Add authentication via Entra with a certificate

[artem-shelkovnikov]

Closes #3023

See: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs

Azure is retiring old ACS and our connector really needs it right now since we use REST API for Sharepoint. We can migrate some code to use Graph - for example, Graph API introduced new APIs to fetch page content: https://devblogs.microsoft.com/microsoft365dev/microsoft-graph-api-for-sharepoint-pages-is-now-generally-available/

Some other stuff, like List Item Attachments, might not be available. Migration to new API will require a bit more time though.

To buy some time this PR introduces certificate authentication to Sharepoint Online connector. It's possible to either authenticate via a secret (client_secret) or via a certificate (you'll need a certificate + private key).

How to create a certificate and a private key:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout azure_app.key -out azure_app.crt

azure_app.crt is a certificate, azure_app.key is a private key. Then you'll need to upload the certificate to the Azure App that's set up for your Sharepoint Online instance.

We have checked, and this works with new tenants - secret authentication is already not usable for new tenants since November 2024 will be fully retired as of April 2nd, 2026.

Checklists

Pre-Review Checklist

• this PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check config.yml.example)
• this PR has a meaningful title
• this PR links to all relevant github issues that it fixes or partially addresses
• if there is no GH issue, please create it. Each PR should have a link to an issue
• this PR has a thorough description
• Covered the changes with automated tests
• Tested the changes locally
• Added a label for each target release version (example: v7.13.2, v7.14.0, v8.0.0)
• Considered corresponding documentation changes
• Contributed any configuration settings changes to the configuration reference
• if you added or changed Rich Configurable Fields for a Native Connector, you made a corresponding PR in Kibana

Release Note

Introduced certificate authentication for Sharepoint Online connector to allow connector to work against tenants created after 1st of November 2025.

[artem-shelkovnikov]

@leemthompo can I ask for help with documentation for this change? :)

[seanstory]

few comments, but largely LGTM. I'm surprised it was that straightforward.

[seanstory]

I think this will be a breaking change, as on upgrade, we'll add this new config to existing connectors, right? But existing connectors will be using secret? I think we should default to secret, but tooltip that certificate is preferred?

[artem-shelkovnikov]

Yeah you're right, it should be "secret" for backwards compatibility!

[seanstory]

Is this going to break non-path-based site collections?

[artem-shelkovnikov]

What's a non-path-based site collection?

[seanstory]

See #2112

[artem-shelkovnikov]

From the issue I see it's only for Sharepoint Server, not SPO:

For Sharepoint Online, we did some research on How to create Host Named Site collections and as per the documentation, it shows there is no support of Host Named Site collections for Sharepoint in Microsoft 365 and seems there is no concept of Host Named Site Collection in SPO.