1 Overview
SharePoint App-only calls can now be authenticated via an Azure app registration using a certificate. Although an Azure app registration can be configured to authenticate with a client secret, SharePoint rejects app-only tokens obtained that way, so a certificate must be used in this case.
The process involves creating an app registration in Azure, configuring it with a certificate, and configuring the tenant in the DynamicPoint Tenant Admin application to use that app registration and certificate.
When configuring authentication with certificates, you need to prepare both .cer and .pfx versions of your certificate.
- Note: Prior to configuring SharePoint App Azure Authentication for DynamicPoint’s EasyAP365 or EasyEXP365, auto creation functionality must be configured first, because this authentication method does not support the creation of event receivers.
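The .cer and .pfx pair mentioned above can be produced in one step on a Windows admin workstation. The script below is an added example, not a DynamicPoint script; it assumes Windows PowerShell with the built-in PKI module (New-SelfSignedCertificate, Export-Certificate, Export-PfxCertificate), and the subject name, output folder and lifetime are placeholder values to replace for your tenant.

```powershell
# Added example: prepare the .cer/.pfx pair for the Azure app registration.
# Not DynamicPoint's own script. Assumes Windows PowerShell with the PKI module.
# Subject, folder and lifetime are placeholder values (constructed).

$Subject  = "CN=DynamicPoint-SharePoint-AppOnly"   # placeholder subject
$OutDir   = "C:\certs"                             # placeholder output folder
$Lifetime = 2                                      # years until expiry
$PfxPass  = Read-Host -Prompt "PFX export password" -AsSecureString

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Create an RSA signing key pair in the current user's store. The key is marked
# exportable only so that the .pfx can be produced below.
$cert = New-SelfSignedCertificate `
    -Subject $Subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears($Lifetime)

# .cer = public key only. This is the file uploaded under "Certificates & secrets"
# on the app registration; it contains nothing sensitive.
Export-Certificate -Cert $cert -FilePath "$OutDir\dynamicpoint-app.cer" | Out-Null

# .pfx = public key + private key, protected by the password. This is the file
# selected in the Tenant Admin Application Mapping dialog, together with the
# same password in the Client Secret / Password field.
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\dynamicpoint-app.pfx" -Password $PfxPass | Out-Null

# Record the thumbprint (to match the upload shown in Azure) and the expiry
# (the date by which both Azure and Tenant Admin need the replacement cert).
[PSCustomObject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    CerFile    = "$OutDir\dynamicpoint-app.cer"
    PfxFile    = "$OutDir\dynamicpoint-app.pfx"
}
```

Only the .cer leaves the admin workstation for Azure; the .pfx holds the private key that authenticates every app-only call, so store it and its password with the same care as a service account password, and note the NotAfter date: once the certificate expires, the app-only calls stop working until a new pair is uploaded in both places.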
2 Azure Active Directory
Create app-registration in Azure
App Registration
- Go to portal.azure.com and click on Azure Active Directory:
- From the left menu navigate to App Registrations:
- Click on New Registration:
- On the following screen specify a name for the app registration and leave the rest of the settings to their defaults:
- At the bottom of the screen click the Register button.
Configure App Registration
Now that the app registration exists, we need to configure the permissions it will grant to DynamicPoint applications.
- Click on API permissions and the following screen will be displayed:
- By default, Microsoft Graph permissions will already be present; leave them as they are. Next, click the Add a permission button, search for SharePoint in the list of applications and select Application permissions.
- Select the following permissions:
– Sites.Manage.All
– User.Read.All
- Click Add permissions.
- Next, click Add a permission again and choose SharePoint, but this time select Delegated permissions.
- Select the following permissions:
– AllSites -> AllSites.Write
– User -> User.Read.All
- Once you are finished click Add permissions button at the bottom.
- The resulting permissions should look as follows:
- Be sure to grant admin consent by clicking the Grant admin consent button.
- With this, the permissions this app registration grants are configured.
Redirect
- Click on Overview
- Click on Redirect URIs:
- Select Add a Platform
- Select Web
- Add the URL of the application being installed
- Ensure the ID tokens option is enabled
Certificate Configuration
Now we need to configure the cert.
- Click on Certificates and Secrets from the left menu:
- Click the Upload Certificate button and use the dialog on the right to upload the certificate:
- Here you need to upload the .cer file of your certificate. Once uploaded, the certificate list should look similar to this:
- With this, the configuration of the Azure app registration is complete.
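Before switching the tenant over to the new registration, it is worth confirming that the registration and certificate actually yield an app-only SharePoint session. The script below is an added example, not DynamicPoint code; it assumes the PnP.PowerShell module is installed and that the .pfx from the certificate step is at hand. The tenant name, site URL and client ID are placeholders.

```powershell
# Added example: verify certificate-based app-only access to SharePoint
# before configuring Tenant Admin. Not DynamicPoint's own script.
# Assumes PnP.PowerShell (Install-Module PnP.PowerShell). Values are placeholders.

$TenantName = "contoso"                                           # placeholder
$SiteUrl    = "https://$TenantName.sharepoint.com/sites/EasyAP"   # placeholder site
$ClientId   = "00000000-0000-0000-0000-000000000000"              # Application (client) ID from Overview
$PfxPath    = "C:\certs\dynamicpoint-app.pfx"                     # .pfx exported earlier
$PfxPass    = Read-Host -Prompt "PFX password" -AsSecureString

try {
    # Certificate-based client-credentials sign-in, the same flow the tenant
    # will use. A client secret would be rejected by SharePoint at this point.
    Connect-PnPOnline -Url $SiteUrl `
        -ClientId $ClientId `
        -Tenant "$TenantName.onmicrosoft.com" `
        -CertificatePath $PfxPath `
        -CertificatePassword $PfxPass

    # A successful read shows the uploaded .cer matches the .pfx, admin consent
    # was granted, and the SharePoint application permission is effective here.
    $web = Get-PnPWeb
    Write-Host "App-only access OK: $($web.Title) ($($web.Url))"
}
catch {
    # Typical causes: consent not granted, .cer not uploaded, wrong tenant,
    # or a .pfx whose private key does not match the uploaded .cer.
    Write-Error "App-only access failed: $($_.Exception.Message)"
}
finally {
    Disconnect-PnPOnline -ErrorAction SilentlyContinue
}
```

Running this from an admin workstation, rather than from the DynamicPoint application, separates an Azure-side misconfiguration from a Tenant Admin one: if this check fails, the problem is in section 2; if it passes and the application still fails, look at the mapping in section 3.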
3 DynamicPoint Tenant Admin
Now we need to configure the tenant to use the newly created app-registration for SharePoint App-only calls.
- Navigate to tenant.dynamicpoint.com and get into edit mode for the tenant:
- First you need to populate the Microsoft Directory ID, also known as Tenant ID. This can be obtained from Azure Active Directory -> App Registrations -> Your App registration:
- Copy the value from Directory (tenant) ID into Microsoft Directory ID field in Tenant Admin.
- Next, click on Application Mapping button which is located next to Microsoft Directory ID field:
- On the Application Mappings dialog (in the background on the above screenshot), click the Add button to add a new mapping.
- The Application Mapping dialog should appear with a prepopulated Directory ID; leave it as is.
– For Type, select SharePoint.
– Enter any meaningful description.
– Set the Client ID field to the Application (client) ID shown on the Azure app registration overview page (see the previous screenshot).
– When authenticating with a certificate, enter the certificate password in the Client Secret / Password field.
– Select the .pfx version of your certificate in the Certificate field.
– Note that for advanced scenarios the Directory ID here can differ from the default one, but only for mappings of type Client Credential. For SharePoint mappings the default should be used.
- To finish the configuration of this mapping, click the Update button on the Application Mapping dialog. Then close the Application Mappings list and click the Update button on the Tenant edit form.
- Now browse the application for the tenant. If the configuration is correct, there will be no change in the normal behavior of the application; otherwise, check the logs for any error messages.