SharePoint App-Only calls via Azure Authentication

1     Overview

SharePoint App-only calls can now be authenticated through an Azure app registration that uses a certificate. Although an Azure app registration can also be configured to authenticate with a client secret, SharePoint rejects tokens issued with a client secret for App-only calls, so a certificate is required in this case.

The process has three parts: creating an app registration in Azure, configuring it with a certificate, and configuring the tenant in the DynamicPoint Tenant Admin application to use that app registration and certificate.

When configuring authentication with certificates, you need to prepare both versions of your certificate: the .cer file (public certificate only, uploaded to the Azure app registration) and the .pfx file (certificate with its private key, protected by a password, uploaded in Tenant Admin).
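The following script is an added example, not part of the DynamicPoint documentation, showing one way to produce the two files with OpenSSL: it generates a private key and a self-signed certificate, exports the public half as a DER-encoded .cer for Azure, exports key and certificate together as a password-protected .pfx for Tenant Admin, and then confirms by SHA-1 thumbprint that both files carry the same certificate. The file name, subject, validity period and password are placeholders chosen for the example; the thumbprint it prints is the value you can compare against the certificate list in the Azure portal.

```shell
#!/bin/sh
# Added example (not DynamicPoint's own tooling): prepare the .cer and .pfx
# files for SharePoint App-only authentication with OpenSSL.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"                       # output directory
CERT_NAME="dynamicpoint-sharepoint-apponly"              # assumed base file name
CERT_SUBJECT="/CN=DynamicPoint SharePoint App-only"      # assumed subject
PFX_PASSWORD="${PFX_PASSWORD:-ChangeMe-ExamplePassword}" # placeholder; this is what goes in "Client Secret / Password"
VALID_DAYS=730                                           # assumed validity; rotate before it expires

# Generate key + self-signed certificate, then export:
#   .cer (DER, public certificate only)  -> upload to the Azure app registration
#   .pfx (PKCS#12, certificate + key)    -> upload in Tenant Admin
make_cert_files() {
    key="$WORKDIR/$CERT_NAME.key"
    pem="$WORKDIR/$CERT_NAME.pem"
    cer="$WORKDIR/$CERT_NAME.cer"
    pfx="$WORKDIR/$CERT_NAME.pfx"

    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$key" -out "$pem" -days "$VALID_DAYS" -subj "$CERT_SUBJECT" 2>/dev/null
    openssl x509 -in "$pem" -outform DER -out "$cer"
    openssl pkcs12 -export -inkey "$key" -in "$pem" -out "$pfx" -passout "pass:$PFX_PASSWORD"
    chmod 600 "$key" "$pfx"   # private key material: owner-readable only
}

# SHA-1 thumbprint of a DER .cer, printed the way the Azure portal shows it
# (upper-case hex, no separators).
cer_thumbprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# SHA-1 thumbprint of the certificate inside a .pfx (arguments: file, password).
pfx_thumbprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Succeeds only when the .cer and the .pfx carry the same certificate.
verify_pair() {
    [ "$(cer_thumbprint "$WORKDIR/$CERT_NAME.cer")" = \
      "$(pfx_thumbprint "$WORKDIR/$CERT_NAME.pfx" "$PFX_PASSWORD")" ]
}

make_cert_files
if verify_pair; then
    echo "OK: $CERT_NAME.cer (Azure) and $CERT_NAME.pfx (Tenant Admin) match," \
         "thumbprint $(cer_thumbprint "$WORKDIR/$CERT_NAME.cer"), files in $WORKDIR"
else
    echo "Thumbprint mismatch between .cer and .pfx" >&2
    exit 1
fi
```

On a Windows workstation the same result can be obtained with the PowerShell cmdlets New-SelfSignedCertificate, Export-Certificate and Export-PfxCertificate. OpenSSL 3 writes .pfx files with AES and PBKDF2 by default; if an import tool refuses such a file, re-run the pkcs12 export with its -legacy option. Keep the .key and .pfx files out of source control and shared drives, since anyone holding them and the password can obtain App-only tokens with the permissions granted to the app registration.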

2     Azure Active Directory

App Registration in Azure

  1. Go to portal.azure.com and click on Azure Active Directory.
  2. From the left menu navigate to App Registrations.
  3. Click on New Registration.
  4. On the following screen specify a name for the app registration and leave the rest of the settings at their defaults.
  5. At the bottom of the screen click the Register button.

Configure App Registration

Now that the app registration is created, we need to configure the permissions it will grant to DynamicPoint applications.

  1. Click on API permissions to open the permissions list.
  2. By default, Microsoft Graph permissions are already added; leave them as they are.
  3. Next, click the Add a permission button, search for SharePoint in the list of applications and select the following permissions: Site.ManageAll, TermStore.ReadAll, User.ReadAll.
  4. Please note that you need to pick Application permissions, not Delegated permissions.
  5. Once you are finished, click the Add permissions button at the bottom.
  6. With this, the permissions granted through this app registration are configured.

Certificate Configuration

Now we need to configure the certificate.

  1. Click on Certificates and Secrets from the left menu.
  2. Click the Upload Certificate button and use the dialog on the right to upload the certificate.
  3. Here you need to upload the .cer file of your certificate (the public certificate only; the .pfx is used later in Tenant Admin). Once uploaded, the certificate appears in the certificate list with its thumbprint and expiry date.
  4. With this, the configuration of the Azure app registration is complete.

3     DynamicPoint Tenant Admin

Now we need to configure the tenant to use the newly created app registration for SharePoint App-only calls.

  1. Navigate to tenant.dynamicpoint.com and enter edit mode for the tenant.
  2. First you need to populate the Microsoft Directory ID, also known as the Tenant ID. It can be obtained from Azure Active Directory -> App Registrations -> your app registration.
  3. Copy the value from Directory (tenant) ID into the Microsoft Directory ID field in Tenant Admin.
  4. Next, click the Application Mapping button, which is located next to the Microsoft Directory ID field.
  5. On the Application Mappings dialog click the Add button to add a new mapping. The Application Mapping dialog appears with the Directory ID prepopulated; leave it as is.
    For Type select SharePoint.
    You can enter any meaningful description.
    The Client ID field should be set to the Application (client) ID shown on the overview page of the Azure app registration.
    When authenticating with a certificate, enter the .pfx password in the Client Secret / Password field.
    Select the .pfx version of your certificate in the Certificate field.

    Please note that for advanced scenarios the Directory ID here can differ from the default one, but only for mappings of type Client Credential. For SharePoint the default must be used.
  6. To finish the configuration of this mapping, click the Update button on the Application Mapping dialog. Then close the Application Mappings list and click the Update button on the Tenant edit form.
  7. Now browse the application for the tenant. If the configuration is correct, the application behaves exactly as before; otherwise, check the logs for error messages.