Connect to SharePoint Online using Azure AD App ID from PowerShell

Requirement: Connect to SharePoint Online with Azure Active Directory Application from PowerShell.

How to Connect to SharePoint Online using Azure Application ID from PowerShell?

Using Azure Application ID to connect to SharePoint Online is a great way to manage your SharePoint Online environment from unattended PowerShell scripts. In this post, we’ll go over the necessary steps to connect to SharePoint Online using the Azure Application ID from PowerShell.

Step 1: Setup Azure AD Application ID

To connect with SharePoint Online using Azure Application ID, the following steps are necessary:

  1. Register an Azure AD Application
  2. Grant Permission to the App
  3. Create a certificate and upload it to Azure App secret

Register an Azure App

The first step is creating a new app in the Azure App registrations.

  1. Log in to the Azure portal as Global Admin at https://aad.portal.azure.com
  2. Click on “Azure Active Directory” and then “App registrations”.
  3. Click on “Register an application” or the “New registration” button.
  4. Enter the name of your app, leave the default options, and then click on “Register”.
  5. You’ll be taken to the app summary. Make a note of the Application ID.

Grant Permissions to the Azure Application

Once the app is created, we have to grant it the necessary access. In our case, we are planning to use this App ID in our PowerShell scripts for SharePoint Online, so we have to grant the SharePoint application permission Sites.FullControl.All.

  1. From the created app summary page, click on “API permissions” in the left navigation and then click on “Add a permission”.
  2. In the “Request API permissions” page, select “SharePoint”.
  3. Select Application permissions >> select “Sites.FullControl.All” and click on “Add permissions”.
  4. Click on “Grant admin consent” to consent to the permissions.

Create a Certificate and Upload it to the App Secret

The next step is creating a secret for the app. Although a client secret (password) works, a certificate is preferable, so we generate a self-signed certificate to upload to the application.

$CertificateName = "SharePoint Online Certificate"
$CertificatePassword = "Password1"

#Get the "Documents" folder
$DocumentsFolder = [Environment]::GetFolderPath("MyDocuments")

#Generate a Self-signed Certificate
$Certificate = New-SelfSignedCertificate -Subject $CertificateName -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

#Export the Certificate to "Documents" Folder in your computer
Export-Certificate -Cert $Certificate -FilePath "$DocumentsFolder\$CertificateName.cer"

#Export the PFX File
Export-PfxCertificate -Cert $Certificate -FilePath "$DocumentsFolder\$CertificateName.pfx" -Password (ConvertTo-SecureString -String $CertificatePassword -Force -AsPlainText)

More on creating self-signed certificate is here: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate

Once the certificate is generated, the next step is to upload the certificate to the application secret.

  1. Go to your Azure app >> click on “Certificates & secrets”.
  2. Click on “Upload certificate”.
  3. Browse to the CER file generated and click on the “Add” button.
  4. Make a note of the “Thumbprint”. It identifies the certificate that will be used to authenticate to the application.

That’s all! Once you have completed all of these steps, you will be able to connect to SharePoint Online using the Azure Application ID from PowerShell!

Alternate Approach: PowerShell to Register App, Grant Permissions, and Client Secret

The above steps can be automated using a PowerShell script without going through the web user interface. Open the PowerShell console as Administrator and run this script:

Register-PnPAzureADApp -ApplicationName "SharePointApp" -Tenant "Crescent.com" -Store CurrentUser -SharePointApplicationPermissions "Sites.FullControl.All" -Interactive

This script registers a new Azure AD Application, creates a new self-signed certificate, and adds it to the local certificate store. It also uploads the certificate to the Azure app registration.


You’ll get a prompt to consent to the following permissions: “Sites.FullControl.All”. Log in and accept the permission request.


Make a note of Application ID/ClientID and Thumbprint.


Now, we are good to proceed with connecting to SharePoint Online with PnP PowerShell.

Step 2: Connect to SharePoint Online using App ID and Certificate

Once the Azure AD application is ready, you can connect to SharePoint Online from PnP PowerShell as:

#Parameters
$SiteURL = "https://Crescent.sharepoint.com/sites/retail"
$ClientID = "3735f461-fdb5-4360-8184-b30345e57796"
$ThumbPrint = "EE4C7845D6794F7525C2482551C2AC89F6B9CEE1"
$Tenant = "Crescent.com"

#Connect to SharePoint Online using Certificate
Connect-PnPOnline -Url $SiteURL -ClientId $ClientID -Thumbprint $ThumbPrint -Tenant $Tenant

#Get the Site
Get-PnPSite

Anyone who needs to connect to SharePoint Online with the App must first install the certificate (the PFX, including its private key) on their local machine, and then use the Client ID and the certificate thumbprint to authenticate.
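As an added example (not part of the original post), the connection above wrapped in a small pre-flight check: it confirms the certificate is actually in the store with its private key and is not expired or about to expire, which is what breaks unattended scripts when a certificate is never renewed. It also shows the certificate being created with an explicit validity period, since New-SelfSignedCertificate defaults to one year. Site URL, Client ID, thumbprint and tenant are the post’s sample values; the 30-day warning window and the two-year validity are assumptions.

```powershell
# Parameters (sample values from the post; WarnDays and the validity are assumed)
$SiteURL    = "https://Crescent.sharepoint.com/sites/retail"
$ClientID   = "3735f461-fdb5-4360-8184-b30345e57796"
$ThumbPrint = "EE4C7845D6794F7525C2482551C2AC89F6B9CEE1"
$Tenant     = "Crescent.com"
$WarnDays   = 30

# Create the app certificate with an explicit expiry instead of the one-year default,
# so the renewal date is a deliberate choice rather than a surprise. Run once, then
# upload the exported .cer to the app registration as in Step 1.
function New-AppCertificate {
    param([string]$Subject, [int]$ValidYears = 2)
    New-SelfSignedCertificate -Subject $Subject -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA `
        -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears($ValidYears)
}

# Verify the certificate before every connection: present, has a private key, still valid.
function Test-AppCertificate {
    param([string]$Thumbprint, [int]$WarnDays = 30)
    $Cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $Cert) {
        throw "Certificate $Thumbprint is not in Cert:\CurrentUser\My. Import the PFX first."
    }
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; the .cer alone cannot authenticate."
    }
    $DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    if ($DaysLeft -le 0) {
        throw "Certificate expired on $($Cert.NotAfter). Create a new one and upload it to the app."
    }
    if ($DaysLeft -le $WarnDays) {
        Write-Warning "Certificate expires in $DaysLeft days ($($Cert.NotAfter)). Plan the renewal now."
    }
    return $Cert
}

# Connect only after the check passes; the thumbprint comes from the verified object.
$Cert = Test-AppCertificate -Thumbprint $ThumbPrint -WarnDays $WarnDays
Connect-PnPOnline -Url $SiteURL -ClientId $ClientID -Thumbprint $Cert.Thumbprint -Tenant $Tenant
Get-PnPSite
```

Schedule a new certificate a few weeks before NotAfter, upload the new .cer to the app registration alongside the old one, and only then switch the thumbprint in the scripts, so there is no gap in service.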

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

3 thoughts on “Connect to SharePoint Online using Azure AD App ID from PowerShell”

  • That makes perfect sense – thank you for taking your time to reply 🙂

    Best regards
    Leif

  • Hi – and thanks for many great articles.
    A couple of questions regarding this one:
    1) Does this approach not have a built-in problem in relation to the certificates having an end-date? I think I see so many problems which have to do with missing certificate renewals. How can you overcome this situation, where you two years down the road suddenly face functionality that no longer works?
    2) Having the client secret in source code – is this good practice, or can it be compared to having a password in clear-text in the code?

    • Of course, the certificates must be renewed before their expiry. The Self-service SSL certificate generated has a validity of 10 years. Users can’t authenticate just by knowing the Thumbprint of the certificate, but they must have the certificate installed in their local machine – which makes it more secure compared with password-based client secrets.

