dataiku / dss-plugin-sharepoint-online

Dataiku DSS plugin to interact with your lists and documents stored on Microsoft SharePoint Online
https://www.dataiku.com/product/plugins/sharepoint-online/
Apache License 2.0

Create secret not working. Login option 3 #56

Open Erdb33reis opened 3 months ago

Erdb33reis commented 3 months ago

Hi,

Option 3 is unfortunately no longer usable due to the deprecation of a function by Microsoft. https://www.dataiku.com/product/plugins/sharepoint-online/ MS info: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs

Are there any alternative ways we can use the SharePoint integration or will this be the point at which we can no longer use it? Options 1 and 2 are not practicable for our company (MFA).

ElectroTiger commented 2 months ago

^ Upvoted this issue for visibility, in that this Dataiku plugin should begin to support Microsoft's recommended alternative for app-only authentication, which seems to be Azure AD Registered Apps with certificate authentication: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread; https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/from-acs-to-aad-apps. In fact, I can see that there is an open pull request to make this happen: https://github.com/dataiku/dss-plugin-sharepoint-online/pull/48

@Erdb33reis Meanwhile, I do find that Method 3 still works, but you may be encountering issues since Dataiku's documentation seems to be inaccurate. I spent a couple hours troubleshooting myself, and I can tell you this:

If you get this error: [image]

At your /appinv.aspx link, modify your Permission Request XML to set the permissionrequestscope as such: [image]

If you get this error: [image]

Use PowerShell (as a tenant admin) to enable the deprecated Custom App Authentication:

```powershell
# Check if SharePoint module is currently installed; returns nothing if not.
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select-Object Name,Version

# Installs PowerShell module for this user.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser

# Connect to SharePoint (opens up separate window for auth)
Connect-SPOService -Url https://teragonia-admin.sharepoint.com

# Enable Custom App Authentication
Set-SPOTenant -DisableCustomAppAuthentication $false
```

If you want to narrow down your permission request XML further (best practice), check out this Medium article on what URL you use to access the "appinv.aspx" to scope to a particular site collection / site / library - and I suspect that the right that is needed is only "Manage" rather than "FullControl": https://medium.com/ng-sp/sharepoint-add-in-permission-xml-cheat-sheet-64b87d8d7600
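An added example, not part of the thread or of the plugin's code: a small check that flags a permission request XML whose scope or right is broader than a chosen ceiling, as a way to act on the narrowing advice in the comment above. The function names and both sample documents are constructed for illustration, and the default ceiling (site collection, "Manage") only mirrors the comment's suggestion; it is an assumption, not a confirmed minimum for the plugin.

```python
import xml.etree.ElementTree as ET

# Content scopes and rights of the SharePoint add-in permission model, narrowest first.
SCOPES = [
    "http://sharepoint/content/sitecollection/web/list",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/tenant",
]
RIGHTS = ["Read", "Write", "Manage", "FullControl"]

def local(tag):
    """Drop an XML namespace prefix such as '{urn:...}AppPermissionRequest'."""
    return tag.rsplit("}", 1)[-1]

def review(xml_text, max_scope=SCOPES[2], max_right="Manage"):
    """Return findings for permission requests broader than the given ceiling.

    The default ceiling is an assumption taken from the comment above.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "AppPermissionRequest":
            continue
        scope, right = el.get("Scope", ""), el.get("Right", "")
        if scope not in SCOPES:
            # Not a content scope (or a typo): needs a manual look.
            findings.append(("unknown-scope", scope))
        elif SCOPES.index(scope) > SCOPES.index(max_scope):
            findings.append(("scope-too-broad", scope))
        if right not in RIGHTS:
            findings.append(("unknown-right", right))
        elif RIGHTS.index(right) > RIGHTS.index(max_right):
            findings.append(("right-too-broad", right))
    return findings

# Constructed samples: a tenant-wide grant and a site-collection-scoped one.
BROAD = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>"""
NARROW = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Manage" />
</AppPermissionRequests>"""

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, review(doc) or "within ceiling")
```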