Authenticating with SharePoint Online

This article is a resource where you learn about authenticating with SharePoint Online.

Note

Under the hood WikiTraccs uses the PnP Core library that is also used by PnP PowerShell. Thus concepts regarding authentication are similar. That’s why this documentation will link to PnP documentation at certain points.

Tip

Use interactive authentication for starters. It’s the easiest option that gives good interactive feedback if something goes wrong.

Prerequisites

When “authenticating with SharePoint Online” you are in fact authenticating with an Entra ID application that must be configured to authorize the access to SharePoint Online. Such an Entra ID application has to either exist or you have to register a new one.

You might have to register a new Entra ID application for use with WikiTraccs. This can be done manually in the Azure Portal or via PnP PowerShell. A sample on how to do this via PnP PowerShell is shown here: Register your own Entra ID App.

Note

This blog post has step-by-step instructions on how to register the app in the Azure Portal: Registering WikiTraccs as app in Entra ID.

For the specific permissions to configure on the Entra ID application and the permissions the SharePoint account needs on target sites, see: Required permissions for SharePoint Online.

Ultimately - regardless of the Entra ID application you choose to use - WikiTraccs needs to know the ID of this application, and the application (plus the SharePoint account, under interactive/delegated auth) has to permit a certain amount of access to the target sites where WikiTraccs will migrate Confluence content to.

Interactive authentication

Note

The following assumes you are using WikiTraccs.GUI.

Note

In WikiTraccs.GUI there is a Test SharePoint connection button. You can select this button at any time to test if the configuration is right and the authentication succeeds. This also checks that the permission level is sufficient.

Interactive authentication allows to sign-in with a user that will be used to access SharePoint Online. The user account needs appropriate permissions on the target SharePoint site - see Required permissions for SharePoint Online for the scenarios and the recommended minimum role.

With interactive authentication multi-factor authentication (MFA) is fully supported.

Choose Interactive as Target: Authentication type.

Enter the Entra ID application ID into the Azure AD Application Client ID input field. (Note: This ID looks like “31359c7f-bd7e-475c-86db-fdb8c937548e”.) The user must be granted access to the Entra ID application that is used to authenticate with.

Also fill the Target SharePoint Site Address and Target Tenant ID fields.

Select the Test SharePoint connection to test connecting. A dialog window will appear to display the result of this test.

Attention

The sign-in experience will be opened in a regular browser window (that might already be open) and not in a new, dedicated window. This is due to cross-platform restrictions that need to be solved. This could cause problems when already being logged in with a user account that is different from the one to be used for WikiTraccs. In this case just copy the URL from the address bar to another browser window where you sign in with the right user.

Note

WikiTraccs uses the OAuth 2.0 authorization code flow.

Delegated auth with Sites.Selected: not supported

Microsoft added delegated Sites.Selected for Microsoft Graph, but not for the SharePoint REST and CSOM endpoints that WikiTraccs requires. You can use Sites.Selected with Certificate authentication, though, which doesn’t involve interactive user login.

Device code authentication

Available.

Client credentials authentication

Available, but often not feasible due to MFA or CA requirements.

Certificate authentication

Certificate authentication is an app-only authentication method: WikiTraccs authenticates as the Entra ID application itself, using a certificate as credential. There is no migration user account, no interactive sign-in, and no browser window.

This is the recommended option for unattended migrations and for environments where creating and maintaining a dedicated migration user account is impractical. It pairs naturally with the Sites.Selected application permission, where an admin grants the app access on each target site individually - but the option is not tied to Sites.Selected and works with broader application permissions as well.

Comparison to interactive authentication

With interactive authentication you sign in as a user, and WikiTraccs inherits the intersection of that user’s permissions and the delegated scopes configured on the Entra ID application. A migration user account is required, with appropriate site permissions (see Required permissions for SharePoint Online).

With certificate authentication there is no user. WikiTraccs authenticates as the app, and SharePoint evaluates the app’s own permissions. No migration account is needed - which is why this mode is the best fit for Sites.Selected.

Prerequisites

An Entra ID application registered in the target tenant (same as for the other authentication methods - see Registering WikiTraccs as App in Entra ID).
A certificate whose public key has been uploaded to the app registration (Certificates & secrets → Certificates → Upload certificate). The matching .pfx (private key) stays on the machine that runs WikiTraccs.
Application permissions configured and admin-consented on the app registration, plus a per-target-site grant if Sites.Selected is used. See Required permissions for SharePoint Online for the full permission matrix, and Configuring Sites.Selected Authentication for WikiTraccs for the end-to-end walkthrough.

Note

Certificate authentication is app-only and therefore bypasses MFA and Conditional Access policies that target user sign-in. Make sure the certificate private key is stored securely on the migration machine.

Configuration in WikiTraccs

Choose Cert as the SharePoint authentication type.

Fill the Tenant ID and Entra ID Application Client ID fields at the top of the screen the same way you would for the other auth modes.

In the Certificate field, enter either:

the absolute or relative path to the .pfx file (the path is resolved against the working directory and normalized to absolute when saved), or
the SHA-1 thumbprint of a certificate that has been imported into the Windows certificate store (CurrentUser\My or LocalMachine\My)

WikiTraccs auto-detects which form you entered: a 40-character hex string (optionally with spaces or colons) is treated as a thumbprint, anything else as a file path. The Verify button next to the input field checks the certificate on demand - it loads the cert the exact same way the migration will later, and prompts for a PFX password if the file is password-protected. A successful verify shows the certificate’s subject and expiration date.

If the certificate file is password-protected, WikiTraccs prompts for the password the first time it needs it (either via the Verify button or at migration start). The entered password is stored in the configuration file alongside the certificate path, consistent with how WikiTraccs stores other secrets. Subsequent runs reuse the stored password without prompting.

At migration start, WikiTraccs performs a hard certificate check before any network call: the certificate is loaded, the password is validated, and on failure the migration aborts cleanly with a clear error message. This avoids half-started migrations caused by a misconfigured or expired certificate.

See the dedicated blog post for an end-to-end walkthrough of the Sites.Selected configuration and how to run WikiTraccs under certificate authentication: Configuring Sites.Selected Authentication for WikiTraccs.

Required permissions for SharePoint Online

Reference for the SharePoint permissions WikiTraccs requires on the migration account, the Entra ID application, and each target site. Includes scenarios, alternatives, and intermediate configurations.

Last modified May 18, 2026