The process of building custom applications and tools that interact with Microsoft SharePoint, including SharePoint Online in Microsoft 365.
Hi @Chris Jones
Based on the information you provided, I completely understand the transition challenge you are facing. Now that the legacy SharePoint ACS-based app registration method (appregnew.aspx and appinv.aspx) has been officially retired, your customers can no longer generate local client secrets directly inside SharePoint.
Your observation is spot on: creating a standard Microsoft Entra ID (formerly Azure AD) App Registration gives you the Client ID and Tenant ID, but it does not automatically connect to SharePoint or auto-generate certificates the way the old wizard did.
The modern path forward requires moving entirely to Entra ID App-Only authentication using certificates, which is Microsoft's current security standard. Instead of SharePoint issuing a client secret, everything now shifts to Microsoft Entra ID. The connection is established by uploading the Public Key (.cer) of a certificate to Entra ID, while your product uses the Private Key (.pfx) to sign authentication requests.
Because Entra ID does not auto-generate certificates, you must generate a self-signed certificate yourself. The fastest way to achieve this is by using PnP PowerShell, which automates both the certificate generation and the Entra app registration simultaneously.
Since appinv.aspx is deprecated, permission scopes are now defined directly within the Entra App Registration under API Permissions.
- Authentication: Instead of using a client secret, you must use a certificate (upload the public key `.cer` to Entra ID, and keep the private key `.pfx` secured in your application).
- Permissions: You no longer use `appinv.aspx`. Instead, configure API permissions directly in the Entra app (Graph or SharePoint application permissions). To maximize security, it is recommended to use the Microsoft Graph application permission `Sites.Selected`, and then explicitly grant access to specific site collections.
- Granting Access: Since the old SharePoint UI page is gone, you must use Microsoft Graph API or PowerShell (such as `POST /sites/{siteId}/permissions` or PnP PowerShell) to explicitly assign permissions for your App ID to the target sites.
If your customers do not have a certificate ready, they can easily automate both the app registration and self-signed certificate generation at the same time by running the PnP PowerShell cmdlet
Please refer to the official Entra ID App-Only documentation for the exact step-by-step setup:
Upgrading SharePoint applications from Azure Access Control Service to Azure Active Directory
Add and manage application credentials in Microsoft Entra ID
Please let me know if you need any further details!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
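The certificate-based, Sites.Selected setup described in the answer above, as an added example that is not part of the original post or of the PnP PowerShell project. It assumes PnP PowerShell is installed, and the tenant name, application name, site URL and output folder are constructed placeholders.

```powershell
# Added example (not from the original answer). Assumes Install-Module PnP.PowerShell
# has been run. The registration step needs an Entra admin who can consent to
# application permissions; the grant step needs a site collection admin.
$tenant     = "contoso.onmicrosoft.com"                      # placeholder tenant
$appName    = "ContosoConnectorAppOnly"                      # placeholder app name
$siteUrl    = "https://contoso.sharepoint.com/sites/Target"  # placeholder site
$certOutDir = "C:\certs"                                     # placeholder folder for .cer/.pfx
$pfxPwd     = Read-Host -Prompt "PFX password" -AsSecureString

# 1. Register the Entra app and generate the self-signed certificate in one step.
#    Only Sites.Selected is requested, so the app can reach no site until a grant
#    is made explicitly. The public key (.cer) is attached to the app registration;
#    the private key (.pfx) is written to $certOutDir and is what your product
#    must protect (SharePoint never holds a secret for it any more).
$app = Register-PnPEntraIDApp -ApplicationName $appName -Tenant $tenant `
        -OutPath $certOutDir -CertificatePassword $pfxPwd `
        -GraphApplicationPermissions "Sites.Selected" `
        -SharePointApplicationPermissions "Sites.Selected" `
        -Interactive
$app | Format-List            # shows the new client (app) id and certificate thumbprint
$clientId = $app.AzureAppId   # assumption: property name returned by the cmdlet

# 2. Grant the app Write on exactly one site collection. This replaces appinv.aspx
#    and uses the same Graph endpoint as POST /sites/{siteId}/permissions.
#    Sign in here as a site collection admin (recent PnP versions also require
#    -ClientId of your interactive-login app registration on this call).
Connect-PnPOnline -Url $siteUrl -Interactive
Grant-PnPAzureADAppSitePermission -AppId $clientId -DisplayName $appName `
        -Permissions Write -Site $siteUrl
Get-PnPAzureADAppSitePermission -Site $siteUrl   # review what is granted on the site

# 3. Verify app-only access with the certificate: the .pfx is named after the
#    application (assumption about the cmdlet's naming), and the private key signs
#    the token request instead of a client secret being sent.
$pfxPath = Join-Path $certOutDir "$appName.pfx"
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
        -CertificatePath $pfxPath -CertificatePassword $pfxPwd
Get-PnPWeb | Select-Object Title, Url   # succeeds only on sites granted above

# Any other site collection should now be refused for this app, which is the
# least-privilege behaviour Sites.Selected is meant to give.
```

Keep the `.pfx` out of source control and rotate it before the certificate's expiry date shown by `Format-List`; the `.cer` alone is safe to share with the tenant admin.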