SharePoint App Registration using Client Credentials in Azure Entra ID

Here’s a clean, end-to-end walkthrough to create an App Registration in Microsoft Entra ID for SharePoint access using Client Credentials (app-only / no user login).


1. Create the App Registration

  1. Go to Azure Portal → Entra ID
  2. Click App registrations → New registration

Fill in:

  • Name: e.g. SharePoint Client Credentials App
  • Supported account types: → Single tenant only - Default Directory (most common)
  • Redirect URI: → Leave blank (not needed for client credentials)

Click Register


2. Capture Important IDs

After creation, go to Overview and copy:

  • Application (client) ID
  • Directory (tenant) ID

You’ll need both for OAuth.


3. Create a Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Add description + expiration
  4. Click Add

IMPORTANT: Copy the secret value immediately — you won’t see it again.


4. Add Microsoft Graph Permissions

This is the most important step.

  1. Go to API permissions
  2. Click Add a permission
  3. Select:
    • Microsoft Graph
    • (do not select SharePoint)

You’ll see two options: Delegated permissions and Application permissions.

Choose:

  • Application permissions (NOT delegated)

Then select what you need:

Common choices:

  • Sites.Read.All → Read all SharePoint sites
  • Sites.ReadWrite.All → Read/write all sites
  • Sites.FullControl.All → Full control (use carefully)

Click Add permissions


5. Grant Admin Consent

Still in API permissions:

  • Click Grant admin consent for [your tenant]
  • Confirm

Without this, client credentials will fail.


6. (Recommended) Restrict to Specific Sites

By default, Sites.Read.All gives access to ALL SharePoint sites.

For better security:

Instead of broad permissions, use:

  • Sites.Selected

Then grant access per site through Microsoft Graph’s site permissions endpoint.

Example (after token is working):

POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions

7. Token Endpoint (Client Credentials)

Use this OAuth2 endpoint:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

8. Token Request Example

POST (x-www-form-urlencoded)

client_id=YOUR_CLIENT_ID
&client_secret=YOUR_SECRET
&scope=https://graph.microsoft.com/.default
&grant_type=client_credentials

9. Use the Access Token

Call SharePoint via Graph:

GET https://graph.microsoft.com/v1.0/sites
Authorization: Bearer {access_token}
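The token request in section 8, the Graph call in section 9 and the per-site grant body from section 6, worked through as an added Python example (standard library only; this is not code from the original article). It reads the tenant ID, client ID and secret value from environment variables named TENANT_ID, CLIENT_ID and CLIENT_SECRET (names chosen here), decodes the returned token’s claims only to spot the mistakes listed under Common Mistakes, and builds the JSON body for POST /sites/{site-id}/permissions. That grant call must itself be made by an identity that is allowed to manage the site’s permissions, not by the Sites.Selected app it authorises; constructed_token exists only so the claim checks can be exercised offline.

```python
"""Client-credentials flow for SharePoint via Microsoft Graph.

Added example, not from the original article. Uses only the standard
library. Credentials come from environment variables (names chosen here):
TENANT_ID, CLIENT_ID, CLIENT_SECRET.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"   # sections 7 and 8


def token_url(tenant_id):
    # v2.0 token endpoint from section 7
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, scope=GRAPH_SCOPE):
    """(url, x-www-form-urlencoded body) for the request shown in section 8."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,   # the secret VALUE, not the secret ID
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode()
    return token_url(tenant_id), body


def parse_token_response(raw):
    """Return access_token, or raise with Entra's error text (e.g. missing consent)."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def decode_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature.

    For local troubleshooting only: the token is addressed to Graph, which
    validates it; never make authorisation decisions on these claims."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def app_only_problems(claims, tenant_id, required_role):
    """Spot the 'Common Mistakes' from the token itself."""
    problems = []
    if "scp" in claims:   # delegated tokens carry scp, app-only tokens carry roles
        problems.append("token has 'scp': delegated (user) context, not app-only")
    if required_role not in claims.get("roles", []):
        problems.append(f"role {required_role} missing: check Application "
                        "permissions and admin consent")
    if claims.get("tid") != tenant_id:
        problems.append("token issued for a different tenant")
    return problems


def graph_headers(access_token):
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def sites_selected_grant(client_id, display_name, roles=("read",)):
    """Body for POST /sites/{site-id}/permissions (section 6, Sites.Selected)."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": client_id,
                                                     "displayName": display_name}}]}


def constructed_token(claims):
    """Unsigned JWT-shaped string, constructed for offline testing of decode_claims only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def get_access_token(tenant_id, client_id, client_secret):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    tenant, client, secret = (os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    if not all((tenant, client, secret)):
        raise SystemExit("set TENANT_ID, CLIENT_ID and CLIENT_SECRET")
    token = get_access_token(tenant, client, secret)
    for problem in app_only_problems(decode_claims(token), tenant, "Sites.Read.All"):
        print("WARNING:", problem)
    # section 9: list sites (search=* lists every site the app is allowed to see)
    req = urllib.request.Request("https://graph.microsoft.com/v1.0/sites?search=*",
                                 headers=graph_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        for site in json.load(resp).get("value", []):
            print(site.get("webUrl"))
```

A token that decodes with an scp claim, or without the expected entry in roles, points straight at the first two items under Common Mistakes (delegated instead of Application permissions, or missing admin consent) before any Graph call is attempted.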

Notes Specific to SharePoint

You have two API paths:

Option A (Recommended)

  • Use Microsoft Graph
  • Scope: https://graph.microsoft.com/.default

Option B (Legacy)

  • Use SharePoint REST directly:
    https://{tenant}.sharepoint.com/_api/...

Scope would be:

https://{tenant}.sharepoint.com/.default

Graph is preferred unless you need legacy features.


Common Mistakes

  • ✗ Using Delegated permissions instead of Application
  • ✗ Forgetting Admin Consent
  • ✗ Using wrong scope (.default is required)
  • ✗ Expecting user context (this is app-only)

Mental Model

Client Credentials = “This app acts as itself, not as a user.”

No login, no browser, no redirect — just:

  • client_id
  • client_secret (also known as the secret value, not the "secret id")
  • token
  • API call