Migrating ACS to Azure AD with Sites.FullControl.All

Migrating from ACS with Sites.FullControl.All permissions to Azure AD with Sites.FullControl.All permissions.

Using Azure Communication Services for authentication with Sites.FullControl.All permissions is being deprecated. If you are using this, you must migrate away from it by 2nd April 2026.

The preferred way of authenticating is to use an Azure Portal App Registration. This gives the application its own identity in Microsoft Entra ID (previously Azure AD). Entra ID handles the authentication and lets the application invoke supported services, including SharePoint, through API permission scopes.

This document details how to configure an application in Azure Portal and what to change in Control Hub. It can assist anyone migrating from ACS to Azure AD.

Prerequisites

Azure Portal - Application Registration

To register the SharePoint connector application within Azure Portal, follow these steps:

  1. Ensure you are in the correct Azure Directory.

  2. In the search bar, type “App Registrations” or click the shortcut under Azure Services.

  3. Select New registration.

  4. Name – Give the application a user-friendly name.

  5. Supported account types – Consider whether the application will only be used in this directory or also in others within your organisation.

  6. Redirect URI (optional) – This is not required.

  7. Select Register.

  8. This will take you to the registered application page with an overview of your application. You'll need the Application (client) ID and Directory (tenant) ID from this page later in the process.


Azure Portal - Certificates & Secrets

You can now create and apply a self-signed X.509 certificate. The registered application will use it to authenticate to, and invoke, SharePoint Online.

Alternatively, you can use an X.509 certificate issued by your preferred Certificate Authority (CA), although this is not necessary because the certificate is not client facing.

This guide explains how to create the self-signed certificate and manifest settings using a Cmdlet. They're needed to use SharePoint CSOM via app-only API permissions. You create them using the PnP.PowerShell Cmdlet New-PnPAzureCertificate. See Microsoft's app-only security documentation for more information on this.

Cmdlet Requirements

  • PowerShell 7 running in Administrator mode.

  • The PnP.PowerShell module to be installed.

Running the Cmdlet

  1. Open a PowerShell terminal as an administrator and run the following command.

     New-PnPAzureCertificate -OutPfx pnp.pfx -OutCert pnp.cer -CertificatePassword (ConvertTo-SecureString -String "<Your Password>" -AsPlainText -Force)

  2. Save the certificate files in your preferred location and give them a strong password.

    • Make sure both the .cer and .pfx files are saved. The .cer (public key) will be uploaded to the registered application in Azure Portal. The .pfx (private key) will be uploaded to the Credential Store in Aiimi Insight Engine Control Hub.

Apply the certificate to the registered application

  1. In Azure Portal, select Certificates & Secrets.

  2. Ensure you are on the Certificates tab.

  3. Select Upload certificate.

  4. Select the .cer file you created using New-PnPAzureCertificate.

  5. Description – Add a description to the certificate of what it will be used for.

  6. Select Add.

This certificate is now associated with the registered application in Azure.


Azure Portal - API Permissions

Now you have a registered application with a certificate, you can add API Permissions.

  1. In Azure Portal, navigate to your registered application.

  2. Under Manage, select API Permissions.

    • There will always be Microsoft Graph, User.Read permissions. This is required and should remain in place.

  3. Select Add a permission.

  4. Under Microsoft APIs, select SharePoint.

  5. Select Application permissions.

    • This ensures user credentials aren't required for authentication and the context is not scoped to one user.

  6. From the available permissions, select Sites.FullControl.All.

    • This is currently the only API permission level we readily support for the SharePoint Online connector.

    • Permission levels lower than this (Sites.Read.All, for example) are not yet proven and may have unintended consequences.

    • We are actively working to allow the SharePoint Online connector to run in a read-only mode.

  7. Select Add permission.

    • The permissions have been applied but not yet granted to the registered application.

  8. You must grant admin consent for any permission applied.

    • This allows silent authentication to the APIs. Without it, the application would need a user-invoked authentication flow.

  9. Select Grant admin consent for <organisation>.

  10. Select Yes to confirm this selection when prompted.

The Sites.FullControl.All API permission has been applied to the registered application.
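The following script is an added example, not part of the Aiimi or Microsoft documentation. It ties together the certificate step (New-PnPAzureCertificate) and this permission step: it generates the certificate pair, checks that the .cer you upload to Azure and the .pfx you upload to Control Hub are the same key pair, records the expiry date Control Hub will auto-populate, and then proves app-only access to SharePoint Online works before any Control Hub configuration is touched. The common name, validity period, and the <...> tenant, client ID and site URL placeholders are assumptions you replace with your own values.

```powershell
# Added example (not from the Aiimi/Microsoft documentation). Assumes PnP.PowerShell is
# installed and that the <...> placeholders are replaced with your own values.
#Requires -Modules PnP.PowerShell

$pfxPath = ".\pnp.pfx"
$cerPath = ".\pnp.cer"
# Prompting avoids leaving the certificate password in plaintext in the script or shell history.
$pfxPass = Read-Host -Prompt "Certificate password" -AsSecureString

# 1. Generate the self-signed certificate pair (same cmdlet as the guide, with an explicit
#    common name and validity period; both values are assumptions).
New-PnPAzureCertificate -CommonName "AiimiSharePointConnector" -ValidYears 2 `
    -OutPfx $pfxPath -OutCert $cerPath -CertificatePassword $pfxPass | Out-Null

# 2. Confirm the .cer (for Azure Portal) and the .pfx (for the Control Hub Credential Store)
#    are the same key pair, and record the thumbprint Azure will display after upload and the
#    expiry date the Control Hub Expiry Date (DD-MM-YYYY) field will auto-populate.
$publicCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$privateCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPass)

if ($publicCert.Thumbprint -ne $privateCert.Thumbprint) {
    throw "Thumbprint mismatch: pnp.cer and pnp.pfx are not the same certificate."
}
if (-not $privateCert.HasPrivateKey) {
    throw "pnp.pfx carries no private key; the Control Hub credential would not work."
}
"Thumbprint : $($publicCert.Thumbprint)"
"Expires    : $($publicCert.NotAfter.ToString('dd-MM-yyyy'))"

# 3. Once pnp.cer is uploaded, Sites.FullControl.All is added and admin consent is granted,
#    verify the app-only chain end to end. These three values are placeholders.
$clientId = "<Application (client) ID>"
$tenant   = "<tenant>.onmicrosoft.com"     # the Directory (tenant) ID also works here
$siteUrl  = "https://<tenant>.sharepoint.com"

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
    -CertificatePath $pfxPath -CertificatePassword $pfxPass

# Get-PnPWeb typically fails with 401 Unauthorized when the permission was added but admin
# consent was not granted, or when the certificate on the app does not match this .pfx.
$web = Get-PnPWeb
"Connected app-only to '$($web.Title)' ($($web.Url))"
Disconnect-PnPOnline
```

Run it from the same PowerShell 7 administrator session the guide requires; if step 3 fails, fix the Azure Portal side first, because the Control Hub credential and source configuration reuse exactly these values.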


Aiimi Insight Engine - Credentials

Now everything is configured in Azure Portal, you need to create credentials in Aiimi Insight Engine's Control Hub.

  1. Within the Control Hub select Credentials.

  2. On the Credentials page, select New Credential.

  3. Credential Type – Select Certificate.

    • This will reveal the relevant input fields for uploading a certificate.

  4. Credential ID – Enter an ID for this credential.

    • It must be lowercase, with no spaces or special characters.

  5. Credential Name – Enter a user-friendly name for this credential.

  6. Password – Enter the password associated with the certificate you generated earlier.

  7. Expiry Date (DD-MM-YYYY) – This will automatically populate according to the certificate’s expiry.

    • You can enter a different expiry date if needed. It must not be in the past or after the certificate’s own expiry date.

  8. Import Certificate – Either drag and drop the .pfx file or find it using the “browse files” link.

    • If using “browse files” in Windows Explorer you must select “All Files (*.*)” when searching.

    • Only valid certificates can be uploaded.

  9. Select Create.

Your new certificate credential is now in the Aiimi Insight Engine Credential Store.


Aiimi Insight Engine – Source Configuration

Now the registered application and credentials are set up, you can configure a SharePoint source.

  1. Within the Control Hub select New Configuration.

    • If you're applying this to an existing source, find the configuration and select edit.

  2. On the Source tab, select SharePoint from the Source System dropdown.

  3. Client ID – Enter the Application (client) ID of the registered application.

    • You can find this in the Overview on the Azure Portal.

  4. Directory (Tenant) ID – Enter the Directory (tenant) ID for the registered application.

    • You can find this in the Overview on the Azure Portal.

  5. Select Credential – Select the certificate credential associated with the .pfx file.

  6. Select Save.

You are now ready to run a crawl without using ACS authentication.
