Setting up SharePoint app-only principal with App Registration

Introduction

Access to SharePoint Online (SPO) can be granted in three different ways:

  • User access
  • Service account access
  • App access

User access is the familiar case: site owners grant users of the site access to the content within the SPO site.

Service account access uses a dedicated (non-human) user account. Such an account is typically used by backend jobs to monitor the site or to perform specific tasks such as adding or modifying content, adding or deleting users, etc.

App access: a third-party app or a provider-hosted app gets access to the SPO site by creating an app registration and then granting its service principal (SPN) access to the site.

The article walks through the following steps.

  • Creating App Registration
  • Configuring Client Credentials
  • Configuring API Access
  • Configuring Site Access
  • Validation

Apps that still authenticate with the client credentials flow using a client ID and client secret depend on legacy (ACS-based) authentication in SharePoint Online.

Before Entra app registrations were used for this, access to SharePoint Online sites was granted through Windows Azure Access Control Services (ACS) via /_layouts/15/appregnew.aspx. AppRegNew.aspx creates an app principal with a client ID, a client secret, and an application name. A registration created this way has access only to that site collection: the same client credentials cannot be reused for other site collections, so a separate set of client credentials has to be created for each site.

The use case here is to create an App Registration and use it for different site collections.

Note. Azure Access Control Services (ACS) acts as a trusted token provider for SharePoint provider-hosted apps and remote components in an OAuth 2.0 authorization flow. Microsoft announced the deprecation of Azure ACS for SharePoint Online on November 27, 2023, and it will stop working after April 2, 2026. New integrations should use modern OAuth 2.0 authentication with certificate-based app-only access instead of a client secret.

Before going to the next steps, check whether your M365 tenant still allows legacy authentication. Work with a SharePoint Administrator or Global Administrator to check whether custom app authentication is enabled; the property is read from the tenant after connecting to the admin site with the SharePoint Online Management Shell:

Connect-SPOService -Url https://contoso-admin.sharepoint.com
(Get-SPOTenant).DisableCustomAppAuthentication

If the value is $false, custom app authentication is allowed, and the client credentials flow is supported. If the value is $true, custom app authentication is disabled, and the client credentials flow will not work; a SharePoint Administrator can re-enable it with Set-SPOTenant -DisableCustomAppAuthentication $false, but only for as long as ACS itself remains available.

Creating App Registration:

Follow the steps below to create the app. As a prerequisite, you need access to the Azure portal and a role that can grant tenant-wide admin consent (Global Administrator or Privileged Role Administrator) for the consent step later on.

Step 1. Log in to the Azure portal at https://portal.azure.com with your organization account. Click 'Microsoft Entra ID' on the home page; if it is not shown, search for Entra.

Azure Portal Login

Azure Portal Home

Step 2. On the Entra page, under the 'Manage' section, click 'App registrations' and then 'New registration'.

App Registration - New Registration

App Registration - New Registration Page

Step 3. On the new registration page, give the app a name. Here, I have used svcazsp-contoso-dev-access. Leave the rest of the options at their defaults: the supported account type stays 'Accounts in this organizational directory only', since we are configuring this app only for the existing tenant, and no redirect URI is needed for an app-only principal.

Register application

Step 4. Once the App Registration is successfully completed, it will navigate to the app home page, where you can see the

The above steps conclude with creating the App registration.

Configuring Client Credentials

In this section, we will configure client credentials.

Step 1. Click on 'Certificates and Secrets' --> New Client Secret.

Certificates and Secrets - New Client Secret

Client Secrets

Step 2. Enter a description. In this case, I kept the default expiry of six months; it can be extended up to 24 months. Shorter lifetimes limit the damage if the secret leaks, so pick the shortest expiry the consuming job can tolerate and plan its rotation.

Certificates and Secrets - Client Secret Description

Step 3. Copy the client secret value now. Once you navigate away from this page, the value cannot be displayed again; you would have to create a new secret. Treat the value as a password: store it in a secrets store such as Azure Key Vault, never commit it to source control or paste it into scripts, and note the expiry date so the job does not break silently when the secret lapses.
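The two procedures above (creating the registration, then adding a client secret) can also be scripted. The following is an added example written for this article using the Microsoft Graph PowerShell SDK; it is not code from the original article. The display name matches the one used above, while the secret description, the six-month expiry, and the way the secret is handed back are my own choices.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example: scripts the "Creating App Registration" and
# "Configuring Client Credentials" steps with Microsoft Graph PowerShell.
# Assumptions: the signed-in account can consent to Application.ReadWrite.All,
# and the names/expiry below are illustrative.

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$displayName = "svcazsp-contoso-dev-access"   # same name as in the article

# Single-tenant registration, the equivalent of leaving the portal defaults
# ("Accounts in this organizational directory only"). No redirect URI is set
# because an app-only principal never signs a user in.
$app = New-MgApplication -DisplayName $displayName -SignInAudience "AzureADMyOrg"

# Create the matching service principal (the "Enterprise application") so the
# tenant has an identity that SharePoint can look up by client ID.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Add a client secret with a six-month lifetime (the portal default).
# Like the portal, Graph returns the secret value exactly once, in SecretText.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "spo-appinv-$(Get-Date -Format yyyyMMdd)"
    EndDateTime = (Get-Date).AddMonths(6)
}

# Convert the secret to a SecureString immediately so the plaintext is not
# echoed to the console, a transcript, or the pipeline by accident.
$secret = ConvertTo-SecureString $cred.SecretText -AsPlainText -Force

# Return everything the later steps need: the client ID goes into appinv.aspx
# and Connect-PnPOnline, the expiry drives rotation, the secret goes to a vault.
[pscustomobject]@{
    ClientId           = $app.AppId          # "Application (client) ID" in the portal
    ServicePrincipalId = $sp.Id
    TenantId           = (Get-MgContext).TenantId
    SecretExpires      = $cred.EndDateTime
    Secret             = $secret
}
```

The returned Secret is a SecureString; pass it to your secrets store (for example Set-AzKeyVaultSecret) rather than writing it out, and keep SecretExpires somewhere the team will see it before the six months are up.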

Configuring API Access

In this section, we configure the API permissions, i.e. which resource the SPN is allowed to request tokens for; in this case, it is SharePoint Online.

Step 1. In the 'Manage' section, click on 'API permissions'.

API Permissions - Manage

Step 2. Under 'Configured permissions', click 'Add a permission'.

API Permissions - Add a Permission

Step 3. Under the Microsoft APIs, select 'SharePoint' --> Select "Application Permissions" -->

API Permissions - Select SharePoint

API Permissions - Select Application Permissions

Step 4. Observe that once the API permission has been requested, the 'Status' column shows the warning 'Not granted for <tenant>...'. Application permissions always require tenant-wide admin consent because there is no signed-in user to consent.

API Permissions - Status Warning

For this, you need to work with a Global Administrator or a person with a privileged admin role to grant consent to this app.

Step 5. The Global Administrator or privileged admin clicks 'Grant admin consent for <tenant>', and the portal asks for confirmation. Select 'Yes'.

Grant admin consent confirmation

Step 6. Once consent has been granted, you should see a green check mark in the 'Status' column.

API Permissions - Consent Granted

The above steps conclude with configuring the API permissions for SharePoint.

Configuring Site Access

Now it's time to configure access to the SharePoint site. Because the app registration authenticates with client credentials (client ID and secret), i.e. the ACS flow, the site permission has to be granted via _layouts/15/appinv.aspx.

Step 1. Append "_layouts/15/appinv.aspx" to the URL of the site where the SPN needs to be granted access.

Step 2. Paste the Application (client) ID into the 'App Id' box and click 'Lookup'; the title is resolved from the app registration. Fill in the 'App Domain' (host name) and 'Redirect URL' fields; for an app-only principal these values are not used for sign-in, so a placeholder such as localhost is sufficient.

Step 3. Paste the permission request XML. The Scope can be tenant (http://sharepoint/content/tenant), sitecollection, web, or list, and the Right can be Read, Write, Manage, or FullControl. Grant the narrowest scope and right the job actually needs; in this case, I have used Write at the site collection scope. AllowAppOnlyPolicy="true" is what allows the app to act without a user context.

<AppPermissionRequests AllowAppOnlyPolicy="true">    
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write" />    
</AppPermissionRequests>

Add id

Note. As you can see in the banner on the page, ACS is being deprecated. After April 2, 2026, ACS will stop working completely.

ACS

Step 4. Click 'Create'. SharePoint then shows the requested permissions and asks whether to trust the app; click 'Trust It'. Once confirmed, the SPN has been granted the requested access to this site collection.

Dev access

The above steps conclude with configuring the permission to the SPN.

Validation

For the validation here, I am using PnP PowerShell.

Step 1. Connect to the site using Connect-PnPOnline with the client ID and client secret created above.

Validation - Connect to Site

You can ignore the warning that PnP PowerShell prints, as it only flags that this is legacy (ACS) authentication; it is expected here, since we are not making any Microsoft Graph requests with this connection.

Step 2. Run the command 'Get-PnPList'.

Validation - Get-PnPList Command

Connect-PnPOnline -Url "https://contoso.sharepoint.com/teams/QAVinay" -ClientId "clientidfromazuread" -ClientSecret "clientsecretgeneratedfromappregistration"

Get-PnPList
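Listing the lists only proves Read. The script below is an added example, not code from the original article: it verifies the Write right that was granted through appinv.aspx by creating and deleting an item, then confirms that the same client credentials are refused on a site collection that was not granted. The second site URL and the list name are assumptions, and the secret is read from an environment variable instead of being typed on the command line.

```powershell
#Requires -Modules PnP.PowerShell
# Added example: validates the appinv.aspx grant end to end.
# Assumptions: SPO_CLIENT_SECRET holds the client secret, "App Checks" is an
# existing custom list on the granted site, and the second site is one the
# principal was deliberately NOT granted on.
$clientId    = "clientidfromazuread"
$grantedSite = "https://contoso.sharepoint.com/teams/QAVinay"
$otherSite   = "https://contoso.sharepoint.com/sites/NotGranted"   # assumed
$listTitle   = "App Checks"                                         # assumed

# Keep the secret out of the script and the shell history.
$clientSecret = $env:SPO_CLIENT_SECRET
if (-not $clientSecret) { throw "Set SPO_CLIENT_SECRET before running this check." }

# 1. Connect with the ACS (client ID + secret) credentials from the article.
#    The legacy-auth warning is expected, as noted above, so it is suppressed.
Connect-PnPOnline -Url $grantedSite -ClientId $clientId -ClientSecret $clientSecret -WarningAction SilentlyContinue

# 2. Read check: the Write right includes Read.
$lists = Get-PnPList
Write-Host ("Read OK: {0} lists visible on {1}" -f $lists.Count, $grantedSite)

# 3. Write check: add an item and remove it again so the test leaves no trace.
#    An access-denied error here means the XML granted less than Write.
$item = Add-PnPListItem -List $listTitle -Values @{ Title = "appinv write check $(Get-Date -Format o)" }
Remove-PnPListItem -List $listTitle -Identity $item.Id -Force
Write-Host "Write OK: item $($item.Id) created and deleted in '$listTitle'"
Disconnect-PnPOnline

# 4. Negative check: the grant is scoped to one site collection, so the same
#    credentials must be refused elsewhere. If this succeeds, the principal has
#    a wider grant than intended; review it on _layouts/15/appprincipals.aspx.
try {
    Connect-PnPOnline -Url $otherSite -ClientId $clientId -ClientSecret $clientSecret -WarningAction SilentlyContinue
    $null = Get-PnPWeb
    Write-Warning "Unexpected: principal can read $otherSite; review its grants."
} catch {
    Write-Host "Scope OK: access to $otherSite refused ($($_.Exception.Message))"
} finally {
    Disconnect-PnPOnline -ErrorAction SilentlyContinue
}
```

Run it from a session where SPO_CLIENT_SECRET has been set (for example from a Key Vault lookup); both the positive and the negative check are needed, since a grant at tenant scope would pass step 3 just as happily as the intended site-collection grant.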

TLDR

In this article, we have covered:

  • The authentication to SharePoint online using a user account, service account, and App Principal.
  • Setting up App registration.
  • Setting up API permissions and consenting to the grant for the App.
  • Setting up permission for SPO sites using Permissions XML.

References