@joerodgers
Last active April 3, 2024 17:07
SharePoint Online App Principal Setup Instructions

SharePoint Online App Principal Creation

Create SharePoint App Principal

  1. Create a new SharePoint App Principal by navigating to https://<tenant>.sharepoint.com/sites/<targetsite>/_layouts/15/appregnew.aspx. Click the Create buttons for both the Client Id and Client Secret fields. For automation tasks (PowerShell, .NET executables) you can enter generic information for the App Domain and Redirect URL fields.

  1. Click the Create button.

  1. Copy the Client ID and Client Secret values to a secure location. Anyone holding these credentials can access, from the internet, all content the app principal has been granted access to.

  2. The Client Secret expires after 1 year from creation, so mark your calendar. For automation scenarios, it's very likely easier to generate a new Client Id and Client Secret and update the jobs, but you can use PowerShell to generate a new Client Secret that lasts for three years. Details for replacing an expiring Client Secret can be found at: https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in

Grant SharePoint App Principal Permissions

  1. Grant permissions to a SharePoint App Principal by navigating to https://<tenant>.sharepoint.com/sites/<targetsite>/_layouts/15/appinv.aspx.

  2. Paste the Client Id into the App Id field and click the Lookup button. Note: The Permission Request XML field will always be blank, even if you have previously granted the SharePoint App Principal rights.

  1. Paste in the App Permissions Request XML for the desired permission.

    Example App Permission Request that gives the app principal read access to a single list:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read"/>
</AppPermissionRequests>

More information about permission scopes: https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint#permission-request-scopes-for-other-sharepoint-features

  1. Click Create.

  2. In this example, we chose to scope the app principal permissions to a single list, so we now need to explicitly grant those permissions to the app principal. This will grant the app principal access to the Documents library. Depending on the scope you grant, you'll see a slightly different UI experience.
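
The permission request is what bounds the content a leaked Client Secret can reach, so it is worth checking the XML against a ceiling before pasting it into appinv.aspx. The PowerShell below is an added example, not part of the original gist: the function name Test-AppPermissionRequest, the ranking tables and the default ceiling (single list, Read) are assumptions of this example, and it expects un-namespaced XML like the request shown above.

```powershell
# Added example (not from the original gist). Test-AppPermissionRequest is a
# hypothetical helper; the ranking tables and default ceiling are assumptions.
function Test-AppPermissionRequest {
    param(
        [Parameter(Mandatory)] [string] $Xml,
        [string] $MaxScope = 'http://sharepoint/content/sitecollection/web/list',
        [string] $MaxRight = 'Read'
    )
    # Content scopes and rights, ordered narrowest to broadest.
    $scopeRank = @{
        'http://sharepoint/content/sitecollection/web/list' = 1
        'http://sharepoint/content/sitecollection/web'      = 2
        'http://sharepoint/content/sitecollection'          = 3
        'http://sharepoint/content/tenant'                  = 4
    }
    $rightRank = @{ Read = 1; Write = 2; Manage = 3; FullControl = 4 }

    $root = ([xml] $Xml).DocumentElement
    if ($root.LocalName -ne 'AppPermissionRequests') {
        throw "Unexpected root element '$($root.LocalName)'."
    }
    $appOnly = $root.GetAttribute('AllowAppOnlyPolicy') -eq 'true'

    foreach ($req in $root.SelectNodes('AppPermissionRequest')) {
        $scope = $req.GetAttribute('Scope')
        $right = $req.GetAttribute('Right')
        $findings = @()
        if (-not $scopeRank.ContainsKey($scope)) {
            $findings += 'scope not in table, review manually'
        } elseif ($scopeRank[$scope] -gt $scopeRank[$MaxScope]) {
            $findings += 'scope broader than ceiling'
        }
        if (-not $rightRank.ContainsKey($right)) {
            $findings += 'right not in table, review manually'
        } elseif ($rightRank[$right] -gt $rightRank[$MaxRight]) {
            $findings += 'right higher than ceiling'
        }
        [pscustomobject]@{
            Scope = $scope; Right = $right; AppOnly = $appOnly
            Pass = ($findings.Count -eq 0); Findings = ($findings -join '; ')
        }
    }
}

# The request from this page, then a constructed over-broad request.
$fromPage = '<AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read"/></AppPermissionRequests>'
$tooBroad = '<AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/></AppPermissionRequests>'
$fromPage, $tooBroad | ForEach-Object { Test-AppPermissionRequest -Xml $_ } | Format-List
```

Raise `-MaxScope` or `-MaxRight` only for jobs that need it; a request whose scope or right is not in the tables is reported for manual review rather than passed.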

PnP Example using SharePoint App Principal

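# Sample values; in a real job, read the Client Secret from a secret store instead of the script file.
$clientId     = "daabeeab-3d81-4501-9f17-5496beb8b007"
$clientSecret = "Ul6lKjICLF0hsYvo8QdmRXbXDOT9fjAaUWEqhQYLc1g="

# App-only connection as the app principal. -UseWebLogin is dropped: it belongs to the interactive login parameter set and cannot be combined with -AppId/-AppSecret.
Connect-PnPOnline -Url "https://tenant.sharepoint.com/sites/targetsite" -AppId $clientId -AppSecret $clientSecret

# Download a file from the library the app principal was granted Read access to.
Get-PnPFile -Url /sites/targetsite/documents/file.docx -Path c:\temp -FileName file.docx -AsFile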