How to do ACS setup for SharePoint app only authentication for SharePoint server (On-Premise)?

Yichen Name 61 Reputation points
2023-01-27T14:29:45.48+00:00

Hi Team,

I wanted to implement app only authentication for SharePoint server. Do you have any document mentioning all the steps for the same?

SharePoint Server
SharePoint Server
A family of Microsoft on-premises document management and storage systems.
2,156 questions
SharePoint Server Development
SharePoint Server Development
SharePoint Server: A family of Microsoft on-premises document management and storage systems.Development: The process of researching, productizing, and refining new or existing technologies.
1,557 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Yichen Name 61 Reputation points
    2023-02-13T09:09:13.8633333+00:00

    This process works for online but does not work for on prem versions

    1 person found this answer helpful.
    0 comments No comments

  2. Yanli Jiang - MSFT 20,306 Reputation points Microsoft Vendor
    2023-01-30T09:20:01.1133333+00:00

    Hi @Yichen Name ,

    SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016/2019 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online. Below steps show how to setup an app principal with tenant full control permissions, but obviously you could also grant just read permissions using this approach.

    Navigate to a site in your tenant (e.g. https://contoso.sharepoint.com) and then call the appregnew.aspx page (e.g. https://contoso.sharepoint.com/_layouts/15/appregnew.aspx). In this page click on the Generate button to generate a client id and client secret and fill the remaining information like shown in the screen-shot below.

    02011

    Next step is granting permissions to the newly created principal. Since we're granting tenant scoped permissions this granting can only be done via the appinv.aspx page on the tenant administration site. You can reach this site via https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx. Once the page is loaded add your client id and look up the created principal:

    02012

    To grant permissions, you'll need to provide the permission XML that describes the needed permissions. Since this application needs to be able to access all sites + also uses search with app-only it needs below permissions:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>
    

    When you click on Create you'll be presented with a permission consent dialog. Press Trust It to grant the permissions.

    If you want to utilize the generated app-only registration with PnP PowerShell, you can do so by connecting to your SharePoint On-Premises or Online environment using:

    Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/demo -ClientId [Your Client ID] -ClientSecret "[Your Client Secret]"

    For more information, please refer to:

    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly

    https://www.wictorwilen.se/blog/sharepoint-2013-using-the-app-only-policy-and-app-principals-instead-of-username-and-password-combos/

    https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/plan-for-app-authentication-in-sharepoint-server

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.