Skip to main content
Microsoft is deprecating secrets-based authentication for the Azure ACS REST API on April 2, 2026. SharePoint connector instances that use client secret authentication must switch to certificate-based authentication before this date. After the deadline, instances still using secret auth will no longer be able to update Site Groups, which means permissions within SharePoint will become stale.

Step 1. Open your SharePoint connector in Glean

  1. Sign in to the Glean Admin console.
  2. Navigate to Admin console > Data sources > SharePoint > Setup.

Step 2. Switch from client secret to certificate-based authentication

On Step 3 in Setup, you will see a toggle that allows you to switch between Client secret authentication and Certificate-based authentication.
This toggle is only visible for SharePoint instances that are currently using client secret authentication. If your instance is already using certificate-based authentication, no action is required.
  1. Toggle the authentication mode from Client secret to Certificate-based.
  2. Generate a certificate and private key file pair, and upload the certificate to your Azure App registration:
If your instance uses Sites.FullControl.All, follow the certificate generation and upload steps in the SharePoint setup guide.
  1. Upload your certificate.crt file under Client Certificate.
  2. Upload your privatekey.key file under Private Key.
  3. Enter your Application (client) ID and Directory (tenant) ID from the Azure App registration if they are not already populated.
SharePoint connector configuration page You can reuse your existing SharePoint app to complete this step. If you have multiple apps, please reuse the same certificate you generated for each app.

Step 3. Save and validate the connector

  1. Click Save to apply the new authentication configuration.
  2. After saving, monitor the connector status to confirm that crawling resumes successfully with certificate-based authentication.
  3. Verify that your SharePoint content continues to appear in Glean search results as expected.
If the connector fails to connect after switching, double-check the following:
  • The certificate.crt file has been uploaded to your Azure App registration under Certificates & secrets.
  • The certificate and private key files are correctly formatted. See the SharePoint setup guide for the expected file formats.
  • The Application (client) ID and Directory (tenant) ID match the Azure App registration where the certificate was uploaded.
If issues persist, contact Glean Support for assistance.

FAQ

What happens if I don’t switch before April 2, 2026?

After the Azure ACS secrets deprecation takes effect, your SharePoint connector will experience degraded functionality. Impacted features include but are not limited to:
  • Accurately reflecting changes to access control lists (Site Groups)
  • Respecting No Crawl settings
  • Indexing all SharePoint Lists
As a result, Glean may eventually hide results from SharePoint Online within your Glean deployment if its authentication is not switched after April 2nd.

Do I need to set up a new connector?

No. The migration toggle allows you to switch your existing SharePoint connector instance from secret auth to certificate auth in place, without needing to delete and recreate the connector or interrupt crawling.

I use both SharePoint and OneDrive. Do I need to switch both?

SharePoint and OneDrive share the same underlying Azure App registration and authentication configuration. Once you switch one connector, the other should reflect the updated authentication method as well. Verify both connectors after switching.