Introduction:
In recent years, Microsoft Entra ID has moved away from legacy service account and username/password-based authentication patterns for SharePoint access. These older approaches are no longer recommended because they are harder to secure, difficult to manage, and often blocked by modern tenant security policies.
The recommended alternative is to use Microsoft Entra ID authentication with Microsoft Graph–based app registration and certificate-based client credential flow, while continuing to use SharePoint CSOM for SharePoint operations.
In this model:
- The application authenticates as an app
- Obtains an access token
- Uses that token to call SharePoint through CSOM
Scenario:
A common scenario is a background console application that needs to read files or list items from a SharePoint site without any interactive user sign-in.
Instead of storing a service account username and password, the application uses:
- Microsoft Entra ID app registration
- Certificate-based authentication
- Microsoft Authentication Library (MSAL) to acquire an access token
- SharePoint CSOM to execute site operations
This approach is more secure, supports automation, and aligns with Microsoft’s recommended authentication model.
Step-by-Step Implementation:
1. Register an Application in Microsoft Entra ID
Create a new app registration in the Entra admin center.
Record the following values:
- Tenant ID
- Client ID
- Certificate thumbprint
2. Create or Import a Certificate
Generate a certificate for app authentication and install it in the certificate store.
The application uses the certificate’s private key to prove its identity when requesting a token.
Check my article on client certificate configuration in Microsoft Entra ID.
3. Configure API Permissions
Grant the application the permissions needed to access SharePoint content.
Common application permissions include:
- Sites.Read.All
- Sites.ReadWrite.All
After adding permissions, make sure to grant admin consent.
4. Store Configuration Values Securely
Store the configuration values in your application settings file.
<appSettings>
  <add key="ida:ClientId" value="..." />
  <add key="ida:TenantId" value="..." />
  <add key="ida:CertThumbprint" value="..." />
  <add key="SharePoint:SiteUrl" value="https://tenant.sharepoint.com/sites/SiteName" />
  <add key="SharePoint:DefaultFolderServerRelativeUrl" value="/sites/SiteName/Shared Documents" />
</appSettings>
None of these values is a secret: the thumbprint only identifies the certificate, and the private key stays in the certificate store. This approach keeps your code clean and simplifies deployment across environments.
5. Acquire an Access Token Using MSAL
Use Microsoft Authentication Library (MSAL) to build a confidential client application.
Configure it with:
- Tenant ID
- Client ID
- Certificate
- Resource scope (SharePoint or Microsoft Graph)
Then request an app-only token.
Example token acquisition logic:
var app = ConfidentialClientApplicationBuilder
    .Create(clientId)                                        // ida:ClientId
    .WithAuthority(AzureCloudInstance.AzurePublic, tenantId) // ida:TenantId
    .WithCertificate(certificate)                            // X509Certificate2 found by ida:CertThumbprint
    .Build();

// Client credential (app-only) flow: no user signs in, the certificate proves the app's identity.
var authenticationResult = await app
    .AcquireTokenForClient(new[] { resourceScope })
    .ExecuteAsync()
    .ConfigureAwait(false);
6. Create the SharePoint CSOM Client Context
Pass the access token into the SharePoint CSOM ClientContext request pipeline.
Add the Authorization header with the Bearer token so SharePoint accepts the request.
Example CSOM context setup:
// MsalTokenHelper.ClientContext is the project's wrapper around the CSOM ClientContext:
// it acquires the token from step 5 and adds the Authorization: Bearer header to every request.
using (var context = new MsalTokenHelper.ClientContext(siteUrl))
{
    var folder = context.Web.GetFolderByServerRelativeUrl(folderServerRelativeUrl);
    var files = folder.Files;
    context.Load(files, collection => collection.Include(file => file.Name));
    context.ExecuteQuery();
}
7. Perform SharePoint Operations
Once authenticated, use CSOM to interact with SharePoint objects such as:
- Sites
- Lists
- List items
- Files and folders
In this project, the primary goal is to list files from SharePoint.
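Steps 4 to 7 put together in one class, added here as an example rather than the project's own code. It assumes the appSettings keys from step 4 in a .NET Framework App.config, a certificate with its private key in the current user's personal store, and the Microsoft.Identity.Client and SharePoint CSOM NuGet packages; the class and method names are invented. Because the token is sent to SharePoint through CSOM (not to Microsoft Graph), the scope requested is the SharePoint tenant host plus /.default.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;
// Added example, not the project's code; assumes the step-4 appSettings keys in App.config.
internal static class SharePointAppOnlyListing
{
    // Locate the certificate by thumbprint; its private key is the only credential the app uses.
    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>().FirstOrDefault() ?? throw new InvalidOperationException("Certificate not found: " + thumbprint);
        }
    }

    private static async Task<string> AcquireSharePointTokenAsync(string siteUrl)
    {
        var app = ConfidentialClientApplicationBuilder
            .Create(ConfigurationManager.AppSettings["ida:ClientId"])
            .WithAuthority(AzureCloudInstance.AzurePublic, ConfigurationManager.AppSettings["ida:TenantId"])
            .WithCertificate(LoadCertificate(ConfigurationManager.AppSettings["ida:CertThumbprint"]))
            .Build();
        // App-only scope: SharePoint tenant host + "/.default", i.e. the admin-consented application permissions.
        var scope = new Uri(siteUrl).GetLeftPart(UriPartial.Authority) + "/.default";
        return (await app.AcquireTokenForClient(new[] { scope }).ExecuteAsync().ConfigureAwait(false)).AccessToken;
    }

    public static async Task<string[]> ListFileNamesAsync()
    {
        var siteUrl = ConfigurationManager.AppSettings["SharePoint:SiteUrl"];
        var token = await AcquireSharePointTokenAsync(siteUrl).ConfigureAwait(false);
        using (var context = new ClientContext(siteUrl))
        {
            // Attach the Bearer token to every CSOM request; no user or service-account sign-in takes place.
            context.ExecutingWebRequest += (sender, e) =>
                e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + token;
            var files = context.Web.GetFolderByServerRelativeUrl(ConfigurationManager.AppSettings["SharePoint:DefaultFolderServerRelativeUrl"]).Files;
            context.Load(files, collection => collection.Include(file => file.Name));
            context.ExecuteQuery();
            return files.Select(file => file.Name).ToArray();
        }
    }
}
```

Call `SharePointAppOnlyListing.ListFileNamesAsync()` from the console app's entry point; if the token request succeeds but `ExecuteQuery` returns 401, check that the consented permissions are SharePoint application permissions, not only Graph ones.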
Summary:
The legacy service account authentication model is no longer the preferred approach for SharePoint automation.
For the SharePointCSOM_ListFiles_Console project, the modern solution is to:
- Use Microsoft Entra ID app authentication
- Authenticate with certificate-based credentials
- Acquire tokens using MSAL
- Use those tokens with SharePoint CSOM
This approach provides:
- Stronger security
- Easier maintenance
- Alignment with Microsoft’s modern identity best practices
Get the completed source code from my GitHub repo.