Add authentication via Entra with a certificate #3064
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7 tasks
|
@leemthompo can I ask for help with documentation for this change? :) |
seanstory
reviewed
Jan 2, 2025
| {"label": "Client Secret", "value": "secret"}, | ||
| {"label": "Certificate", "value": "certificate"}, | ||
| ], | ||
| "value": "certificate", |
There was a problem hiding this comment.
I think this will be a breaking change, as on upgrade, we'll add this new config to existing connectors, right? But existing connectors will be using secret? I think we should default to secret, but tooltip that certificate is preferred?
| "label": "Content of certificate file", | ||
| "display": "textarea", | ||
| "sensitive": True, | ||
| "order": 5, |
There was a problem hiding this comment.
Suggested change
| "order": 5, | |
| "order": 6, |
| "sensitive": True, | ||
| "order": 6, |
There was a problem hiding this comment.
Suggested change
| "order": 6, | |
| "order": 7, |
| }, | ||
| "site_collections": { | ||
| "display": "textarea", | ||
| "label": "Comma-separated list of sites", | ||
| "tooltip": "A comma-separated list of sites to ingest data from. If enumerating all sites, use * to include all available sites, or specify a list of site names. Otherwise, specify a list of site paths.", | ||
| "order": 5, | ||
| "order": 7, |
There was a problem hiding this comment.
Suggested change
| "order": 7, | |
| "order": 8, |
| "type": "list", | ||
| "value": "*", | ||
| }, | ||
| "enumerate_all_sites": { | ||
| "display": "toggle", | ||
| "label": "Enumerate all sites?", | ||
| "tooltip": "If enabled, sites will be fetched in bulk, then filtered down to the configured list of sites. This is efficient when syncing many sites. If disabled, each configured site will be fetched with an individual request. This is efficient when syncing fewer sites.", | ||
| "order": 6, | ||
| "order": 8, |
There was a problem hiding this comment.
Suggested change
| "order": 8, | |
| "order": 9, |
| @@ -1235,7 +1356,7 @@ def get_default_configuration(cls): | |||
| "depends_on": [{"field": "use_document_level_security", "value": True}], | |||
| "display": "toggle", | |||
| "label": "Fetch drive item permissions", | |||
| "order": 10, | |||
| "order": 12, | |||
There was a problem hiding this comment.
Suggested change
| "order": 12, | |
| "order": 13, |
| @@ -1244,7 +1365,7 @@ def get_default_configuration(cls): | |||
| "depends_on": [{"field": "use_document_level_security", "value": True}], | |||
| "display": "toggle", | |||
| "label": "Fetch unique page permissions", | |||
| "order": 11, | |||
| "order": 13, | |||
There was a problem hiding this comment.
Suggested change
| "order": 13, | |
| "order": 14, |
| @@ -1253,7 +1374,7 @@ def get_default_configuration(cls): | |||
| "depends_on": [{"field": "use_document_level_security", "value": True}], | |||
| "display": "toggle", | |||
| "label": "Fetch unique list permissions", | |||
| "order": 12, | |||
| "order": 14, | |||
There was a problem hiding this comment.
Suggested change
| "order": 14, | |
| "order": 15, |
| @@ -1262,7 +1383,7 @@ def get_default_configuration(cls): | |||
| "depends_on": [{"field": "use_document_level_security", "value": True}], | |||
| "display": "toggle", | |||
| "label": "Fetch unique list item permissions", | |||
| "order": 13, | |||
| "order": 15, | |||
There was a problem hiding this comment.
Suggested change
| "order": 15, | |
| "order": 16, |
| client_id, | ||
| certificate, | ||
| private_key, | ||
| f"https://{self._tenant_name}.sharepoint.com/.default", |
There was a problem hiding this comment.
Is this going to break non-path-based site collections?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #3023
See: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs
Azure is retiring old ACS and our connector really needs it right now since we use REST API for Sharepoint. We can migrate some code to use Graph - for example, Graph API introduced new APIs to fetch page content: https://devblogs.microsoft.com/microsoft365dev/microsoft-graph-api-for-sharepoint-pages-is-now-generally-available/
Some other stuff, like List Item Attachments, might not be available. Migration to new API will require a bit more time though.
To buy some time this PR introduces certificate authentication to Sharepoint Online connector. It's possible to either authenticate via a secret (
client_secret) or via a certificate (you'll need a certificate + private key).How to create a certificate and a private key:
azure_app.crtis a certificate,azure_app.keyis a private key. Then you'll need to upload the certificate to the Azure App that's set up for your Sharepoint Online instance.We have checked, and this works with new tenants -
secretauthentication is already not usable for new tenants since November 2024 will be fully retired as of April 2nd, 2026.Checklists
Pre-Review Checklist
config.yml.example)v7.13.2,v7.14.0,v8.0.0)Release Note
Introduced certificate authentication for Sharepoint Online connector to allow connector to work against tenants created after 1st of November 2025.