0

I found this video on YouTube which show how to use PnP core inside Azure Function to integrate with SharePoint Online @ https://www.youtube.com/watch?v=9erhWdwbkq8&t=543s

but can i have the same features but instead of using PnP core to use CSOM + instead of securing the Azure Active Directory App using Certificate to secure it using client secret ?

Thanks

Improve this question
2
  • Why would you use a secret instead of a certificate? Commented Feb 16, 2023 at 1:15
  • @CallumCrowley thanks for the reply. because client secrets can provide an acceptable level of security with minimal cost/administration effort to manage it compared to certificates ... but from Ron answer seems if we want to use CSOM we need to use certificates ? Commented Feb 16, 2023 at 7:26

2 Answers 2

Reset to default
1

The SharePoint Client Object Model and REST API require that you use client Id and certificate when requesting tokens that have application (app only) permissions from Azure AD. If you use a client Id and secret to get a token that has application permissions, the SharePoint Client Object Model and REST API will throw an exception when that token is used with a request.

It's worth noting that the Microsoft Graph doesn't have the same restriction. With Microsoft Graph you can use client Id and secret to get tokens that have application permissions and then use those tokens when making requests to SharePoint.

I'm not sure why CSOM and REST have the restriction and Microsoft Graph does not. It seems a little counterintuitive.

Improve this answer
8
  • thanks for the reply... so if we want to use CSOM then we have to use certificates? and from where we can gain such a certificate? assuming we do not want to use self-signed because we are going to publish it to a production environment... second question, regarding Graph does it have a libraries we can use inside visual studio ? or we will need to perform row REST API calls ? Thanks Commented Feb 16, 2023 at 7:30
  • I'll answer each of your questions in a separate comment. First, if you want to use CSOM with a token that has application permissions then, yes, you will need to use client Id and certificate. Commented Feb 16, 2023 at 10:56
  • The use of self-signed certificates for Azure AD authentication is pretty common, but if you want you can get a certificate from a certificate authority like Let's Encrypt or DigiCert. Commented Feb 16, 2023 at 10:59
  • There are Microsoft Graph SDKs for C#, JavaScript, and other languages you can use if you'd prefer not to use the REST API. learn.microsoft.com/en-us/graph/sdks/sdks-overview Commented Feb 16, 2023 at 11:03
  • 2
    No, you don't need to replace CSOM with Microsoft Graph right away, however there may come a time where you will need to do so. When that might happen depends on how quickly Microsoft can get Microsoft Graph close to functional parity with CSOM. They have a long way to go to do that, so I expect CSOM to be a viable choice for several years to come. Commented Feb 16, 2023 at 18:51
0

Other people are saying that you need a certificate to work with CSOM app context permissions. Thats not true, you can authenticate and use it with only client id and secret.

AuthenticationManager authManager = new AuthenticationManager();
            ClientContext context = authManager.GetACSAppOnlyContext(Siteurl, clientId, clientSecret);

            Web web = context.Web;
            context.Load(web);
            context.ExecuteQueryRetry(2);

It works. I have been using it this way all the time

Improve this answer
2
  • 1
    That technique is using the add-in security model. That is, it is authenticating against Azure Access Control Services (ACS), not Azure AD. From Granting access using SharePoint App-Only (learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/…), "For new tenants, apps using an ACS app-only access token is disabled by default. We recommend using the Azure AD app-only model which is modern and more secure." Commented Feb 21, 2023 at 11:18
  • Thanks for the detailed explanation Commented Feb 21, 2023 at 11:25

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.