Authenticating to SharePoint Online with OAuth2, CSOM, and Service Accounts

Question

Is it possible to authenticate to SharePoint Online using OAuth2 with delegated permissions and a service account, or is authentication only feasible with application permissions?

To use delegated permissions, consent must be provided with the service account to the registered application.

The goal is to read the SharePoint List Title from a SharePoint Online site using C# and CSOM with a service account. An app registration has been created in Microsoft Entra with delegated permissions, and the service account has rights only to the SharePoint list it has permissions on.

Currently, an authentication error (401) occurs when attempting to connect to SharePoint Online with CSOM using delegated permissions.

If delegated permissions are applicable for this scenario, what are the basic steps to set this up correctly? How to provide consent to the service account with the application?

Would it be more effective to grant application permissions with Sites.Selected?

Answer 1

delegated permission only work with a user access token (user oauth login flow), not an application access token (clientid, secret). you give the application basically site permissions.

note: azure hosted services can use managed accounts to access azure resources that support managed account authentication, which is more granular application accounts. so if your code is hosted in azure, you could use this approach.