A brief summary of the configuration process

With SharePoint Online, you can define applications in Azure AD that can be granted permissions to SharePoint and to all other services in Office 365. If you are using SharePoint Online, this is the preferred model.

Example: setting app-only permissions for the Azure AD app

When running an application with app-only access in Azure AD, a certificate is typically used to request access tokens: anyone holding the certificate and its private key can act as the application and exercise every permission granted to it.

You are now ready to configure the Azure AD application to call SharePoint Online with an app-only access token. To do this, you must create and configure a self-signed X.509 certificate that your application will use to authenticate to Azure AD when requesting app-only access tokens. The certificate can be created with the Makecert.exe tool that ships with the Windows SDK, or with a PowerShell script that does not depend on Makecert. The PowerShell script is the preferred method.

Be sure to run it with administrator privileges:

.\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2017-10-01 -EndDate 2022-10-01

The Create-SelfSignedCertificate.ps1 script is as follows:


#Requires -RunAsAdministrator
<#
.SYNOPSIS
Creates a Self Signed Certificate for use in server to server authentication
.DESCRIPTION
.EXAMPLE
PS C:\> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21
This will create a new self signed certificate with the common name "CN=MyCert". During creation you will be asked to provide a password to protect the private key.
.EXAMPLE
PS C:\> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21 -Password (ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)
This will create a new self signed certificate with the common name "CN=MyCert". The password as specified in the Password parameter will be used to protect the private key.
.EXAMPLE
PS C:\> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21 -Force
This will create a new self signed certificate with the common name "CN=MyCert". During creation you will be asked to provide a password to protect the private key. If there is already a certificate with the common name you specified, it will be removed first.
#>
Param(
    [Parameter(Mandatory=$true)]
    [string]$CommonName,

    [Parameter(Mandatory=$true)]
    [DateTime]$StartDate,

    [Parameter(Mandatory=$true)]
    [DateTime]$EndDate,

    [Parameter(Mandatory=$false, HelpMessage="Will overwrite existing certificates")]
    [Switch]$Force,

    [Parameter(Mandatory=$false)]
    [SecureString]$Password
)

# DO NOT MODIFY BELOW

function CreateSelfSignedCertificate(){

    # Remove any existing certificates with the same common name from the personal store.
    # Be very wary of this, as it could break something that still relies on the old certificate.
    if($CommonName.ToLower().StartsWith("cn="))
    {
        # Remove CN= from common name
        $CommonName = $CommonName.Substring(3)
    }
    $certs = Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object{$_.Subject -eq "CN=$CommonName"}
    if($certs -ne $null -and $certs.Length -gt 0)
    {
        if($Force)
        {
            foreach($c in $certs)
            {
                remove-item $c.PSPath
            }
        } else {
            Write-Host -ForegroundColor Red "One or more certificates with the same common name (CN=$CommonName) are already located in the local certificate store. Use -Force to remove them";
            return $false
        }
    }

    # Subject name of the self-signed certificate
    $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=$CommonName", 0)

    # 2048-bit RSA key in the machine context; the security descriptor grants SYSTEM and
    # Administrators full control and Network Service read access to the key
    $key = new-object -com "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    $key.KeySpec = 1
    $key.Length = 2048
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.MachineContext = 1
    $key.ExportPolicy = 1 # This is required to allow the private key to be exported
    $key.Create()

    # Enhanced Key Usage extension: Server Authentication
    $serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") # Server Authentication
    $ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
    $ekuoids.add($serverauthoid)
    $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
    $ekuext.InitializeEncode($ekuoids)

    # Build the self-signed certificate request (issuer equals subject)
    $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
    $cert.InitializeFromPrivateKey(2, $key, "")
    $cert.Subject = $name
    $cert.Issuer = $cert.Subject
    $cert.NotBefore = $StartDate
    $cert.NotAfter = $EndDate
    $cert.X509Extensions.Add($ekuext)
    $cert.Encode()

    # Enroll the certificate into the LocalMachine\My store
    $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
    $enrollment.InitializeFromRequest($cert)
    $certdata = $enrollment.CreateRequest(0)
    $enrollment.InstallResponse(2, $certdata, 0, "")
    return $true
}

function ExportPFXFile()
{
    if($CommonName.ToLower().StartsWith("cn="))
    {
        # Remove CN= from common name
        $CommonName = $CommonName.Substring(3)
    }
    if($Password -eq $null)
    {
        $Password = Read-Host -Prompt "Enter Password to protect private key" -AsSecureString
    }
    $cert = Get-ChildItem -Path Cert:\LocalMachine\my | where-object{$_.Subject -eq "CN=$CommonName"}

    # .pfx contains the private key (password protected); .cer contains only the public certificate
    Export-PfxCertificate -Cert $cert -Password $Password -FilePath "$($CommonName).pfx"
    Export-Certificate -Cert $cert -Type CERT -FilePath "$CommonName.cer"
}

function RemoveCertsFromStore()
{
    # Once the certificates have been exported we can safely remove them from the store
    if($CommonName.ToLower().StartsWith("cn="))
    {
        # Remove CN= from common name
        $CommonName = $CommonName.Substring(3)
    }
    $certs = Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object{$_.Subject -eq "CN=$CommonName"}
    foreach($c in $certs)
    {
        remove-item $c.PSPath
    }
}

if(CreateSelfSignedCertificate)
{
    ExportPFXFile
    RemoveCertsFromStore
}

When run, the script asks you for a password to protect the private key, and exports both the .pfx and .cer files to the current folder.
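Before uploading anything, it is worth checking what the script actually produced. The following is an added example, not part of the original script: it reads the exported .cer and .pfx, reports the thumbprint and validity period, confirms the .pfx carries the private key, and verifies that no copy of the certificate was left behind in the LocalMachine store. The common name and file locations are assumptions matching the command shown above.

```powershell
# Added example: inspect the certificate files produced by Create-SelfSignedCertificate.ps1.
# Assumptions: the script was run with -CommonName "MyCompanyName" in the current folder.
$commonName  = "MyCompanyName"
$pfxPassword = Read-Host -Prompt "Password used to protect $commonName.pfx" -AsSecureString

# The .cer holds only the public certificate; this is the file that gets uploaded to Azure AD.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path ".\$commonName.cer").Path

# The .pfx also holds the private key; this is the secret the application authenticates with.
$private = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path ".\$commonName.pfx").Path, $pfxPassword

# Enhanced Key Usage names present on the certificate (the script sets Server Authentication).
$eku = $public.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

[PSCustomObject]@{
    Subject          = $public.Subject
    Thumbprint       = $public.Thumbprint   # compare with the thumbprint Azure AD shows after upload
    NotBefore        = $public.NotBefore
    NotAfter         = $public.NotAfter
    DaysUntilExpiry  = [int]($public.NotAfter - (Get-Date)).TotalDays
    RsaKeySize       = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($public).KeySize
    EnhancedKeyUsage = ($eku -join ', ')
    PfxHasPrivateKey = $private.HasPrivateKey
    SameCertificate  = ($public.Thumbprint -eq $private.Thumbprint)
}

# The script removes the certificate from the machine store after exporting it; confirm nothing lingers,
# since a leftover copy with an exportable private key is another place the credential could be taken from.
$leftover = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$commonName" }
if ($leftover) {
    Write-Warning "Certificate CN=$commonName is still present in Cert:\LocalMachine\My ($($leftover.Thumbprint -join ', '))"
} else {
    "No copy of CN=$commonName remains in Cert:\LocalMachine\My"
}
```

Treat the .pfx like a password: it is the credential for every permission the app is granted, so keep it out of source control and out of shared folders, and note the expiry date so the certificate is rotated before it lapses.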

Register the app and its permissions in Azure AD

Open the Office 365 admin center (admin.microsoft.com) and go to "Azure Active Directory".

Under App registrations, register a new application, then open API permissions and select the permissions it needs for all sites. These permissions require admin consent.

Suggested permissions to add

Click Add a permission and add the permissions that you want to grant to this application. The list below is a suggestion; you can grant fewer permissions, but some calls may then fail with access denied errors.

  • SharePoint -> Delegated Permissions -> AllSites -> AllSites.FullControl
  • SharePoint -> Delegated Permissions -> Sites -> Sites.Search.All
  • SharePoint -> Delegated Permissions -> TermStore -> TermStore.ReadWrite.All
  • SharePoint -> Delegated Permissions -> User -> User.ReadWrite.All
  • Microsoft Graph -> Delegated Permissions -> User -> User.Read
  • Microsoft Graph -> Delegated Permissions -> Directory -> Directory.ReadWrite.All
  • Microsoft Graph -> Delegated Permissions -> Directory -> Directory.AccessAsUser.All
  • Microsoft Graph -> Delegated Permissions -> Groups -> Group.ReadWrite.All

Then go to Certificates & secrets and upload the .cer file you just generated.

Application configuration on Azure

You can also use a single PnP PowerShell command to register the application and configure its permissions:

$app = Register-PnPAzureADApp -ApplicationName "PnP.Framework.Consumer" `
    -Tenant contoso.onmicrosoft.com `
    -OutPath c:\temp `
    -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force) `
    -GraphApplicationPermissions "Group.ReadWrite.All", "User.ReadWrite.All" `
    -SharePointApplicationPermissions "Sites.FullControl.All", "TermStore.ReadWrite.All", "User.ReadWrite.All" `
    -Store CurrentUser `
    -DeviceLogin

This registers the application with the following application permissions:
  • SharePoint -> Application Permissions -> Sites -> Sites.FullControl.All
  • SharePoint -> Application Permissions -> TermStore -> TermStore.ReadWrite.All
  • SharePoint -> Application Permissions -> User -> User.ReadWrite.All
  • Microsoft Graph -> Application Permissions -> User -> User.ReadWrite.All
  • Microsoft Graph -> Application Permissions -> Group -> Group.ReadWrite.All
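Once the app is registered and consented, the practical test is to authenticate with the certificate and look at what the resulting token actually allows. The following is an added example, not code from the original post or from the PnP project: it connects app-only with PnP PowerShell, decodes the SharePoint access token's payload, and compares the "roles" claim (the granted application permissions) with the set you intended to grant. The tenant, site URL, client id, certificate path and password are placeholder assumptions; the .pfx path assumes the file written to -OutPath by the Register-PnPAzureADApp command above.

```powershell
# Added example: app-only connection with the certificate, plus a least-privilege check of the token.
# Placeholders: replace with your tenant, a site in it, the app (client) id from the registration output,
# and the .pfx/password used when the app was registered.
$tenant      = "contoso.onmicrosoft.com"
$siteUrl     = "https://contoso.sharepoint.com/sites/demo"
$clientId    = "00000000-0000-0000-0000-000000000000"
$pfxPath     = "c:\temp\PnP.Framework.Consumer.pfx"
$pfxPassword = ConvertTo-SecureString -String "password" -AsPlainText -Force

# Certificate-based app-only login: no user is involved, the .pfx is the whole credential.
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
    -CertificatePath $pfxPath -CertificatePassword $pfxPassword

# Sanity check that the app-only context can read the web it was granted.
"Connected to: $((Get-PnPWeb).Title)"

# Decode the JWT payload (second dot-separated segment, base64url encoded).
function Get-JwtPayload([string]$token) {
    $payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# For an app-only token the "roles" claim lists the application permissions that were granted and consented.
$claims = Get-JwtPayload (Get-PnPAccessToken)
"Token audience : $($claims.aud)"
"Token expires  : $([DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).LocalDateTime)"
"Roles in token :"
$claims.roles | Sort-Object | ForEach-Object { "  $_" }

# Least-privilege check: anything beyond what you planned to grant should be removed in the portal.
$intended   = "Sites.FullControl.All", "TermStore.ReadWrite.All", "User.ReadWrite.All"
$unexpected = @($claims.roles | Where-Object { $_ -notin $intended })
$missing    = @($intended     | Where-Object { $_ -notin $claims.roles })
if ($unexpected) { Write-Warning "Token carries roles you did not plan for: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Intended roles not present (consent not granted yet?): $($missing -join ', ')" }
if (-not $unexpected -and -not $missing) { "Token roles match the intended application permissions." }
```

If the "roles" claim is empty, admin consent has usually not been granted yet; if it lists more than you expected, the registration carries permissions the application does not need and the extra ones are worth removing, since the certificate holder gets all of them.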

Please note that PnP Sites Core is archived and no longer maintained, but the PnP Framework contains almost all PnP Sites Core functionality and will be actively maintained.

It is therefore highly recommended that you switch your application from PnP Sites Core to the PnP Framework.

I don’t see the Weblogin option anymore, and yes, Web login relies on the .NET API, which is not available in .NET Standard 2.0, so we did remove this feature from the PnP Framework. However, if you need this option, you can copy the implementation from PnP PowerShell and use it in your application in conjunction with the AuthenticationManager classes of the PnP Framework.

Reference links:

1. The PnP Framework: github.com/pnp/pnpfram…

2. Azure AD registration process: docs.microsoft.com/en-us/share…