Documentation that the SharePoint API's require ClientId + Certificate

[mdressel]

In this response to #1150, @jansenbe said:

you should use Azure AD auth, but for SharePoint API calls that requires a clientid + certificate (Graph calls can do with client+secret, but Core SDK also requires SharePoint API calls).

Similar statements have been made in a bunch of places. But there is no reference to documentation that says this is how it works. At least not that I could find :). To clarify I am not questioning the statement, I just need to be able to communicate this with our development teams and they are going to ask for the documentation to back this statement up.

Is there any documentation from Microsoft about the fact that SharePoint API calls require ClientID + Certificate and can't use ClientId + Secret?

[pulipatiram]

Refer 1: https://pnp.github.io/blog/post/changes-pnp-management-shell-registration/
Refer 2: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/from-acs-to-aad-apps?source=recommendations#consuming-sharepoint-online-in-app-only-mode-via-an-azure-ad-registered-application

Hope this helps

[jansenbe]

@mdressel : don't think there's a formal documentation on legacy SharePoint APIs (REST/CSOM) requiring a certificate when application permissions are used...this was a design choice taken years ago and we've no plans to change that. Only Graph APIs can work with a secret.

[mdressel]

Thanks for the response.

I did find this SharePoint Dev Support article, which I think is the closest you can get.