Hi Jie Yin, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!
Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.
Issue:
The issue arises when attempting to access SharePoint Online (SPO) resources across tenants using Azure Data Factory (ADF) with an Azure AD app-only authentication method. The error "Token type is not allowed" occurs during the process, indicating a problem with authentication.
Root Cause:
· The SharePoint tenant has disabled custom app authentication, leading to the "Token type is not allowed" error when using the SharePoint API.
· The retirement of SharePoint-only app access necessitates transitioning to Azure AD app-only access with Graph API permissions for accessing SharePoint resources.
Solution:
To resolve the issue, the following steps are taken:
1. Temporary Resolution:
· Enable custom app authentication with the SharePoint API using the Set-SPOTenant -DisableCustomAppAuthentication $false command. This temporarily resolves the "Token type is not allowed" error.
2. Transition to Azure AD App-Only Access:
· Register an Azure AD application in the SharePoint tenant.
· Grant necessary permissions to the Azure AD application, preferably using Graph API permissions instead of SharePoint API permissions.
· Obtain an access token from the Azure AD token endpoint using the client ID, client secret, and tenant ID of the Azure AD application.
· Access SharePoint resources using the Graph API with the obtained access token.
3. Grant App Permissions on SharePoint Sites:
· If required, grant specific permissions to the Azure AD application for accessing individual SharePoint sites.
· This can be done either through the SharePoint site appinv page or using the PnP PowerShell module.
4. Implementation:
· Utilize the registered Azure AD application and the Graph API to access SharePoint resources across tenants.
· Ensure proper handling of permissions and token management to maintain secure access.
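As an added example (not part of the original answer or of any Microsoft sample), the Azure AD app-only flow from step 2 in PowerShell: a client-credentials request to the tenant's token endpoint with the Graph .default scope, a check that the returned token was actually issued for Microsoft Graph and carries application roles (so a missing consent is caught before the first Graph call), and a read of a site and its document libraries through Graph. The tenant ID, client ID, secret, hostname and site path are placeholders.

```powershell
# Added example, not from the original answer. All values below are placeholders.
$TenantId     = '<tenant-id-of-the-SharePoint-tenant>'
$ClientId     = '<azure-ad-app-client-id>'
$ClientSecret = '<azure-ad-app-client-secret>'   # keep in Key Vault / an ADF linked service, not in scripts
$SiteHost     = 'contoso.sharepoint.com'          # placeholder hostname
$SitePath     = '/sites/Finance'                  # placeholder site path

# 1. Client-credentials request against the Azure AD v2.0 token endpoint.
#    The .default scope requests whatever Graph application permissions were admin-consented.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$accessToken = $tokenResponse.access_token

# 2. Sanity-check the token before using it: decode the JWT payload (claims only, no
#    signature verification) and confirm it targets Graph and carries app roles.
$payload = $accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
if ($claims.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
    throw "Token audience is '$($claims.aud)', expected Microsoft Graph."
}
if (-not $claims.roles) {
    throw 'Token carries no application roles: Graph application permissions were not granted or consented.'
}
Write-Host "Token OK. Application roles: $($claims.roles -join ', ')"

# 3. Resolve the site through Graph and list the drives (document libraries) the app can see.
$headers = @{ Authorization = "Bearer $accessToken" }
$site = Invoke-RestMethod -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/sites/${SiteHost}:${SitePath}"
$drives = Invoke-RestMethod -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/sites/$($site.id)/drives"
$drives.value | Select-Object name, webUrl
```

If step 3 succeeds while the same credentials still fail against the SharePoint REST API, the app is configured correctly and the remaining work is moving the ADF activity to the Graph endpoints, not re-enabling custom app authentication.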