Forum Discussion

Tommy-Johannessen's avatar
Tommy-Johannessen
Copper Contributor
Aug 25, 2023
Solved

Error when authenticating with Default Azure Credential (CSOM)

Before the summer break I used a code that we have developed to set up content on SharePoint sites though local host when running from Visual Studio. Then when I returned about a week later the code ...
  • elnurrr's avatar
    elnurrr
    Oct 23, 2023
    then you will have to wait for MS reenabling SPO accepting 'user_impersonation' scope (there is a ticket already) 🙂
    any other solution involves an app registration created
elnurrr's avatar
elnurrr
Copper Contributor
Oct 20, 2023

Perneel, here is your workaround 🙂

#if DEBUG
            var credential = new InteractiveBrowserCredential(new InteractiveBrowserCredentialOptions() { ClientId = "the-client-id" });
#else
            var credential = new Azure.Identity.DefaultAzureCredential();
#endif

var token = await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] { "https://yourtenanthere.sharepoint.com/.default" }));
log.LogInformation(token.Token);

 

The app registration the 'the-client-id' refers to looks like this

 

As a result, you are able to get an access token via the the Authorization Code Flow with PKCE and your browser while debugging your code locally in VS

 

Tommy-Johannessen's avatar
Tommy-Johannessen
Copper Contributor
Oct 23, 2023

Thank you for the reply elnurrr,

 

One of the issues with this approach is that we some times use our kode to setup SharePoint lists and content types on sites, where we only have access to that specific site and a user (often with MFA).

 

The approach we used earlier allowed us to login with the user in Visual Studio and run the code on behalf of that user. Now that is not possible, just wanted to know if it was possible to achieve the same without making a resource in Azure.

 

But I will keep your answer in mind as a nice workaround when possible, thanks.

  • elnurrr's avatar
    elnurrr
    Copper Contributor
    Oct 23, 2023
    then you will have to wait for MS reenabling SPO accepting 'user_impersonation' scope (there is a ticket already) 🙂
    any other solution involves an app registration created
    • Tommy-Johannessen's avatar
      Tommy-Johannessen
      Copper Contributor
      Oct 23, 2023
      Thank you for the help 🙂
      Will use the workaround whenever possible, and wait patiently for them to reenable 'user_impersonation' for SPO
      • elnurrr's avatar
        elnurrr
        Copper Contributor
        Dec 01, 2023
        Got a response from Microsoft
        "...
        In May 2023, a pull request was merged to deny the use of the scope user_impersonation for all non first-party applications and some first-party applications.
        This is a design change what was made to address security concerns, because this (user_impersonation) is an implicit (not explicitly granted) scope, and a token with this scope gains all the permissions that the user is granted in SharePoint.
        ...
        "
        Seems like the DefaultAzureCredential is not going to work 'by default' with SPO anymore

Resources