cli-microsoft365

Auth with client_id and client_secret

Open liquidcarbon opened this issue 1 year ago • 5 comments

Hello,

I'm able to access SP resources through Office365-REST-Python-Client using app principal with client_id and client_secret:

from office365.sharepoint.client_context import ClientContext
from tests import test_client_id, test_client_secret, test_site_url

ctx = ClientContext(test_site_url).with_client_credentials(
    test_client_id, test_client_secret
)
target_web = ctx.web.get().execute_query()
print(target_web.url)

How can I use this route to authenticate through CLI? Browser login wants me to have admin powers, which is a hassle to obtain, and probably won't work from a VM.

liquidcarbon avatar May 01 '24 22:05 liquidcarbon

Hi @liquidcarbon

Looking at your example, it looks like you need something like:

m365 login --authType secret --appId 31359c7f-bd7e-475c-86db-fdb8c937548c --secret topSeCr3t@007

You can view more examples at: https://pnp.github.io/cli-microsoft365/cmd/login#examples

milanholemans avatar May 01 '24 22:05 milanholemans

Thank you! Looks like I got the happy message with "connectionName": using

m365 login --authType secret --tenant "..." --appId "..." --secret "..."

without tenant: Error: missing_tenant_id_error: A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.

liquidcarbon avatar May 01 '24 22:05 liquidcarbon

m365 spo get --output json
Error: SharePoint does not support authentication using client ID and secret. Please use a different login type to use SharePoint commands.

😿

Would none of SharePoint CLI work at all then? Why does it work through the REST API?

liquidcarbon avatar May 01 '24 22:05 liquidcarbon

The article you are referencing uses an authentication type (Azure ACS) that has been deprecated for a few years now. In fact, this way of authenticating will stop working in June 2026. By default, Azure ACS is turned off; you can turn it back on, if I'm not mistaken, by setting the right tenant settings, but this is not really recommended.

The proper way of connecting is using an app registration with certificate.

milanholemans avatar May 01 '24 23:05 milanholemans

What @milanholemans said: when you connect to SharePoint using application permissions, you need to authenticate using a certificate. If you use delegated permissions, you've got some more options. Both rules apply no matter if you use CSOM or REST APIs.

waldekmastykarz avatar May 03 '24 09:05 waldekmastykarz
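
The rule from the two replies above, applied to access-token claims: an added example, not code from this thread or from CLI for Microsoft 365. It assumes the Microsoft Entra ID claims `appidacr` (v1.0 tokens) and `azpacr` (v2.0 tokens), where "1" means client secret and "2" means certificate, and treats a token without `scp` as app-only; `describe_token`, `make_sample` and the contoso host are hypothetical names, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Client authentication method recorded in appidacr (v1.0) / azpacr (v2.0).
CLIENT_AUTH = {"0": "public client", "1": "client secret", "2": "certificate"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_token(jwt: str) -> dict:
    """Report how a token was obtained. Reads claims only; no signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    acr = str(claims.get("appidacr", claims.get("azpacr", "")))
    # Assumption: delegated tokens carry "scp"; app-only tokens carry "roles" instead.
    app_only = "scp" not in claims
    client_auth = CLIENT_AUTH.get(acr, "unknown")
    return {
        "audience": claims.get("aud"),
        "app_only": app_only,
        "client_auth": client_auth,
        # Rule stated in the thread: application permissions need a certificate.
        "meets_sharepoint_rule": (not app_only) or client_auth == "certificate",
    }


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample claims; the tenant host is a placeholder.
AUD = "https://contoso.sharepoint.com"
SECRET_TOKEN = make_sample({"aud": AUD, "appidacr": "1", "roles": ["Sites.Read.All"]})
CERT_TOKEN = make_sample({"aud": AUD, "appidacr": "2", "roles": ["Sites.Read.All"]})
USER_TOKEN = make_sample({"aud": AUD, "appidacr": "0", "scp": "AllSites.Read"})

if __name__ == "__main__":
    for name, tok in [("secret", SECRET_TOKEN), ("certificate", CERT_TOKEN), ("delegated", USER_TOKEN)]:
        print(name, describe_token(tok))
```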

@liquidcarbon do you consider this question as answered?

milanholemans avatar May 06 '24 21:05 milanholemans

Yes, thank you!

liquidcarbon avatar May 06 '24 21:05 liquidcarbon