SharePoint Online Connector
Documentation
Version: 19
Documentation
Authentication

Application Credentials with Certificate (Sign JWT with Private Key)


Description

[API reference]

Instructions

Follow these simple steps to create Microsoft Entra ID application with application access permissions:

  • Create an OAuth app
  • Configure App Permissions
  • Create Public/Private Key Pair
  • Upload Public Key
  • Configure ZappySys Connection for Private Key use
  • Grant granular permissions (optional)

    This step allows to grant OAuth application granular permissions, i.e. access configured specific Sites, Lists, and List Items.

Step-1: Create OAuth app

  1. Navigate to the Azure Portal and log in using your credentials.
  2. Access Microsoft Entra ID.
  3. Register a new application by going to App registrations and clicking on New registration button: Start new app registration in Microsoft Entra ID
    INFO: Find more information on how to register an application in Graph API reference.
  4. When configuration window opens, configure these fields:
    • Supported account type
      • e.g. select Accounts in this organizational directory only if you need access to data in your organization only.
    Register app in Microsoft Entra ID
  5. After registering the app, copy the Application (client) ID for later: Copy client ID of Microsoft Entra ID app
  6. Then copy OAuth authorization endpoint (v2) & OAuth token endpoint (v2) URLs: Copy Auth and Token URLs in Microsoft Entra ID app

Step-2: Configure App Permissions

  1. Continue by adding permissions for the app by going to the API permissions section, and clicking on Add a permission: Start adding permissions to Microsoft Entra ID app
  2. Select Microsoft Graph: Select Graph API permissions for Microsoft Entra ID app
  3. Then choose Application permissions option: Select app permissions for Microsoft Entra ID app
  4. Continue by adding these Sites permissions (search for site):

    Select SharePoint Online application scopes
    INFO: If you want to access specific lists or list items (table-level vs row-level security) rather than the full site, then add Lists.SelectedOperations.Selected or ListItems.SelectedOperations.Selected permissions , just like in the previous step (search for list).
    WARNING: If you add any of these permissions - Sites.Selected, Lists.SelectedOperations.Selected, or ListItems.SelectedOperations.Selected - you must grant the app the SharePoint permissions for the specific resource (e.g. a Site, a List, or a ListItem). Follow instructions in Grant SharePoint permissions to the OAuth app (optional) section on how to accomplish that.
  5. Finish by clicking Add permissions button: Add permissions to Microsoft Entra ID app
  6. Now it's time to Grant admin consent for your application: Grant admin consent for Microsoft Entra ID app
  7. Confirm all the permissions are granted: Admin consent granted successfully in Entra ID

Step-3: Generate a Self-Signed Certificate

Now let's go through setting up a certificate-based authentication flow for Microsoft Graph or other Azure AD protected APIs using client credentials and a JWT.

You can use OpenSSL or any other way to generate Certificate file but to make it simple we will use below example PowerShell script.

Open PowerShell and execute code listed in below steps.


# Run this in PowerShell
#Change .AddYears(1) to desired number. By default it expires certificate in one year as per below code.

$cert = New-SelfSignedCertificate `
  -Subject "CN=MyClientAppCert" `
  -KeySpec Signature `
  -KeyExportPolicy Exportable `
  -KeyLength 2048 `
  -CertStoreLocation "Cert:\CurrentUser\My" `
  -KeyAlgorithm RSA `
  -HashAlgorithm SHA256 `
  -NotAfter (Get-Date).AddYears(1) `
  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

# Export private key (.pfx)  - Keep this with you to make API calls (SECRET KEY - DONOT SHARE)
$pfxPath = "$env:USERPROFILE\Desktop\private_key.pfx"
$pwd = ConvertTo-SecureString -String "yourStrongPassword123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pwd

# Export public certificate (.cer) - UPLOAD this to Azure Portal
$cerPath = "$env:USERPROFILE\Desktop\public_key.cer"
Export-Certificate -Cert $cert -FilePath $cerPath

Step-4: Upload the Certificate (i.e. Public Key *.cer)

Once we have certificate file generated.
  1. In your App Registration, go to Certificates & secrets
  2. Under Certificates, click Upload certificate
  3. Select the .cer file (public certificate) Upload public key (certificate file) for App-Credentials (JWT Auth)
  4. Click Select a file (Browse button)
  5. Select public key file (*.cer) from local machine and click OK to upload

Step-5: Configure ZappySys Connection - Use private key (i.e. *.pfx or *.pem)

Now its time to use certificate pfx file (private key) generated in the previous step (NOTE: PFX file contains both private key and public key).
  1. Go to SSIS package or ODBC data source and use the copied values in Application Credentials authentication configuration:
    • In the Token URL field paste the OAuth token endpoint (v2) URL value you copied in the previous step.
    • In the Client ID field paste the Application (client) ID value you copied in the previous step.
  2. Configure private key
    • go to Certificate Tab
    • Change Storage Mode to Disk File: *.pfx format (PKCS#12).

      NOTE: You can also use Stored In LocalMachine mode if PFX file already imported in the Local Certificate Storage Area - User Store OR Machine Store.

      If you used OpenSSL to generate key pair then use Disk File: *.pem format (PKCS#8 or PKCS#1) Mode for Cert Store Location.

    • Supply the key file path
    • Supply the certificate password (same password used in earlier PowerShell script)
  3. Now go back to General Tab, choose Default Site Id and Default Drive Id from the drop down menu.
  4. Click Test connection see everything is good

Step-6 (optional): Grant granular permissions to the OAuth app

If you used Sites.Selected, Lists.SelectedOperations.Selected or ListItems.SelectedOperations.Selected permission in the previous section, you must grant the app the SharePoint permissions for the specific resource (e.g. a Site, a List, or a ListItem). You can do it using PowerShell or SharePoint admin center (obsolete method).

Granting SharePoint permissions using PowerShell

Unfortunately, there is no user interface available to control these permissions yet. For now, granting permissions has to be accomplished via Microsoft Graph API [Microsoft reference]:

You must be the owner of the resource to grant permissions (i.e. belong to SharePoint owners group or be the owner of the Site or List).
  1. Open PowerShell (run as admin).
  2. Call the following PowerShell code to grant read and write permission for the app we created earlier (assuming Application (client) ID is 89ea5c94-aaaa-bbbb-cccc-3fa95f62b66e):

    ##### CONFIGURATION ############################################################################################
    
    # More info at:
    # - https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=powershell
    # - https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.sites/?view=graph-powershell-1.0
    
    # Find SharePoint Site Id by following these steps:
    # - Login into SharePoint Online
    # - Open this URL https://{your-company}.sharepoint.com/_api/site in the browser
    #   NOTE: For a subsite use https://{your-company}.sharepoint.com/sites/{your-subsite}/_api/site
    # - Find 'Id' element in the response (e.g. <d:Id m:type="Edm.Guid">efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3</d:Id>)
    # - Copy the Site Id, i.e.: efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3 
    # Set $siteId variable to the retrieved Site Id:
    
    $siteId="efcdd21a-aaaa-bbbb-cccc-5d8104d8b5e3"
    
    
    # Find your Application Id (i.e. Client Id) in the Azure Portal, in App Registrations page:
    # https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
    
    $applicationId="89ea5c94-aaaa-bbbb-cccc-3fa95f62b66e"
    
    
    # Set one of app permissions: read, write, fullcontrol, owner ('write' includes 'read' permission)
    
    $appPermission="write"
    
    
    
    ##### SCRIPT ###################################################################################################
    
    # Step-1: Install 'Microsoft.Graph.Sites' module if it's not installed
    if (-not (Get-Module Microsoft.Graph.Sites -ListAvailable))
    {
        Install-Module Microsoft.Graph.Sites
    }
    
    # Step-2: Load module
    Import-Module Microsoft.Graph.Sites
    
    # Step-3: Login (use Azure admin or SharePoint owner account)
    DisConnect-MgGraph
    Connect-MgGraph
    
    # Step-4: Set parameters for API call (set permissions, Site ID and Application ID)
    
    $params = @{
    	roles = @($appPermission)
    	grantedTo = @{
    		application = @{id = $applicationId}
    	}
    }
    
    # Step-5: Grant permissions
    New-MgSitePermission -SiteId $siteId -BodyParameter $params
    
    # Done!
    Write-Host "Granted SharePoint permissions to application '$applicationId' for site '$siteId'."
    
    
  3. That's it! Now you can use the API Connector!

Parameters

Parameter Required Default value Options
Name: TokenUrl

Label: Token URL

YES
Name Value
For Single Tenant https://login.microsoftonline.com/{ENTER-TENANT-ID-HERE}/oauth2/v2.0/token
For Multi Tenant https://login.microsoftonline.com/common/oauth2/v2.0/token
Name: ClientId

Label: Client ID

YES
Name: Certificate

Label: Certificate: *** Configure [Client Certificate] Tab ***

YES
Name: SiteId

Label: Default Site Id

Specify a site
YES root
Name: DriveId

Label: Default Drive Id

Specify a default Drive Id you like to use for operations.
Name: RetryMode

Label: RetryMode

RetryWhenStatusCodeMatch
Name Value
None None
RetryAny RetryAny
RetryWhenStatusCodeMatch RetryWhenStatusCodeMatch
Name: RetryStatusCodeList

Label: RetryStatusCodeList

429 is API limit reached, 423 is File locked
429|503|423
Name: RetryCountMax

Label: RetryCountMax

5
Name: RetryMultiplyWaitTime

Label: RetryMultiplyWaitTime

True
Name: SearchOptionForNonIndexedFields

Label: Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)

If you wish to do certain operations e.g. search / order by on non-indexed fields then you have to set this option to HonorNonIndexedQueriesWarningMayFailRandomly. By default filter / orderby on non-indexed fields not allowed.
Name Value
Search Only Indexed
Search Both Indexed and Non-Indexed HonorNonIndexedQueriesWarningMayFailRandomly
Name: ExtraHeaders

Label: Extra Headers (e.g. Header1:AAA||Header2:BBB)

Name Value
MyHeader1:AAA MyHeader1:AAA
MyHeader1:AAA||MyHeader2:BBB MyHeader1:AAA||MyHeader2:BBB
Name: IsAppCred

Label: IsAppCred

For internal use only
1