DisableCustomAppAuthentication

Topics discussed in this article:

  • ACS – Azure Access Control service on SharePoint;
  • Azure AD app-only model vs SharePoint app-only authentication model ;
  • set-spotenant -DisableCustomAppAuthentication $false;
  • set-spotenant -DisableCustomAppAuthentication $true
  • Certificate-based authentication vs Secret-based authentication

What if you disable SharePoint-Apps only principal (i.e. ‘set-spotenant -DisableCustomAppAuthentication $true’ )?

Here are our test results

app registered permissions provided via permissions Auth DisableCustomAppAuthentication Connect-PnPOnline Get-PnPTenant
SPO SPO Tenant FullControl secret TRUE ok 401
Azure AD SPO Tenant FullControl secret TRUE ok 401
Azure AD Azure AD MG/SP: Sites.FullControl.All secret TRUE ok 401
SPO SPO Tenant FullControl cert TRUE
Azure AD SPO Tenant FullControl cert TRUE ok 401
Azure AD Azure AD MG/SP: Sites.FullControl.All cert TRUE ok ok

 

app registered permissions provided via permissions Auth DisableCustomAppAuthentication Connect-PnPOnline Get-PnPTenant
SPO SPO Tenant FullControl secret FALSE ok ok
Azure AD SPO Tenant FullControl secret FALSE ok ok
Azure AD Azure AD MG/SP: Sites.FullControl.All secret FALSE ok 403
SPO SPO Tenant FullControl cert FALSE
Azure AD SPO Tenant FullControl cert FALSE ok 401
Azure AD Azure AD MG/SP: Sites.FullControl.All cert FALSE ok ok

“MG/SP” means API permissions were provided via Microsoft Graph and they are Microsoft Graph API and SharePoint API
Permissions provided via SPO means an “appinv.aspx” page was used.

Finally,

when DisableCustomAppAuthentication is set to $false (i.e. SharePoint app-only service principals are enabled, as it was by default before Aug/Sep 2020),
you cannot use Azure AD app with Azure AD provided API permissions with secret, and
you cannot use Azure AD app with SPO-provided permissions with certificate…

 

SharePoint Online Authentication/Authorization diagram:

SPO-App-Auth-Diagram

How do you connect to SharePoint from code?

Option 1 (classic)

Use SP-App Only service principal: register an app via AppRegNew.aspx page in SharePoint and get AppId (Client Id) and AppSecret (client secret).
Then provide permissions to your App: use AppInv.aspx page and specify permission as an XML. Then consent (approve it) – click “Trust It” on the next page.

Option 2 (modern):

Register an app via Azure App registrations and get Application (client) ID. Generate Client Secret and/or upload Certificate.
Add API permissions you need and ask tenant admin for consent.

Option 3 (hybrid):

Register an app via Azure App registrations and get Application (client) ID. Generate Client Secret and/or upload Certificate.
Then go to SharePoint online AppInv.aspx page and provide permissions to your App via XML. Then consent (approve it) – click “Trust It” on the next page.

 

 

 

 

Leave a Comment

Your email address will not be published. Required fields are marked *