TedWagner-4398 asked TedWagner-4398 commented

ADAL deprecation and SharePoint Online

I am seeing posts about ADAL being deprecated, but nothing on migrating the SharePoint Client Object Model, SharePoint REST APIs, or JSOM to support MSAL tokens.

There are several items Graph does not support and we need to continue to use these tools. Is there any information on using the CSOM with an MSAL token?

office-sharepoint-online azure-ad-msal azure-ad-adal-deprecation

MichaelHan-MSFT answered TedWagner-4398 edited

Hi @TedWagner-4398,

Below is my sample for you to get the MSAL access token:

     using System;
     using System.Security.Cryptography.X509Certificates;
     using System.Threading.Tasks;
     using Microsoft.Identity.Client;
     using Microsoft.SharePoint.Client;

     class Program
     {
         // App-only (client credentials) token for SharePoint Online, authenticated with a certificate.
         private static async Task<string> GetToken()
         {
             string applicationId = "client-id";
             string tenantId = "tenant.onmicrosoft.com";
             // Placeholder path and password; do not hard-code real certificate secrets.
             X509Certificate2 certificate = new X509Certificate2(@"C:\cer.pfx", "password");

             IConfidentialClientApplication confApp = ConfidentialClientApplicationBuilder.Create(applicationId)
                 .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
                 .WithCertificate(certificate)
                 .Build();

             var scopes = new[] { "https://tenant.sharepoint.com/.default" };
             var authenticationResult = await confApp.AcquireTokenForClient(scopes).ExecuteAsync();
             return authenticationResult.AccessToken;
         }

         static async Task Main(string[] args)
         {
             string site = "https://tenant.sharepoint.com/sites/test";
             string token = await GetToken();
             Console.WriteLine(token); // debug output only; a bearer token should not be written to logs

             ClientContext ctx = new ClientContext(site);
             // Attach the MSAL access token to every CSOM request.
             ctx.ExecutingWebRequest += (s, e) =>
             {
                 e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + token;
             };
             Web web = ctx.Web;
             ctx.Load(web);
             ctx.ExecuteQuery();
             Console.WriteLine(web.Title);
         }
     }

Here is a nice blog post on using CSOM with an MSAL token for your reference: https://www.vrdmn.com/2020/06/using-net-standard-csom-and-msalnet-for.html

I would also suggest using the PnP Framework library directly for SharePoint CSOM. This is much easier. For example, you just need to get the ClientContext like below.

 var context = new PnP.Framework.AuthenticationManager(clientId, certificatePath, password, "tenant.onmicrosoft.com").GetContext(site);



@MichaelHan-MSFT Both of these answers are app context. We need a solution to replace user context, aka the app requests need to run as the user. What is the implicit grant flow, or even the on-behalf-of flow? SharePoint Online is more likely to throttle if all our users are using the app authentication token. If each request is running under the user's context, requests are spread out and our applications do not throttle. Also, using a user's access token when you add/update a SharePoint item correctly shows who made the changes; this is a necessary feature of SharePoint that cannot be lost.

MichaelHan-MSFT answered TedWagner-4398 commented

Hi @TedWagner-4398,

If you want to use username and password for authentication, the AuthenticationManager class in PnP Framework library also supports it. Below is my sample for you:

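         using System;
         using System.Security;
         using Microsoft.SharePoint.Client;
         using PnP.Framework;

         // Placeholder credentials; do not hard-code a real password in source.
         String name = "michael@tenant.onmicrosoft.com";
         String password = "xxxx";
         SecureString securePassword = new SecureString();
         foreach (char c in password.ToCharArray())
         {
             securePassword.AppendChar(c);
         }

         string site = "https://tenant.sharepoint.com/sites/test";
         // Username/password authentication through the PnP Framework AuthenticationManager.
         var authenticationManager = new AuthenticationManager(name, securePassword);
         var ctx = authenticationManager.GetContext(site);
         Web web = ctx.Web;
         ctx.Load(web);
         ctx.ExecuteQuery();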

Good morning @MichaelHan-MSFT


We already have the user's token from the login; we don't want to use a password as you show. Here are the two examples we need replaced; right now they require ADAL tokens and I don't see any MSAL replacement for them using PnP or the SharePoint docs.

For CSOM we use this call:

 TokenHelper.GetClientContextWithAccessToken(this.url, accessToken);


For REST we use HttpRequestMessage and it looks like this:

 var digest = context.GetFormDigestDirect();
 HttpRequestMessage msg = new HttpRequestMessage(Method, Uri);
 msg.Headers.Authorization = new AuthenticationHeaderValue("Bearer", userToken);
 msg.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
 msg.Headers.Add("X-RequestDigest", digest.DigestValue);
 ProductHeaderValue productHeaderValue = new ProductHeaderValue("NONISV|<company name>|<app name>");
 msg.Headers.UserAgent.Add(new ProductInfoHeaderValue(productHeaderValue));
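
One way to get a delegated (user-context) token for CSOM with MSAL is the on-behalf-of flow mentioned in the comments above. The following is an added example, not code from this thread or from the SharePoint or PnP projects. It assumes the app is registered as a confidential client with delegated SharePoint permissions already consented, and that the incoming user token was issued for this app; `UserContextFactory` and its parameters are hypothetical names.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;

// Added example (not from the thread). Hypothetical helper that exchanges the
// signed-in user's token for a delegated SharePoint token (on-behalf-of flow).
public sealed class UserContextFactory
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;

    // clientId, certificate, tenantId and resource are supplied by the caller,
    // e.g. resource = "https://tenant.sharepoint.com" (placeholder tenant).
    public UserContextFactory(string clientId, X509Certificate2 certificate, string tenantId, string resource)
    {
        _app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .WithCertificate(certificate)
            .Build();
        // ".default" requests the delegated permissions already consented for this app.
        _scopes = new[] { resource.TrimEnd('/') + "/.default" };
    }

    // incomingUserToken: the access token the user presented to this app
    // (assumption: its audience is this app, not SharePoint).
    public ClientContext Create(string siteUrl, string incomingUserToken)
    {
        var assertion = new UserAssertion(incomingUserToken);
        var ctx = new ClientContext(siteUrl);
        ctx.ExecutingWebRequest += (s, e) =>
        {
            // Acquire per request: MSAL returns its cached token while it is still
            // valid, so a long-lived context does not keep sending an expired one.
            AuthenticationResult result = _app
                .AcquireTokenOnBehalfOf(_scopes, assertion)
                .ExecuteAsync().GetAwaiter().GetResult();
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + result.AccessToken;
        };
        return ctx;
    }
}
```

Because the resulting token carries the user's identity, SharePoint attributes item changes to that user, and the same `result.AccessToken` can be used as the bearer value in the `HttpRequestMessage` REST call.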