pnp / pnpframework

PnP Framework is a .NET library targeting Microsoft 365 containing the PnP Provisioning engine and a ton of other useful extensions
https://pnp.github.io/pnpframework/
MIT License

Is there a way to authenticate with Azure ACS and a certificate (App Only context) ? #488

Open jcanquelain opened 3 years ago

jcanquelain commented 3 years ago

Hi, I have an application which currently queries SharePoint Online using App Only access, based on Azure ACS (following this documentation).

It is the only way I found to restrict permissions to one given SharePoint site, because Azure AD applications' permissions only allow `Sites.*.All` permissions (for instance Sites.ReadWrite.All), which is too wide for me, and not allowed by my Organization (this gives access to all SharePoint sites for the tenant).

I currently authenticate against https://accounts.accesscontrol.windows.net/{{TENANT_ID}}/tokens/OAuth/2, with grant type "client_credentials" + ClientId and ClientSecret. This works like a charm, I can access the SharePoint site without giving SharePoint application permissions at Azure AD level!

So far, so good !

However, I have a technical requirement change from the security department, and I now need to authenticate using a certificate instead of ClientId + ClientSecret.

I searched for some time but couldn't find a way to use both ACS access + certificate.

I tried the following :

I have no more ideas... Is there some method that I missed, or a way to restrict permissions to one site using Azure AD?

Thanks !
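The ACS app-only flow the post describes, written out as an added example (not code from the issue or from PnP Framework). The tenant id, client id, secret, site host and site URL are placeholders, and the `clientId@realm` / `principalId/host@realm` formatting of `client_id` and `resource` is the classic SharePoint add-in (low-trust) convention, which the post links to but does not show, so treat it as an assumption of this example:

```csharp
// Added example, not the issue's or PnP Framework's own code: ACS client_credentials
// token request, then a CSOM ClientContext that sends that token as a bearer.
// Assumed: placeholder ids below, and the add-in "clientId@realm" / "resource" format.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.SharePoint.Client;

public static class AcsAppOnly
{
    // Well-known principal id of SharePoint Online used in the ACS "resource" value (assumption).
    private const string SharePointPrincipalId = "00000003-0000-0ff1-ce00-000000000000";

    // grant_type=client_credentials against ACS. The secret is itself a bearer credential:
    // whoever holds it gets exactly the same site-scoped access, which is why a security
    // team prefers a certificate whose private key can stay in a store or HSM.
    public static async Task<string> GetAcsTokenAsync(
        string tenantId, string clientId, string clientSecret, string siteHost)
    {
        var endpoint = $"https://accounts.accesscontrol.windows.net/{tenantId}/tokens/OAuth/2";
        var form = new Dictionary<string, string>
        {
            ["grant_type"]    = "client_credentials",
            ["client_id"]     = $"{clientId}@{tenantId}",
            ["client_secret"] = clientSecret,
            ["resource"]      = $"{SharePointPrincipalId}/{siteHost}@{tenantId}",
        };

        using var http = new HttpClient();
        using var response = await http.PostAsync(endpoint, new FormUrlEncodedContent(form));
        response.EnsureSuccessStatusCode();

        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return json.RootElement.GetProperty("access_token").GetString();
    }

    // Attach the ACS token to every CSOM request. Nothing in Azure AD grants this app
    // Sites.*.All; the permission was granted at the site level, as the post describes,
    // so the token is only good for that site.
    public static ClientContext CreateContext(string siteUrl, string accessToken)
    {
        var ctx = new ClientContext(siteUrl);
        ctx.ExecutingWebRequest += (sender, e) =>
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
        return ctx;
    }

    public static async Task Main()
    {
        // Placeholders (assumed). Read the secret from a vault or environment, never from source.
        const string tenantId = "00000000-0000-0000-0000-000000000000";
        const string clientId = "11111111-1111-1111-1111-111111111111";
        string clientSecret   = Environment.GetEnvironmentVariable("ACS_CLIENT_SECRET");
        const string siteHost = "contoso.sharepoint.com";
        const string siteUrl  = "https://contoso.sharepoint.com/sites/team";

        var token = await GetAcsTokenAsync(tenantId, clientId, clientSecret, siteHost);
        using var ctx = CreateContext(siteUrl, token);
        ctx.Load(ctx.Web, w => w.Title);
        await ctx.ExecuteQueryAsync();
        Console.WriteLine($"Connected app-only to: {ctx.Web.Title}");
    }
}
```

The shape of the request is the whole point: ACS only knows `client_secret`, there is no client-assertion (certificate) parameter on this endpoint, which is what the rest of the thread confirms.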

jackpoz commented 3 years ago

I use new PnP.Framework.AuthenticationManager(applicationId, certificate, tenant).GetContext(siteUrl) which is the same as your 2nd try PnP.Framework.AuthenticationManager.CreateWithCertificate() .

Which URL do you pass to GetContext()? Is it the SPO site URL?

jcanquelain commented 2 years ago

@jackpoz Thanks for the idea. I tried it, but same result as the others : works with rights defined at AAD level, doesn't work with rights only set at site level.

I use the SPO site URL in GetContext(). The URL looks like: https://<my_domain>.sharepoint.com/sites/<my_site>

jansenbe commented 2 years ago

@jcanquelain : ACS does not work with certs, Azure AD based auth does but is by default using a tenant wide permission. Sites.Selected today indeed only applies to Graph API calls but we're expanding that to support also SharePoint REST and CSOM requests...this should then unblock your scenario.
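The Azure AD side of jansenbe's answer, as an added example that is not code from the issue or from PnP Framework: an app registered with only the Graph application permission `Sites.Selected` receives an explicit grant on one site through Graph, and then opens a context with a certificate through `AuthenticationManager.CreateWithCertificate`. Whether CSOM requests honour that grant depends on the rollout jansenbe mentions; the Graph calls themselves work with `Sites.Selected` today. Assumptions: all ids, certificate subject names and the site host/path are placeholders; the one-time grant is issued by a separate administrative identity that holds `Sites.FullControl.All` (a Graph requirement not stated on the page):

```csharp
// Added example, not the issue's or PnP Framework's own code.
// Assumed: placeholder tenant/app ids, certificate subjects and site below;
// the grant step needs an identity with the Graph permission Sites.FullControl.All.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;
using PnP.Framework;

public static class SitesSelectedWithCertificate
{
    // App-only Graph token via MSAL with a certificate (signed client assertion, no secret).
    public static async Task<string> GetGraphTokenAsync(string clientId, string tenantId, X509Certificate2 cert)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(cert)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
        var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
                              .ExecuteAsync();
        return result.AccessToken;
    }

    // Administrative step, run once: give targetAppId "write" on exactly one site.
    // The target app carries only Sites.Selected, which grants access to nothing
    // until a site-level permission like this one exists.
    public static async Task GrantWriteOnSiteAsync(
        string adminGraphToken, string siteHost, string sitePath, string targetAppId, string targetAppName)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", adminGraphToken);

        // Resolve the Graph site id from hostname + server-relative path.
        var siteJson = await http.GetStringAsync($"https://graph.microsoft.com/v1.0/sites/{siteHost}:{sitePath}");
        var siteId = JsonDocument.Parse(siteJson).RootElement.GetProperty("id").GetString();

        var body = JsonSerializer.Serialize(new
        {
            roles = new[] { "write" },   // use "read" when the app never writes: least privilege
            grantedToIdentities = new[]
            {
                new { application = new { id = targetAppId, displayName = targetAppName } }
            }
        });
        using var resp = await http.PostAsync(
            $"https://graph.microsoft.com/v1.0/sites/{siteId}/permissions",
            new StringContent(body, Encoding.UTF8, "application/json"));
        resp.EnsureSuccessStatusCode();
    }

    public static async Task Main()
    {
        const string tenantId    = "00000000-0000-0000-0000-000000000000"; // placeholder
        const string adminAppId  = "11111111-1111-1111-1111-111111111111"; // holds Sites.FullControl.All
        const string targetAppId = "22222222-2222-2222-2222-222222222222"; // holds only Sites.Selected
        const string siteHost    = "contoso.sharepoint.com";
        const string sitePath    = "/sites/team";

        // Certificates come from the user store; private keys never appear in config or source.
        using var adminCert  = LoadCert("CN=admin-grant-app");
        using var targetCert = LoadCert("CN=site-scoped-app");

        var adminToken = await GetGraphTokenAsync(adminAppId, tenantId, adminCert);
        await GrantWriteOnSiteAsync(adminToken, siteHost, sitePath, targetAppId, "Site-scoped app");

        // Consuming app: the certificate-based AuthenticationManager already discussed above.
        using var auth = AuthenticationManager.CreateWithCertificate(targetAppId, targetCert, tenantId);
        using var ctx = auth.GetContext($"https://{siteHost}{sitePath}");
        ctx.Load(ctx.Web, w => w.Title);
        await ctx.ExecuteQueryAsync();
        Console.WriteLine($"Connected with certificate to: {ctx.Web.Title}");
    }

    private static X509Certificate2 LoadCert(string subjectName)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectName, validOnly: true);
        if (matches.Count == 0) throw new InvalidOperationException($"Certificate {subjectName} not found");
        return matches[0];
    }
}
```

The grant step is the control that replaces the ACS site-level grant: the target app's Azure AD registration still shows nothing wider than `Sites.Selected`, and revoking access is a `DELETE` on the same `/sites/{id}/permissions/{permissionId}` resource. The equivalent one-off administrative call in PnP PowerShell is `Grant-PnPAzureADAppSitePermission`.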

jcanquelain commented 2 years ago

Hi @jansenbe, thank you for your answer. I'll then wait and look forward to this support for SP REST and CSOM. Is there a feature / issue on the board I can subscribe to, to be notified when it will be released? Thanks!