I have the below console application, which integrates with SharePoint Online. the console application is hosted on a local VM and authenticates with SharePoint using ClientId, TenantID & Certificate, as follow:-
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using PnP.Core.Auth;
using PnP.Core.Model.SharePoint;
using PnP.Core.Model.Teams;
using PnP.Core.QueryModel;
using PnP.Core.Services;
using PnP.Core.Services.Builder.Configuration;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Globalization;
using System.Runtime.CompilerServices;
using System.Security.Cryptography.X509Certificates;
using static Microsoft.ApplicationInsights.MetricDimensionNames.TelemetryContext;
using static System.Net.Mime.MediaTypeNames;
namespace ConsoleApp4
{
internal class Program
{
static async Task Main(string[] args)
{
var tenantId = "b***c";
var clientId = "7*****9";
var certificatePath = @"c:\CERT\SPDashBoardIntegration.pfx";
var certificatePassword = "***";
// Initialize a new service collection
var serviceCollection = new ServiceCollection();
// Load the certificate
var certificate = new X509Certificate2(certificatePath, certificatePassword, X509KeyStorageFlags.Exportable);
// Configure logging
serviceCollection.AddLogging(builder =>
{
builder.AddConsole();
});
// Add and configure PnP Core SDK
serviceCollection.AddPnPCore(options =>
{
options.PnPContext.GraphFirst = true; // Set true if you prefer to use Graph over CSOM when possible
// options.HttpRequests.UserAgent = "ISV|Contoso|ProductX";
options.Sites.Add("SiteToWorkWith", new PnPCoreSiteOptions
{
SiteUrl = "https://********.sharepoint.com/sites/********-******",
AuthenticationProvider = new X509CertificateAuthenticationProvider(clientId, tenantId, certificate)
});
});
int i = 0;
// Build the service provider
var serviceProvider = serviceCollection.BuildServiceProvider();
// Use the service provider to get the IPnPContextFactory instance
var pnpContextFactory = serviceProvider.GetRequiredService<IPnPContextFactory>();
// Now you can use the IPnPContextFactory to get a PnPContext and perform operations
var context = await pnpContextFactory.CreateAsync("SiteToWorkWith");
// Assume the fields where not yet loaded, so loading them with the list
var workOrderList = context.Web.Lists.GetByTitle("Work Orders", p => p.Title,
p => p.Fields.QueryProperties(p => p.InternalName,
p => p.FieldTypeKind,
p => p.TypeAsString,
p => p.Title));
Now my question is if this is a secure approach? I mean when the VM sends the ClientID, Client Secret & Certificate to SharePoint Online, will that info be secure on the network? i mean will the console application communicate with SharePoint in a secure way when it sends the credentials (ClientID, Client Secret & Certificate)? If not, then how we can secure this?
Thanks
TLS is used to encrypt data in transit. Many Azure services started deprecating TLS 1.0 and 1.1 in favor of TLS 1.2+. Calling these services will throw "The request was aborted: Could not create SSL/TLS secure channel" if your app and VM are not properly set up for secure connections.
Preparing for TLS 1.2 in Office 365
I think, you need to focus more on installing security updates on your VM and keeping credentials that you use to connect to your VM in secret. With these approaches, your Sharepoint credentials are pretty secure.