OneDrive Connector
Documentation
Version: 9
Documentation
Authentication

Application Credentials with Certificate (Sign JWT with Private Key)


Description

Similar to Assplication-only access but with JWT sign with Private Key [API reference]

Instructions

Follow these simple steps below to create Microsoft Entra ID application with application access permissions. Using following steps, you can grant very granular app permissions to access File(s). Choose permission based on your need.

Create OAuth app

  1. Navigate to the Azure Portal and log in using your credentials.
  2. Access Microsoft Entra ID.
  3. Register a new application by going to App registrations and clicking on New registration button: Start new app registration in Microsoft Entra ID
    INFO: Find more information on how to register an application in Graph API reference.
  4. When configuration window opens, configure these fields:
    • Supported account type
      • e.g. select Accounts in this organizational directory only if you need access to data in your organization only.
    Register app in Microsoft Entra ID
  5. After registering the app, copy the Application (client) ID for later: Copy client ID of Microsoft Entra ID app
  6. Then copy OAuth authorization endpoint (v2) & OAuth token endpoint (v2) URLs: Copy Auth and Token URLs in Microsoft Entra ID app

Configure App Permissions

  1. Continue by adding permissions for the app by going to the API permissions section, and clicking on Add a permission: Start adding permissions to Microsoft Entra ID app
  2. Select Microsoft Graph: Select Graph API permissions for Microsoft Entra ID app
  3. Then choose Application permissions option: Select app permissions for Microsoft Entra ID app
  4. Continue by adding these Files (OneDrive) permissions (Just search for "Files" and then select desired permissions): Select OneDrive scopes
  5. Finish by clicking Add permissions button: Add permissions to Microsoft Entra ID app
  6. Now it's time to Grant admin consent for your application: Grant admin consent for Microsoft Entra ID app
  7. Confirm all the permissions are granted: Admin consent granted successfully in Entra ID

Generate a Self-Signed Certificate

Now let's go through setting up a certificate-based authentication flow for Microsoft Graph or other Azure AD protected APIs using client credentials and a JWT.

You can use OpenSSL or any other way to generate Certificate file but to make it simple we will use below example PowerShell script.

Open PowerShell and execute code listed in below steps.


# Run this in PowerShell
#Change .AddYears(1) to desired number. By default it expires certificate in one year as per below code.

$cert = New-SelfSignedCertificate `
  -Subject "CN=MyClientAppCert" `
  -KeySpec Signature `
  -KeyExportPolicy Exportable `
  -KeyLength 2048 `
  -CertStoreLocation "Cert:\CurrentUser\My" `
  -KeyAlgorithm RSA `
  -HashAlgorithm SHA256 `
  -NotAfter (Get-Date).AddYears(1) `
  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

# Export private key (.pfx)  - Keep this with you to make API calls (SECRET KEY - DONOT SHARE)
$pfxPath = "$env:USERPROFILE\Desktop\private_key.pfx"
$pwd = ConvertTo-SecureString -String "yourStrongPassword123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pwd

# Export public certificate (.cer) - UPLOAD this to Azure Portal
$cerPath = "$env:USERPROFILE\Desktop\public_key.cer"
Export-Certificate -Cert $cert -FilePath $cerPath

Upload the Certificate (i.e. Public Key *.cer)

Once we have certificate file generated.
  1. In your App Registration, go to Certificates & secrets
  2. Under Certificates, click Upload certificate
  3. Select the .cer file (public certificate) Upload public key (certificate file) for App-Credentials (JWT Auth)
  4. Click Select a file (Browse button)
  5. Select public key file (*.cer) from local machine and click OK to upload

Configure ZappySys Connection - Use private key (i.e. *.pfx or *.pem)

Now its time to use certificate pfx file (private key) generated in the previous step (NOTE: PFX file contains both private key and public key).
  1. Go to SSIS package or ODBC data source and use the copied values in Application Credentials authentication configuration:
    • In the Token URL field paste the OAuth token endpoint (v2) URL value you copied in the previous step.
    • In the Client ID field paste the Application (client) ID value you copied in the previous step.
  2. Configure private key
    • go to Certificate Tab
    • Change Storage Mode to Disk File: *.pfx format (PKCS#12).

      NOTE: You can also use Stored In LocalMachine mode if PFX file already imported in the Local Certificate Storage Area - User Store OR Machine Store.

      If you used OpenSSL to generate key pair then use Disk File: *.pem format (PKCS#8 or PKCS#1) Mode for Cert Store Location.

    • Supply the key file path
    • Supply the certificate password (same password used in earlier PowerShell script)
  3. Now go back to General Tab, choose Default Group / User Id and Default Drive Id from the drop down menu.
  4. Click Test connection see everything is good

Parameters

Parameter Required Default value Options
Name: TokenUrl

Label: Token URL

YES
Name Value
For Single Tenant https://login.microsoftonline.com/{ENTER-TENANT-ID-HERE}/oauth2/v2.0/token
For Multi Tenant https://login.microsoftonline.com/common/oauth2/v2.0/token
Name: ClientId

Label: Client ID

YES
Name: Certificate

Label: Certificate: *** Configure [Client Certificate] Tab ***

YES
Name: GroupOrUserId

Label: Default Group or User Id (additional Scopes needed to list - If fails enter manually)

To list all users and groups from your organizations you need additional scopes. See connection UI - Choose User.Read.All and Group.Read.All Scopes and regenerate token. You can manually type value too if you know Group or User Id. Format is /users/{id} OR /groups/{id}
YES
Name Value
My self (Not Valid for Application Credentials)
For any group /groups/ENTER-GROUP-EMAIL-OR-ID
For any user /users/ENTER-USER-EMAIL-OR-ID
Name: DriveId

Label: Default Drive Id

YES
Name: RetryMode

Label: RetryMode

RetryWhenStatusCodeMatch
Name Value
None None
RetryAny RetryAny
RetryWhenStatusCodeMatch RetryWhenStatusCodeMatch
Name: RetryStatusCodeList

Label: RetryStatusCodeList

429 is API limit reached, 423 is File locked
429|503|423
Name: RetryCountMax

Label: RetryCountMax

5
Name: RetryMultiplyWaitTime

Label: RetryMultiplyWaitTime

True
Name: SearchOptionForNonIndexedFields

Label: Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)

If you wish to do certain operations e.g. search / order by on non-indexed fields then you have to set this option to HonorNonIndexedQueriesWarningMayFailRandomly. By default filter / orderby on non-indexed fields not allowed.
Name Value
Search Only Indexed
Search Both Indexed and Non-Indexed HonorNonIndexedQueriesWarningMayFailRandomly
Name: ExtraHeaders

Label: Extra Headers (e.g. Header1:AAA||Header2:BBB)

Name Value
MyHeader1:AAA MyHeader1:AAA
MyHeader1:AAA||MyHeader2:BBB MyHeader1:AAA||MyHeader2:BBB
Name: IsAppCred

Label: IsAppCred

For internal use only
1