpoint=https://<tenant_name>.sharepoint.com/sites/<site_name>;ApplicationId=<application_id>;TenantId=<tenant_id>"
    },
    "container": {
        "name": "defaultSiteLibrary",
        "query": null
    }
}

JSON definition for the indexer is

{
    "name" : "sharepoint-indexer",
    "dataSourceName" : "sharepoint-datasource",
    "targetIndexName" : "sharepoint-index",
    "parameters": {
      ...
      "configuration": {
        "indexedFileNameExtensions" : ".pdf, .docx",
        "excludedFileNameExtensions" : ".png, .jpg",
        "dataToExtract": "contentAndMetadata"
      }
    },
    "schedule" : { },
    "fieldMappings" : [
        { 
          "sourceFieldName" : "metadata_spo_site_library_item_id", 
          "targetFieldName" : "id", 
          "mappingFunction" : { 
            "name" : "base64Encode" 
          } 
         }    
    ]
}

Once I clicked the Save button, I sent a request to get the status of the indexer.

The status and the error message indicate that I need to authenticate:

"status": "transientFailure", "errorMessage": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CBJXPDJY3 to authenticate"

I've opened the page, entered the device code and authenticated.


It looks promising, but in the Azure Portal I see that the indexer is still saving and nothing happens. After several minutes it fails with the error.

Error with data source: Unable to get connected to your resource. If your administrator has not given consent, use this link to grant administrative consent. https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=%3C%3CapplicationId%3E%3E&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&scope=.default. Please adjust your data source definition in order to proceed.

The administrator has already given consent, so it's confusing what can be the real issue and how to resolve it.

I'm starting to believe that the issue is not on my side.

When using an application secret in the data source's connection string, the indexer is created.

Azure AI Search

Accepted answer
  1. SnehaAgrawal-MSFT 21,506 Reputation points
    2023-11-10T03:59:41.2433333+00:00

    @Macháček Martin Thanks for reaching here!

    We would like to inform you about a known issue and authentication behavior change with the Azure Cognitive Search SharePoint indexer (preview) when using user delegated permissions only.

    This issue has been acknowledged by the Product Team and it affects:

    a) The creation of a Cognitive Search service indexer for SharePoint data sources

    b) Scheduled indexers

    Issue: Creation of a Cognitive Search service indexer for SharePoint data sources is not possible when utilizing user delegated permissions

    Our team is actively addressing the issue with a sense of urgency. However, we regret to inform you that we are currently unable to provide an estimated time for its resolution.

    Suggested workaround: In the meantime, we recommend using application permissions as a workaround, rather than user delegated permissions. This change should enable you to create new indexers until the hotfix is implemented.

    We sincerely apologize for any inconvenience this may have caused and for the disappointing news. We appreciate your understanding and patience as we work to resolve these issues.

    Please let us know if you have any further queries on this. Thank you.

    1 person found this answer helpful.
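
The workaround in this thread moves the data source from the delegated (device-code) form of the connection string to the application-permissions form, which embeds a client secret in the definition. The following Python helper is an added example, not code from the thread or from Microsoft: it classifies a data source definition by auth mode, flags unreplaced placeholders such as those in the posted definition, and masks the secret before the definition is logged or shared. The `ApplicationSecret` key name is not shown on this page and is taken from the SharePoint indexer documentation; the function names and all sample values are constructed for illustration.

```python
# Added example: not code from the thread or from Microsoft; names are hypothetical.
import copy

REQUIRED = ("SharePointOnlineEndpoint", "ApplicationId", "TenantId")

def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict (values may contain '=')."""
    fields = {}
    for part in filter(None, (p.strip() for p in cs.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {part!r}")
        fields[key.strip()] = value.strip()
    return fields

def review_datasource(definition):
    """Return (auth_mode, findings) for a SharePoint data source definition."""
    fields = parse_connection_string(definition["credentials"]["connectionString"])
    findings = [f"missing {k}" for k in REQUIRED if not fields.get(k)]
    findings += [f"unreplaced placeholder in {k}"
                 for k, v in fields.items() if "<" in v or ">" in v]
    endpoint = fields.get("SharePointOnlineEndpoint", "")
    if endpoint and not endpoint.startswith("https://"):
        findings.append("endpoint is not https")
    # Secret present -> application permissions; absent -> delegated device-code flow.
    mode = "application" if fields.get("ApplicationSecret") else "delegated"
    if mode == "application":
        findings.append("client secret embedded: redact before logging or committing")
    return mode, findings

def redact(definition):
    """Return a copy with the ApplicationSecret value masked for logs and tickets."""
    safe = copy.deepcopy(definition)
    fields = parse_connection_string(safe["credentials"]["connectionString"])
    if "ApplicationSecret" in fields:
        fields["ApplicationSecret"] = "***REDACTED***"
    safe["credentials"]["connectionString"] = ";".join(f"{k}={v}" for k, v in fields.items())
    return safe

# Constructed sample values (contoso, zero GUIDs, fake secret), not from the page.
_BASE = ("SharePointOnlineEndpoint=https://contoso.sharepoint.com/sites/docs;"
         "ApplicationId=00000000-0000-0000-0000-000000000001;"
         "TenantId=00000000-0000-0000-0000-000000000002")
DELEGATED = {"name": "sharepoint-datasource", "type": "sharepoint",
             "credentials": {"connectionString": _BASE}}
APP_ONLY = {**DELEGATED, "credentials": {"connectionString": _BASE + ";ApplicationSecret=fake-secret-value"}}

if __name__ == "__main__":
    print(review_datasource(APP_ONLY), redact(APP_ONLY)["credentials"]["connectionString"])
```

Application permissions are granted to the app itself rather than to a signed-in user, so the secret in this definition should be handled like any other service credential.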