SharePoint Online Connector
If you are authenticating using ACS (Azure Communication Services) with Sites.FullControl.All permissions enabled, it will be important to migrate away from ACS by 2nd April 2026.
The preferred way of authenticating is to use an App Registration in Azure Portal. This registers an application with Entra ID (previously Azure AD), manages authentication with Entra ID, and allows invocation of supported applications, such as SharePoint, via API permission scopes.
This document details how to configure an application in Azure Portal and the changes required in Control Hub to use it. It will assist anyone migrating from ACS to Azure AD.
To register the SharePoint connector application within Azure Portal, follow these steps:
Navigate to
Ensure you are in the correct Azure Directory.
In the search bar, type “App Registrations” or click the shortcut under Azure Services.
Select New registration.
Name - Give the application a user-facing name.
Supported account types - Consider if the application will be used specifically within this directory or other directories within your organisation.
Redirect URI (optional) – This is not required.
Select Register.
This will take you to the registered application page.
From here you will see an overview of your application detailing important information, such as the Application (client) ID and Directory (tenant) ID.
You will need this information later in the process.
You can now create and apply a self-signed X.509 certificate to authenticate with and invoke SharePoint Online via the registered application. Alternatively, you may also use an X.509 certificate issued by your preferred Certificate Authority (CA), although the certificate is not client facing.
Open a new PowerShell terminal and run the following command.
Be sure to save the certificate files to a preferred location and give the certificate an appropriate, strong password.
Make sure both the .cer and .pfx files are saved:
The .cer (public key) will be uploaded to the registered application in Azure Portal.
The .pfx (private key) will be uploaded to the Credential Store in Aiimi Insight Engine Control Hub.
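The certificate step above, as an added PowerShell example that is not part of the original guide: it generates the certificate with New-PnPAzureCertificate, then checks that the .cer and .pfx belong to the same key pair before either file is uploaded. It assumes the PnP.PowerShell module is installed; the folder, file name and one-year validity are hypothetical choices.

```powershell
# Added example. Assumptions: PnP.PowerShell is installed, and C:\certs is an
# access-restricted folder (hypothetical path and file name).
$certDir  = 'C:\certs'
$baseName = 'aie-sharepoint-connector'
$pfxPath  = Join-Path $certDir "$baseName.pfx"
$cerPath  = Join-Path $certDir "$baseName.cer"

# Prompt for the password so it never appears in the script or shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Generate the self-signed certificate and write both files.
# -ValidYears 1 is a choice made for this example, not a requirement of the guide.
New-PnPAzureCertificate `
    -CommonName $baseName `
    -OutPfx $pfxPath `
    -OutCert $cerPath `
    -CertificatePassword $password `
    -ValidYears 1 | Out-Null

# Load both files and confirm they describe the same certificate.
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $password)

if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw 'The .cer and .pfx do not match.' }
if ($cer.HasPrivateKey)                  { throw 'The .cer must not contain a private key.' }
if (-not $pfx.HasPrivateKey)             { throw 'The .pfx is missing its private key.' }

# Summary to keep alongside the credential record.
[pscustomobject]@{
    Subject    = $cer.Subject
    Thumbprint = $cer.Thumbprint
    NotAfter   = $cer.NotAfter
    CerFile    = $cerPath
    PfxFile    = $pfxPath
}
```

After the .cer is uploaded, the thumbprint printed here should match the one Azure Portal lists for the certificate. The .pfx holds the private key for an application with Sites.FullControl.All, so remove any working copy once it is stored in the Credential Store.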
In Azure Portal, select Certificates & Secrets.
This will take you to the Certificates & Secrets page.
Ensure you are on the Certificates tab.
Select Upload certificate.
Find and select the .cer file generated using the New-PnPAzureCertificate cmdlet.
Description – Add a description of how the certificate will be used.
Select Add.
Your certificate is now uploaded and associated with the registered application in Azure.
Now you have a registered application backed with a certificate, you are ready to add API Permissions.
In Azure Portal, under Manage, select API Permissions.
By default, the Microsoft Graph User.Read permission will always be present. This is required and should remain in place.
Select Add a permission.
Under Microsoft APIs, select SharePoint.
Select Application permissions.
This is very important to ensure no user credentials are required for authentication and the context is not scoped to a single user.
From the available permissions, select Sites.FullControl.All.
This is currently the only API permission level we readily support for the SharePoint Online connector.
Permission levels lower than this, Sites.Read.All for example, are not yet proven and may have unintended consequences.
We are actively working to allow the SharePoint Online connector to run in a read-only mode.
Select Add permission.
You will see that permission is applied but not yet granted to the registered application.
You must grant admin consent for any permission applied.
This is necessary to allow silent authentication for APIs, without which the application would require a user invoked authentication flow.
Select Grant admin consent for <organisation>.
Select Yes to confirm this selection when prompted.
You have now applied Sites.FullControl.All API permission to the registered application.
Now everything is configured in Azure Portal, you need to change any existing configurations in Aiimi Insight Engine Control Hub.
Within the Control Hub select Credentials.
On the Credentials page, select New Credential.
Select Certificate for the credentials type.
This will reveal the relevant input fields for uploading a certificate.
Credential ID – Enter an ID for this credential.
It must be lowercase, with no spaces and no special characters.
Credential Name – Enter a user-friendly name for this credential.
Password – Enter the password associated with the certificate previously generated.
Expiry Date (DD-MM-YYYY) – This will automatically populate according to the certificate’s expiry.
You can enter a different expiry date if you prefer. It must not be in the past or after the certificate’s expiry date.
Import Certificate – Either drag and drop the .pfx part of the certificate or manually upload it using the “browse files” link.
If using “browse files” in Windows Explorer, enable “All Files (*.*)” when searching.
Only valid certificates can be uploaded.
Select Create.
You can now see your new certificate credential in the Credential Store.
Now you have a registered application in Azure, backed with a certificate/public key, API permissions applied and an associated private key (.pfx) stored in AIE Control Hub, you can configure a SharePoint source.
Navigate to Aiimi Insight Engine Control Hub.
Click Configurations.
If applying to an existing source, find the existing SharePoint source configuration.
The following connectivity steps apply to new source configurations too.
Select Edit on the configuration.
On the Source tab, choose the Connection sub tab.
Client ID – Enter the Application (client) ID of the registered application.
You can find this in the Overview on the Azure Portal.
Directory (Tenant) ID – Enter the Directory (tenant) ID for the registered application.
You can find this in the Overview on the Azure Portal.
Select Credential – Select the certificate credential associated with the .pfx file.
Select Save.
You are now ready to run a crawl without using ACS authentication.
This guide explains how to set this up with the PnP.PowerShell cmdlet, New-PnPAzureCertificate. It generates a self-signed certificate and manifest settings for using SharePoint CSOM (Client Object Model) via app-only application API permissions, as detailed here: