Connecting to SharePoint Online Using Azure AD Application ID via PowerShell
Hello friends, as you know, we need to use powershell codes for some scheluder work on the sharepoint online side, and since we had to write the username and password in these powershell codes, this created a security vulnerability for us. Especially in script executions that require a talent admin user, your company will have to keep the user password that will manage all its control in a file.
To prevent this, we can use it by creating an Azure Application ID that will allow you to access sharepoint online via powershell.
For this, we first go to https://aad.portal.azure.com/ and log in.
Click on “Azure Active Directory” on the left menu on the home page and click on “App registrations” under the “Manage” heading in the middle of the screen that comes there. Here you can see your own apps, if any. We can go to the step of creating our new app registration by clicking “New registration” to create a new one.
On the new creation screen, we create the “SharePoint Online PowerShell App” in order to be suitable for the work I will do on behalf of my application, and select the city to be accessed only for my talent, and create it with the “Register” button at the bottom.
After the creation process is completed, it will direct us to the home page of our app register that we created. Here, we take note of the “Application (client) ID” information at the top and we will need to use it in the next steps.
Now we need to set the authorization for the app register we created. For this, we click on the “API permissions” section under “Manage” in the middle menu. To authorize on the incoming screen, click “Add a permission” to open the authorization selection screen.
In the “Request API permissions” right popup, we find “SharePoint” and select it.
Again, in the same right popup section, under the sharepoint title, we select the “Application permissions” option and select the “Sites.FullControl.All” option in the section just below and give our authorization definition with “Add permissions”.
For this authorization process, an administrator’s approval is also required. If you are logged in as an admin user, the “Grant admin consent for ..” button will be active at the top and you need to complete the authorization process by clicking it. If you do not find it active in this section, since you are not a global admin and the authority you will give is a critical authority, it will need to be given under the control of the administrator, so you should contact your management and ask for approval from this section.
After completing these approval parts, we need to create a certificate, install it and use it when connecting.
$CertificateName = "SharePoint Online PowerShell Certificate"
$CertificatePassword = "Password1"
$DocumentsFolder = [Environment]::GetFolderPath("MyDocuments")
$Certificate = New-SelfSignedCertificate -Subject $CertificateName -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Export-Certificate -Cert $Certificate -FilePath $DocumentsFolder\$CertificateName.cer
Export-PfxCertificate -Cert $Certificate -FilePath "$DocumentsFolder\$CertificateName.pfx" -Password (ConvertTo-SecureString -String $CertificatePassword -Force -AsPlainText)
We run the above powershell script “SharePoint Online Management Shell” application as administrator and write it there.
When we run the Powershell codes without any problems, you can see that our certificate files are created in the locations I marked above.
We see that we have created certificates with the extensions “.cer” and “.pfx” in the name we gave.
On the app register side we have created, we click on the “Certificates & secrets” option under the “Manage” heading in the middle menu, and come to the “Certificates” tab in the tabbed menu and open the upload screen with the “Upload certificate” button.
In the right popup that opens, we select our certificate with the extension “.cer” and load our certificate with the “Add” button.
After our certificate is uploaded, we also note the “Thumbprint” id information produced specifically for this certificate and we will be using it when connecting.
Now we are trying to connect to our sharepoint site with powershell using the settings and information we have made.
$SiteURL = "https://yunusemrearac.sharepoint.com/"
$ClientID = "cff6452c-ab1e-44f1-8791-418d670f5706"
$ThumbPrint = "73ECA2807230DCBC589214C1143FD8EE182D2AF6"
$Tenant = "yunusemrearac.onmicrosoft.com"
Connect-PnPOnline -Url $SiteURL -ClientId $ClientID -Thumbprint $ThumbPrint -Tenant $Tenant
In the example powershell code above, instead of the “$SiteURL” parameter, the sharepoint address to which you will connect, the application (client) id information given to us when we create the app register instead of the “$ClientID” parameter, the parameter value we get when we install our certificate instead of the “$ThumbPrint” parameter, and finally. In the “$Tanent” section, you write the tanent information that you will count as a connection.
When you make the above adjustments without any problems and enter the parameters in your powershell code completely, you can connect to your sharepoint site as above and perform your operations without the need for any username and password.