Azure function and IDCRL

Question

I am reading this article about the retirement of Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols...

https://m365admin.handsontek.net/microsoft-sharepoint-retirement-idcrl-authentication-protocol-enforcement-openid-connect-oauth-protocols/

where i have an azure function deployed inside azure app service and using managed identity, where i authenticate to sharepoint using this code:-

GraphServiceClient graphClient;
//TokenCredential credential;
string accessToken = "";
if (Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development")
{
    var credential = new InteractiveBrowserCredential();
    var tokenRequestContext = new TokenRequestContext(new[] { "https://******.sharepoint.com/.default" }); // Change scope based on API
    AccessToken tempaccesstoken = await credential.GetTokenAsync(tokenRequestContext);
    accessToken = tempaccesstoken.Token;
}
else
{
    accessToken = await GetJwtTokenUsingSystemManagedIdentity();
}
                //Call to get the "Call Transfer Log Data" sharepoint list data
                try
                {
                    //var siteId = "***";
                    //var listId = "*************";
                    string siteUrl = "https://*********.sharepoint.com/sites/analytics";
                    string listName = "Call Transfer";
                    string tenant = "*******";
                    string site = "analytics";
                    string listTitle =  Log Data";
                    siteUrl = $"https://{tenant}.sharepoint.com/sites/{site}";
                    string apiBaseUrl = $"{siteUrl}/_api/web/lists/GetByTitle('{listTitle}')/items";
                    var httpClient = new HttpClient();
                    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
                    httpClient.DefaultRequestHeaders.Accept.ParseAdd("application/json;odata=verbose");
                    string filterDate = DateTime.UtcNow.AddDays(-120).ToString("yyyy-MM-ddTHH:mm:ssZ");
                    string requestUrl = $"{apiBaseUrl}?$filter=Modified ge datetime'{filterDate}'&$top=100&$orderby=Modified desc";
}

private static async Task<string> GetJwtTokenUsingSystemManagedIdentity()
{
    string resource = "https://****.sharepoint.com/.default";
    var credential = new DefaultAzureCredential();
    var tokenRequestContext = new TokenRequestContext(new[] { resource });
    var token = await credential.GetTokenAsync(tokenRequestContext);
    //Console.WriteLine("Toekn is " + token.Token)
    ; return token.Token;
}

so will this get affected?

Answer 1

Hi john john Pter

Thank you for reaching out to Microsoft Q&A forum

The retirement of the IDCRL (Identity Client Runtime Library) authentication protocol in Microsoft SharePoint primarily targets legacy authentication methods used in older clients, scripts, or applications, such as certain outdated versions of SharePoint Designer or PowerShell modules that rely explicitly on IDCRL for token acquisition. This change enforces modern standards like OpenID Connect for interactive logins and OAuth for delegated or application-based access, aiming to enhance security and compliance.

Link reference:

https://app.cloudscout.one/evergreen-item/mc1184649/

Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.

However, your implementation already aligns with these modern protocols by using Azure AD-based credentials to obtain OAuth 2.0 access tokens, which are compliant with the updated requirements. As a result, your code should not be affected and will continue to function without needing modifications specifically related to this retirement.

Hope my answer will help you, for any further concern, kindly let me know in the comment section.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

The retirement of the IDCRL authentication protocol and the enforcement of OpenID Connect and OAuth protocols will affect how authentication is handled in your Azure function when accessing SharePoint. Since your code uses a managed identity to authenticate to SharePoint, it is essential to ensure that your Azure function is updated to use the recommended authentication protocols.

In your code, if you are using the GetJwtTokenUsingSystemManagedIdentity() method to obtain the access token, you should verify that this method is compatible with the new authentication protocols. The use of managed identities is generally supported with OpenID Connect and OAuth, so you should be able to continue using this approach as long as it aligns with the updated requirements.

Make sure to test your Azure function after the transition to confirm that it can successfully authenticate and interact with SharePoint using the new protocols. Additionally, keep an eye on any updates from Microsoft regarding the specific changes and timelines related to the retirement of IDCRL and the enforcement of the new protocols.