Introduction

This article explains how to move SFTPPlus SharePoint Online transfers from username/password + SAML login (FedAuth cookie) to OAuth2 application (client credentials) access via the Microsoft Graph API.

SFTPPlus MFT supports both the legacy and the modern SharePoint Online authentication methods.

SharePoint Online authentication errors

Microsoft is deprecating legacy authentication methods and enforcing stricter security rules for SAML sign-in with FedAuth cookies. OAuth2 is the recommended approach for modern, secure, and scalable integrations with SharePoint Online.

Your application might use the legacy SAML authentication method, in which the username and password are first exchanged for a security token at the Microsoft Online sign-in service, and that token is then sent in a POST request to the URL /_forms/default.aspx?wa=wsignin1.0 on the SharePoint site. The response sets the FedAuth and rtFa cookies that are then used to interact with SharePoint Online.

As stricter Entra ID sign-in rules are now enforced by default in the Microsoft cloud, this sign-in request fails with a 403 - Forbidden error. Another error you might encounter is: An error occurred while retrieving auth cookies. These errors occur even when the username and password are valid and the user has access to the SharePoint site.

This is most probably caused by multi-factor authentication being enforced for your application account, or by your application using a removed or legacy authentication method. A password-only sign-in cannot complete an MFA challenge, so the request is rejected before any cookie is issued.

You can reconfigure the Entra ID security settings for your application account to add an exception (for example, excluding the account from the policy that requires MFA). This weakens the protection of that account and might conflict with your company security policy.

If your application uses the Basic authentication method, note that Microsoft has removed this method entirely, and the only option is to migrate to OAuth2.

Key Benefits of OAuth2:

  • MFA policies no longer block automation, because no user sign-in takes place.
  • No dedicated O365 user license needed.
  • Permissions can be scoped to individual sites via Sites.Selected, instead of inheriting everything a user account can reach.
  • Better integration with the Microsoft Graph API.

Background info for SAML + FedAuth and application accounts

This is now considered a deprecated authentication method.

SFTPPlus interacts with SharePoint Online as a user/personal account.

It automatically performs the sign-in in the background and obtains the FedAuth and rtFa cookies.

The cookies are sent with each request to perform file operations using the standard WebDAV protocol over HTTPS.

Limitations:

  • Needs a licensed user account.
  • MFA must be disabled for that account. There is no method to bypass it.
  • The stored password grants access to everything that user can reach, not only the document library used for transfers.

OAuth2 App and application ID

When implementing OAuth2 authentication for SharePoint Online there is a key conceptual shift: from emulating a human user session (username/password) to a service identity (application ID plus client secret) with explicit, per-site permission grants. Treat the client secret like a password: it is a long-lived credential, and Entra ID client secrets carry an expiry date that must be tracked and rotated before the transfers stop.

To migrate to OAuth2 you will need to register an application for SFTPPlus in your Entra ID tenant, grant it the Sites.Selected Graph permission, and then configure SharePoint Online site permissions so that the new application is allowed on each site it should reach.

Check the dedicated SFTPPlus SharePoint Online documentation for the details on setting up SFTPPlus access to SharePoint with OAuth2.
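The exchange described above, written out as an added example (this is not SFTPPlus code and not the Graph client library's API): the client-credentials token request to Entra ID, the checks worth doing on the returned token before using it, and the Graph request that grants a Sites.Selected application access to one site. The tenant ID, client ID, client secret and site ID are placeholders, and the sample token response is constructed locally (an unsigned JWT) so the script runs offline.

```python
"""OAuth2 client-credentials exchange for Microsoft Graph, with the checks a
practitioner wants before trusting the token.

Added example for this article, not SFTPPlus code. The tenant ID, client ID,
client secret and site ID are placeholders, and the sample token response is
constructed locally (unsigned) so the script runs offline.
"""
import base64
import json
import time
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant against Entra ID.

    No user signs in, so MFA policies do not apply; the secret is the credential.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the application roles in the token's 'roles' claim.

    The payload is decoded without signature verification. That is acceptable
    for inspecting a token we just received from Entra ID for our own use; a
    resource server validating incoming tokens must verify the signature.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def check_token_response(response_json, required_role="Sites.Selected", now=None):
    """Validate a token response: bearer type, carries the required app role,
    and compute the absolute expiry so the token can be renewed in time."""
    if response_json.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % response_json.get("token_type"))
    token = response_json["access_token"]
    roles = token_roles(token)
    if required_role not in roles:
        # Typical cause: the Graph permission was added but admin consent was not granted.
        raise PermissionError(
            "token lacks %s (roles present: %s)" % (required_role, sorted(roles)))
    expires_at = (now if now is not None else time.time()) + int(response_json["expires_in"])
    return {"token": token, "expires_at": expires_at, "roles": roles}


def build_site_grant_request(site_id, app_id, app_display_name, role="write"):
    """Return (url, json_body) that grants the application `role` on a single site.

    With Sites.Selected the app has no site access until this grant exists; the
    grant itself must be made by an admin or by an app holding Sites.FullControl.All.
    """
    url = f"https://graph.microsoft.com/v1.0/sites/{site_id}/permissions"
    body = {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_display_name}}
        ],
    }
    return url, body


def make_sample_token(roles):
    """Constructed, unsigned JWT mimicking an app-only Graph token (offline use only)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (seg({"alg": "none", "typ": "JWT"}),
                       seg({"aud": "https://graph.microsoft.com", "roles": roles}))


# Constructed sample response, shaped like the real token endpoint's JSON.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": make_sample_token(["Sites.Selected"]),
}


if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url)
    info = check_token_response(SAMPLE_TOKEN_RESPONSE)
    print("roles:", sorted(info["roles"]))
    print(build_site_grant_request("<site-id>", "<client-id>", "SFTPPlus"))
```

The role check is the one that saves debugging time: a token is issued even when admin consent for Sites.Selected is missing, and the failure then only shows up as a 403 from Graph. Never log the form body of the token request, since it contains the client secret.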

Migration and configuration differences

With the new OAuth2 and MS Graph API SFTPPlus SharePoint location you will create a separate SFTPPlus location for each SharePoint Online site.

The path configured in SFTPPlus for a SharePoint Online document library is different from the web URL used by SharePoint Online.

In SharePoint Online the folder URL looks like:

https://sftpplus.sharepoint.com/sites/test-site/test_lib?id=%2Fsites%2Ftest-site%2FReports%2F2025

The id parameter is the URL-encoded server-relative path of the folder, /sites/test-site/Reports/2025.

In SFTPPlus the path is configured as /Reports/2025, without the site domain (sftpplus.sharepoint.com) or the site name (test-site).

The site domain and site name are defined as separate fields of the location configuration.
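The URL-to-location mapping above, as an added example (not SFTPPlus code): a small parser that takes a SharePoint Online folder URL and returns the site domain, site name and site-relative path, rejecting a folder that is not inside the site and any path traversal. It goes slightly beyond the article's case by also accepting classic ?RootFolder= URLs and plain library view URLs. The keys of the returned dict are illustrative and do not claim to be SFTPPlus's own setting names; the Graph URL builder assumes the folder lives in the site's default document library, which is an assumption for this example.

```python
"""Translate a SharePoint Online web URL into the pieces an SFTPPlus location
needs: site domain, site name and the path relative to the site.

Added example for this article, not SFTPPlus code. The keys of the returned
dict are illustrative; the real field names are in the SFTPPlus SharePoint
Online documentation.
"""
from urllib.parse import parse_qs, quote, unquote, urlsplit

_VIEW_SUFFIX = "/Forms/AllItems.aspx"


def sharepoint_url_to_location(url):
    """Return {"site_domain", "site_name", "path"} for a SharePoint Online folder URL.

    Handles modern URLs (folder in the ?id= parameter), classic URLs
    (?RootFolder=) and plain library view URLs with no query. Only /sites/<name>
    URLs are handled, matching the article's example.
    """
    parts = urlsplit(url)
    domain = parts.netloc.lower()
    if parts.scheme != "https" or not domain.endswith(".sharepoint.com"):
        raise ValueError("not a SharePoint Online URL: %s" % url)

    segments = [s for s in unquote(parts.path).split("/") if s]
    if len(segments) < 2 or segments[0].lower() != "sites":
        raise ValueError("expected https://<domain>/sites/<site-name>/...")
    site_name = segments[1]
    site_prefix = "/sites/%s" % site_name

    query = parse_qs(parts.query)  # parse_qs already percent-decodes values
    if "id" in query:
        folder = query["id"][0]
    elif "RootFolder" in query:
        folder = query["RootFolder"][0]
    else:
        folder = unquote(parts.path)
        if folder.endswith(_VIEW_SUFFIX):
            folder = folder[: -len(_VIEW_SUFFIX)]

    # The folder must be inside this site; a cross-site id would silently point
    # the location at the wrong place.
    if not (folder == site_prefix or folder.startswith(site_prefix + "/")):
        raise ValueError("folder %s is outside site %s" % (folder, site_prefix))
    relative = folder[len(site_prefix):].rstrip("/") or "/"
    if ".." in relative.split("/"):
        raise ValueError("path traversal in %s" % relative)

    return {"site_domain": domain, "site_name": site_name, "path": relative}


def graph_children_url(location):
    """Graph URL listing the folder, assuming (for this example) that it lives in
    the site's default document library (/drive). Folders in other libraries
    are addressed through /drives/{drive-id} instead."""
    site = "https://graph.microsoft.com/v1.0/sites/%s:/sites/%s" % (
        location["site_domain"], location["site_name"])
    if location["path"] == "/":
        return site + ":/drive/root/children"
    return site + ":/drive/root:%s:/children" % quote(location["path"], safe="/")


if __name__ == "__main__":
    # Constructed sample URLs; the first one is the article's example.
    for sample in (
        "https://sftpplus.sharepoint.com/sites/test-site/test_lib"
        "?id=%2Fsites%2Ftest-site%2FReports%2F2025",
        "https://sftpplus.sharepoint.com/sites/test-site/Shared%20Documents/Forms/AllItems.aspx",
    ):
        loc = sharepoint_url_to_location(sample)
        print(loc, "->", graph_children_url(loc))
```

The cross-site check matters when the URL is copied from a browser: the ?id= parameter is whatever the user last navigated to and is not guaranteed to belong to the site in the URL's path.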

Need help with your migration?

If you are unsure whether your current SFTPPlus SharePoint locations use the removed Basic Authentication or the legacy SAML (FedAuth) method, or you need guidance configuring the new OAuth2 and MS Graph API access, our team can assist.

Contact us. We will review your existing configuration and provide concrete steps to complete the migration with minimal downtime.