Certificate-Based Authentication
Certificate-based authentication provides a secure way to connect to SharePoint and supports both basic integration and permission sync functionality. Use certificate authentication when:- You need permission sync capabilities
- You prefer certificate-based security over client secrets
- Your organization requires certificate-based authentication
Setting up
Step 1: Create Azure App Registration
1
Open Azure Portal
Log in to Azure Portal for your organization.
2
Open App registrations
Navigate to “App registrations” using the search bar.
3
Create registration
Click New Registration.
4
Name and register app
Name it something like “Onyx SharePoint Connector - Certificate”, leave everything else as default,
and click Register.
5
Save IDs
Under “Essentials” in the overview tab, you will find the Application (client) ID and Directory (tenant) ID.
Save those for later.
Step 2: Generate and Upload Certificate
Option A: Generate Self-Signed Certificate
Option B: Use Organization Certificate
Obtain a certificate from your organization’s Certificate Authority (CA) following your internal security policies.We only support PFX format for certificate uploads in Azure.
Step 3: Upload Certificate to Azure
1
Open Certificates & secrets
In your Azure App Registration, navigate to the “Certificates & secrets” tab.
2
Upload certificate
Click Upload certificate.
3
Select file
Select your certificate file (.crt, .pem, or .cer format).
4
Add certificate
Add a description and click Add.
Step 4: Configure API Permissions
1
Open API Permissions
Navigate to the “API Permissions” tab in the Azure Portal.
2
Add a permission
Click Add a permission.
Basic Permissions (No Permission Sync)
If you are not planning to enable permission sync, you only need basic permissions:1
Choose Microsoft Graph
Click Microsoft Graph, then click on Application permissions.
2
Select Sites.Read.All
Navigate to the “Sites” permission group. Select the checkbox for Sites.Read.All.
- Advanced: If you want to limit the sites this app has access to, select Sites.Selected. However, if you do this, you will need to add the App you are currently registering to each site you want to index.
3
Add and grant
Click Add permissions. Finally, click Grant admin consent for <Organization name> and click Confirm.
Extended Permissions (With Permission Sync)
If you plan to enable permission sync, you’ll need additional permissions:1
Add another permission
Click Add a permission again.
2
Microsoft Graph application permissions
Click Microsoft Graph, then click on Application permissions.
Add the following additional Microsoft Graph permissions:
- Directory.Read.All - Used to query the overall organizational directory structure, including how users, groups, organizational units, and other directory objects relate to each other.
- Group.Read.All - Used to read detailed group-specific information such as group properties, settings, types (Security vs Microsoft 365), and configurations.
- GroupMember.Read.All - Used to retrieve and expand all members within a group, including nested group memberships. This allows Onyx to determine which users have access to SharePoint content through group membership.
- Member.Read.Hidden - Allows reading memberships of security groups that are marked as “hidden” in Entra ID.
- User.Read.All - Used to retrieve complete user profiles and enumerate all users in the directory. Click Add permissions.
3
Microsoft Graph delegated permission
Click Add a permission again in API Permissions tab. Click Microsoft Graph,
then click on Delegated permissions. Add the following delegated permission:
- User.Read - This delegated permission allows the application to sign in on behalf of a user and read the signed-in user’s basic profile information. Unlike application permissions which work without a user context, this delegated permission is required when the app needs to establish an authenticated identity context for making API calls to Microsoft Graph and SharePoint. It provides the minimum required access for user authentication flows. Click Add permissions.
4
SharePoint application permissions
Click Add a permission again in API Permissions tab. Click SharePoint,
then click on Application permissions. Add the following SharePoint permissions:
- Sites.FullControl.All - Despite the name, Onyx only uses this to retrieve details about permissions. No write operations are performed.
- User.Read.All - Used to list all users within the directory for permission mapping. Click Add permissions.
5
Grant admin consent
Finally, click Grant admin consent for <Organization name> and click Confirm.
Step 5: Configure in Onyx
1
Open SharePoint connector
Navigate to the Onyx Admin Panel and select the SharePoint Connector.
2
Create Certificate credential
Click Create New credential and select the Certificate tab.
3
Enter credential details
- Application (client) ID from Step 1
- Directory (tenant) ID from Step 1
- Certificate File: Upload your certificate file (.pfx file)
- Certificate Password: Enter password which you used to export the certificate file
4
Save credentials
Click Create to save your credentials.
Step 6: Enable Permission Sync (Optional)
When creating your SharePoint connector with certificate authentication:1
Locate Permission Sync option
In the connector configuration, you’ll see a Permission Sync option.
2
Enable Permission Sync
Enable this option to synchronize SharePoint permissions with Onyx.
Permission sync is available only on Cloud and the Enterprise Edition of Onyx.
Permission Sync Details
When permission sync is enabled:- Document-level permissions: Onyx will respect SharePoint document permissions
- Site-level permissions: Users will only see documents from sites they have access to
- Group permissions: SharePoint group memberships are synchronized
- Real-time sync: Permissions are updated regularly to reflect SharePoint changes