
Custom SharePoint OAuth Connection with Certificate

info

Please note that from version 6.0.3378 the SharePoint connector supports certificate-based authentication.

It is now possible to use the client_credentials OAuth flow with Application permissions against SharePoint Online. This means you can create a long-lived connection to SharePoint that is not tied to a user account.

caution

Note that the client_credentials OAuth flow can only be used with a certificate; it does not work with a client secret.

Create Azure AD App Registration

Create a new Azure App Registration to use with SharePoint

Add Permissions

Add Application-scope permissions to the App Registration under API Permissions. Suggested values are Sites.ReadWrite.All, Sites.Manage.All or Sites.FullControl.All; grant the narrowest of these that your synchronisation actually needs.

Create a Certificate to use with Azure AD

You can use PowerShell to create a new self-signed certificate for OAuth authentication against SharePoint Online. The script below creates a 2-year certificate in the LocalMachine store and exports the public key file.

We are using the LocalMachine certificate store here so that the certificate is accessible to Ouvvi. You can adjust these settings to suit your requirements.

Run the script below from a temporary directory in an elevated (administrator) PowerShell session to create the new certificate. The public key file will be written to the current directory.

# Name used as the certificate subject (CN) and for the exported file
$certname = "SimegoDataSync-SharePoint"
# Create a 2048-bit RSA / SHA256 signing certificate in the LocalMachine store, valid for 2 years
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\LocalMachine\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(2)
# Export only the public certificate (.cer, no private key) for upload to Azure AD
Export-Certificate -Cert $cert -FilePath "$certname.cer"

Grant Private Key Permission

The Windows accounts that need access to the private key of this certificate must be granted permission on the private key in Windows Certificate Manager. The accounts that need access are those running Data Sync, i.e. your own user account and the Ouvvi service account.

Within the Windows Local Machine/Computer Certificate Manager you can manage the private key via Certificate -> All Tasks -> Manage Private Keys...

Upload Certificate to Azure AD App Registration

Upload the certificate file created earlier to the Azure App Registration under Certificates & Secrets, ensuring that the Thumbprint value shown matches that of your certificate.

Configure Data Sync Connection

Within the SharePoint Online connection choose Custom OAuth Application as the Authentication option and set ClientId to the App Registration Client Id, TokenUrl to the OAuth2 V2 endpoint URI, GrantType to client_credentials, and Certificate Thumbprint to either the certificate's Thumbprint value or its CN name.

You can then Authorise the connection, choose a List and save the connection to your connection library.
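The following PowerShell script is an added example, not part of the Simego documentation or the product: it checks the result of the steps above (the certificate is in the LocalMachine store with a private key, and the exported .cer carries the same thumbprint you will see in Azure AD and enter in the connection) and then grants the Ouvvi service account read access to the private key file as a scripted alternative to the Manage Private Keys... dialog. The certificate name must match $certname from the creation script; the service account name and the key-file locations are assumptions to adjust for your environment.

```powershell
# Added example, not Simego's code. Run elevated on the machine that holds the certificate.
$certName       = "SimegoDataSync-SharePoint"   # must match $certname from the creation script
$serviceAccount = "DOMAIN\OuvviServiceAccount"  # ASSUMPTION: placeholder, use the real Ouvvi service account
$cerFile        = ".\$certName.cer"             # the file exported by Export-Certificate

# 1. Locate the certificate in the LocalMachine store (newest one if several exist) and check it is usable.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$certName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "Certificate CN=$certName not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; the connector cannot sign the token request" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal" }

# 2. The thumbprint of the exported .cer is what Azure AD shows after upload; it must equal the store copy.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $cerFile).Path)
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file thumbprint $($exported.Thumbprint) does not match store thumbprint $($cert.Thumbprint)"
}
Write-Host "Thumbprint to enter in Azure AD and in the Data Sync connection: $($cert.Thumbprint)"

# 3. Grant the service account Read on the private key file (same effect as Manage Private Keys... > Read).
#    ASSUMPTION: the key is a machine key held either by the Microsoft Software Key Storage Provider
#    (CNG, the New-SelfSignedCertificate default) or by the legacy CSP; other providers are not handled.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw "Unsupported key provider; grant access through Manage Private Keys... instead"
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }

$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on the private key of $($cert.Thumbprint) to $serviceAccount"
```

Read access is all the connector needs to sign token requests; the key stays non-exportable for the service account even though it was created with -KeyExportPolicy Exportable for the creating administrator.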