SharePoint Online SAML Auth Broken - Migrate to Azure AD
The SAML authentication method for SharePoint Online has been disabled by Microsoft, effective immediately. This is a global service-side change and is not a bug in this library.
This is a breaking change. Any code using SAML auth will fail.
What to do now:
Stop using the SAML authentication method.
Immediately migrate to a supported Azure AD (OAuth 2.0) method such as ClientId/Secret or Interactive login.
See the library's documentation for examples using modern authentication.
Related
- #909
- #982
Hi @vgrem - thank you for sharing this - hopefully this will save a lot of people a lot of debugging time.
I have searched but can't seem to find any Microsoft articles substantiating this - i.e. I can't see an announcement saying this change is coming. Do you have any links where Microsoft announce this?
Hi @AndrewDicks, this thread seems to reveal more details regarding this matter, namely:
Microsoft 365 rolled in Secure by Default Settings Changes which require admin consent for third-party apps accessing files and sites.
Based on the update notification in Message Center, Microsoft 365 will update default settings to enhance security by blocking legacy authentication protocols and requiring admin consent for third-party app access. Changes start mid-July 2025 and complete by August 2025.
Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication. Blocking this prevents applications that are using outdated methods from accessing SharePoint and OneDrive via browser.
Thank you again, @vgrem - really helpful.
Thanks for the notice
I have a SharePoint Online site that still works, with default security rules enabled... maybe my tenant has not been migrated yet.
But I have another tenant that gets this error.
Is there an example for using ClientId/Secret?
I can only find the example using clientID/certificate.
I checked this MS support thread and also the Message Center announcement, but I can't find any information regarding SAML claims-based authentication being removed.
On the SharePoint docs, there is no mention of the deprecation
Double-check that MFA is not enabled for your account. Try to login via a web browser, and make sure you don't get the multi-factor auth prompt.
https://YOUR-SITE.sharepoint.com/_forms/default.aspx?wa=wsignin1.0
We've encountered this problem and had to switch to Azure AD Certificate.
I followed Microsoft's official document on how to generate an X.509 certificate.
But I got two files: xxxxx.cer (public key) and xxxx.pfx (private key).
The examples using certificates use the PEM file format.
Wondering how to log in to SharePoint using a PFX-formatted private key?
Update: solved this; the PFX needs to be converted to PEM files:
```python
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, pkcs12,
)

pfx_path = "xxx.pfx"
pfx_password = b"xxxxxxxx"
private_key_pem_path = "xxxx-SharePoint-Private.pem"
certificate_pem_path = "xxxx-SharePoint-Public.pem"

# Read the raw PFX bytes (pfx_data was not defined in the original snippet)
with open(pfx_path, "rb") as f:
    pfx_data = f.read()

private_key, certificate, additional_certs = pkcs12.load_key_and_certificates(pfx_data, pfx_password)
if private_key:
    # Note: NoEncryption() writes the key to disk unencrypted; protect the file's permissions
    with open(private_key_pem_path, "wb") as f:
        f.write(private_key.private_bytes(
            encoding=Encoding.PEM,
            format=PrivateFormat.PKCS8,
            encryption_algorithm=NoEncryption()
        ))
    print(f"✅ Private Key Saved to: {private_key_pem_path}")
else:
    print("❌ No Private Key in PFX")
if certificate:
    with open(certificate_pem_path, "wb") as f:
        f.write(certificate.public_bytes(Encoding.PEM))
    print(f"✅ Certificate Saved to: {certificate_pem_path}")
else:
    print("⚠️ No Certificate")
```
Then use the "xxxx-SharePoint-Private.pem" for SharePoint login:
```python
from office365.sharepoint.client_context import ClientContext

# Placeholder values; fill in from your tenant and app registration
site_url = "https://YOUR-SITE.sharepoint.com/sites/YOUR-SITE"
tenant_id = "YOUR-TENANT-ID"
client_id = "YOUR-CLIENT-ID"
thumbprint = "YOUR-CERT-THUMBPRINT"
pem_path = "xxxx-SharePoint-Private.pem"

ctx = ClientContext(site_url).with_client_certificate(
    tenant=tenant_id,
    client_id=client_id,
    thumbprint=thumbprint,
    cert_path=pem_path,  # "xxxx-SharePoint-Private.pem"
)
ctx.web.get().execute_query()
print("Connected:", ctx.web.url)
```
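The conversion above leaves the thumbprint as a hand-typed value and never checks that the .pfx key actually matches the certificate uploaded to the app registration. The following added example (not from this issue or from the library; it assumes the `cryptography` package and builds a constructed self-signed key/cert in memory) derives the SHA-1 thumbprint that `thumbprint=` expects from the PFX itself, verifies that the key and certificate belong together, and checks the validity window before any login is attempted.

```python
# Added example, not from the issue or the library: derive everything
# with_client_certificate() needs from a PFX and sanity-check it first.
# Assumes the 'cryptography' package; make_demo_pfx builds a constructed
# self-signed key/cert in memory so the check can be run offline.
from datetime import datetime, timedelta, timezone
from typing import Optional
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
SPKI = serialization.PublicFormat.SubjectPublicKeyInfo


def pfx_to_pem_bundle(pfx_data: bytes, pfx_password: Optional[bytes]) -> dict:
    """Return the PEM key, PEM cert and the SHA-1 thumbprint (the value the
    Azure app registration shows, and what thumbprint= expects)."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_data, pfx_password)
    if key is None or cert is None:
        raise ValueError("PFX must contain both a private key and a certificate")
    # The key must belong to this certificate; a mismatched .pfx/.cer pair
    # only fails later at token time with an unhelpful error, so catch it here.
    if key.public_key().public_bytes(DER, SPKI) != cert.public_key().public_bytes(DER, SPKI):
        raise ValueError("private key does not match certificate")
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as cryptography reports
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        raise ValueError("certificate is outside its validity period")
    return {
        "thumbprint": cert.fingerprint(hashes.SHA1()).hex().upper(),
        "private_key_pem": key.private_bytes(
            serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
            serialization.NoEncryption()),
        "certificate_pem": cert.public_bytes(serialization.Encoding.PEM),
    }


def make_demo_pfx(password: bytes) -> bytes:
    """Constructed self-signed key/cert packed as a password-protected PFX."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-sharepoint-app")])
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        b"demo", key, cert, None, serialization.BestAvailableEncryption(password))
```

The returned `thumbprint` is what goes into `with_client_certificate(thumbprint=...)`, and it should equal the thumbprint shown under the app registration's Certificates & secrets blade; if it does not, the wrong certificate was uploaded.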
The certificate login works fine with the above script when I try it on my laptop, but when I run the same thing on a virtual machine it throws this error. Any ideas what the issue might be?
Did MS disable this on SharePoint Server too, or just Online? Because I can't get it to authenticate to SharePoint Server using user credentials.