Updating article on creating AAD App Only Certificate Token (#3909)
* Updated article to reflect actual situation
As Azure has quite drastically changed, the steps outlined here didn't reflect the actual situation anymore. It has become quite a bit easier. Updated the steps and screenshots to reflect the actual situation.
* Updated screenshots used in the article
Updated screenshots used in the article to reflect the current way Azure Active Directory looks
* Screenshot no longer used
This step is no longer necessary today, so removed the use of this screenshot
You will be asked to give a password to encrypt your private key, and both the .PFX file and .CER file will be exported to the current folder.
162
162
163
-
Next step is registering an Azure AD application in the Azure Active Directory tenant that is linked to your Office 365 tenant. To do that, open the Office 365 Admin Center (https://portal.office.com) using the account of a user member of the Tenant Global Admins group. Click on the "Azure Active Directory" link that is available under the "Admin centers" group in the left-side treeview of the Office 365 Admin Center. In the new browser's tab that will be opened you will find the [Microsoft Azure portal](https://ms.portal.azure.com). If it is the first time that you access the Azure portal with your account, you will have to register a new Azure subscription, providing some information and a credit card for any payment need. But don't worry, in order to play with Azure AD and to register an Office 365 Application you will not pay anything. In fact, those are free capabilities. Once having access to the Azure portal, select the "Active Directory" section and choose the option "App Registrations". See the next figure for further details.
163
+
Next step is registering an Azure AD application in the Azure Active Directory tenant that is linked to your Office 365 tenant. To do that, open the Office 365 Admin Center (https://admin.microsoft.com) using the account of a user member of the Tenant Global Admins group. Click on the "Azure Active Directory" link that is available under the "Admin centers" group in the left-side treeview of the Office 365 Admin Center. In the new browser's tab that will be opened you will find the [Microsoft Azure portal](https://portal.azure.com). If it is the first time that you access the Azure portal with your account, you will have to register a new Azure subscription, providing some information and a credit card for any payment need. But don't worry, in order to play with Azure AD and to register an Office 365 Application you will not pay anything. In fact, those are free capabilities. Once having access to the Azure portal, select the "Azure Active Directory" section and choose the option "App registrations". See the next figure for further details.
164
164
165
165

166
166
167
-
In the "App Registrations" tab you will find the list of Azure AD applications registered in your tenant. Click the "New application registration" button in the upper left part of the blade. Next, provide a name for your application, select the option "Web app / API", and fill in the "Sign-on URL" with a URL (does not have to exist, e.g. https://www.pnp.com). Click on “Create” to create the Azure AD application.
167
+
In the "App registrations" tab you will find the list of Azure AD applications registered in your tenant. Click the "New registration" button in the upper left part of the blade. Next, provide a name for your application and click on "Register" at the bottom of the blade.
168
168
169
169

170
170
171
-
Once created you need to look up your Azure AD application again and open it:
172
-
173
-

174
-
175
171
> [!IMPORTANT]
176
-
> Once the application has been opened copy the application ID as you’ll need it later.
172
+
> Once the application has been created copy the "Application (client) ID" as you’ll need it later.
177
173
178
-
Now click on "Required Permissions", and click on the "Add" button, a new blade will appear. You need to configure the following permissions:
Now click on "API permissions" in the left menu bar, and click on the "Add a permission" button. A new blade will appear. Here you choose the permissions that you will grant to this application. Choose i.e.:
182
175
183
-
The "Application Permissions" are those granted to the application when running as App Only.
176
+
- SharePoint
177
+
- Application permissions
178
+
- Sites
179
+
- Sites.FullControl.All
180
+
181
+
Click on the blue "Add permissions" button at the bottom to add the permissions to your application. The "Application permissions" are those granted to the application when running as App Only.
184
182
185
183

186
184
187
-
Final step is “connecting” the certificate we created earlier to the application. You need to execute the Get-SelfSignedCertificateInformation.ps1 script.
Final step is “connecting” the certificate we created earlier to the application. Click on "Certificates & secrets" in the left menu bar. Click on the "Upload certificate" button, select the .CER file you generated earlier and click on "Add" to upload it.
You will have to provide the full qualified path of the .CER file that you created when you created the certificate for the AppOnly context configuration. The command will copy into the clipboard a JSON snippet that you will use in the upcoming steps. Paste the content of the clipboard in a safe place (like a fresh new notepad file).
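Review bot: "Choose i.e.:" on the new line that introduces the permission list should read "for example:" (or "e.g.:"), since "i.e." means "that is" and the consent step later calls Sites.FullControl.All "this sample". While touching that line, say explicitly that Sites.FullControl.All is the broadest SharePoint application permission and that readers should select the narrowest permission that covers their scenario, because whatever is granted here becomes the standing access of anyone holding the certificate's private key (the .PFX and its password from the step above).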
221
-
222
-
Go back to the Azure AD Application that you created in the previous step and click the "Manifest" button at the top of the blade, then click Edit'. Search for the **keyCredentials** property and replace it with the snippet you generated before, this will be like:
187
+
To confirm that the certificate was successfully registered, click on "Manifest" in the left menu bar. Search for the **keyCredentials** property. It should look like:
223
188
224
189
```JSON
225
190
"keyCredentials": [
226
191
{
227
192
"customKeyIdentifier": "<$base64CertHash>",
228
-
"keyId": "<$KeyId>",
193
+
"endDate": "2021-05-01T00:00:00Z",
194
+
"keyId": "<$guid>",
195
+
"startDate": "2019-05-01T00:00:00Z",
229
196
"type": "AsymmetricX509Cert",
230
197
"usage": "Verify",
231
-
"value": "<$base64Cert>"
198
+
"value": "<$base64Cert>",
199
+
"displayName": "CN=<$name of your cert>"
232
200
}
233
201
],
234
202
```
235
203
236
-
Click Save when you complete this step.
204
+
If you see a section looking somewhat similar to this, the certificate has been added successfully.
237
205
238
-
In this sample the Sites.FullControl.All application permission require admin consent in a tenant before it can be used. Create a consent URL like the following:
206
+
In this sample the Sites.FullControl.All application permission require admin consent in a tenant before it can be used. In order to do this, click on "API permissions" in the left menu again. At the bottom you will see a section "Grand consent". Click on the "Grand admin constent for <organizationname>" button and confirm the action by clicking on the "Yes" button that appears at the top.

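Review bot: The new consent line has typos in the UI names it quotes: "Grand consent" should be "Grant consent" and "Grand admin constent for <organizationname>" should be "Grant admin consent for <organizationname>"; readers searching the portal for the quoted text will not find it otherwise. The same line also carries over "permission require admin consent" from the old text; make it "permission requires admin consent".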
243
209
244
-
Using the application id from my Azure AD app and consenting to the app from my tenant contoso.onmicrosoft.com, the URL looks like this:
210
+
## Using this principal with PnP PowerShell
211
+
If you want to use this AAD App Only principal with [PnP PowerShell](https://github.com/SharePoint/PnP-PowerShell), after you have installed the PnP PowerShell module, you can connect to your SharePoint Online environment using:
Connect-PnPOnline -ClientId <$application client id as copied over from the AAD app registration above> -CertificatePath '<$path to the PFX file generated by the PowerShell script above>' -CertificatePassword (ConvertTo-SecureString -AsPlainText "<$password assigned to the generated certificate pair above>" -Force) -Url https://<$yourtenant>.sharepoint.com -Tenant "<$tenantname>.onmicrosoft.com"
248
215
```
249
216
250
-
Browsing to the created URL and log in as a tenant admin, and consent to the application. You can see the consent screen show the name of your application as well as the permission scopes you configured.
251
-
252
-

253
-
254
-
> [!NOTE]
255
-
> After clicking “Accept” you’re redirected to the sign-in URL you specified earlier (https://www.pnp.com in our case) …if that URL is not valid the redirect will fail but the grant was done successful, so nothing to worry about.
256
-
217
+
You can now perform operations through PnP PowerShell against your SharePoint Online environment using this certificate App Only trust.
257
218
258
219
## Using this principal in your application using the SharePoint PnP Sites Core library
259
220
In a first step, you add the SharePointPnPCoreOnline library nuget package: https://www.nuget.org/packages/SharePointPnPCoreOnline. Once that’s done you can use below code construct:
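Review bot: The added Connect-PnPOnline line puts the PFX password in clear text on the command line via ConvertTo-SecureString -AsPlainText "<$password ...>" -Force, which lands in shell history, transcripts and any script that copies the snippet. Suggest showing the password being read at run time instead, e.g. -CertificatePassword (Read-Host -AsSecureString "Certificate password"), and saying the inline form is for illustration only. The added line also appears without an opening code fence while a closing ``` follows it, so check the fence pair renders.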
@@ -316,6 +277,9 @@ $clientContext.ExecuteQuery()
316
277
$clientContext.Web.Title
317
278
```
318
279
280
+
## Using this principal with the Pnp Modernization Scanner
281
+
Now you have created the Azure Active Directory Application Registration, proceed with [following the steps here](https://docs.microsoft.com/en-us/sharepoint/dev/transform/modernize-scanner) to use this principal with the tool.
282
+
319
283
## FAQ
320
284
### Can I use other means besides certificates for realizing app-only access for my Azure AD app?
321
285
No, all other options are blocked by SharePoint Online and will result in an Access Denied message.
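Review bot: The new heading "Using this principal with the Pnp Modernization Scanner" spells the project as "Pnp" while the rest of the article (and the linked section name) uses "PnP"; change it to "PnP Modernization Scanner" for consistency.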