SWOOP for SharePoint Set Up Guide (Custom)
This guide will walk you through how to set up SWOOP for SharePoint with some unique custom configuration options:
- Limit the access for the SWOOP for SharePoint data-miner to selected SharePoint sites (this uses the SharePoint permission Sites.Selected)
- Limit the SWOOP for SharePoint JS Tracker to be installed only on selected SharePoint sites
Prerequisites required for you to follow these instructions
- Check that the audit log function in M365 Admin has NOT been turned off. We use this, along with the Microsoft Graph and our JS Tracking app, to gather the analytics in SWOOP for SharePoint.
- You need an M365 Global Admin available who can grant permissions to the SWOOP for SharePoint data-miner and the SWOOP for SharePoint analytics engine. The specific permissions required are outlined further below.
- You have a list of the SharePoint sites you want to include as your "Intranet". The list must consist of either the SharePoint site IDs or the site URLs.
- You need to have a person who can run PowerShell commands.
Before you start: Allow the SWOOP for SharePoint data-miner access to the SharePoint sites
Before you start the installation process, you will need to allow the SWOOP for SharePoint data-miner access to the specific SharePoint intranet sites. This is done in PowerShell. Follow the steps below to set up PowerShell and configure SharePoint so the selected intranet sites can be connected to the SWOOP data-miner.
Getting started using PowerShell
You will need the following:
This can be done locally or through a Docker container. With a local install, you can use the Interactive login; with the Docker install (using the image m365pnp/powershell:latest) you have to use the Device login. To get a login working, you need an Entra app with the delegated Sites.FullControl.All permission and a custom redirect to http://localhost (Note: this is NOT the final app used by the miner). More information about the app can be found here: https://pnp.github.io/powershell/articles/registerapplication.html
Running PowerShell PnP:
Grant the SWOOP Azure App permission to selected SharePoint intranet sites
- In PowerShell, paste the following code, replacing the SharePoint site URL with the URL you wish to connect and the other variables with appropriate values.
Note: the login requires an Azure application with delegated Sites.FullControl.All permission with a custom redirect to http://localhost. More information can be found on PnP GitHub. This application is NOT the final application the miner uses.
Connect-PnPOnline -Url $SITEURL -ClientID $CLIENTID -Tenant $DOMAINNAME.onmicrosoft.com -DeviceLogin
- You will be asked to log in at https://microsoft.com/devicelogin
- Paste the grant command; it will allow the Azure Application to connect with the site.
Grant-PnPAzureADAppSitePermission -AppId "645db201-85c4-490b-a5a8-3054feef2f91" -DisplayName "SWOOP for SharePoint Site Access" -Permissions Read
- Repeat the above steps for each site URL.
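The per-site repetition above can be scripted. The following is an added example, not SWOOP's or PnP's own script: it logs in once, grants Read on every site in a list through the cmdlet's -Site parameter instead of reconnecting per site, then reads each grant back to confirm the app holds nothing broader than Read. The file name sites.txt, the placeholder values and the variables $SwoopAppId and $GrantName are assumptions, as is the shape of the returned objects (Id, Roles, Apps).

```powershell
# Added example, not SWOOP's or PnP's own script.
# sites.txt (one site URL per line) is a hypothetical file name.
$SITEURL    = "https://contoso.sharepoint.com/sites/intranet"  # placeholder
$CLIENTID   = "00000000-0000-0000-0000-000000000000"           # placeholder: your PnP login app
$DOMAINNAME = "contoso"                                        # placeholder
$SwoopAppId = "645db201-85c4-490b-a5a8-3054feef2f91"           # AppId given in this guide
$GrantName  = "SWOOP for SharePoint Site Access"

$sites = Get-Content -Path .\sites.txt |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^#' }

# One device login; every later call targets a site through -Site.
Connect-PnPOnline -Url $SITEURL -ClientId $CLIENTID -Tenant "$DOMAINNAME.onmicrosoft.com" -DeviceLogin

$report = foreach ($site in $sites) {
    try {
        # Skip the grant when the app already holds a permission on this site.
        # Assumes returned objects expose Id, Roles and Apps (each app with an Id).
        $perms = @(Get-PnPAzureADAppSitePermission -Site $site -ErrorAction Stop |
            Where-Object { $_.Apps.Id -contains $SwoopAppId })
        if ($perms.Count -eq 0) {
            $perms = @(Grant-PnPAzureADAppSitePermission -AppId $SwoopAppId -DisplayName $GrantName -Permissions Read -Site $site -ErrorAction Stop)
        }
        foreach ($p in $perms) {
            # Re-read each permission by Id so the roles are populated.
            $detail = Get-PnPAzureADAppSitePermission -Site $site -PermissionId $p.Id -ErrorAction Stop
            $roles  = @($detail.Roles)
            [pscustomobject]@{
                Site     = $site
                Roles    = $roles -join ','
                ReadOnly = ($roles.Count -gt 0) -and (@($roles | Where-Object { $_ -ne 'read' }).Count -eq 0)
                Error    = $null
            }
        }
    }
    catch {
        [pscustomobject]@{ Site = $site; Roles = $null; ReadOnly = $false; Error = $_.Exception.Message }
    }
}

$report | Format-Table -AutoSize
# Anything broader than Read, or a site that failed, needs attention before continuing.
$report | Where-Object { -not $_.ReadOnly } | ForEach-Object { Write-Warning "Review $($_.Site): $($_.Roles) $($_.Error)" }
```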
1. Start the installation process
Click on the Manual Miner Permission option to start the installation process. NOTE: you will need Global Admin permission beyond this point to correctly add the enterprise app to your tenant:
2. Complete the setup form
Add the details of what you want your SWOOP site to be named, along with your organisational details.
Once completed, check your tenant details and click 'Next'.
3. Grant permissions to the SWOOP for SharePoint data-miner
It may take a few minutes to process before you are asked to consent to the miner being activated.
Clicking on the Start Consent Process for Data Miner will open a new tab with a url of:
https://miner-[your_org].swoopanalytics.com/
where [your_org] is the name of the site you entered in the setup form.
In the new tab, you will need to log in to M365 using a Global Admin account and accept the permissions when asked:
Here is an overview of the permissions that are granted to the SWOOP for SharePoint data-miner:
| Permission | API | Permission Type |
| Sites.Selected | Microsoft Graph | Application |
| User.Read | Microsoft Graph | Delegated |
| User.Read.All | Microsoft Graph | Application |
| Sites.Selected | SharePoint API | Application (via SWOOPcert) |
| ActivityFeed.Read | O365 Management API | Application |
4. Add the sites you want to include in SWOOP for SharePoint
Refer to your list of the SharePoint sites you would like to add to SWOOP for SharePoint. Copy/paste either the site ID or the site URL. Then click 'Add site':
Pro-tip: If you have multiple sites, then use the 'Upload CSV' button to upload a list of your SharePoint sites.
Once you've added the sites, click 'Save'.
5. Generate a token
Click the 'Generate Token' button. You will see a block of text appear in the SharePoint Configuration box, which you will be using later on to set up the JS Tracking app so it only includes the selected SharePoint sites.
This is a one-time step, and you do not need to repeat this, even if you need to add additional SharePoint sites at a later stage.
6. Set up the SWOOP for SharePoint JS Tracker app
The SWOOP JS Tracker App must be installed on each site that is to be monitored. This can be set up in multiple ways, depending on whether it is available to be added from the SharePoint store and whether it is added to all sites (read more about this further below).
This app sends information from the user's browser to SWOOP via an Azure ServiceBus queue system. It monitors users' movements through the SharePoint intranet pages, only on the sites it has been configured to monitor. No sensitive user information is gathered, and most of the data is in ID format related to the internal SharePoint page and site IDs.
The SWOOP JS Tracker App is available in the SharePoint store:
Go to the Microsoft Admin Center, and from there access the SharePoint Admin Center. In the SharePoint Admin Center click More Features / Apps / SharePoint Store
In the SharePoint Store, search for "SWOOP" to find the SWOOP Analytics For SharePoint JS Tracker. Click to open.
Click 'Add to Apps site':
You will now be asked to "Confirm data access":
There are two options:
- Only enable this app - This will make the app available for all SharePoint sites. However, a SharePoint admin will need to manually enable the extension on each site before continuing to the next step.
- Enable this app and add it to all sites (recommended) - This will make the JS Tracker work on all sites, and is the simplest. Note that ONLY sites you add via the JS Tracker app in SharePoint (see below) will be tracked by SWOOP Analytics.
Follow the instructions below for either of these options.
| OPTION 1: Only enable this app | |
|
Go to each of the SharePoint sites you are adding to SWOOP for SharePoint and click ‘Settings’, then click “Add an app”. Then add the SWOOP Analytics JS tracker to the site. Repeat for each SharePoint intranet site.
In PowerShell, log in to the SharePoint site using this command:
Copy the SharePoint config data and run this command (replace $CONFIG with the copied content).
To check if the command has been successfully run, use:
(Get-PnPApplicationCustomizer -ClientSideComponentId "5a4e7bf2-53af-456e-abd7-e3a64f9cd46f" -Scope Site).ClientSideComponentProperties
IMPORTANT: If you see more than one " Get-PnPApplicationCustomizer (To get the IDs)
|
|
| OPTION 2: Enable this app and add it to all sites | |
|
Click 'Add' to enable the SWOOP for SharePoint JS Tracker on all sites.
In this step, we will take the JSON configuration data from the SWOOP data-miner and add it to the JS Tracker app in SharePoint, so it knows which SharePoint intranet sites to track.
Copy the SharePoint Configuration JSON text from the SWOOP data miner:
Go to the SharePoint Admin Center. Click More Features / Apps / More Features / Tenant wide extensions and click 'Open':
Click 'Edit this list' to edit, and edit the 'Component properties' field. Paste the JSON text in this field:
Click 'Stop editing this list' to save your changes.
Note: SWOOP will ONLY track sites that are included during this step. No data will be transferred unless they are included in the JSON configuration.
|
IMPORTANT - Add SWOOP to the Trusted Script Sources
Regardless of whether you have chosen option 1 or 2 you need to complete this part of the setup.
Microsoft implements Content Security Policies (CSP) for SharePoint. This prevents scripts from running unless they are trusted.
Once you have added the app, you need to go to the Trusted Script Sources found in SharePoint Online Admin Center > Advanced > Script sources.
Click on add a source and paste in the SWOOP domain:
https://*.swoopanalytics.com
Click on add.
Switch back to the SWOOP Data Miner for the next step.
7. Allow users access to SWOOP for SharePoint
Now visit the site name you claimed in step 2 e.g. https://[your site name].swoopanalytics.com
You will see a request to grant consent for everyone in your organisation to be able to log into the SWOOP interface using their M365 credentials.
Your SWOOP for SharePoint site will open in a new tab and it will request that you log into Microsoft. You need to log in as an M365 Global Admin to grant the consent. Tick the 'Consent on behalf of your organisation' box and then 'Accept'.
SWOOP for SharePoint will be provided with these permissions:
| Permission | API | Permission Type |
| User.Read | Microsoft Graph | Delegated |
| User.ReadBasic.All | Microsoft Graph | Delegated |
| profile | Microsoft Graph | Delegated |
| openid | Microsoft Graph | Delegated |
| People.Read | Microsoft Graph | Delegated |
8. Set up is complete. Initial data-mining is in progress
You will get a confirmation in the SWOOP for SharePoint site that the setup is complete. It will take anywhere from 2-12 hours for the initial mining to complete.
The setup process is now complete and users can access the reports through the URL set up in Step 5.