SharePoint App-Only authentication security risks

Iron Contributor

I am assessing the security risks associated with older SharePoint App-Only authentication method. As per my analysis, this method is less secure than using the Azure AD App Registrations.

 

Both SharePoint App and an Azure AD App can authenticate with just a Client ID and a Client Secret. Anyone with these two properties can connect and invoke the APIs from anywhere in the world.  

 

However, with Azure AD App, we have some protection offered by Azure AD built-in intelligent algorithms that could detect or protect against a potential attack. Furthermore, we could use Conditional Access for Workload identities to secure these principals. On the contrary, SharePoint App Only method does not have that protection as it bypasses the Azure AD completely, no conditional access policies apply.

 

Has anyone out there evaluated the security risks of these two and could share their thoughts?

2 Replies
Hi Gurdev,
Azure AD app registrations using certificates is what you should be looking at as this is the recommended way of connecting to SharePoint as an app.
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread?WT.mc_id...
Thanks Joel...yeah, totally understand the recommendation that certificates with Azure AD are the most secure method. However, in our case, the solution requires usage of SharePoint APIs that are not supported with Azure AD App Only. My job is to determine the security risks in allowing the SharePoint App-Only method and hence my original post.