Upgrading SharePoint apps from Azure Access Control service to Azure Active Directory

00:00

foreign

00:10

access control services to Azure active

00:13

directory registered applications the

00:15

use case for this scenario is when you

00:18

want to create a demo or a background

00:20

application which will interact with

00:23

elevated permissions with SharePoint

00:25

online and you will not use any specific

00:29

user account but you want to use an

00:31

application only account the options

00:33

available nowadays to realize this kind

00:36

of scenario are using a major access

00:39

control services registered application

00:41

in a specific Target tenant or an Azure

00:44

active directory registered application

00:46

so let me try to explain you why you

00:49

should use Azure directory and in case

00:52

you have an access control services

00:54

register application you should upgrade

00:56

it to Azure ID first of all Azure access

01:00

control services is now what there is an

01:02

old service based on an old development

01:05

model in fact Microsoft retired ECS in

01:09

November 2018. it is still available for

01:13

SharePoint online but you should not use

01:15

it anymore in new Solutions and you

01:18

should upgrade your existing solutions

01:20

to the new model which is the one based

01:22

on Azure active directory moreover the

01:25

Azure ACS is a model is an

01:28

authentication model for application

01:29

which is based on the Adin model of

01:32

SharePoint which is now kind of an old

01:35

model and nowadays you should rely on

01:38

new modern development techniques and

01:40

again one more time on Azure active

01:42

directory application registration where

01:45

for example you can also leverage the

01:47

resource specific content or

01:50

decide.selected permissions which allow

01:52

you to have a really granular selection

01:54

of permissions whenever you need to

01:57

consume a SharePoint online site or

01:59

content so how can you actually upgrade

02:03

from ACS to AED well first of all you

02:06

need to reduce history new Azure active

02:08

directory application you need to create

02:10

an x519 certificate for the

02:12

authentication in fact SharePoint online

02:15

for app only requires you to

02:17

authenticate providing an x509

02:19

certificate you have to configure the

02:22

API permissions that you will need with

02:25

your application in order to consume

02:27

SharePoint online and then you will need

02:28

to refactor a bit your code in order to

02:31

move from the old school client ID and

02:34

client secret and ACS to the new school

02:37

of azure active directory open

02:39

authorization and a client ID with a

02:41

certificate so let me move to the demo

02:44

environment and let me show you how you

02:46

can do that in practice

02:49

so imagine that we have an application

02:52

that we already registered in Azure ACS

02:55

the registration goes through the

02:57

upright new page of your target

02:59

SharePoint online tenant and you will

03:02

get back a client ID a client secret and

03:05

you have to provide the title an app

03:07

domain and then a direct URI for your

03:09

application once you've done that you

03:12

can retrieve through the app inventory

03:14

up in dot SPX page under digital point

03:17

admin UI your application doing a lookup

03:22

by client ID and you will be able to

03:24

configure a custom set of permissions

03:26

like you can see here right here when we

03:29

provide an application permission of

03:32

type full control to this application

03:34

meaning that it will have access to all

03:37

of the site collections in maintenance

03:39

with full control rides and then we have

03:42

a side collection this one from ACS 3ad

03:45

apps in which I have a document Library

03:48

the default one and I want to write an

03:51

application to read the title of this

03:53

document library and to upload the

03:55

document into the document Library so we

03:58

can do that using a c-sharp application

04:02

for example here I have an application

04:05

in which I'm using some packagings like

04:09

the PMP framework for example to speed

04:11

up the development process consuming

04:14

SharePoint online and I'm using some

04:17

other packages to manage the

04:18

configuration setting of my application

04:20

in fact my settings I will have this URL

04:23

of the site that I want to consume the

04:25

title of the list or library that I want

04:27

to consume the client ID and the client

04:29

secret of my application

04:31

as such when I will execute my

04:33

application which is about net 6

04:35

application I will need to read the

04:38

configuration from the app settings Json

04:40

file I will translate the Json settings

04:43

into a fully type object and then using

04:46

a PMP framework I can create an

04:48

authentication manager instance and I

04:50

can do the get ACS upon the context the

04:53

providing URL of the target side the

04:56

client ID and the client secret I will

04:59

get back a client context object of

05:02

system of decline side of the model of

05:04

SharePoint online and then using season

05:06

I can get a list by title providing the

05:09

title of my list I can do the load of

05:13

the list including the title so that by

05:15

executing the query asynchronously

05:18

against the SharePoint online I will get

05:21

back the title of my list I can create a

05:24

random file content with random text

05:27

inside of it and I can upload the file

05:30

again as synchronously in the root

05:32

folder of my target Library simply

05:34

specifying a random file name based on a

05:38

guide and that's it so this is a very

05:40

simple example that we want to upgrade

05:43

from ACS to Azure ID so if I will run

05:47

this application even if it is a very

05:50

simple one

05:51

we can see that in a matter of few

05:54

seconds we will have our console

05:56

application running and we will get back

05:59

the title of the target document library

06:01

and the document will be created in the

06:05

Target document library in fact if I

06:06

refresh this Library we can see that now

06:09

we have a new file that I just created

06:11

simple as that now let's make the

06:14

assumption that we want to upgrade the

06:16

solution to Azure active directory we

06:19

can easily register a new application in

06:22

Azure ID simply relying on PMP power

06:25

shell and specifically we can use the

06:28

register PMP Azure ID app command letter

06:30

providing the application name which

06:33

will be the name of the application that

06:34

will be registered in Azure ID we can

06:37

provide this store where we want to save

06:40

generated risk 509 certificate which

06:43

will be created by the CMD LED and

06:46

uploaded to Azure active directory and

06:48

Associated to our application in nature

06:50

active directory with have to specify

06:52

the target tenant as you can see right

06:55

here as well as the username and the

06:58

password to access the target 10 and

07:01

register the application and the

07:02

password will be provided through a

07:04

prompt to the user as well as we can

07:06

specify a certificate password which

07:08

will be used to protect the private key

07:10

on the certificate and again here I'm

07:13

using a prompt for the user and now I'm

07:15

going to say the dot serum.pfx files

07:18

Associated to the auto generated file of

07:21

my certificate into the current part so

07:24

by executing this CMD layer

07:26

we will have to provide first of all the

07:29

credentials of the user that want to use

07:31

to register my application and then I

07:34

will have to provide a password which

07:36

should be strong enough secure enough to

07:38

protect the private key of my

07:40

certificate

07:42

the CMD let will start creating the

07:45

certificate and storing the certificate

07:47

in the certificate store then it will

07:50

create the application initial active

07:52

directory and will wait up to 60 seconds

07:55

for the app to be ready and then it will

07:57

launch the web UI to Grant the

08:00

permissions that will be automatically

08:02

granted by the CMD led to the

08:04

application created I don't want to

08:07

waste your time so I will speed up the

08:10

recording while waiting for the 60

08:11

seconds

08:13

and here we are now we will have a web

08:17

prompt to Grant the permissions to our

08:21

newly registered application

08:24

first of all we need to pick a user

08:27

account to use in order to do the grant

08:30

of the permissions and we will have to

08:32

provide a password for that users and

08:35

once we have done that we will be able

08:37

to Grant the permissions automatically

08:40

added to the application registrations

08:43

by the CMB LED if you like using

08:46

additional Arguments for the CMD letter

08:48

you can choose the permission that you

08:50

want to Grant targeting either

08:52

SharePoint online permissions or

08:54

micrograph permissions right now I'm

08:56

using default permissions I'm accepting

08:58

to Grant those permissions to my app and

09:01

in a matter of few seconds now we're

09:03

ready the page is done don't care about

09:06

this kind of response but now the

09:08

application is registered and in fact if

09:11

I will go to Azure active directory we

09:13

can see that we have my application

09:16

registered I can click on it and we can

09:20

see

09:21

yet we have an application with a

09:22

specific client ID and directory ID we

09:25

can click on the certificate and secret

09:28

to see the certificate that has been

09:30

generated automatically by the CMD let

09:32

and if we go to API permissions we can

09:34

see the permissions granted to the

09:36

application as you can see right here so

09:38

it is now time to consume one more time

09:41

SharePoint online the same side

09:43

collection as before but now using the

09:45

Azure ID registered application the

09:48

application is almost the same as before

09:49

we still have an app settings.json file

09:52

where we specify still the site URL the

09:55

list ID the client ID and this time the

09:57

tenant ID and the certificate thumb

09:59

print which we can get back from the

10:01

certificate that was generated then

10:03

instead of

10:04

using an instance of authentication

10:07

manager to create the client context

10:10

based on the ACs credentials we rather

10:13

read the certificate that we want to use

10:15

to authenticate against Azure active

10:18

directory providing the Target store the

10:21

store location and the thumbprint of the

10:23

certificate which we can read from the

10:26

settings of our application and then we

10:28

create a new instance of the

10:30

authentication manager using this

10:31

Factory method which is create with

10:33

certificate which will accept the client

10:36

ID the certificate and the Tenant ID by

10:39

doing that the authentication manager

10:41

will allow us to invoke the get context

10:43

method to still get a client context of

10:46

season and since we have a client

10:49

constant we can then do exactly what we

10:51

did before in the previous sample and we

10:53

can read the title of the document

10:55

library and we can upload a document

10:56

into the target document Library so at

10:59

the very end we simply need to register

11:01

the application image ready you can do

11:03

that using the PNP power shares emulator

11:05

or you can do it manually as you can

11:07

read through the article Associated to

11:09

this video and once you have got the

11:12

application registered and the

11:13

certificate created for you you can

11:15

authenticate using the authentication

11:17

manager providing that certificate the

11:19

client ID and the Tenant ID you get the

11:21

context and you are good to go that's

11:23

the replacement you need to do to

11:25

upgrade your solution just for the sake

11:27

of completeness let me run this

11:29

application as like as I did with the

11:31

previous one so now we have yet another

11:33

console application running we get

11:36

the title of the library and we just

11:38

uploaded a new document in the Target

11:40

library in fact if we go back here and

11:43

we refresh now we have two documents

11:45

instead of one and the last one was

11:47

created few seconds ago

11:50

here you can find additional links if

11:53

you want to dig into this topic and

11:55

thanks for watching this video

11:59

[Music]