Microsoft’s recommendation to use an “App Registration”

An App Registration lets the migration tool authenticate to Microsoft Entra ID as an application (the client credentials flow) using an X.509 certificate instead of a client secret. Only the public certificate (.cer) is uploaded to Entra ID; the private key stays in the .pfx file or certificate store on the machine that runs the migration, so there is no shared secret to copy around, leak or phish. The certificate can be self-signed (as in this guide) or issued by your enterprise Public Key Infrastructure (PKI).

3-step guide

  1. Create a self-signed certificate in PowerShell
  2. Create an “App Registration” and link it to your certificate.
  3. Configure SharePoint Online permissions for the “App Registration”
“Step 1” – Create a self-signed certificate using PowerShell.
  • Run PowerShell ISE or VSCode as administrator (the script writes to the LocalMachine certificate store), paste the code below, change c:\dev\MyCert.pfx to the path where you want the certificate files created, and change MyPassword to a password of your own.
  • Run the script
# Create certificate (RSA key, installed in the local machine "Personal" store, valid for 5 years)
$mycert = New-SelfSignedCertificate -DnsName "MyDomain.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange -KeyFriendlyName MyKeyName -FriendlyName MyFriendlyName

# Export certificate to .pfx file
# The .pfx contains the PRIVATE key: keep it and its password secret (it is the credential of the App Registration)
$mycert | Export-PfxCertificate -FilePath c:\dev\MyCert.pfx -Password $(ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)

# Export certificate to .cer file
# The .cer contains only the PUBLIC key; this is the file you upload to the App Registration in Step 2
$mycert | Export-Certificate -FilePath c:\dev\MyCert.cer

The script also installs the certificate in the LocalMachine\My store of the computer where it runs. You can install it in the certificate store of the migration computer and reference it by thumbprint, but using the .pfx file (plus its password) is usually simpler.

“Step 2” – Create an “App Registration”
  • Go to the Azure portal and select “Microsoft Entra ID” (formerly “Azure Active Directory”)
  • Make a note of your “Tenant ID”, as you need it to authenticate in combination with the “Thumbprint” that you will get later in this guide.
  • Select “App registrations”
  • Make a “New registration” if you do not already have one (use the defaults).
  • Locate “Client credentials” (top right) and click the link “Add a certificate or secret”
  • Select “Certificates” and click the “Upload certificate” button.
    Then select your certificate .cer file and click “Add”
  • Make a note of the Application (client) ID for use in the SMART Migration. (If you are planning to use an installed cert then make a note of the “Thumbprint” also)
“Step 3” – Set permissions for the “App Registration”
  • Click the “API Permissions” link (left panel)
  • Click “Add a permission” and select “SharePoint”
  • Click “Application permissions”
  • Add the standard permissions below:
  • Finally you need to grant consent. Click “Grant admin consent for <your organization>”. Until an administrator grants consent, the permissions are only requested, not effective, and tokens issued to the app will carry no application roles.
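To check the three steps end to end, here is an added example (not part of the original guide and not code from the migration tool itself) that requests an app-only access token from Microsoft Entra ID with the certificate from Step 1 and the Tenant ID and Application (client) ID from Step 2, then decodes the token to show which application roles were granted in Step 3. The Tenant ID, client ID, .pfx path and scope are placeholder assumptions; the script builds the signed client assertion itself so you can see exactly what “authenticate with the certificate” means.

```powershell
# Added example (not from the original guide): request an app-only token with the certificate
# created in Step 1 and the App Registration from Step 2. All values below are placeholders.
$TenantId = "00000000-0000-0000-0000-000000000000"   # assumption: your Tenant ID
$ClientId = "11111111-1111-1111-1111-111111111111"   # assumption: Application (client) ID
$PfxPath  = "c:\dev\MyCert.pfx"                      # .pfx from Step 1 (holds the private key)
$PfxPass  = Read-Host -AsSecureString -Prompt "PFX password"   # do not hard-code the password
$Scope    = "https://graph.microsoft.com/.default"   # or https://<tenant>.sharepoint.com/.default

# Load the certificate with its private key and do basic sanity checks before using it
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPass)
if (-not $cert.HasPrivateKey)        { throw "The PFX does not contain a private key" }
if ($cert.NotAfter -lt (Get-Date))   { throw "Certificate expired on $($cert.NotAfter)" }

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# JWT header: RS256 plus the SHA-1 thumbprint (x5t) so Entra ID can match the uploaded .cer
$header = @{ alg = "RS256"; typ = "JWT"; x5t = (ConvertTo-Base64Url $cert.GetCertHash()) } | ConvertTo-Json -Compress
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claims = @{
    aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    iss = $ClientId
    sub = $ClientId
    jti = [guid]::NewGuid().ToString()   # unique id: the assertion cannot be replayed
    nbf = $now
    exp = $now + 600                     # short-lived assertion: 10 minutes
} | ConvertTo-Json -Compress

# Sign header.claims with the certificate's private key (RSA PKCS#1 v1.5, SHA-256)
$unsigned = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + "." +
            (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($claims)))
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData([Text.Encoding]::UTF8.GetBytes($unsigned),
                     [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                     [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = $unsigned + "." + (ConvertTo-Base64Url $sig)

# Exchange the assertion for an access token (client credentials grant)
$body = @{
    client_id             = $ClientId
    scope                 = $Scope
    grant_type            = "client_credentials"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
}
$token = Invoke-RestMethod -Method Post -Body $body -ContentType "application/x-www-form-urlencoded" `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

# Decode the access token payload and show the application roles granted by admin consent (Step 3)
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += "==" } 3 { $payload += "=" } }
$roles = ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json).roles
"Token valid for $($token.expires_in) s; application roles: $($roles -join ', ')"
```

If the token comes back but the roles list is empty, the App Registration authenticated correctly but admin consent has not been granted (or the permissions were added as delegated instead of application permissions). If the token request fails with an invalid client assertion, the .cer uploaded in Step 2 does not match the private key in the .pfx, or the certificate has expired.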

Advanced configuration (optional)

Restricted API permissions

You can use Sites.Selected, in both the Microsoft Graph and the SharePoint permission sections, for much more restricted access: instead of every site in the tenant, the App Registration can then reach only the sites an administrator explicitly grants it. See “Sites.Selected Permissions: what is it, and how do I use it”.
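Sites.Selected grants nothing by itself; an administrator has to add a per-site permission entry for the application. The following added example (not from the original guide or the migration tool) does that through Microsoft Graph. It assumes `$AdminToken` holds a Graph access token obtained by an identity that may manage site permissions (for example an app with the Sites.FullControl.All application permission); the hostname, site path, client ID and display name are placeholder assumptions.

```powershell
# Added example (not from the original guide): grant an App Registration that holds only
# Sites.Selected the "read" role on a single site, then verify the grant.
$AdminToken  = "<Graph access token obtained by an admin identity or an app with Sites.FullControl.All>"
$Hostname    = "contoso.sharepoint.com"                 # assumption
$SitePath    = "/sites/Migration"                       # assumption: server-relative path of the site
$AppClientId = "11111111-1111-1111-1111-111111111111"   # Application (client) ID from Step 2
$AppName     = "SMART Migration"                        # display name stored with the permission entry
$Role        = "read"                                   # read | write | manage | fullcontrol: start with the least needed

$headers = @{ Authorization = "Bearer $AdminToken" }

# Resolve the site id from hostname + server-relative path
$site = Invoke-RestMethod -Headers $headers -Uri "https://graph.microsoft.com/v1.0/sites/${Hostname}:${SitePath}"

# Create the permission entry for the application on this one site
$grant = @{
    roles               = @($Role)
    grantedToIdentities = @(@{ application = @{ id = $AppClientId; displayName = $AppName } })
} | ConvertTo-Json -Depth 5

$perm = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
    -Uri "https://graph.microsoft.com/v1.0/sites/$($site.id)/permissions" -Body $grant
"Created permission $($perm.id) with roles: $($perm.roles -join ', ')"

# Verify: list application permissions on the site; the app should appear with exactly the role granted
$all = Invoke-RestMethod -Headers $headers -Uri "https://graph.microsoft.com/v1.0/sites/$($site.id)/permissions"
$all.value | ForEach-Object {
    foreach ($g in $_.grantedToIdentities) {
        "{0}: {1} ({2}) -> {3}" -f $_.id, $g.application.displayName, $g.application.id, ($_.roles -join ',')
    }
}
```

Repeat the grant for every site the migration needs to touch and nothing else; removing the entry later (DELETE on the same permission id) revokes the app’s access to that site without touching the App Registration.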

The “Microsoft Graph” permissions are required for:

  • Accessing files larger than 2 GB
  • Reading users and groups in the tenant for easier visual mapping of users.

Read Entra ID user names etc.

You can access M365 user information from Microsoft Entra ID (such as display name, department, etc.) using the virtual list Tenant users. Filters: when using the = operator or the IN operator, the filter is applied server-side, which keeps performance acceptable for tenants with many users (>3000). Other filters, such as BeginsWith or Contains, are evaluated client-side after all users have been fetched.
To use the virtual list Tenant users, make sure the App Registration has one of these Graph API application permissions: User.ReadBasic.All (basic profile properties such as display name) or User.Read.All (full profile), depending on the columns you need to access. Prefer User.ReadBasic.All unless you actually need the extra columns.

Last modified: 2 January 2025