SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

Access Sharepoint online from web app with authenticated user #6017

Closed MauricioUY closed 4 years ago

MauricioUY commented 4 years ago

Hello,

I'm in the migration process from Sharepoint 2010 on-premises to Sharepoint Online.

I have Office Add-ins which use web methods containing CSOM/PnP code to work with SharePoint Online. The web service is hosted in IIS with NTLM integrated security in a Windows 2016 domain. This domain is synced with Azure AD, and we have single sign-on configured. I need to automatically authenticate the user who is working with the Office Add-in against SharePoint Online. I already read documents like this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs or this: https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient The samples which connect directly from the client app to SPO work great, using the logged-in user, but in my case we have a jump to a web service from the client PC, and I need to authenticate that user.

So: the user is authenticated on his PC with Office, CALLS a web service (IIS), which CALLS SharePoint Online. How could I authenticate automatically with integrated security? I really appreciate any help, thanks a lot!! Mauricio.



msft-github-bot commented 4 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

andrewconnell commented 4 years ago

Not sure you're going to be able to leverage the user's credentials from the PC => web service => SPO... that's multiple hops & it's blocked by default.

The AADHttpClient is a SPFx object... SPFx isn't relevant here as you're talking about doing everything from outside the SPO UX (SPFx is a client-side customization framework).

Conceptually, you could create an Azure AD app & give it permissions to SPO that your web service leverages to authenticate with Azure AD, obtain an access token, and connect to SPO either direct to the SP REST API or using Microsoft Graph.

MauricioUY commented 4 years ago

Hello Andrew, thanks for your answer.

OK, no SPFx then... I already tried with an Azure AD app registered, and this works great, but in this case the identity and permissions are for this app and not for the authenticated user....

Now I'm trying for this way: https://github.com/Azure-Samples/active-directory-dotnet-iwa-v2

Any help will be appreciated, thanks!

andrewconnell commented 4 years ago

You may want to look into the Azure AD docs for creating a web API that implements the on-behalf-of (OBO) pattern...
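The two token flows discussed in this thread, the app-only client-credentials grant Mauricio already tried and the on-behalf-of (OBO) exchange Andrew points to, differ only in the request the web service sends to the Azure AD token endpoint. The following is an added example, not code from the issue, from sp-dev-docs or from Microsoft; it shows both requests as raw OAuth 2.0 form posts (the same requests MSAL's `ConfidentialClientApplication` issues in .NET or Python), the header check the web service performs before it forwards the add-in's token, and the SharePoint REST call whose result shows whose identity the token carries. The tenant name, tenant id, client id, secret and every token value are constructed placeholders, and `fake_token_endpoint` is a constructed stand-in for login.microsoftonline.com so the script runs offline.

```python
"""Added example: app-only vs on-behalf-of token requests for a web service
that calls SharePoint Online. All identifiers are constructed placeholders."""
import json
import urllib.parse
import urllib.request

# Constructed placeholders; real values come from the app registration.
TENANT = "contoso"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client-secret-from-key-vault>"

TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
SPO_SCOPE = f"https://{TENANT}.sharepoint.com/.default"   # all granted SPO permissions
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def app_only_token_request():
    """Client-credentials grant: the token carries the app registration's own
    identity and its application permissions, so SharePoint sees the app,
    not the user sitting in front of the add-in."""
    return {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": SPO_SCOPE,
    }


def obo_token_request(incoming_user_token):
    """On-behalf-of grant: the web service presents its own credential plus the
    access token the add-in sent it (audience = this API) and receives a
    SharePoint token that still represents the user and the user's
    permissions. This is how the second hop stays tied to the user."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "assertion": incoming_user_token,
        "scope": SPO_SCOPE,
        "requested_token_use": "on_behalf_of",
    }


def bearer_token(authorization_header):
    """Extract the add-in's token from the Authorization header. The hosting
    framework must still validate signature, issuer, audience and expiry of
    this token before it is forwarded as the OBO assertion."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return token.strip()


def post_form(form, opener=urllib.request.urlopen):
    """POST a form-encoded grant to the token endpoint and return its JSON."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def current_user_request(access_token):
    """SharePoint REST call that shows whose identity a token carries: an OBO
    token returns the add-in user, an app-only token returns the app."""
    req = urllib.request.Request(f"https://{TENANT}.sharepoint.com/_api/web/currentuser")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json;odata=nometadata")
    return req


class _CannedResponse:
    """Constructed stand-in for an HTTP response so the demo runs offline."""

    def __init__(self, payload):
        self._payload = json.dumps(payload).encode()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self._payload


def fake_token_endpoint(req):
    """Constructed token endpoint: answers with a token that names the
    identity the grant type produces, and rejects a malformed OBO request."""
    form = dict(urllib.parse.parse_qsl(req.data.decode()))
    if form["grant_type"] == OBO_GRANT and form.get("requested_token_use") != "on_behalf_of":
        return _CannedResponse({"error": "invalid_request"})
    who = "user" if form["grant_type"] == OBO_GRANT else "app"
    return _CannedResponse({"access_token": f"constructed-{who}-token", "token_type": "Bearer"})


if __name__ == "__main__":
    user_token = bearer_token("Bearer eyJ.constructed.jwt")   # constructed add-in token
    obo = post_form(obo_token_request(user_token), opener=fake_token_endpoint)
    app = post_form(app_only_token_request(), opener=fake_token_endpoint)
    print("OBO token     ->", obo["access_token"])
    print("app-only token ->", app["access_token"])
    print(current_user_request(obo["access_token"]).get_header("Authorization"))
```

Dropping `opener=fake_token_endpoint` sends the real requests; the web API registration then needs the SharePoint delegated permission granted and the add-in's client registration must request a scope exposed by that API, otherwise the OBO exchange is refused.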

msft-github-bot commented 4 years ago

Closing this issue as "answered". If you encounter a similar issue(s), please open up a new issue. See our wiki for more details: Issue-List: Our approach to closed issues