Using Azure Key Vault Certificates with SharePoint ClientContext

[williambrach]

Hi everyone,

I have a question regarding using a certificate from Azure Key Vault in conjunction with a SharePoint ClientContext. I would like to know if there's a way to achieve auth with Azure Key Vault.

I tried to use client id and client secret from app registration but for some reason it doesn't work for me

('-2147024891, System.UnauthorizedAccessException', 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))', "403 Client Error: Forbidden for url:

cert_credentials = {
    'tenant': test_tenant_name,
    'client_id': test_client_id,
    'thumbprint': test_cert_thumbprint,
    'cert_path': '{0}/selfsigncert.pem'.format(os.path.dirname(__file__)),
}
ctx = ClientContext(test_site_url).with_client_certificate(**cert_credentials)

I would appreciate any insights or examples on how to properly utilize the certificate from Azure Key Vault in the SharePoint ClientContext. Thank you in advance for your help!

[dkuska]

Generally, authenticating with Client ID and Secret from an App Registration is the way to go for most applications.
If this does not work for you, then it almost always is related to a Permission Issue. We cannot solve this unless we know your permission setup.

I'm not quiet sure whats your issue with using Azure Key Vault. That is not related to this library.

Also why are you pasting a code snippet about Certificate Credentials?

[williambrach]

Thank you for your response @dkuska .

Could you please provide me with a link or guide on how to set the correct permissions? I have already created an App Registration and used the client ID and secret from it, but the permissions did not work .

I shared the certificate credentials snippet because I was attempting to authenticate using a certificate, and it worked fine with the same App Registration.

I mentioned Key Vault because I wanted to avoid storing the certificate locally and instead load it from Azure Vault. I was hoping to find someone who might have encountered a similar issue.

If it's possible, can you share a guide on how to properly set up an App Registration for an SHP (SharePoint) connection? I will give it another try using the Client ID and Secret credentials.

[dkuska]

As far as general authentication goes there are a couple of ressources to look into:

• https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly
• https://github.com/vgrem/Office365-REST-Python-Client/blob/master/examples/sharepoint/AppPermissionRequests.xml
  But you will have to experiment a bit with what works since Office/SharePoint are such complex systems.

As far as Certificate Authorization goes, I don't have much experience with it but I would try it like this:

• https://github.com/vgrem/Office365-REST-Python-Client/blob/master/examples/sharepoint/ConnectionWithCert.md
  An issues I see is that in Azure Key Vaults there is support to create.crt and .pfx self-signed certificates, while Sharepoint works with .pem certificates. So you will need to create your own certificate, upload and update it manually.
  I'd be interested whether or not you manage to do this. In the past I wanted to use this but opted to work with Secret authorization because I could schedule key rotations much easier.

[williambrach]

Thank you for providing the information. I will work on updating my code to support the use of ID and Secret.

Despite my efforts, I encountered a challenge in handling it automatically. On the bright side, I was able to replicate the ConnectionWithCert tutorial and successfully integrate the .pem certificate (generated from .pfx) into the SharePoint connection directly from the .pem file.

However, I faced some hurdles in retrieving the private key from Azure Vault due to account permissions. Consequently, I could only create a public certificate.