Prerequisites

Before you install HaloSHARE, make sure the following prerequisites are in place.

Registering an Application in Microsoft Entra ID

This section will guide you through the steps of registering an application, obtaining the Client ID and Directory ID, and assigning permissions to the application.

Microsoft documentation

Registering an application in Microsoft Entra ID establishes a trust connection between your application and the identity provider, the Microsoft identity platform.

The information in the Microsoft documentation overrides any information published in this section. For a comprehensive description, refer to Microsoft documentation.

Prerequisite: You must have sufficient permissions to register an application with your Microsoft Entra ID tenant.

Create an Application

Follow these steps to register the application:

  1. Log in to the Microsoft Entra admin center using an account that has administrator privileges.

  2. If you have access to multiple tenants, click the Settings icon in the top menu and select the tenant for which you want to register the application from the Directories + subscriptions menu.

  3. You will be directed to the homepage.

    Selecting Microsoft Entra ID

  4. On the left side of the navigation pane, click Identity > Applications > App registrations.

  5. On the App registrations page, click New registration or the Register an Application button (this button appears only if no applications have been created yet).

    New application registration

  6. On the Register an application page, enter the registration details for your application.

    Application details

    1. In the Name field, enter an appropriate application name.

    2. Under Supported account types, select the option Accounts in this organizational directory only (single tenant). As of now, HaloSHARE Service only supports a single tenant.

    3. Under Redirect URI, select Web, and then type a valid redirect URI for your application. For example, https://localhost.

    4. When finished, click Register.

  7. The home page of the new application is created and displayed.

    Application ID and Tenant ID

  8. The following values are shown on the portal once registration is complete. To copy and save the ID value in a text editor, hover your cursor over it and click the Copy to clipboard icon.

    1. Application ID – It is also referred to as Client ID.

    2. Directory ID – It is also referred to as Tenant ID.

Save the authentication parameters

In a text editor (such as Notepad), save the values of Application (client) ID and Directory (tenant) ID. You need them to initialize HaloSHARE.

Add Required Permissions 

To protect content with MIP SDK, you must provide the necessary API permissions to the application created in the previous section.

  1. In the sidebar of the application page, select API permissions. The API permissions page for the new application registration appears.

  2. Click the Add a permission button. The Request API permissions page appears.

  3. Under the Select an API setting, select APIs my organization uses. A list appears containing the applications in your directory that expose APIs.

  4. In the search box, type in the name of the permission indicated in the "Required Permissions" table below. Alternatively, you could scroll to find the API.

  5. For example, type Microsoft Information Protection Sync Service into the search box. The following figure shows how the API is listed:

    API selection

  6. Click the displayed API. The page shows two permission types: Delegated permissions and Application permissions.

  7. Click the Application permissions button, and then, under the Permission section, select the check box for Read all unified policies of the tenant.

    Adding permission

  8. Click Add permissions.

  9. Repeat the steps above to add the other required permissions listed in the “Required permissions” table below.

  10. You will be taken back to the API permissions page, where the permissions have been saved and added to the table with the status Not granted.

    Required API Permissions

  11. Click the Grant admin consent for your company button. When prompted to confirm the consent, click Yes.

  12. After accepting the admin consent, the Status will change to Granted.

    API Permissions with admin consent

  13. The following table lists the required permissions.

| API / Permission Name | Display Name | Type | Description |
| --- | --- | --- | --- |
| Microsoft Graph | User.Read | Delegated | Sign in and read the user profile. This API permission is added by default, but HaloSHARE does not use it. |
| Azure Rights Management Services (Microsoft Rights Management Services) | Content.DelegatedWriter | Application | Create protected content on behalf of a user |
| Azure Rights Management Services (Microsoft Rights Management Services) | Content.Writer | Application | Create protected content |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read | Application | Read all unified policies of the tenant |

Required permissions #1

Additional Permission (Only for Relabeling)

The above-mentioned permissions are adequate for applying the MPIP label to a file. In addition, HaloSHARE requires the following superuser privilege to relabel a file.

| API / Permission Name | Display Name | Type | Description |
| --- | --- | --- | --- |
| Azure Rights Management Services (Microsoft Rights Management Services) | Content.SuperUser | Application | Read all protected content for this tenant in the Azure portal |

Required permissions #2
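
One way to check that the consented application permissions match the two tables above and nothing more, so that Content.SuperUser is flagged when relabeling is not in use. This is an added example, not HaloSHARE or Microsoft code; the function names, the sample list and the client ID placeholder are assumptions, and the live lookup needs the Microsoft.Graph PowerShell module.

```powershell
# Added example, not vendor code. Permission names are taken from the two tables above.
$Required    = 'Content.DelegatedWriter', 'Content.Writer', 'UnifiedPolicy.Tenant.Read'
$RelabelOnly = 'Content.SuperUser'   # superuser right, required only for relabeling

# Hypothetical helper: compare what was granted against what the page requires.
function Compare-GrantedAppRoles {
    param([string[]]$Granted, [switch]$Relabeling)
    $allowed = if ($Relabeling) { $Required + $RelabelOnly } else { $Required }
    [pscustomobject]@{
        Missing    = @($allowed | Where-Object { $_ -notin $Granted })
        Unexpected = @($Granted | Where-Object { $_ -notin $allowed })
    }
}

# Hypothetical helper: read the application permissions that have admin consent.
# Delegated permissions such as User.Read are not app role assignments and
# therefore do not appear in this list.
function Get-GrantedAppRoles {
    param([Parameter(Mandatory)][string]$ClientId)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        # Resolve the role GUID to its name (for example Content.Writer) on the API's service principal.
        $api = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        ($api.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
    }
}

# Constructed sample: an app that was also given the relabeling permission.
$sample = 'Content.DelegatedWriter', 'Content.Writer', 'UnifiedPolicy.Tenant.Read', 'Content.SuperUser'
Compare-GrantedAppRoles -Granted $sample               # Unexpected: Content.SuperUser
Compare-GrantedAppRoles -Granted $sample -Relabeling   # Missing and Unexpected both empty

# Against a tenant (replace the placeholder with the saved Application (client) ID):
# Connect-MgGraph -Scopes 'Application.Read.All'
# Compare-GrantedAppRoles -Granted (Get-GrantedAppRoles -ClientId '<APPLICATION-CLIENT-ID>')
```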

Upload the Certificate in Azure Portal 

HaloSHARE authenticates with a certificate, so you must add your certificate to the registered application.

Prerequisites: 

  1. Certificate

    1. Make sure you have a valid certificate whose key was created with settings such as -KeyExportPolicy Exportable and -KeySpec Signature.

    2. The certificate can also be self-signed. Note: As a best practice and for security reasons, we recommend using a self-signed certificate only in a test environment, NOT in a production environment.

  2. Install the certificate:

    1. Make sure to install this certificate on the Windows Server machine where HaloSHARE is going to be installed.

    2. The certificate store can be either Current User or Local Computer.

    3. If it is a self-signed certificate, it should also be installed in Trusted Root Certification Authorities.

    4. If the certificate is signed, the root CA and the intermediate CA (if any) should also be installed in the respective trusted store.

To upload the public key of the certificate, follow these steps:

  1. In the sidebar of the new application page, select Certificates & secrets.

  2. Under the Certificate section, click Upload certificate. The Upload certificate dialog appears as shown in the below figure:

    Upload certificate #1

  3. Click the folder icon to select the certificate, and then click Open. For illustration purposes, the file DESKTOP001.cer is used.

  4. Now, click Add. The certificate is uploaded and its thumbprint is displayed on the page as shown in the figure below:

    Upload certificate #2

  5. You are now ready to install HaloSHARE.
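
A check of the certificate prerequisites above, followed by an export of the public certificate only, as an added example that is not HaloSHARE or Microsoft code. The function name, the thumbprint placeholder and the output path are assumptions; run it on the Windows Server that will host the service.

```powershell
# Added example, not vendor code. Replace the placeholder with your certificate's thumbprint.
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'
$CerPath    = Join-Path $env:TEMP 'app-auth-public.cer'   # assumed output location

function Test-AppAuthCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # The page allows either store location: Current User or Local Computer.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My or LocalMachine\My." }

    # Build the chain against the local trust stores only (no revocation lookup).
    # This confirms that the root and any intermediate CA are installed as required.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        Certificate   = $cert
        Store         = $cert.PSParentPath -replace '^.*::', ''
        HasPrivateKey = $cert.HasPrivateKey               # the service needs the key to authenticate
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # test environments only, per the note above
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus.Status -join ', ')
    }
}

$result = Test-AppAuthCertificate -Thumbprint $Thumbprint
$result | Format-List Store, HasPrivateKey, InValidity, SelfSigned, ChainTrusted, ChainStatus

if ($result.HasPrivateKey -and $result.InValidity -and $result.ChainTrusted) {
    # Export-Certificate writes only the public certificate (.cer). The private key
    # stays on the server; this file is what gets uploaded to the app registration.
    Export-Certificate -Cert $result.Certificate -FilePath $CerPath -Type CERT | Out-Null
    "Public certificate written to $CerPath"
} else {
    Write-Warning 'Certificate does not meet the prerequisites; nothing exported.'
}
```

Compare the thumbprint shown in the portal after the upload with the one checked here to confirm that the intended certificate was registered.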

Create and Configure the Sensitivity Labels

As an administrator, you can create, configure, and publish sensitivity labels for various levels of content sensitivity based on your organization's classification taxonomy. Use names or terms that are familiar to your users. Consider starting with label names like Personal, Public, General, Confidential, and Highly Confidential if you don't already have a taxonomy in place. For more details, please refer to Microsoft online documentation.

Others

  1. To install the service, you must have local administrator privileges.

  2. To run the service, you can use a user account with administrative privilege or non-administrative privilege.

  3. The user who initializes the service should have appropriate permissions on the source and destination folders. In addition, the user who is running the service should have access to that network location in the format of an IP address. For example, \\10.0.0.138\foldername

  4. Watermarking CAD files:

    1. Make sure that CAD applications such as Revit or AutoCAD are available on the system where HaloSHARE will be installed. This check is necessary because the HaloSHARE installer will only install the required watermarking files if the relevant CAD application-related files are present.

    2. Make sure the SharePoint folder is set to sync with the local mapped drive. Files marked Always keep on this device have a green circle with a white check mark. This ensures that files are downloaded on your machine automatically.

    3. Make sure you have a machine certificate to preserve the watermarked files. Install this certificate on the Windows Server machine where HaloSHARE will be installed. The certificate store can be either Current User or Local Computer.

      1. A self-signed certificate: It should also be installed in Trusted Root Certification Authorities. Note: As a best practice and for security reasons, we recommend using a self-signed certificate only in a test environment, NOT in a production environment.

      2. A root CA (certificate authority) signed certificate: The root CA and intermediate CA authority (if any) should also be installed in the respective trusted store.

  5. Before you begin, make sure that neither the user who runs the service nor any group that the user belongs to is listed in the Deny log on as a service policy (Local Security Policy > Security Settings > Local Policies > User Rights Assignment). If the user or group is listed there, the message Error 1069: The Service did not start due to a logon failure appears when you run HaloSHARE.

  6. Watermark in Revit application: The RevitLookup tool is required to view the custom properties (metadata) in the Revit application. After applying the watermark, navigate to Revit Lookup > Dashboard > Schemas > HaloMetadataInfo > GetElements > GetEntity (Schema) > Get ().
