I'm configuring Amazon Bedrock Knowledge Bases with a SharePoint Online data source using SharePoint App-Only authentication (OAUTH2_SHAREPOINT_APP_ONLY_CLIENT_CREDENTIALS).
This authentication method requires four values in Secrets Manager: clientId, clientSecret, sharePointClientId, and sharePointClientSecret. The sharePointClientId and sharePointClientSecret are generated via SharePoint's appregnew.aspx page, which relies on Azure ACS (Access Control Services).
Microsoft has retired Azure ACS and confirmed it will stop working on April 2, 2026:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Microsoft's recommended replacement is Entra ID Application Permissions, which requires certificate-based authentication — not client secrets. Their documentation explicitly states certificates are the only supported method for Entra ID app-only access to SharePoint Online:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
The Bedrock SharePoint connector does not appear to support certificate-based Entra ID authentication.
Questions:
- Is there a planned update to the Bedrock SharePoint connector to support Entra ID certificate-based authentication before April 2, 2026?
- For customers currently using the SharePoint App-Only auth method, what is the recommended migration path after ACS is discontinued?
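An added example, not part of the original post and not AWS code: one way to inventory which knowledge base data sources still depend on the ACS-backed auth type ahead of the retirement date. It assumes the response shapes of the boto3 `bedrock-agent` and `secretsmanager` clients; the sample data source ID and secret ARN are constructed, and the helper names are hypothetical.

```python
import json
ACS_AUTH_TYPE = "OAUTH2_SHAREPOINT_APP_ONLY_CLIENT_CREDENTIALS"  # auth type named in the post
ACS_SECRET_KEYS = {"sharePointClientId", "sharePointClientSecret"}  # the ACS-issued pair

# Constructed sample in the shape of bedrock-agent get_data_source()["dataSource"].
SAMPLE_DS = {"dataSourceId": "DSEXAMPLE01", "dataSourceConfiguration": {"type": "SHAREPOINT",
    "sharePointConfiguration": {"sourceConfiguration": {"authType": ACS_AUTH_TYPE,
        "credentialsSecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example"}}}}

def source_config(ds):
    """Return the SharePoint sourceConfiguration of a data source, or {} if not SharePoint."""
    cfg = ds.get("dataSourceConfiguration", {})
    if cfg.get("type") != "SHAREPOINT":
        return {}
    return cfg.get("sharePointConfiguration", {}).get("sourceConfiguration", {})

def acs_finding(ds, secret_string=None):
    """Return a finding if the data source depends on ACS, else None (key names only)."""
    src = source_config(ds)
    acs_keys = []
    if src and secret_string:
        try:
            parsed = json.loads(secret_string)
        except ValueError:
            parsed = None  # secret is not JSON: nothing to report
        if isinstance(parsed, dict):
            acs_keys = sorted(ACS_SECRET_KEYS & parsed.keys())
    if src.get("authType") != ACS_AUTH_TYPE and not acs_keys:
        return None
    return {"dataSourceId": ds.get("dataSourceId"), "authType": src.get("authType"),
            "secretArn": src.get("credentialsSecretArn"), "acsSecretKeys": acs_keys}

def scan_region(region):
    """Check every knowledge base data source in one region (needs boto3, read-only access)."""
    import boto3  # imported here so acs_finding() runs offline
    agent = boto3.client("bedrock-agent", region_name=region)
    secrets = boto3.client("secretsmanager", region_name=region)
    findings = []
    for kb_page in agent.get_paginator("list_knowledge_bases").paginate():
        for kb in kb_page["knowledgeBaseSummaries"]:
            kb_id = kb["knowledgeBaseId"]
            for ds_page in agent.get_paginator("list_data_sources").paginate(knowledgeBaseId=kb_id):
                for item in ds_page["dataSourceSummaries"]:
                    ds = agent.get_data_source(
                        knowledgeBaseId=kb_id, dataSourceId=item["dataSourceId"])["dataSource"]
                    arn = source_config(ds).get("credentialsSecretArn")
                    secret = secrets.get_secret_value(SecretId=arn).get("SecretString") if arn else None
                    findings.append(acs_finding(ds, secret))
    return [f for f in findings if f]
```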