Prerequisites
Before you begin, make sure the following requirements are met:
- You have a Microsoft Entra administrator account
- The account has permission to create app registrations
- The account has full access to the SharePoint tenant
- You have a valid SSL certificate in .cer and .pfx format
- The .pfx file is stored in a location accessible by the Cloud Connector, for example: C:\ProgramData\Layer2 Cloud Connector
If you do not already have a certificate, you can create a self-signed certificate as described at the end of this article.
Step 1: Create the app registration
1. Navigate to: https://entra.microsoft.com
2. Open App registrations
3. Click New registration
4. Configure the app as follows:
   - Name: Your application name
   - Supported account types: Single tenant
   - Redirect URI type: Public client (mobile & desktop)
   - Redirect URI: http://localhost
5. Click Register to create the app
After creation, copy the following values:
- Application (client) ID
- Directory (tenant) ID
These values are required for the Cloud Connector connection string.
Step 2: Configure API Permissions
Open the newly created app registration and go to API permissions.
Add a new permission with the following settings:
- Select SharePoint
- Select Application permissions
- Set permissions as follows:
  - Search for "Sites.FullControl.All"
  - Expand "Sites" and click the checkbox
  - Finish by clicking "Add permissions"
After that, grant admin consent for the newly added permission. The permission must show as granted before the app can be used successfully.
Step 3: Upload the certificate
In the app registration, go to Certificates & secrets and then open the Certificates section.
Upload your certificate as follows:
- Click Upload certificate
- Select your .cer file
- Click Add
This associates the public certificate with the app registration in Entra ID.
Step 4: Use the app registration in the Layer2 Cloud Connector
Once the app registration and certificate are in place, you can use the following connection string format in the Layer2 Cloud Connector:
Url=https://my-company.sharepoint.com/DummyLibrary/Forms/AllItems.aspx;
Authentication=Entra_AppOnly;
TenantId=<your-tenant-id>;
ClientId=<your-client-id>;
CertificatePath=C:\ProgramData\Layer2 Cloud Connector\EntraApp.pfx;
Password=<your-certificate-password>;
Replace the placeholder values with your actual tenant ID, client ID, certificate path, and certificate password.
Optional: Create a self-signed certificate
If you do not already have a certificate, you can create a self-signed certificate on the machine where the Cloud Connector will run.
Open PowerShell as Administrator and run the following command:
# Creates an exportable RSA-2048 certificate in the local machine store, valid for one year
New-SelfSignedCertificate -Subject "CN=CC Entra TestApp" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Provider "Microsoft Software Key Storage Provider" `
    -KeyExportPolicy Exportable `
    -KeyUsage KeyEncipherment, DataEncipherment, DigitalSignature `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)
This example creates a certificate that is valid for one year.
You can adjust the validity period by changing the -NotAfter parameter.
You can also adjust the certificate name by changing the -Subject parameter.
After the certificate has been created, copy its thumbprint and export it to both .cer and .pfx format.
Example:
# Export the public part (.cer) for upload to the app registration
Export-Certificate -Cert (Get-Item "Cert:\LocalMachine\My\<thumbprint>") -FilePath "<path-to-cer>"
# Export the certificate with its private key (.pfx) for the Cloud Connector machine
$password = ConvertTo-SecureString -String "<your-secure-password>" -Force -AsPlainText
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\<thumbprint>" -FilePath "<path-to-pfx>" -Password $password
Replace the example thumbprint, file paths and password with your actual values.
Notes
- The .cer file is uploaded to the app registration in Microsoft Entra
- The .pfx file remains on the Layer2 Cloud Connector machine and is referenced in the connection string
- Make sure the Layer2 Cloud Connector service account can access the folder where the .pfx file is stored
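To confirm that the exported .cer and .pfx belong to the same certificate, that the .pfx carries the private key, that the certificate has not expired, and that the service account can read the folder, the following PowerShell script is an added example; it is not part of the original article or of the Layer2 Cloud Connector. The file paths, the password prompt and the service account name are assumptions to replace with your own values.

```powershell
# Added verification script (not from the original article). Paths and the
# service account name are assumed values; adjust them to your environment.
param(
    [string]$CerPath        = "C:\ProgramData\Layer2 Cloud Connector\EntraApp.cer",
    [string]$PfxPath        = "C:\ProgramData\Layer2 Cloud Connector\EntraApp.pfx",
    [string]$ServiceAccount = "NT SERVICE\Layer2CloudConnector"   # assumed account name
)

$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Load both files: the .cer is the public part, the .pfx needs the password.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)

$problems = @()

# The .cer uploaded to Entra and the .pfx on the connector must be the same certificate.
if ($cer.Thumbprint -ne $pfx.Thumbprint) {
    $problems += "Thumbprint mismatch: .cer $($cer.Thumbprint) vs .pfx $($pfx.Thumbprint)"
}
if (-not $pfx.HasPrivateKey) {
    $problems += ".pfx contains no private key; re-export it with Export-PfxCertificate"
}
if ($pfx.NotAfter -lt (Get-Date)) {
    $problems += "Certificate expired on $($pfx.NotAfter)"
} elseif ($pfx.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($pfx.NotAfter); plan the rotation and re-upload."
}

# The connector service account needs read access to the folder holding the .pfx.
# This checks explicit ACEs only; access granted through group membership is not detected.
$folder  = Split-Path -Path $PfxPath -Parent
$acl     = Get-Acl -Path $folder
$canRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
}
if (-not $canRead) {
    $problems += "No explicit Allow/Read entry for $ServiceAccount on $folder (check group membership)"
}

if ($problems.Count -eq 0) {
    "OK: $($pfx.Subject) thumbprint $($pfx.Thumbprint) valid until $($pfx.NotAfter)"
} else {
    $problems | ForEach-Object { Write-Error $_ }
}
```

Run it on the Cloud Connector machine after the export step; a thumbprint mismatch usually means the .cer was exported from a different certificate than the .pfx referenced in the connection string.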