Application Credentials with Certificate (Sign JWT with Private Key)

Instructions

Follow these simple steps to create Microsoft Entra ID application with application access permissions:

• Create an OAuth app
• Configure App Permissions
• Create Public/Private Key Pair
• Upload Public Key
• Configure ZappySys Connection for Private Key use

• Grant granular permissions (optional)

  This step allows to grant OAuth application granular permissions, i.e. access configured specific Sites, Lists, and List Items.

Step-1: Create OAuth app

1. Navigate to the Azure Portal and log in using your credentials.
2. Access Microsoft Entra ID.
3. Register a new application by going to App registrations and clicking on New registration button:
   INFO: Find more information on how to register an application in Graph API reference.
4. When configuration window opens, configure these fields:
   • Supported account type
     • e.g. select Accounts in this organizational directory only if you need access to data in your organization only.
   
5. After registering the app, copy the Application (client) ID for later:
6. Then copy OAuth authorization endpoint (v2) & OAuth token endpoint (v2) URLs:

Step-2: Configure App Permissions

1. Continue by adding permissions for the app by going to the API permissions section, and clicking on Add a permission:
2. Select Microsoft Graph:
3. Then choose Application permissions option:

4. Continue by adding these Sites permissions (search for site):

   
   INFO: If you want to access specific lists or list items (table-level vs row-level security) rather than the full site, then add Lists.SelectedOperations.Selected or ListItems.SelectedOperations.Selected permissions , just like in the previous step (search for list).
   WARNING: If you add any of these permissions - Sites.Selected, Lists.SelectedOperations.Selected, or ListItems.SelectedOperations.Selected - you must grant the app the SharePoint permissions for the specific resource (e.g. a Site, a List, or a ListItem). Follow instructions in Grant SharePoint permissions to the OAuth app (optional) section on how to accomplish that.
5. Finish by clicking Add permissions button:
6. Now it's time to Grant admin consent for your application:
7. Confirm all the permissions are granted:

Step-3: Generate a Self-Signed Certificate

Now let's go through setting up a certificate-based authentication flow for Microsoft Graph or other Azure AD protected APIs using client credentials and a JWT.

You can use OpenSSL or any other way to generate Certificate file but to make it simple we will use below example PowerShell script.

Open PowerShell and execute code listed in below steps.

# Run this in PowerShell
#Change .AddYears(1) to desired number. By default it expires certificate in one year as per below code.

$cert = New-SelfSignedCertificate `
  -Subject "CN=MyClientAppCert" `
  -KeySpec Signature `
  -KeyExportPolicy Exportable `
  -KeyLength 2048 `
  -CertStoreLocation "Cert:\CurrentUser\My" `
  -KeyAlgorithm RSA `
  -HashAlgorithm SHA256 `
  -NotAfter (Get-Date).AddYears(1) `
  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

# Export private key (.pfx)  - Keep this with you to make API calls (SECRET KEY - DONOT SHARE)
$pfxPath = "$env:USERPROFILE\Desktop\private_key.pfx"
$pwd = ConvertTo-SecureString -String "yourStrongPassword123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pwd

# Export public certificate (.cer) - UPLOAD this to Azure Portal
$cerPath = "$env:USERPROFILE\Desktop\public_key.cer"
Export-Certificate -Cert $cert -FilePath $cerPath

Step-4: Upload the Certificate (i.e. Public Key *.cer)

1. In your App Registration, go to Certificates & secrets
2. Under Certificates, click Upload certificate
3. Select the .cer file (public certificate)
4. Click Select a file (Browse button)
5. Select public key file (*.cer) from local machine and click OK to upload

Step-5: Configure ZappySys Connection - Use private key (i.e. *.pfx or *.pem)

1. Go to SSIS package or ODBC data source and use the copied values in Application Credentials authentication configuration:
   • In the Token URL field paste the OAuth token endpoint (v2) URL value you copied in the previous step.
   • In the Client ID field paste the Application (client) ID value you copied in the previous step.
2. Configure private key
   • go to Certificate Tab
   • Change Storage Mode to Disk File: *.pfx format (PKCS#12).
     NOTE: You can also use Stored In LocalMachine mode if PFX file already imported in the Local Certificate Storage Area - User Store OR Machine Store.

     If you used OpenSSL to generate key pair then use Disk File: *.pem format (PKCS#8 or PKCS#1) Mode for Cert Store Location.

   • Supply the key file path
   • Supply the certificate password (same password used in earlier PowerShell script)
3. Now go back to General Tab, choose Default Site Id and Default Drive Id from the drop down menu.
4. Click Test connection see everything is good

Step-6 (optional): Grant granular permissions to the OAuth app

If you used Sites.Selected, Lists.SelectedOperations.Selected or ListItems.SelectedOperations.Selected permission in the previous section, you must grant the app the SharePoint permissions for the specific resource (e.g. a Site, a List, or a ListItem). You can do it using PowerShell or SharePoint admin center (obsolete method).

Granting SharePoint permissions using PowerShell

Unfortunately, there is no user interface available to control these permissions yet. For now, granting permissions has to be accomplished via Microsoft Graph API [Microsoft reference]:

1. Open PowerShell (run as admin).

2. Call the following PowerShell code to grant read and write permission for the app we created earlier (assuming Application (client) ID is 89ea5c94-aaaa-bbbb-cccc-3fa95f62b66e):

   ##### CONFIGURATION ############################################################################################
   
   # More info at:
   # - https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=powershell
   # - https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.sites/?view=graph-powershell-1.0
   
   # Find SharePoint Site Id by following these steps:
   # - Login into SharePoint Online
   # - Open this URL https://{your-company}.sharepoint.com/_api/site in the browser
   #   NOTE: For a subsite use https://{your-company}.sharepoint.com/sites/{your-subsite}/_api/site
   # - Find 'Id' element in the response (e.g. <d:Id m:type="Edm.Guid">efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3</d:Id>)
   # - Copy the Site Id, i.e.: efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3 
   # Set $siteId variable to the retrieved Site Id:
   
   $siteId="efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3"
   
   
   # Find your Application Id (i.e. Client Id) in the Azure Portal, in App Registrations page:
   # https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
   
   $applicationId="89ea5c94-aaaa-bbbb-cccc-3fa95f62b66e"
   
   
   # Set one of app permissions: read, write, fullcontrol, owner ('write' includes 'read' permission)
   
   $appPermission="write"
   
   
   
   ##### SCRIPT ###################################################################################################
   
   # Step-1: Install 'Microsoft.Graph.Sites' module if it's not installed
   if (-not (Get-Module Microsoft.Graph.Sites -ListAvailable))
   {
       Install-Module Microsoft.Graph.Sites
   }
   
   # Step-2: Load module
   Import-Module Microsoft.Graph.Sites
   
   # Step-3: Login (use Azure admin or SharePoint owner account)
   DisConnect-MgGraph
   Connect-MgGraph
   
   # Step-4: Set parameters for API call (set permissions, Site ID and Application ID)
   
   $params = @{
   	roles = @($appPermission)
   	grantedTo = @{
   		application = @{id = $applicationId}
   	}
   }
   
   # Step-5: Grant permissions
   New-MgSitePermission -SiteId $siteId -BodyParameter $params
   
   # Done!
   Write-Host "Granted SharePoint permissions to application '$applicationId' for site '$siteId'."
   
   

3. That's it! Now you can use the API Connector!

Parameters