AWS Security ChangesHomeSearch

AWS bedrock high security documentation change

Service: bedrock · 2026-05-13 · Security-related high

File: bedrock/latest/userguide/sharepoint-data-source-connector.md

Summary

Updated SharePoint authentication from retired App-Only to Microsoft Entra ID OAuth2 client credentials. Added retirement notice, new configuration steps, and updated Secrets Manager requirements.

Security assessment

The change addresses a critical security issue where SharePoint App-Only authentication via Azure ACS was retired by Microsoft, making it non-functional. This creates an authentication vulnerability. The documentation now adds security-focused guidance for implementing OAuth2 client credentials authentication, including proper permission scoping (Sites.Read.All) and secrets management.

Diff

diff --git a/bedrock/latest/userguide/sharepoint-data-source-connector.md b/bedrock/latest/userguide/sharepoint-data-source-connector.md
index 7aecac7bb..85ba6c316 100644
--- a//bedrock/latest/userguide/sharepoint-data-source-connector.md
+++ b//bedrock/latest/userguide/sharepoint-data-source-connector.md
@@ -42 +42 @@ There are limits to how many files and MB per file that can be crawled. See [Quo
-  * SharePoint App-Only authentication
+  * Microsoft Entra ID authentication (OAuth2 client credentials)
@@ -51 +51,5 @@ There are limits to how many files and MB per file that can be crawled. See [Quo
-**In your SharePoint (Online), complete the following steps for using SharePoint App-Only authentication:**
+###### Important
+
+SharePoint App-Only authentication via Azure ACS was retired by Microsoft on April 2, 2026 and is no longer functional. Use Microsoft Entra ID (OAuth2 client credentials) authentication instead. When configuring your data source, set the `authType` to `OAUTH2_CLIENT_CREDENTIALS`.
+
+**In your SharePoint (Online), complete the following steps to configure Microsoft Entra ID authentication:**
@@ -59 +63 @@ There are limits to how many files and MB per file that can be crawled. See [Quo
-###### Note
+  * Register an application in Microsoft Entra ID. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/), navigate to _App registrations_ , and select _New registration_. Note the _Application (client) ID_ and _Directory (tenant) ID_.
@@ -61 +65 @@ There are limits to how many files and MB per file that can be crawled. See [Quo
-For an example application, see [Register a client application in Microsoft Entra ID](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application) (formerly known as Azure Active Directory) on the Microsoft Learn website. 
+  * Configure API permissions for the registered application. Add _Microsoft Graph_ → _Application permissions_ → `Sites.Read.All`. Then grant admin consent for your organization.
@@ -63 +67 @@ For an example application, see [Register a client application in Microsoft Entr
-  * Configure SharePoint App-Only credentials.
+  * Create a client secret. In your app registration, go to _Certificates & secrets_ → _New client secret_. Copy the secret value immediately, as it will not be shown again.
@@ -65,5 +69 @@ For an example application, see [Register a client application in Microsoft Entr
-  * Copy the client ID and client secret value when granting permission to SharePoint App-Only. For more information, see [Granting access using SharePoint App-Only](https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs).
-
-###### Note
-
-You do not need to setup any API permission for SharePoint App-Only. However, you must configure APP permissions on the SharePoint side. For more information about the required APP permissions, see the Microsoft documentation on [Granting access using SharePoint App-Only](https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs).
+  * Store the tenant ID, client ID, and client secret in AWS Secrets Manager. Your secret must contain the following key-value pairs: `clientId`, `clientSecret`.
@@ -132,5 +132 @@ All data that you sync from your data source becomes available to anyone with `b
-When using SharePoint App-Only authentication, your secret authentication credentials in AWS Secrets Manager must include these key-value pairs:
-
-  * `clientId`: `client ID associated with your Microsoft Entra SharePoint application`
-
-  * `clientSecret`: `client secret associated with your Microsoft Entra SharePoint application`
+When using Microsoft Entra ID authentication (`OAUTH2_CLIENT_CREDENTIALS`), your secret authentication credentials in AWS Secrets Manager must include these key-value pairs:
@@ -138 +134 @@ When using SharePoint App-Only authentication, your secret authentication creden
-  * `sharePointClientId`: `client ID generated when registering your SharePoint app for App-Only authentication`
+  * `clientId`: `Application (client) ID from your Microsoft Entra ID app registration`
@@ -140 +136 @@ When using SharePoint App-Only authentication, your secret authentication creden
-  * `sharePointClientSecret`: `client secret generated when registering your SharePoint app for App-Only authentication`
+  * `clientSecret`: `client secret value from your Microsoft Entra ID app registration`
@@ -168 +164 @@ Console
-  6. Provide the authentication information to connect to your SharePoint instance. For SharePoint App-Only authentication:
+  6. Provide the authentication information to connect to your SharePoint instance. For Microsoft Entra ID authentication:
@@ -170 +166 @@ Console
-    1. Provide the tenant ID. You can find your tenant ID in the Properties of your Azure Active Directory portal.
+    1. Provide the tenant ID. You can find your tenant ID in the Properties of your Microsoft Entra admin center.
@@ -172 +168 @@ Console
-    2. Go to AWS Secrets Manager to add your secret credentials or use an existing Amazon Resource Name (ARN) for the secret you created. Your secret must contain the SharePoint client ID and the SharePoint client secret generated when you registered the App-Only at the tenant level or the site level, and the Entra client ID and Entra client secret generated when you register the app in Entra.
+    2. Go to AWS Secrets Manager to add your secret credentials or use an existing Amazon Resource Name (ARN) for the secret you created. Your secret must contain the client ID and the client secret from your Microsoft Entra ID app registration.
@@ -249 +245 @@ To learn about customizations that you can apply to ingestion by including the o
-The OAuth2.0 authentication is not recommended. We recommend that you use SharePoint App-Only authentication.
+SharePoint App-Only authentication via Azure ACS was retired by Microsoft on April 2, 2026. Use Microsoft Entra ID authentication (`OAUTH2_CLIENT_CREDENTIALS`) as described in the prerequisites above.