Certificate-Based Authentication (CBA) is required to enable custom actions with SharePoint Online through the PnP PowerShell channel in CoreView. This method is required because Microsoft is retiring legacy IDCRL authentication in favor of modern authentication for SharePoint.
Prerequisites
- Create a key pair and export:
- The public certificate (
.cer) - The private key (
.pfx), optionally protected by a password- If you set a password for the
.pfx, enter it in CoreView. Otherwise, leave the field blank.
- If you set a password for the
- Two methods to generate these files are described below (other methods are possible).
- The public certificate (
- You must have a Tenant Admin role in CoreView.
- Ensure Graph management is already configured (PnP can reuse the same Client ID).
App registration and permission configuration
In the Microsoft Entra admin center, follow the steps below:
Step 1: create o reuse app registration
Navigate to “App registrations” and select your existing Microsoft Entra app registration for Graph Management. The PnP channel will use the same Client ID but with certificate credentials.
Alternatively, you can create a new app registration. Refer to the Graph management documentation, section: “Using the Entra ID admin center” for step-by-step guidance.
Step 2: upload certificate
Open your app registration, go to “Certificates & secrets > Certificates”.
Click “Upload certificate” and select the .cer file containing the public key. Click “Add”.
Step 3: configure API permissions
In your registered application, select “API permissions > Add a permission”.
Choose “SharePoint” from the “Request API permissions” list.
Select “Application permissions” and add: Sites.FullControl.All. Click “Add permissions”.
Click “Grant admin consent for [your organization]”.
Additional permissions
Additional permission may be required for specific scenarios:
| Use case | Required permission |
|---|---|
| Read/write site content | Sites.ReadWrite.All |
| Manage site collections | Sites.Manage.All |
Refer to Microsoft documentation for more information about Microsoft Graph permissions.
Configure PnP SharePoint Management in CoreView
In the CoreView app, follow the steps below:
- Open “Settings > My Organization > Apps management > PnP SharePoint management”.
- Enter the Client ID from your Entra app registration.
- Upload the
.pfxfile (private key for the certificate). If applicable, specify the password used to protect the.pfxfile. Click “Save”.
Behaviors and service notes
Fallback and deprecation
If no certificate is found, CoreView will temporarily use a credential flow for legacy compatibility. Credential flow is scheduled for deprecation after 30 April 2026; ensure certificates are configured for future operation.
Expiration monitoring
Certificates expire periodically and must be renewed before expiry. Certificate status can be verified in the “PnP management” section. CoreView displays a banner alert if the certificate expires or is misconfigured.
How to generate certificates
To generate a certificate, use a method that matches your organization’s security practices. Possible methods include:
PowerShell
See Microsoft’s guide to creating a self-signed certificate.
Note: self-signed certificates are not trusted by external Certificate Authorities (CA).
Azure Key Vault
- Navigate to your Azure Key Vault resource
- Select:
- “Objects > Certificates > Generate/Import”
- Method, certificate name, type (self-signed or CA-signed)
- Recommended validity: 12–24 months
- Content type: PKCS #12