John John

Reputation: 1

Authenticate our .NET console application against SharePoint online if we have `DisableCustomAppAuthentication` set to true

We have the following:-

Now, previously on old tenants I authenticated my code using this method, by passing the ClientID and Client Secret:-

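    using System;
    using Microsoft.SharePoint.Client;

    class Program
    {
        static void Main(string[] args)
        {
            string siteUrl = "https://***.sharepoint.com/sites/CustomerServiceKB/";
            string clientId = "******";
            string clientSecret = "*****";
            // App-only context obtained with the client ID and client secret
            using (ClientContext context = new OfficeDevPnP.Core.AuthenticationManager().GetAppOnlyAuthenticatedContext(siteUrl, clientId, clientSecret))
            {
                // ... (rest of the code is not shown in the post)
            }
        }
    }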

But on our newly created tenant we cannot authenticate our code using the above method, because we have `DisableCustomAppAuthentication` set to true. Now, we do not want to modify this property.

So our question is: if we have `DisableCustomAppAuthentication` set to true (and we do not want to set it to false), then how can we authenticate our console application, which is hosted on our Windows server and which runs on a schedule using Task Scheduler?

Now I read about this approach of using a registered app inside Azure AD at https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread to register a new application inside Azure AD. But when I click to register a new application, I get this message:-

[screenshot of the message; image not preserved]

So this makes me afraid that I will be following an approach which is already deprecated... So what is the latest approach that we should follow to authenticate our CSOM code inside our console application with SharePoint Online?

Upvotes: 0

Views: 1571

Answers (1)

SureshBabu

Reputation: 474

Yes, agreed. By default DisableCustomAppAuthentication is set to True, which will affect any tenants provisioned after sometime in late August 2020. That’ll break a lot of custom functionality like apps or PowerShell scripts that work on any older tenants.

Options:

  1. Move away from the old, app-only authentication using Client Id and Client Secret

This would be the better way forward – for application authentication scenarios, you’d need to register your app in Azure Active Directory, but in that case you can’t manage permissions granularly, at all.

  2. Unfortunately, the next option is to set it to False.

Set the property DisableCustomAppAuthentication to false. You can also enable custom app authentication by disabling the tenant property “DisableCustomAppAuthentication”.

You’ll need to have at least SharePoint Administrator permissions to run this.

First of all, update your SharePoint Online PowerShell module to the latest version. After that, authenticate, and then run this below:

    Set-SPOTenant -DisableCustomAppAuthentication $false

Or alternatively, you can run this PnP commandlet:

    Set-PnPTenant -DisableCustomAppAuthentication $false

App registration in AAD is not getting deprecated. The ADAL libraries published are the ones that will be reaching end of support by June 30th, 2022. So this will not impact creating application Ids in Azure AD.

Now when you register a new application in App Registration, you will see that MS Graph permissions are now added, not the Azure AD Graph permissions. When you update the existing applications to use MS Graph permissions, you need to provide consent again for the application, as the permissions on the app are changing. Also, you need to do this only for the applications which you have registered in your tenant, i.e. single-tenant apps and multi-tenant apps which you have published.

Microsoft will be doing updates on the Microsoft apps, and there is no specific action you have to take for Microsoft-owned applications. We can write a script to map the same permission sets from Azure AD Graph to MS Graph permissions, but in that case you also need to provide consent again to those apps.

Soon MS will show the list of applications which are using Azure AD Graph permissions in your tenant. Then things will become easy as you can directly take action on it.

Reference : https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5/

Upvotes: 0
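An added example (not from the question or the answer above) of the Azure AD app-only route the answer lists as option 1: the console application authenticates with a certificate instead of a client secret, so it works while `DisableCustomAppAuthentication` stays true. It assumes the app is registered in Azure AD with the certificate's public key uploaded and a SharePoint application permission consented, as the linked Microsoft article describes, and that the certificate with its private key is installed in the server's `LocalMachine\My` store. The environment variable names are placeholders chosen for this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.SharePoint.Client;

class Program
{
    // Load the app's certificate (with private key) from the Windows certificate store.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, because a self-signed certificate does not chain to a trusted root.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My.");
            if (!matches[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; it cannot sign the token request.");
            return matches[0];
        }
    }

    // Fail fast with a clear message when a required setting is missing.
    static string RequireEnv(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException("Missing environment variable " + name);
        return value;
    }

    static void Main(string[] args)
    {
        // Hypothetical variable names (assumptions); no secret is kept in source or config.
        string siteUrl = RequireEnv("SPO_SITE_URL");
        string clientId = RequireEnv("SPO_CLIENT_ID");          // Azure AD application (client) ID
        string tenant = RequireEnv("SPO_TENANT");               // e.g. contoso.onmicrosoft.com
        string thumbprint = RequireEnv("SPO_CERT_THUMBPRINT");

        X509Certificate2 cert = LoadCertificate(thumbprint);
        using (ClientContext context = new OfficeDevPnP.Core.AuthenticationManager()
            .GetAzureADAppOnlyAuthenticatedContext(siteUrl, clientId, tenant, cert))
        {
            context.Load(context.Web, w => w.Title);
            context.ExecuteQuery();
            Console.WriteLine("Connected to: " + context.Web.Title);
        }
    }
}
```

The account that runs the scheduled task needs read access to the certificate's private key; granting that to a dedicated service account only keeps the credential off other users of the server.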
