Question

We are trying to set up SharePoint online app-only access. We are writing a C# application using https://github.com/SharePoint/PnP-Sites-Core

The first thing we did was (successfully) test this login configuration endpoint, which takes the following inputs:

siteUrl: Site for which the ClientContext object will be instantiated
appId: Application ID which is requesting the ClientContext object
appSecret: Application secret of the Application which is requesting the ClientContext object

(Reference https://www.c-sharpcorner.com/article/authenticate-sharepoint-using-pnp-authentication-manager/)

We were able to set up the application by doing these steps:

  • Go to https://apps.dev.microsoft.com/#/appList
  • Click "Add an app"
  • Enter the following:

    • The Application ID (also known as client_id) assigned by the app registration portal.
    • An Application Secret, either a password or a public/private key pair (certificate).
    • A Redirect URL for your service to receive token responses from Azure AD.
    • A Redirect URL for your service to receive admin consent responses if your app implements functionality to request administrator consent.
  • Give the app appropriate permissions.
  • Save. This now creates a client ID and app Secret you can use for auth with SPO.

This seems to work fine. Great!

But we noticed there are login configurations that take a private key, such as this login endpoint:

siteUrl: Site for which the ClientContext object will be instantiated
clientId: The Azure AD Application Client ID
tenant: The Azure AD Tenant, e.g. mycompany.onmicrosoft.com
storeName: The name of the store for the certificate
storeLocation: The location of the store for the certificate
thumbprint: The thumbprint of the certificate to locate in the store
certificatePath: The path to the certificate (*.pfx) file on the file system
certificatePassword: Password to the certificate

It says:

Gets a SharePoint client context using Azure Active Directory App Only Authentication. This requires that you have a certificate created, and updated the key credentials key in the application manifest in the Azure AD accordingly.

We can tell our app integrator customers are going to want this approach because a PFX is in general more secure than an appSecret.

But we cannot find any documentation for setting up SPO App-only access with this type of login configuration.

Does anyone know what the steps are to configure your SPO to do this?


Solution

About the GetAppOnlyAuthenticatedContext method, an easier way to register for an app id and app secret is by registering an app (add-in) in SharePoint Online itself. This article should give more details: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

Now about your main question regarding the GetAzureADAppOnlyAuthenticatedContext method and using Azure AD App Only with a cert instead of an app secret, this walk-through should give you all the information: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

This is the preferred way of auth as you can easily authenticate with other Office 365 services besides SharePoint Online as well.
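The certificate-based call the question asks about, as an added C# example that is not part of the original question or answer and not the PnP-Sites-Core project's own sample. It assumes the OfficeDevPnP.Core.AuthenticationManager class exposes GetAzureADAppOnlyAuthenticatedContext overloads shaped like the parameter list quoted in the question (site URL, client id, tenant, then either store name/location/thumbprint or a PFX path/password); the site URL, client id, tenant and thumbprint values are placeholders to replace with your own. It checks the certificate before handing it to PnP so that a missing private key or an expired certificate fails with a clear message instead of an opaque token error:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.SharePoint.Client;
using OfficeDevPnP.Core;

// Added example (not from the original post or from PnP-Sites-Core).
// All four constants below are placeholders for values from your own tenant
// and Azure AD app registration.
public static class CertAppOnlyContext
{
    const string SiteUrl    = "https://contoso.sharepoint.com/sites/demo";      // placeholder
    const string ClientId   = "00000000-0000-0000-0000-000000000000";            // placeholder app (client) id
    const string Tenant     = "contoso.onmicrosoft.com";                         // placeholder tenant
    const string Thumbprint = "REPLACE_WITH_CERTIFICATE_THUMBPRINT";             // placeholder

    // Preferred form: the certificate lives in the machine store with a
    // non-exportable private key, so no PFX file or password is ever written
    // to disk or configuration. Overload shape assumed from the question's parameter list.
    public static ClientContext FromStore()
    {
        CheckCertificate(StoreName.My, StoreLocation.LocalMachine, Thumbprint);
        var am = new AuthenticationManager();
        return am.GetAzureADAppOnlyAuthenticatedContext(
            SiteUrl, ClientId, Tenant, StoreName.My, StoreLocation.LocalMachine, Thumbprint);
    }

    // Fallback form: a PFX on disk. The password is read at runtime from an
    // environment variable (name chosen for this example) rather than hard-coded.
    public static ClientContext FromPfx(string pfxPath)
    {
        string pfxPassword = Environment.GetEnvironmentVariable("SPO_PFX_PASSWORD")
            ?? throw new InvalidOperationException("SPO_PFX_PASSWORD is not set");
        var am = new AuthenticationManager();
        return am.GetAzureADAppOnlyAuthenticatedContext(SiteUrl, ClientId, Tenant, pfxPath, pfxPassword);
    }

    // Pre-flight check: locate the certificate and verify it is usable for signing.
    static void CheckCertificate(StoreName name, StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly:false so an expired certificate is found and reported, not silently skipped
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"No certificate with thumbprint {thumbprint} in {location}\\{name}");

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate found but has no private key; only the public key was imported");
            if (cert.NotAfter < DateTime.Now)
                throw new InvalidOperationException(
                    $"Certificate expired on {cert.NotAfter:u}; renew it and update keyCredentials in the app manifest");
        }
    }

    public static void Main()
    {
        using (ClientContext ctx = FromStore())
        {
            Web web = ctx.Web;
            ctx.Load(web, w => w.Title);
            ctx.ExecuteQuery();
            Console.WriteLine($"Connected app-only to: {web.Title}");
        }
    }
}
```

The process running this code needs read access to the private key in the LocalMachine store and nothing else; the public key is what goes into the app manifest's keyCredentials entry that the quoted documentation refers to, so the private half never leaves the machine.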

Licensed under: CC-BY-SA with attribution