TBP
SharePoint Advanced Management
Leave a reply
Author Archives: Vlad Software Engineer
Azure Data Factory: connecting to SharePoint with a Certificate
For a long time we had to provide legacy ACS permissions for Microsoft Azure Data Factory to connect to SharePoint. That’s not the case anymore. Finally Microsoft updated authentication page so ADF V2 supports authentication with Client Id and Certificate, which means that application registration used to connect to SharePoint can have only modern Sites.Selected API permissions.
The steps would be
- Obtain a certificate
- Get a service principal (Register your app in Entra Id )
- Upload the certificate to the app registration
- Provide access for the app id (client id) to your SharePoint site
- Configure linked service in ADF
Detailed Step-by-Step guide ADF connect to SharePoint with a Certificate
1. Obtain a certificate
There are no special technical requirements for a Certificate. Since this is about trust between two parties and you own both – the certificate can be self-signed (e.g. generated with PowerShell as described here). But some organizations still require all certificates used in an org to be trusted by org CA.
2. Register app in Azure to get a service principal
To get a service principal – Client ID (app id) – your must create a so-called “App registration” in Entra Id (Azure AD). Specific requirements: app should have both – Microsoft Graph API and SharePoint API Sites.Selected permissions configured and consented. The process is described, e.g. here.
3. Upload the certificate to the app registration
Under Secrets and Certificates section of you App Registration – select Certificates tab and upload your certificate.
4. Provide access for the app id (client id) to your SharePoint site
This is something only your admins can do. Having Microsoft Graph API and SharePoint API Sites.Selected permissions configured and consented does not mean you automatically have access to SharePoint. Sites.Selected API permissions presence means you are allowed to get access specific SharePoint sites, but what are these sites and what kind of access?
So you’d request your SharePoint tenant admins to provide access (e.g. read-only or read-write or full control) for your App Id (client id) to specific SharePoint site Urls.
If you are an admin – check this.
5. Configure linked service in ADF
The last step is to configure your Data Factory connection to SharePoint list using service principal and certificate you got earlier with steps 1-4.
References:
Working with SharePoint from Python code via Graph API
Python code samples published by Microsoft at the Microsoft Graph API reference pages use GraphServiceClient module. But you also can use just requests module and call Microsoft graph API directly, using requests.post or requests.get methods. Here I’m sharing my Python code samples.
https://github.com/VladilenK/m365-with-Python/tree/main/Graph-API-Plain
Azure ACS retirement. How to prepare your tenant. Guide for SharePoint Admins.
Since Microsoft announced EOL of ACS in 2026, we as SharePoint administrators must be prepared, as it is a really big deal – entire era of SharePoint app-only service principals will gone. SharePoint developers used this kind of authentication since 2013 to build their solutions. And when it comes to software development – it always takes time. Imaging all the code that was designed since 2013 needs to be reviewed and re-written to adopt changes. So it is critical that we should take measures now to avoid huge problems in April 2026.
Recommended transition tactics
For developers
- Prioritizing using Microsoft Graph API.
- In cases Graph API does not provide required functionality – it’s ok to use SharePoint API, but please ensure certificate is used (not secret).
For SharePoint admins
High-level recommended steps are:
- Encourage users registering applications in Azure (not in SharePoint)
- Disable ability for site owners register service principals in SharePoint via appregnew.aspx
Your users will start seeing “Your SharePoint tenant admin doesn’t allow site collection admins…” message (see details), but that’s ok. - Create a process so users can request permissions to SharePoint sites for their Azure-Registered Apps. Provide Sites.Selected permissions by default. Consider automation.
In rare cases when 3-rd party apps require legacy ACS-based permissions, it would be you (SharePoint service admin) who will provide ACS-based access to sites.
Track this activity (so you know for whom this ACS-based permissions were provided).
Inform every developer that ACS will be gone. - Keep audit logs
Starting today and until it’s over you’d get audit logs from Microsoft 365 purview center – consider selecting all events anyone visited appinv.aspx page. - In March-April 2025 (1 year before) ACS EOL, start notifying developers who use ACS.
You can get list of developers combining
– audit log data
– report from Entra Id on apps owners - In advance ( let say, starting September 2025) you can try to temporary switch off ACS (“scream test”).
Detailed steps:
Encourage users registering applications in Azure (not in SharePoint)
Pro’s for App Registered in Entra Id (vs SharePoint Apps-only service principals – apps registered in SharePoint with AppRegNew.aspx) :
- Support authentication with client secret and/or certificate, custom expiration time
- Support both – classic SharePoint REST API and CSOM and Microsoft Graph API
Disable registering service principals in SharePoint
Disable ability for site owners register service principals in SharePoint via appregnew.aspx with Set-SPOTenant PowerShell cmdlet
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $false
When the value is set to false, the service principal can only be created or updated by the SharePoint tenant admin. Your users will start seeing “Your SharePoint tenant admin doesn’t allow site collection admins…” message (see details), but that’s ok.
tbc
References
Using metadata to refine your SharePoint search
Though search in Microsoft 365 SharePoint is good out-of-the box and you can do a full-text search and refine your results by “File type” and “Last modified”, but what if you want your content be tagged with your custom metadata (e.g. “Article category”), and you want to be able to refine your search results based on this metadata? I’d say it is possible and I’ll provide the solution below. The solution includes working with site term store (creating terms, term groups, term sets), configuring list/library columns and updating site search schema (mapping crawled properties to managed properties).
See also:
PowerShell Script for Files Deduplication
If you think you have a lot of duplicated files that consumes your hard drive storage space, this article is for you. Personally, I have a lot of video and pictures on my working hard drive and on a backup HDD. While working with photos and videos I can rename files, copy or move them from folders to folders. As a result, I end up with gigabytes and terabytes occupied with duplicated files. So I need a tool to a) find duplicated files and b) remove duplications. I tried to find good scripts but somehow I was not happy with what I found, so I wrote scripts myself.
Surely you can buy/try a 3-rd party toot with GUI, but if you are comfortable with PowerShell – consider the following.
…
References
- PowerShell scrips at GitHub (use on your own risk)
Birds of Eurasia Best Pictures
There is a new site – Birds of Eurasia Best Pictures – with a lot of good pictures of birds from all of the Eurasian continent. It does not seem that pictures are professional, sooner shots are made by amature birdwatchers, but some pictures are really nice.
Pictures are updated around weekly. Here is an example:
Cinereous Vulture (Aegypius monachus)
Shoot in Mongolia by Oleg Belyalov
Another great picture:
Collared Pratincole by Philippe Campeau, Kyrgyzstan
References
Invention for Life (Infrared Quadrant Detectors for Traffic Safety)
I found an interesting site – it looks like they have highly qualified physicists and inventors. Here is one of their inventions – “Traffic Safety with Infrared Quadrant Detectors“…
Invention high-level description:
And they are looking for investors.