OAuth 2.0 Authentication Methods

The SharePoint Online connector supports OAuth 2.0 authentication with the following grant types:

Note
Microsoft recommends using JWT Certificate Credentials for authentication, as other grant types (Client Credentials, SAML Bearer Assertion, Refresh Token/Auth Code) are deprecated and will stop working after April 2, 2026. Use JWT Certificate Credentials for all new and existing source configurations.

  • JWT Certificate Credentials (Recommended)

  • SAML Bearer Assertion (Deprecated)

Prerequisites

  • Obtain the Client ID and Client Secret from Azure Active Directory by registering the application.

    Note
    It is mandatory to use the Global Admin and Admin of all Sites User in SharePoint Online to create the application in Azure Active Directory.

  • If the grant type is JWT:

    The Certificate (self-signed or CA signed) must be uploaded and registered at the Azure Active Directory portal. To register the certificate with the Microsoft Identity Platform, complete the following:

    1. Sign in to the Azure Portal.

    2. In the Azure app registrations for client application, select the client application.

    3. Select Certificates & secrets.

      Select Upload certificate and then select the certificate file that you want to upload.

    4. Select Add.

    5. Obtain the values for the following:

      • Private Key: The private key text file.

      • Private Key Password: The password for the private key.

      • Certificate: The text file of the same certificate that was uploaded to the Azure portal.

  • If the grant type is Refresh Token/Auth Code, generate a refresh token. For more information, refer to Generating a Refresh Token (Deprecated).

Assign the following required permissions to the application:

  1. In the Azure Active Directory console of the registered app, select API permissions.

  2. Select Add a permission.

  3. On the Request API permissions page, a list of supported APIs is displayed.

    • Microsoft Graph is under the commonly used Microsoft API.

    • Azure Active Directory Graph under supported Legacy API.

    • SharePoint is under Microsoft API.

  4. Under What type of permissions does your application require?, select the permission type as Delegated or Application. See the following table for the type:

    Permission

    Type

    Purpose

    Microsoft GRAPH API

    Directory.ReadWrite.All

    Delegated

    Read, Update, and Delete Group Add membership

    Directory.AccessAsUser.All

    Delegated

    Change Password and Delete User

    User.ReadWrite.All

    Delegated

    Read and Update any User

    Group.ReadWrite.All

    Delegated

    Read and write all groups

    GroupMember.ReadWrite.All

    Delegated

    Read and write group memberships

    Sites.FullControl.All

    Delegated

    Have full control of all site collections

    SharePoint Online API

    AllSites.FullControl

    Delegated

    Have full control of all site collections

    AllSites.Manage

    Delegated

    Read and write items and lists in all site collections

    Sites.FullControl.All

    Application

    Have full control of all site collections

    Sites.Search.All

    Delegated

    Run search queries as a user

    User.ReadWrite.All

    Delegated

    Read and write user profiles

    User.ReadWrite.All

    Application

    Read and write user profiles

  5. Under Select permissions, select the required permissions.

  6. Select Add permissions.

  7. In Grant consent, select Grant Admin Consent for your configuration and directory. Select Yes when prompted in the pop-up dialog box.

Prerequisite

Note the following:

  • The authentication user must be synchronized in Azure Active Directory.

  • Assign the user the User Administrator permission role in Azure Active Directory.

    Note
    It is mandatory to use the Global Admin and Admin of all Sites User in SharePoint Online to create the application in Azure Active Directory.

  • You must enable the ADFS endpoint required to authenticate the user.

  • The ADFS machine time zone must be in sync with Azure time zone, that is, UTC.

Assign the following required permissions to the application:

  1. In the Azure Active Directory console of the registered app, select API permissions.

  2. Select Add a permission.

  3. On the Request API permissions page, a list of supported APIs is displayed.

    • Microsoft Graph is under the commonly used Microsoft API.

    • Azure Active Directory Graph under supported Legacy API.

    • SharePoint is under Microsoft API.

  4. Under What type of permissions does your application require?, select the permission type as Delegated or Application. See the following table for the type:

    Permission

    Type

    Purpose

    Microsoft GRAPH API

    Directory.ReadWrite.All

    Delegated

    Read and write directory data

    Group.Read.All

    Delegated / Application

    Read all groups

    Group.ReadWrite.All

    Delegated / Application

    Read and write all groups

    GroupMember.Read.All

    Delegated / Application

    Read group memberships

    GroupMember.ReadWrite.All

    Delegated / Application

    Read and write group memberships

    Sites.FullControl.All

    Delegated / Application

    Have full control of all site collections

    Site.Manage.All

    Site.Read.All

    Delegated / Application

    Read items in all site collections

    Site.ReadWrite.All

    Delegated / Application

    Edit or delete items in all site collections

    User.Invite.All

    Application

    Invite guest users to the organization

    User.Read

    Delegated

    Sign in and read user profile

    SharePoint Online API

    SharePoint Online API

    SharePoint Online API

    AllSites.FullControl

    Delegated

    Have full control of all site collections

  5. Under Select permissions, select the required permissions.

  6. Select Add permissions.

  7. In Grant consent, select Grant Admin Consent for your configuration and directory. Select Yes when prompted in the pop-up dialog box.