App registration certificate

To use OAuth2 client credentials for authentication in SharePoint, you must upload a certificate to your Entra ID (formerly Azure Active Directory) app registration.

Follow these steps:

  1. Assign SharePoint permissions to the Entra ID app registration.
  2. Create a self-signed certificate.
  3. Upload the certificate to the Entra ID app registration.

Assign permissions to the app registration

Specific SharePoint site permissions must be assigned to the app registration. This cannot be done in the Entra ID portal; the script below does it with PnP PowerShell. Run it in a PnP PowerShell session:

# Directory (tenant) ID, shown on the app registration's Overview page.
$TenantID = "tenant ID"

# Application (client) ID of the secondary app registration that holds
# Sites.FullControl.All. PnP PowerShell authenticates as this app in order to
# grant permissions to the other app registration.
$AdminPrivClientId = "client ID"

# Target site collection.
$SiteURL = "https://<YourTenant>.sharepoint.com/sites/IPS"

# Application (client) ID of the permanent app registration that receives the
# site permission.
$AppID = "application ID"

# Display name of the permanent app registration.
$DisplayName = "IPS"

Connect-PnPOnline -Url $SiteURL -Interactive -ClientId $AdminPrivClientId -Tenant $TenantID

Grant-PnPAzureADAppSitePermission -AppId $AppID -DisplayName $DisplayName -Site $SiteURL -Permissions Write

Note: You must be a Site Collection Admin of the target SharePoint site to run the script. You must also have a secondary (temporary) app registration with the Sites.FullControl.All application permission for SharePoint, with admin consent granted. The secondary app registration is used only to assign the required permissions to the permanent and more limited app registration. Because Sites.FullControl.All reaches every site in the tenant, remove that permission (or the whole secondary app registration) once the grant is done.

The grant follows the Sites.Selected model: the permanent app registration must hold the SharePoint Sites.Selected application permission (admin-consented) in Entra ID, and Grant-PnPAzureADAppSitePermission then scopes it to this one site. -Permissions Write allows reading and writing content on that site; the other accepted values are Read, Manage and FullControl, so choose the lowest level the integration needs.

The -ClientId switch tells PnP PowerShell which app registration in your tenant to authenticate as. It is the Application (client) ID of the secondary app registration ($AdminPrivClientId above), not the ID of the permanent app. To confirm the grant on the same connection, run Get-PnPAzureADAppSitePermission -Site $SiteURL -AppIdentity $AppID; the output lists the permission ID and the roles granted to the app.

See this link for more information.

Create the certificate

Use this script in PowerShell to create a self-signed certificate and export it to a .cer file (public certificate only) and a .pfx file (certificate plus private key):

$passwordString = "[Specify a unique password]"
$dnsName = "Specify the host name or domain name"
$certificateName = "Specify a name for the certificate"
$tempFolder = "c:\temp\"

$tempFolder = $tempFolder.TrimEnd('\')

$certFileName = $certificateName + ".cer"
$cerPath = Join-Path $tempFolder -ChildPath $certFileName

$pfxFileName = $certificateName + ".pfx"
$pfxPath = Join-Path $tempFolder -ChildPath $pfxFileName

# Create the certificate in the current user's personal store. Without -NotAfter
# it is valid for one year from creation, after which authentication fails.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\CurrentUser\My

# The .cer file holds only the public certificate; this is what gets uploaded
# to the app registration.
Export-Certificate -Cert $cert -FilePath $cerPath

# The .pfx file holds the private key, protected by the password. Treat it as a
# credential: anyone holding it can authenticate as the app.
$password = ConvertTo-SecureString -String $passwordString -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password

Use the $passwordString variable to set a unique password. It protects the private key in the .pfx file, and you will use this password for authentication in Operations and Regulations, so store it as a secret rather than leaving it in the script.

The $dnsName variable is required. It becomes the certificate's subject name and is not validated against anything, so it can be whatever hostname/domain name you want.

The $certificateName variable specifies the certificate name. It is used as the file name of both the .cer and the .pfx file.

Upload the certificate to the app registration

To upload the .cer file that you exported from the script above, open the app registration in Entra ID, go to Certificates & secrets and select the Certificates tab. Click Upload certificate and select the .cer file. Upload only the .cer file: the .pfx file contains the private key and stays with the system that authenticates. After the upload, Entra ID shows the certificate's thumbprint and expiry date; note the expiry, since a new certificate must be created and uploaded before that date.
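To confirm that the uploaded certificate and the site permission work together, the following PowerShell script, added here as an example and not part of the original page, performs the OAuth2 client credentials grant by hand: it signs a JWT client assertion with the private key from the .pfx file, exchanges it for a SharePoint access token at the Entra ID token endpoint, and calls the site's REST API. The values $TenantID, $AppID, $SiteURL and the .pfx path are assumed placeholders matching the scripts above; replace them with your own.

```powershell
# Added example: OAuth2 client credentials with a certificate (JWT client_assertion).
# Placeholder values are assumptions; replace them with the IDs from your app registration.
$TenantID    = "tenant ID"                                    # Directory (tenant) ID
$AppID       = "application ID"                               # Application (client) ID of the permanent app
$SiteURL     = "https://<YourTenant>.sharepoint.com/sites/IPS"
$scope       = "https://<YourTenant>.sharepoint.com/.default" # .default: use the app's application permissions
$pfxPath     = "c:\temp\IPS.pfx"                              # assumed: the .pfx exported earlier
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$tokenEndpoint = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Load the certificate together with its private key from the .pfx file.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)

# JWT header: Entra ID finds the uploaded public certificate by its SHA-1 thumbprint (x5t).
$header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url ($cert.GetCertHash())) } | ConvertTo-Json -Compress

# JWT claims: issued by the app, about the app, addressed to the token endpoint,
# short-lived (10 minutes) and carrying a unique jti so it cannot be replayed.
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claims = @{
    aud = $tokenEndpoint
    iss = $AppID
    sub = $AppID
    jti = [guid]::NewGuid().ToString()
    nbf = $now
    iat = $now
    exp = $now + 600
} | ConvertTo-Json -Compress

$signingInput = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
                (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($claims)))

# Sign header.claims with the RSA private key (RS256 = RSA PKCS#1 v1.5 over SHA-256).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$signature = $rsa.SignData([Text.Encoding]::UTF8.GetBytes($signingInput),
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = $signingInput + '.' + (ConvertTo-Base64Url $signature)

# Exchange the assertion for an access token. No client secret is involved.
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType 'application/x-www-form-urlencoded' -Body @{
    client_id             = $AppID
    scope                 = $scope
    grant_type            = 'client_credentials'
    client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    client_assertion      = $assertion
}

# Call the site. A 401 here points at the certificate or assertion; a 403 points at
# the site permission grant (the app is authenticated but not authorised for this site).
$web = Invoke-RestMethod -Uri "$SiteURL/_api/web" -Headers @{
    Authorization = "Bearer $($tokenResponse.access_token)"
    Accept        = 'application/json;odata=nometadata'
}
"Connected to site '$($web.Title)' as app $AppID"
```

Run it after all three steps are complete. Nothing interactive happens beyond the password prompt, which is the point of the client credentials grant: the service authenticates with the certificate alone. The same check can be done through PnP PowerShell with Connect-PnPOnline -Url $SiteURL -ClientId $AppID -Tenant $TenantID -CertificatePath $pfxPath -CertificatePassword $pfxPassword followed by Get-PnPWeb, but the raw exchange above makes visible which artefact each failure points at.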