
Is there a way to authenticate with Azure ACS and a certificate (App Only context) ?

Open jcanquelain opened this issue 3 years ago • 4 comments

Hi, I have an application which currently queries SharePoint Online using App Only access, based on Azure ACS (following this documentation).

It is the only way I found to restrict permissions to one given SharePoint site, because Azure AD applications' permissions only allow Sites.*.All permissions (for instance Sites.ReadWrite.All), which is too wide for me, and not allowed by my Organization (this gives access to all SharePoint sites for the tenant).

I currently authenticate against https://accounts.accesscontrol.windows.net/{{TENANT_ID}}/tokens/OAuth/2, with grant type "client_credentials" + ClientId and ClientSecret. This works like a charm, I can access the SharePoint site without giving SharePoint application permissions at Azure AD level!

So far, so good !

However, I have a technical requirement change from the security department, and I now need to authenticate using a certificate instead of ClientId + ClientSecret.

I searched for some time but couldn't find a way to use both ACS access + certificate.

I tried the following:

  • PnP.Framework.AuthenticationManager().GetACSAppOnlyContext(): Works well with client id + client secret, but no overload for certificates
  • PnP.Framework.AuthenticationManager.CreateWithCertificate(): Does not work, needs Sites.ReadWrite.All permissions at AAD level
  • Using MSAL, Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Create(ClientId).WithCertificate(certificate).(new Uri($"https://accounts.accesscontrol.windows.net/{Tenantid}")).Build(): Does not work, needs Sites.ReadWrite.All permissions at AAD level

I have no more ideas... Is there some method that I missed, or a way to restrict permissions to one site using Azure AD?

Thanks !

jcanquelain avatar Oct 07 '21 14:10 jcanquelain
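The two authentication paths the post compares, written out as an added example with PnP.Framework (this is not the issue author's code or the project's own sample; siteUrl, clientId, tenantId, the ACS secret and the certificate thumbprint are placeholder assumptions). The ACS path takes an app id and secret and relies on permissions granted per site (via the site's appinv.aspx page), while the certificate path goes through Azure AD and, as the thread states, is only authorized by an application permission such as Sites.ReadWrite.All granted at the Azure AD level:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.SharePoint.Client;
using PnP.Framework;

// Added example, not code from the issue or from PnP.Framework's docs.
// All values below are placeholder assumptions.
static class SpoAppOnlyAuth
{
    // Path 1: Azure ACS app-only with client id + client secret.
    // Permissions come from the per-site grant (appinv.aspx), not from Azure AD.
    // GetACSAppOnlyContext has no certificate overload, which is the limitation the post hits.
    public static ClientContext GetAcsContext(string siteUrl, string clientId, string clientSecret)
    {
        var am = new AuthenticationManager();
        return am.GetACSAppOnlyContext(siteUrl, clientId, clientSecret);
    }

    // Path 2: Azure AD app-only with a certificate (equivalent to CreateWithCertificate).
    // Works, but the app needs an Azure AD application permission on SharePoint,
    // which is tenant-wide (Sites.*.All); a site-scoped ACS grant is not consulted here.
    public static ClientContext GetCertificateContext(string siteUrl, string clientId, string tenantId,
                                                      X509Certificate2 certificate)
    {
        // Keep the AuthenticationManager alive for as long as the context is used:
        // it re-acquires tokens on each request.
        var am = new AuthenticationManager(clientId, certificate, tenantId);
        return am.GetContext(siteUrl);
    }

    // Load the certificate from the current user's personal store by thumbprint.
    // The private key must be accessible, because the client assertion is signed with it.
    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException($"Certificate {thumbprint} not found in CurrentUser\\My");
        if (!found[0].HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; cannot sign client assertion");
        return found[0];
    }

    static void Main()
    {
        // Placeholder assumptions; replace with real values.
        const string siteUrl = "https://contoso.sharepoint.com/sites/onesite";
        const string clientId = "00000000-0000-0000-0000-000000000000";
        const string tenantId = "contoso.onmicrosoft.com";

        // ACS path: secret read from the environment rather than hard-coded.
        var acsSecret = Environment.GetEnvironmentVariable("ACS_CLIENT_SECRET")
                        ?? throw new InvalidOperationException("ACS_CLIENT_SECRET not set");
        using (var ctx = GetAcsContext(siteUrl, clientId, acsSecret))
        {
            ctx.Load(ctx.Web, w => w.Title);
            ctx.ExecuteQuery();
            Console.WriteLine($"ACS app-only: {ctx.Web.Title}");
        }

        // Certificate path: only succeeds if the Azure AD app holds a SharePoint application permission.
        var cert = LoadCertificate("0123456789ABCDEF0123456789ABCDEF01234567");
        using (var ctx = GetCertificateContext(siteUrl, clientId, tenantId, cert))
        {
            ctx.Load(ctx.Web, w => w.Title);
            ctx.ExecuteQuery();
            Console.WriteLine($"Certificate app-only: {ctx.Web.Title}");
        }
    }
}
```

If the certificate path fails with a 401 while the ACS path succeeds against the same site, that matches the behaviour described in the thread: the Azure AD token is valid, but nothing in Azure AD authorizes the app for SharePoint, and the site-level ACS grant does not apply to Azure AD tokens.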

I use new PnP.Framework.AuthenticationManager(applicationId, certificate, tenant).GetContext(siteUrl), which is the same as your 2nd try, PnP.Framework.AuthenticationManager.CreateWithCertificate().

Which URL do you pass to GetContext()? Is it the SPO site URL?

jackpoz avatar Oct 24 '21 16:10 jackpoz

@jackpoz Thanks for the idea. I tried it, but same result as the others: works with rights defined at AAD level, doesn't work with rights only set at site level.

I use the SPO site URL in GetContext(). The URL looks like: https://<my_domain>.sharepoint.com/sites/<my_site>

jcanquelain avatar Nov 19 '21 08:11 jcanquelain

@jcanquelain : ACS does not work with certs, Azure AD based auth does but is by default using a tenant wide permission. Sites.Selected today indeed only applies to Graph API calls but we're expanding that to support also SharePoint REST and CSOM requests...this should then unblock your scenario.

jansenbe avatar Dec 02 '21 17:12 jansenbe
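What the Sites.Selected route looks like in practice, as an added example that is not part of the thread or of PnP.Framework: an app holding only the Sites.Selected application permission gets no site until an administrator explicitly grants it one through the Microsoft Graph site permissions endpoint. The code below resolves a site by hostname and path, then grants a target app "write" on that one site. It assumes an admin bearer token obtained elsewhere (Sites.FullControl.All on the granting app), and all ids and names are placeholders. At the time of the thread this grant only authorized Graph calls; the reply above says support for SharePoint REST and CSOM was being added.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not code from the issue or from PnP.Framework.
// Assumes an admin token (Sites.FullControl.All) is supplied via the GRAPH_ADMIN_TOKEN environment variable.
static class SitesSelectedGrant
{
    const string GraphBase = "https://graph.microsoft.com/v1.0";

    // Resolve a site id from its hostname and server-relative path, e.g. ("contoso.sharepoint.com", "/sites/onesite").
    public static async Task<string> ResolveSiteIdAsync(HttpClient http, string hostname, string sitePath)
    {
        var resp = await http.GetAsync($"{GraphBase}/sites/{hostname}:{sitePath}");
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("id").GetString()
               ?? throw new InvalidOperationException("site response has no id");
    }

    // Grant the target application a role ("read" or "write") on exactly this site.
    // The target app itself only needs the Sites.Selected application permission consented in Azure AD.
    public static async Task<string> GrantAsync(HttpClient http, string siteId, string targetAppId,
                                                string targetAppName, string role)
    {
        var body = new
        {
            roles = new[] { role },
            grantedToIdentities = new[]
            {
                new { application = new { id = targetAppId, displayName = targetAppName } }
            }
        };
        var content = new StringContent(JsonSerializer.Serialize(body), Encoding.UTF8, "application/json");
        var resp = await http.PostAsync($"{GraphBase}/sites/{siteId}/permissions", content);
        var text = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)
            throw new InvalidOperationException($"grant failed: {(int)resp.StatusCode} {text}");
        using var doc = JsonDocument.Parse(text);
        return doc.RootElement.GetProperty("id").GetString() ?? "";   // permission id, needed to revoke later
    }

    static async Task Main()
    {
        var adminToken = Environment.GetEnvironmentVariable("GRAPH_ADMIN_TOKEN")
                         ?? throw new InvalidOperationException("GRAPH_ADMIN_TOKEN not set");
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", adminToken);

        // Placeholder assumptions.
        var siteId = await ResolveSiteIdAsync(http, "contoso.sharepoint.com", "/sites/onesite");
        var permissionId = await GrantAsync(http, siteId,
            targetAppId: "00000000-0000-0000-0000-000000000000",
            targetAppName: "OneSiteIntegration",
            role: "write");
        Console.WriteLine($"Granted on {siteId}: permission {permissionId}");
    }
}
```

Keep the returned permission id: the same endpoint accepts DELETE on /sites/{siteId}/permissions/{permissionId} to revoke the grant, which is how the scope stays limited to the single site the security department approved.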

Hi @jansenbe, thank you for your answer. I'll then wait and look forward to this support for SP REST and CSOM. Is there a feature / issue on the board I can subscribe to, to be notified when it is released? Thanks!

jcanquelain avatar Dec 03 '21 08:12 jcanquelain