Azure Data Factory: connecting to SharePoint with a Certificate

For a long time we had to provide legacy ACS permissions for Microsoft Azure Data Factory to connect to SharePoint. That’s not the case anymore. Finally Microsoft updated authentication page so ADF V2 supports authentication with Client Id and Certificate, which means that application registration used to connect to SharePoint can have only modern Sites.Selected API permissions.

The steps would be

  1. Obtain a certificate
  2. Get a service principal (Register your app in Entra Id )
  3. Upload the certificate to the app registration
  4. Provide access for the app id (client id) to your SharePoint site
  5. Configure linked service in ADF

Detailed Step-by-Step guide ADF connect to SharePoint with a Certificate

1. Obtain a certificate

There are no special technical requirements for a Certificate. Since this is about trust between two parties and you own both – the certificate can be self-signed (e.g. generated with PowerShell as described here). But some organizations still require all certificates used in an org to be trusted by org CA.

2. Register app in Azure to get a service principal

To get a service principal – Client ID (app id) – your must create a so-called “App registration” in Entra Id (Azure AD). Specific requirements: app should have both – Microsoft Graph API and SharePoint API Sites.Selected permissions configured and consented. The process is described, e.g. here.

3. Upload the certificate to the app registration

Under Secrets and Certificates section of you App Registration – select Certificates tab and upload your certificate.

4. Provide access for the app id (client id) to your SharePoint site

This is something only your admins can do. Having Microsoft Graph API and SharePoint API Sites.Selected permissions configured and consented does not mean you automatically have access to SharePoint. Sites.Selected API permissions presence means you are allowed to get access specific SharePoint sites, but what are these sites and what kind of access?
So you’d request your SharePoint tenant admins to provide access (e.g. read-only or read-write or full control) for your App Id (client id) to specific SharePoint site Urls.
If you are an admin – check this.

5. Configure linked service in ADF

The last step is to configure your Data Factory connection to SharePoint list using service principal and certificate you got earlier with steps 1-4.

References:

Leave a Reply

Your email address will not be published. Required fields are marked *