<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement? in Data Engineering</title>
    <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5190416#M16459</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/891475"&gt;@MathieuSGA&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Yes, the screenshot you shared shows the correct area in Azure where the certificate gets attached to the App Registration under the Certificates tab. Typically, the certificate itself is first generated externally (for example via PowerShell or Azure Key Vault) as a .cer + .pfx pair and then the public certificate is uploaded there. Your Fabric notebook approach is also aligned with the current MSAL + certificate + Key Vault pattern Microsoft recommends for modern SharePoint app-only authentication.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;The general flow would be to generate a certificate, upload the public certificate to the App Registration, store the PFX securely in Key Vault, retrieve it from Fabric at runtime and then use MSAL certificate authentication instead of a client secret to acquire the SharePoint token.&lt;/P&gt;
&lt;P&gt;That said, I would still treat this as a validation step specifically for /_api/web/ensureuser. Microsoft documents certificate-based Entra app-only authentication for SharePoint Online REST APIs generally, but I could not find clear documentation confirming that /_api/web/ensureuser specifically supports app-only execution. So, the setup itself looks correct, but ensureuser may (mostly not) still reject the token requiring delegated user context.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;LI-WRAPPER&gt;&lt;SPAN data-teams="true"&gt;Hope it helps to resolve your issue.&lt;BR /&gt;Regards,&lt;BR /&gt;Community Support Team.&lt;/SPAN&gt;&lt;/LI-WRAPPER&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 29 May 2026 09:47:59 GMT</pubDate>
    <dc:creator>v-hjannapu</dc:creator>
    <dc:date>2026-05-29T09:47:59Z</dc:date>
    <item>
      <title>Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5188973#M16400</link>
      <description>&lt;P&gt;Hello Fabric Community,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm facing a roadblock with SharePoint integration from Microsoft Fabric, and I hope you can help clarify the modern, supported approach.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Context and app registration configuration&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;We have an Azure AD (Entra ID) app registration with the following API permissions, both **granted and admin-consented**:&lt;/P&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;API&lt;/TD&gt;&lt;TD&gt;Permission&lt;/TD&gt;&lt;TD&gt;Type&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Microsoft Graph&lt;/TD&gt;&lt;TD&gt;Sites.FullControl.All&lt;/TD&gt;&lt;TD&gt;Application&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;SharePoint&lt;/TD&gt;&lt;TD&gt;Sites.FullControl.All&lt;/TD&gt;&lt;TD&gt;Application&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In our Fabric notebook, secrets (tenant ID, client ID, client secret) are retrieved at runtime from **Azure Key Vault** using `notebookutils.credentials.getSecret()`. No credentials are hardcoded or stored in the notebook. We use MSAL (`ConfidentialClientApplication`) with the `client_credentials` flow to acquire tokens.&lt;/P&gt;&lt;P&gt;We verified both tokens are correctly issued and contain `Sites.FullControl.All` in their `roles` claim — so the permissions are in order. **Read operations on SharePoint (listing lists, reading items, resolving already-present users) work perfectly.**&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;The blocker — the User Information List (UIL):&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The UIL is a hidden system list present on every SharePoint site. It references all users who have ever interacted with the site. 
**A user absent from the UIL cannot be referenced in a Person or Group field** — you cannot just pass an email address directly.&lt;/P&gt;&lt;P&gt;This is a "lazy provisioning" model: the UIL is not a direct mirror of Azure AD / Entra ID. It is populated on-demand, either when a user first accesses the site, or when `_api/web/ensureuser` is explicitly called. If the employee has never opened SharePoint for this site, they simply do not exist in the UIL yet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;What we tried:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The only documented way to provision a user in the UIL programmatically is via:&lt;/P&gt;&lt;P&gt;```&lt;BR /&gt;POST https://&amp;lt;tenant&amp;gt;.sharepoint.com/sites/&amp;lt;site&amp;gt;/_api/web/ensureuser&lt;BR /&gt;Body: { "logonName": "i:0#.f|membership|user@domain.com" }&lt;BR /&gt;```&lt;/P&gt;&lt;P&gt;When called using our **AAD app-only token** (the one confirmed to carry `Sites.FullControl.All`), this returns:&lt;/P&gt;&lt;P&gt;```&lt;BR /&gt;HTTP 401 — "Unsupported app only token"&lt;BR /&gt;```&lt;/P&gt;&lt;P&gt;This is documented behavior: `ensureuser` requires a **delegated token** (issued on behalf of a real signed-in user), not an app-only token.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Why the usual workarounds are closed:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;- **Azure ACS (SharePoint Add-in model):** Retired as of April 2026. No longer functional — no new tokens can be issued. 
This legacy path is gone.&lt;BR /&gt;- **ROPC (Resource Owner Password Credentials) with a service account:** Not possible in our tenant — MFA is enforced on all accounts with no exception.&lt;/P&gt;&lt;P&gt;We have **not found any Microsoft Graph API endpoint** capable of directly provisioning a user into the SharePoint UIL, or writing to a Person field for a user not yet present in the UIL.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Our questions:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;1. Is there any supported, **non-interactive (unattended)** way to provision a user in the SharePoint UIL from Fabric, now that ACS is retired and ROPC is blocked?&lt;BR /&gt;2. Has anyone successfully used **Microsoft Graph** or **Power Automate** as a workaround to "preload" users into the UIL for unattended pipelines?&lt;BR /&gt;3. Is there a way to write to a Person or Group field using only the user's UPN or Object ID, **bypassing the UIL lookup entirely**?&lt;/P&gt;&lt;P&gt;Any detailed guidance, workarounds, or official documentation references are very welcome. Thank you!&lt;/P&gt;</description>
      <pubDate>Tue, 26 May 2026 16:00:05 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5188973#M16400</guid>
      <dc:creator>MathieuSGA</dc:creator>
      <dc:date>2026-05-26T16:00:05Z</dc:date>
    </item>
    <item>
      <title>Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5189332#M16413</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/891475"&gt;@MathieuSGA&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Thank you for reaching out to the Microsoft Fabric community forum.&lt;/P&gt;
&lt;P&gt;Your understanding of the UIL behavior is correct. SharePoint Person/Group fields still depend on the site’s User Information List, so users must exist in the UIL before those fields can be populated successfully. One important detail is that your current implementation uses Entra app-only with a client secret. Microsoft’s supported modern model for SharePoint Online app-only REST access is certificate-based authentication, and client-secret app-only tokens are known to cause the Unsupported app only token error in SharePoint REST scenarios.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;However, I could not find any official Microsoft documentation explicitly confirming whether /_api/web/ensureuser supports or rejects certificate-based Entra app-only authentication. Microsoft also does not provide a Graph API to preload users into the UIL and there is no documented way to bypass the UIL dependency using only UPN or Object ID. So, at this point, certificate-based Entra app-only auth is still worth testing against ensureuser, since it is the only remaining supported unattended model. If that still fails with Unsupported app only token, then there likely is no fully supported unattended UIL provisioning path remaining after ACS retirement.&lt;/P&gt;
&lt;P&gt;In practice, the remaining reliable options are delegated bootstrap flows like Power Automate running in user context or having users access the SharePoint site once so they are automatically added to the UIL.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Please check below documentation for your reference:&lt;/P&gt;
&lt;P&gt;&lt;A title="https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs" href="https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs" rel="noreferrer noopener" target="_blank"&gt;Granting access using SharePoint App-Only | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A title="https://learn.microsoft.com/en-us/answers/questions/1343048/azuread-sahrepoint-connexion-invalid-client-secret" href="https://learn.microsoft.com/en-us/answers/questions/1343048/azuread-sahrepoint-connexion-invalid-client-secret" rel="noreferrer noopener" target="_blank"&gt;AzureAd/Sahrepoint connexion - Invalid client secret error in Access token request with a certifica…&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A title="https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread" href="https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread" rel="noreferrer noopener" target="_blank"&gt;Granting access via Entra ID App-Only | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A title="https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly" href="https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly" rel="noreferrer noopener" target="_blank"&gt;Accessing SharePoint using an application context, also known as app-only | Microsoft Learn&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Hope this helps. If you have any queries, we are happy to assist you further.&lt;BR /&gt;Regards,&lt;BR /&gt;Community Support Team.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 27 May 2026 09:50:01 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5189332#M16413</guid>
      <dc:creator>v-hjannapu</dc:creator>
      <dc:date>2026-05-27T09:50:01Z</dc:date>
    </item>
    <item>
      <title>Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5189488#M16420</link>
      <description>&lt;P&gt;Sounds interesting/promising!&lt;BR /&gt;&lt;BR /&gt;As for the steps ahead, would you happen to have a more detailed step-by-step guide on how to:&lt;BR /&gt;- generate a credential in Azure&lt;BR /&gt;- be able to use it in a Fabric Notebook to generate/acquire a token that would allow us to call the `_api/web/ensureuser` with a successful outcome&lt;BR /&gt;&lt;BR /&gt;As for some additional context, here are ...&lt;BR /&gt;&lt;BR /&gt;... a screenshot of the Azure App config menu - could you confirm part of the job happens here?&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MathieuSGA_0-1779892494172.png" style="width: 400px;"&gt;&lt;img src="https://community.fabric.microsoft.com/t5/image/serverpage/image-id/1350353i6215C672257005E7/image-size/medium?v=v2&amp;amp;px=400" role="button" title="MathieuSGA_0-1779892494172.png" alt="MathieuSGA_0-1779892494172.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;... a snippet of code I found &lt;A href="https://heyniels.com/2026/03/15/connect-fabric-to-sharepoint-after-the-acs-retirement/#:~:text=import%20base64%2C%20msal,microsoftonline.com/%7Btenant_id%7D%22%0A)" target="_self"&gt;here&lt;/A&gt;&amp;nbsp;to supposedly retrieve a certificate that would have been stored in an Azure KeyVault Secret&lt;/P&gt;&lt;LI-CODE lang="python"&gt;import base64, msal
import notebookutils  # provided by the Fabric notebook runtime; exposes credentials.getSecret()
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.serialization import pkcs12, Encoding, PrivateFormat, NoEncryption

# 1. Load credentials from Azure Key Vault (nothing is hardcoded in the notebook)
kv_url        = "https://your-keyvault.vault.azure.net"   # placeholder vault URL
tenant_id     = notebookutils.credentials.getSecret(kv_url, "sp-tenant-id")
client_id     = notebookutils.credentials.getSecret(kv_url, "sp-client-id")
cert_pfx_b64  = notebookutils.credentials.getSecret(kv_url, "sp-certificate")  # PFX, base64-encoded

# 2. Parse the PFX to extract what MSAL needs: the private key (PEM) and the certificate thumbprint.
#    password=None assumes the PFX was exported without a password (as Key Vault does when a
#    certificate is read through its secret endpoint); pass the password as bytes otherwise.
private_key, certificate, _ = pkcs12.load_key_and_certificates(
    base64.b64decode(cert_pfx_b64), password=None
)
private_key_pem = private_key.private_bytes(
    Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()
).decode()
# MSAL expects the SHA-1 thumbprint as uppercase hex, matching the value shown on the Certificates tab.
thumbprint = certificate.fingerprint(hashes.SHA1()).hex().upper()

# 3. Acquire an access token with certificate credentials (client_credentials flow, no client secret).
app = msal.ConfidentialClientApplication(
    client_id=client_id,
    client_credential={"private_key": private_key_pem, "thumbprint": thumbprint},
    authority=f"https://login.microsoftonline.com/{tenant_id}"
)
# The scope must target the SharePoint tenant host (placeholder below), not Graph, so that the
# token's audience is SharePoint and it can be presented to /_api endpoints.
result = app.acquire_token_for_client(scopes=["https://your-tenant.sharepoint.com/.default"])
if "access_token" not in result:
    raise RuntimeError(f"Token acquisition failed: {result.get('error_description')}")
access_token = result["access_token"]&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;Would you happen to need any additional intel to help: I am available to provide them asap.&lt;/P&gt;</description>
      <pubDate>Wed, 27 May 2026 14:35:40 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5189488#M16420</guid>
      <dc:creator>MathieuSGA</dc:creator>
      <dc:date>2026-05-27T14:35:40Z</dc:date>
    </item>
    <item>
      <title>Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5190416#M16459</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/891475"&gt;@MathieuSGA&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Yes, the screenshot you shared shows the correct area in Azure where the certificate gets attached to the App Registration under the Certificates tab. Typically, the certificate itself is first generated externally (for example via PowerShell or Azure Key Vault) as a .cer + .pfx pair and then the public certificate is uploaded there. Your Fabric notebook approach is also aligned with the current MSAL + certificate + Key Vault pattern Microsoft recommends for modern SharePoint app-only authentication.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;The general flow would be to generate a certificate, upload the public certificate to the App Registration, store the PFX securely in Key Vault, retrieve it from Fabric at runtime and then use MSAL certificate authentication instead of a client secret to acquire the SharePoint token.&lt;/P&gt;
&lt;P&gt;That said, I would still treat this as a validation step specifically for /_api/web/ensureuser. Microsoft documents certificate-based Entra app-only authentication for SharePoint Online REST APIs generally, but I could not find clear documentation confirming that /_api/web/ensureuser specifically supports app-only execution. So, the setup itself looks correct, but ensureuser may (mostly not) still reject the token requiring delegated user context.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;LI-WRAPPER&gt;&lt;SPAN data-teams="true"&gt;Hope it helps to resolve your issue.&lt;BR /&gt;Regards,&lt;BR /&gt;Community Support Team.&lt;/SPAN&gt;&lt;/LI-WRAPPER&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 29 May 2026 09:47:59 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5190416#M16459</guid>
      <dc:creator>v-hjannapu</dc:creator>
      <dc:date>2026-05-29T09:47:59Z</dc:date>
    </item>
    <item>
      <title>Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5191734#M16493</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/891475"&gt;@MathieuSGA&lt;/a&gt;,&lt;BR /&gt;I hope the information provided above assists you in resolving the issue. If you have any additional questions or concerns, please do not hesitate to contact us. We are here to support you and will be happy to help with any further assistance you may need.&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Community Support Team.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 04:10:21 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5191734#M16493</guid>
      <dc:creator>v-hjannapu</dc:creator>
      <dc:date>2026-06-02T04:10:21Z</dc:date>
    </item>
    <item>
      <title>Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5193439#M16553</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/891475"&gt;@MathieuSGA&lt;/a&gt;,&lt;BR /&gt;I hope the above details help you fix the issue. If you still have any questions or need more help, feel free to reach out. We are always here to support you.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Community Support Team.&lt;/P&gt;</description>
      <pubDate>Fri, 05 Jun 2026 04:05:29 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5193439#M16553</guid>
      <dc:creator>v-hjannapu</dc:creator>
      <dc:date>2026-06-05T04:05:29Z</dc:date>
    </item>
    <item>
      <title>Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5195043#M16604</link>
      <description>&lt;P&gt;The resolution process is "On Hold" for now since I need my Azure Admin to help me implement the provided approach.&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jun 2026 13:16:55 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5195043#M16604</guid>
      <dc:creator>MathieuSGA</dc:creator>
      <dc:date>2026-06-09T13:16:55Z</dc:date>
    </item>
    <item>
      <title>Re: Programmatically add a user to the SharePoint UIL from Fabric after ACS retirement?</title>
      <link>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5210121#M16726</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/891475"&gt;@MathieuSGA&lt;/a&gt;,&lt;BR /&gt;&lt;SPAN data-teams="true"&gt;&amp;nbsp;Thanks for the update, please do let us know once it is solved. If you have any other issues, please feel free to create a new post, we are always happy to help.&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;Regards,&lt;BR /&gt;Community Support Team.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jun 2026 10:00:26 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Data-Engineering/Programmatically-add-a-user-to-the-SharePoint-UIL-from-Fabric/m-p/5210121#M16726</guid>
      <dc:creator>v-hjannapu</dc:creator>
      <dc:date>2026-06-17T10:00:26Z</dc:date>
    </item>
  </channel>
</rss>

