Set up App-Only Auth with Key for SharePoint Online
These steps are based on Microsoft’s Granting Access via Azure AD App-Only.
Create the .cer and .pfx file
-
Connect a Windows system (any Windows machine is fine).
-
Save this PowerShell script as Create-SelfSignedCertificate.ps1.
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Creates a Self Signed Certificate for use in server to server authentication
.DESCRIPTION
.EXAMPLE
PS C:\> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21
This will create a new self signed certificate with the common name "CN=MyCert". During creation you will be asked to provide a password to protect the private key.
.EXAMPLE
PS C:\> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21 -Password (ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)
This will create a new self signed certificate with the common name "CN=MyCert". The password as specified in the Password parameter will be used to protect the private key
.EXAMPLE
PS C:\> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21 -Force
This will create a new self signed certificate with the common name "CN=MyCert". During creation you will be asked to provide a password to protect the private key. If there is already a certificate with the common name you specified, it will be removed first.
#>
Param(
[Parameter(Mandatory=$true)]
[string]$CommonName,
[Parameter(Mandatory=$true)]
[DateTime]$StartDate,
[Parameter(Mandatory=$true)]
[DateTime]$EndDate,
[Parameter(Mandatory=$false, HelpMessage="Will overwrite existing certificates")]
[Switch]$Force,
[Parameter(Mandatory=$false)]
[SecureString]$Password
)
# DO NOT MODIFY BELOW
function CreateSelfSignedCertificate(){
#Remove and existing certificates with the same common name from personal and root stores
#Need to be very wary of this as could break something
if($CommonName.ToLower().StartsWith("cn="))
{
# Remove CN from common name
$CommonName = $CommonName.Substring(3)
}
$certs = Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object{$_.Subject -eq "CN=$CommonName"}
if($certs -ne $null -and $certs.Length -gt 0)
{
if($Force)
{
foreach($c in $certs)
{
remove-item $c.PSPath
}
} else {
Write-Host -ForegroundColor Red "One or more certificates with the same common name (CN=$CommonName) are already located in the local certificate store. Use -Force to remove them";
return $false
}
}
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$CommonName", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 2048
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.ExportPolicy = 1 # This is required to allow the private key to be exported
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") # Server Authentication
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = $StartDate
$cert.NotAfter = $EndDate
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
return $true
}
function ExportPFXFile()
{
if($CommonName.ToLower().StartsWith("cn="))
{
# Remove CN from common name
$CommonName = $CommonName.Substring(3)
}
if($Password -eq $null)
{
$Password = Read-Host -Prompt "Enter Password to protect private key" -AsSecureString
}
$cert = Get-ChildItem -Path Cert:\LocalMachine\my | where-object{$_.Subject -eq "CN=$CommonName"}
Export-PfxCertificate -Cert $cert -Password $Password -FilePath "$($CommonName).pfx"
Export-Certificate -Cert $cert -Type CERT -FilePath "$CommonName.cer"
}
function RemoveCertsFromStore()
{
# Once the certificates have been been exported we can safely remove them from the store
if($CommonName.ToLower().StartsWith("cn="))
{
# Remove CN from common name
$CommonName = $CommonName.Substring(3)
}
$certs = Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object{$_.Subject -eq "CN=$CommonName"}
foreach($c in $certs)
{
remove-item $c.PSPath
}
}
if(CreateSelfSignedCertificate)
{
ExportPFXFile
RemoveCertsFromStore
}-
Open a Command prompt or PowerShell: Run as Administrator
-
Run the below script to create the .pfx and .cer files needed for the next steps, where:
-
StartDate: Current Date -
EndDate: Current Date + 2 years -
CommonName: Name given to the .cer and .pfx files, such asYourFileName
-
\Create-SelfSignedCertificate.ps1 -CommonName "YourFileName" -StartDate YYYY-MM-DD -EndDate YYYY-MM-DDAt running the command, a password will be requested to protect the private key. YourFileName.pfx and YourFileName.cer files will be created.
Register a new App
-
Go to the Azure Portal , select the Azure Active Directory section, and choose the option App registrations.
-
Register a new application: App Registrations → New Registration https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
| Once the application has been created, copy the Application (client) ID as you’ll need to configure the datasource. |
Grant permission to App
-
From API permissions in the left menu bar, click on the Add a permission button. Choose the permissions that you will grant to this application.
-
Choose Sharepoint permissions, and select the permissions needed (Application → Sites.FullControl.All)
-
-
Click on the Grant admin consent for OrganizationName button and confirm the action by clicking on the Yes button that appears at the top.
-
From Certificates & Secrets in the left menu, upload the Certificate file (YourFIleName.cer) created earlier:
Obtain the base64 code from the .pfx file
It can be obtained in two ways
-
From Command Line (Linux)
-
Convert the .pfx to .pc12
keytool -importkeystore -srckeystore YourFileName.pfx -srcstoretype pkcs12 -destkeystore yourcert.p12 -deststoretype pkcs12
*Convert the .pc12 to base64
base64 -i yourcert.p12 > base64.txt
-
Open the .txt file and copy the value generated, you will need it to configure the datasource config
-
-
From PowerShell
-
From PowerShell, run the following commands:
$fileContentBytes = get-content '.\YourFileName.pfx' -Encoding Byte [System.Convert]::ToBase64String($fileContentBytes) | Out-File 'pfx-encoded-bytes.txt'
-
Open the .txt file and copy the value generated, you will need it to configure the datasource config
-
Renew the Certificate
When the certificate expires, the crawl will fail with the following error:
Client assertion contains an invalid signature. [Reason - The key used is expired
1AuthenticationException: {"error_description":"AADSTS700027: Client assertion contains an invalid signature. [Reason - The key used is expired., Thumbprint of key used by client:"...]}The .cer and .pfx need to be renewed. Follow these steps:
-
Execute the script from '' to get a new .cer and .pfx files
-
Go to the Azure Portal, select the Azure Active Directory section, choose the option App registrations, and open the Application from where the certificate expired.
-
From Certificates & Secrets’in the left menu bar, remove the older certificate, and upload the new one
-
Obtain the base64 from the renewed .pfx file
-
Set up App-only Authentication With Private Key into Sharepoint v2 plugin
-
Client ID, and Base64 from the .pfx file, and password for the private key, must be set into Azure AD Client ID, AZURE AD PKCS12 BASE64 KEYSTORE, and AZURE AD PKCS12 KEYSTORE PASSWORD properties respectively
-
Set the appropriate tenant into Azure AD Tenant property, for example,
lucidworksfusion.onmicrosoft.com