SharePoint authentication: deprecated methods, modern alternatives and SQList support

Summary

Microsoft has been moving away from legacy authentication for SharePoint and other Microsoft 365 services. Organisations running integrations, reporting tools or custom apps that rely on old authentication mechanisms need to plan and complete migrations to modern, token-based approaches. This article summarises the common authentication methods that are being phased out, explains the modern methods that remain supported, and highlights practical migration approaches. It finishes by noting that SQList supports the modern authentication methods used with SharePoint.

Which SharePoint authentication methods are being deprecated?

Microsoft’s modernisation effort targets older protocols and patterns that cannot enforce modern security controls such as multi-factor authentication, Conditional Access and strong token handling. The most important classes of legacy methods you should plan to remove from your estate are:

  • Basic authentication using username and password — Where an app or client sends credentials directly (often over legacy protocols or web services). These credentials are frequently stored in configuration files or connection strings and cannot benefit from MFA or Conditional Access.
  • Legacy web services and SOAP endpoints that require legacy auth — Some older SharePoint integrations call SOAP/ASMX or legacy REST endpoints using direct credentials or legacy authentication tokens.
  • Old client libraries that rely on legacy authentication — Custom code using older SDKs may use deprecated sign-in flows or embedded credentials.
  • Protocols without support for modern federated flows — Any integration relying on legacy protocols that do not negotiate OAuth 2.0 tokens should be treated as deprecated.

Microsoft has been progressively disabling legacy authentication across Microsoft 365 services and recommends migrating away from these methods as soon as possible. Administrators should consult Microsoft’s official documentation and their tenant reports to see which applications are still using legacy authentication in order to plan remediation.

Which modern authentication methods remain supported?

Modern SharePoint authentication relies on Azure Active Directory (Azure AD / Microsoft Entra ID) and OAuth 2.0 / OpenID Connect flows. These approaches support tokens, certificates, and modern security controls. The primary supported approaches are:

  • OAuth 2.0 with Azure AD (delegated permissions) — The app authenticates a user and obtains an access token representing the user. This enables MFA, Conditional Access and user-scoped permissions.
    • Typical use case: web apps, single-page apps and tools that act on behalf of a signed-in user.
  • App-only (application) authentication using client credentials — The application authenticates as itself using a client secret or a certificate to get an access token from Azure AD. This provides unattended, high-privilege access where appropriate.
    • Prefer certificate-based credentials over client secrets for production scenarios because certificates are more secure and can be rotated more safely.
  • Microsoft Authentication Library (MSAL) — MSAL is the recommended set of libraries for acquiring tokens using modern flows across platforms and languages. It replaces older ADAL-based approaches.
  • Microsoft Graph and SharePoint REST APIs with OAuth tokens — Use Microsoft Graph where possible for a consistent API surface; SharePoint REST endpoints can also accept OAuth tokens.
  • Federation and SAML/OIDC — Organisations using federation (for example, AD FS or a third-party identity provider) should use SAML or OpenID Connect federation with Azure AD rather than legacy claims-only models that don’t support modern controls.
  • Managed identities for Azure resources — For services hosted in Azure, managed identities let resources obtain tokens from Azure AD without storing credentials.
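
To confirm which of the flows above an integration actually uses, you can inspect the claims of an access token it obtained. This is an added example, not code from the original article or from SQList. It relies on the Microsoft identity platform claims `scp` (delegated scopes), `roles` (application permissions) and `appidacr`/`azpacr` (how the client authenticated); the tokens are constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

# Meaning of the appidacr (v1.0 tokens) / azpacr (v2.0 tokens) claim values.
CLIENT_AUTH = {"0": "public client (no credential)",
               "1": "client secret",
               "2": "client certificate"}

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_sample(claims):
    """Build a constructed, unsigned JWT-shaped string for this demo."""
    return ".".join([_b64url({"typ": "JWT", "alg": "none"}), _b64url(claims), ""])

def decode_claims(token):
    """Decode the payload segment WITHOUT verifying the signature.
    For migration diagnostics only; never base an access decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_token(token):
    """Classify a token as delegated or app-only and report the client credential type."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()   # space-separated string when delegated
    roles = claims.get("roles", [])          # list of application permissions
    flow = "delegated" if scopes else "app-only" if roles else "unknown"
    acr = str(claims.get("appidacr", claims.get("azpacr", "")))
    return {"flow": flow,
            "permissions": scopes or roles,
            "client_auth": CLIENT_AUTH.get(acr, "not stated"),
            "audience": claims.get("aud")}

# Constructed sample tokens (tenant name and users are placeholders).
DELEGATED = make_unsigned_sample({"aud": "https://contoso.sharepoint.com",
    "scp": "AllSites.Read", "appidacr": "0", "upn": "alice@contoso.example"})
APP_ONLY_CERT = make_unsigned_sample({"aud": "https://contoso.sharepoint.com",
    "roles": ["Sites.Selected"], "appidacr": "2"})
APP_ONLY_SECRET = make_unsigned_sample({"aud": "https://graph.microsoft.com",
    "roles": ["Sites.Read.All"], "appidacr": "1"})

if __name__ == "__main__":
    for name in ("DELEGATED", "APP_ONLY_CERT", "APP_ONLY_SECRET"):
        print(name, describe_token(globals()[name]))
```

An app-only token that reports "client secret" marks an integration still to be moved to a certificate credential.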

Practical migration checklist

Moving from legacy to modern authentication typically follows a few recurring steps. Use these as a practical checklist for migrating integrations and tools that access SharePoint:

  1. Inventory: Identify all applications, services and scripts that access SharePoint. Use tenant sign-in reports and Azure AD sign-in logs to find legacy auth usage.
  2. Assess: For each integration, decide whether it should act on behalf of a user (delegated) or as an application (app-only).
  3. Re-register applications: Create Azure AD app registrations, assign the minimum required permissions (delegated or application), and choose credential types (certificate preferred for app-only).
  4. Update code and libraries: Replace legacy auth flows or older SDKs with MSAL and OAuth 2.0 flows. Change calls to use access tokens and update to Microsoft Graph where feasible.
  5. Apply security controls: Enable Conditional Access, require MFA for interactive flows, and set appropriate token lifetimes or session controls.
  6. Test and roll out: Validate functionality in a test tenant or with a subset of users before switching off legacy endpoints.
  7. Decommission legacy credentials: Remove stored passwords, connection strings and legacy account credentials once the migration is complete.
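
For step 1, the inventory can be built from an export of the sign-in logs. The following is an added example, not part of the original article: it groups sign-ins to SharePoint by application and user and flags those made with a legacy client. The records are constructed; the field names follow the Microsoft Graph `signIn` resource, and treating every non-empty `clientAppUsed` value other than `Browser` and `Mobile Apps and Desktop clients` as legacy is the assumption used here.

```python
import json
from collections import Counter, defaultdict

# Values of clientAppUsed that indicate a modern-auth capable client.
# Assumption used here: every other non-empty value is a legacy protocol.
MODERN_CLIENT_APPS = {"browser", "mobile apps and desktop clients"}

def _rec(user, app, client, resource="Office 365 SharePoint Online"):
    return {"userPrincipalName": user, "appDisplayName": app,
            "clientAppUsed": client, "resourceDisplayName": resource}

# Constructed sample shaped like a JSON export of sign-in log records.
SAMPLE_EXPORT = json.dumps([
    _rec("svc-reporting@contoso.example", "Office 365 SharePoint Online", "Other clients"),
    _rec("svc-reporting@contoso.example", "Office 365 SharePoint Online", "Other clients"),
    _rec("svc-sync@contoso.example", "Legacy Sync Tool", "Other clients"),
    _rec("alice@contoso.example", "Office 365 SharePoint Online", "Browser"),
    _rec("bob@contoso.example", "Office 365 Exchange Online", "IMAP4",
         resource="Office 365 Exchange Online"),
    _rec("carol@contoso.example", "Office 365 SharePoint Online", ""),
])

def legacy_auth_inventory(export_json, resource_filter="sharepoint"):
    """Return (findings, unclassified).

    findings maps (app, user) to {client protocol: sign-in count} for legacy
    sign-ins; unclassified counts records with no clientAppUsed value, which
    need manual review rather than being assumed safe.
    """
    findings = defaultdict(Counter)
    unclassified = 0
    for rec in json.loads(export_json):
        resource = (rec.get("resourceDisplayName") or "").lower()
        if resource_filter and resource_filter.lower() not in resource:
            continue  # sign-in to a different service
        client = (rec.get("clientAppUsed") or "").strip()
        if not client:
            unclassified += 1
        elif client.lower() not in MODERN_CLIENT_APPS:
            app = rec.get("appDisplayName") or "(unknown app)"
            user = rec.get("userPrincipalName") or "(unknown user)"
            findings[(app, user)][client] += 1
    return {k: dict(v) for k, v in findings.items()}, unclassified

if __name__ == "__main__":
    found, unknown = legacy_auth_inventory(SAMPLE_EXPORT)
    for (app, user), protocols in sorted(found.items()):
        print(f"LEGACY  {app:32} {user:32} {protocols}")
    print(f"{unknown} record(s) without clientAppUsed need manual review")
```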

Benefits of migrating to modern authentication

Migrating reduces attack surface and enables enterprise security controls:

  • Supports MFA and Conditional Access policies for stronger identity assurance.
  • Avoids long-lived passwords embedded in code or configuration.
  • Enables granular, least-privilege access via Azure AD permissions and roles.
  • Improves auditability through token-based sign-ins and Azure AD audit logs.

SQList and modern authentication

For organisations using AxioWorks’ SQList to extract and synchronise SharePoint data, SQList supports modern authentication flows. That includes Azure AD-based OAuth 2.0 approaches such as delegated user flows and app-only authentication using client credentials (including certificate-based credentials). If you are planning a migration away from legacy authentication, review your SQList configuration and update any connectors that currently use basic or embedded credentials.

If you need assistance inventorying legacy connections, re-registering applications in Azure AD, or updating integrations to MSAL and OAuth 2.0, AxioWorks can help with planning and implementation to ensure a secure, phased migration.
