Migrating ACS to Azure AD with Sites.FullControl.All
This document details migrating from ACS with Sites.FullControl.All to Azure AD with Sites.FullControl.All. It explains configuring an application in Azure Portal and Control Hub changes. It's helpful for anyone migrating from ACS to Azure AD.
Using Azure Communication Services to authenticate with Sites.FullControl.All is being deprecated. You must migrate away from it by 2nd April 2026.
The preferred way to authenticate is using an Azure Portal App Registration. This registers the application with Entra ID (Azure AD), which handles authentication and controls which supported apps the application can invoke. This includes SharePoint, via API permission scopes.
Prerequisites
You must grant access to the IPs in the SharePoint section of Microsoft's URLs and IP Address Ranges document.
PowerShell 7 and PnP PowerShell module must be installed.
Azure Portal - Application Registration
Follow these steps to register the SharePoint connector app within Azure Portal.
Navigate to https://portal.azure.com.
Check you're in the correct Azure Directory.
In the search bar, type “App Registrations”.
Or select App Registrations under Azure Services.
Select New registration.
Name - Give the application a user-friendly name.
Supported account types - Choose whether the application will only be used in this directory, or in other directories too.
Redirect URI (optional) – This is not required.
Select Register.
This gives you an overview of your application on the registered application page.
You'll need the Application (client) ID and Directory (tenant) ID from this page later in the process.
Azure Portal - Certificates & Secrets
You can create and apply a self-signed X.509 certificate, which authenticates the registered application and lets it invoke SharePoint Online. Or, you can use an X.509 certificate issued by your Certificate Authority (CA). Either works, as the certificate is not client facing.
The following creates the self-signed certificate and manifest settings using a Cmdlet. These are needed to use SharePoint CSOM via app-only API permissions.
You create them using the PnP.PowerShell Cmdlet, New-PnPAzureCertificate. See Microsoft's app only security documentation for more information on this.
Running the Cmdlet
Cmdlet Requirements
PowerShell 7 is running in Administrator mode.
The PnP.PowerShell module is installed.
Open PowerShell as an administrator.
Run the New-PnPAzureCertificate Cmdlet.
Save the certificate files created in your preferred location and give them a strong password.
Make sure both the .cer and .pfx files are saved.
The .cer (public key) will be uploaded to the registered application in Azure Portal.
The .pfx (private key) will be uploaded to the Credential Store in Workplace AI's Control Hub.
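As an added example (not the page's own command), this generates the .cer and .pfx pair with the PnP.PowerShell New-PnPAzureCertificate Cmdlet and then reads the public certificate back to record the thumbprint and expiry you will later match in Azure Portal and the Control Hub. The output directory, common name and one-year validity are assumptions; choose your own.

```powershell
# Added example, not from the original page. Assumes PowerShell 7 with PnP.PowerShell installed.
# Prompt for the PFX password so it is never written into the script or the shell history.
$pfxPassword = Read-Host -Prompt "Password for the .pfx private key" -AsSecureString

# Assumption: a secured location of your choosing for the generated files.
$outDir  = "C:\Certs\WorkplaceAI"
$pfxPath = Join-Path $outDir "sp-connector.pfx"
$cerPath = Join-Path $outDir "sp-connector.cer"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Keep the validity short: the Control Hub expiry date cannot exceed the certificate's,
# so a shorter lifetime forces a deliberate rotation rather than a forgotten long-lived key.
# The common name is an assumption; any descriptive value works.
New-PnPAzureCertificate `
    -CommonName "WorkplaceAI-SharePoint-Connector" `
    -ValidYears 1 `
    -OutPfx $pfxPath `
    -OutCert $cerPath `
    -CertificatePassword $pfxPassword | Out-Null

# Confirm both files exist: the .cer goes to Azure Portal, the .pfx to the Credential Store.
foreach ($path in @($pfxPath, $cerPath)) {
    if (-not (Test-Path $path)) { throw "Expected certificate file not created: $path" }
}

# Read the public certificate back. The thumbprint lets you verify the upload in
# Certificates & Secrets; NotAfter is the expiry the Control Hub credential will populate.
$publicCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
[pscustomobject]@{
    Subject    = $publicCert.Subject
    Thumbprint = $publicCert.Thumbprint
    NotBefore  = $publicCert.NotBefore
    NotAfter   = $publicCert.NotAfter
}
```

Keep the .pfx and its password apart from each other and restrict the directory's ACL to the account that will upload it; the .cer contains only public material.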
Apply the certificate to the registered application
In Azure Portal, select Certificates & Secrets.
Navigate to the Certificates tab.
Select Upload certificate.
Select the .cer file you created using the command above.
Description – Add a description of what the certificate is used for.
Select Add.
This certificate is now associated with the registered application in Azure.
Azure Portal - API Permissions
Now that you have a registered application with a certificate, you can add API Permissions.
In Azure Portal, navigate to your registered application.
Under Manage, select API Permissions.
The Microsoft Graph User.Read permission is always present. It is required and should remain in place.
Select Add a permission.
Under Microsoft APIs, select SharePoint.
Select Application permissions.
This ensures user credentials aren't needed for authentication and context is not scoped to one user.
From the available permissions, select Sites.FullControl.All.
This is the only API permission level we support for the SharePoint Online connector.
Lower permission levels, for example Sites.Read.All, are not yet proven and may have consequences.
We are working to allow the SharePoint Online connector to run in a read-only mode.
Select Add permission.
This applies the permissions but does not grant them to the application.
You must grant admin consent for any permission applied.
This allows silent authentication for APIs without needing a user-invoked authentication flow.
Select Grant admin consent for <organisation>.
Select Yes to confirm this selection when prompted.
The Sites.FullControl.All API permission is now applied to the registered application.
Aiimi Workplace AI - Credentials
Now that everything is configured in Azure Portal, you need to create credentials in the Control Hub.
Within the Control Hub select Credentials.
On the Credentials page, select New Credential.
Credential Type – Select Certificate.
This will reveal the relevant input fields for uploading a certificate.
Credential ID – Enter an ID for this credential.
It must be lowercase, with no spaces or special characters.
Credential Name – Enter a user-friendly name for this credential.
Password – Enter the password associated with the certificate you generated earlier.
Expiry Date (DD-MM-YYYY) – This will automatically populate according to the certificate’s expiry.
You can change this date if needed. It must not be in the past or later than the certificate's expiry date.
Import Certificate – Either, drag and drop the .pfx file or find it using the “browse files” link.
If using “browse files” in Windows Explorer you must enable “All Files (*.*)” when searching.
Only valid certificates can be uploaded.
Select Create.
Your new certificate credential is now in the Workplace AI Credential Store.
Aiimi Workplace AI – Source Configuration
Now that the registered application and credentials are set up, you can configure a SharePoint source.
Within the Control Hub select New Configuration.
If you're applying this to an existing source, find the configuration and select edit.
On the Source tab, select SharePoint from the Source System dropdown.
Client ID – Enter the Application (client) ID of the registered application.
You can find this in the Overview on the Azure Portal.
Directory (Tenant) ID – Enter the Directory (tenant) ID for the registered application.
You can find this in the Overview on the Azure Portal.
Select Credential – Select the certificate credential associated with the .pfx file.
Select Save.
You are now ready to run a crawl without using ACS authentication.
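Before running the first crawl, it is worth proving from PowerShell that the registered application can sign in to SharePoint Online app-only with the same certificate the Control Hub holds. This is an added example, not part of the original page or the Workplace AI product; the tenant name, site URL, client ID and certificate path are placeholders you replace with the values from the Azure Portal Overview page and the .pfx you generated.

```powershell
# Added example, not from the original page. Assumes PnP.PowerShell is installed.
# Placeholders: replace <tenant>, <site> and the client ID with your own values.
$siteUrl     = "https://<tenant>.sharepoint.com/sites/<site>"
$tenant      = "<tenant>.onmicrosoft.com"
$clientId    = "<Application (client) ID from the Overview page>"
$pfxPath     = "C:\Certs\WorkplaceAI\sp-connector.pfx"   # assumption: path chosen earlier
$pfxPassword = Read-Host -Prompt "Password for the .pfx private key" -AsSecureString

# Check the certificate locally first: the crawl stops authenticating the day it lapses,
# so warn while there is still time to rotate it in Azure Portal and the Credential Store.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
if (-not $cert.HasPrivateKey) { throw "The .pfx does not contain a private key; re-generate it." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); plan a rotation."
}

# Certificate-based, app-only sign-in: no user credentials and no interactive flow,
# which is exactly what the Control Hub source will do with the same credential.
try {
    Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
        -CertificatePath $pfxPath -CertificatePassword $pfxPassword
}
catch {
    # A failure here usually means the .cer was not uploaded, the thumbprint does not match,
    # or admin consent for Sites.FullControl.All was never granted.
    throw "App-only sign-in failed; check the certificate upload and admin consent. $($_.Exception.Message)"
}

# A successful read of the site proves the permission grant is effective for this app.
$site = Get-PnPSite
$web  = Get-PnPWeb
"Connected app-only to '$($web.Title)' at $($site.Url) using certificate $($cert.Thumbprint)"

Disconnect-PnPOnline
```

Once this succeeds, any remaining crawl failures are configuration problems in the source rather than authentication ones.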