Understanding O365 and SPO Authentication in a Nutshell

The post is part of a series on O365, SharePoint Online, Windows Azure, and authentication. It explains how authentication works with O365 and SPO.

This post is part of a series on Office365/SharePoint Online, Windows Azure and Authentication. The other posts in this series can be found here: Office365/SharePoint Online, Windows Azure and Authentication

In my previous post in this series I talked about how authentication works with Office365 (O365) & SharePoint Online (SPO). You first authenticate with Microsoft Online (MSO) and then your browser passes along the SAML token with each request to site collections in SPO.

The first thing we need to do when accessing SPO programmatically is to understand how we authenticate with MSO and get the SAML token. Thankfully Microsoft provides a sample to help with the authentication piece. What you need is to make sure you have the Windows Identity Framework Runtime installed first. The main class that Wictor Wilen provides for authenticating to MSO is MsOnlineClaimsHelper. This class takes three parameters in the constructor:

  • MSO Username of the account to authenticate with
  • MSO Password of the account to authenticate with
  • URL of the root site collection for your SPO account - note this is the root site collection which may not necessarily be the site collection you are interested in, but it is needed to authenticate and get the key

The MsOnlineClaimsHelper class has a public property, CookieContainer (which is also of type System.Net.CookieContainer ), that you’ll use to get the SAML token from MSO to attach to future requests. When the CookieContainer property is accessed, if null, the MsOnlineClaimsHelper will go authenticate and parse the results to extract the SAML token and store it in the cookie container.

Check out the code sample I mentioned previously in this post. What you’re looking for are two files in the MSDN folder of the ACsCichlids.StoreFront project & the CSOM redistributable . These two files are the aforementioned MsOnlineClaimsHelper.cs & a file it depends on, WcfClientContracts.cs. Copy them into your project and that’s all you need in order to authenticate.

Here’s just a little code from a simple console app that shows me authenticating into my SharePoint Online site collection:

static void Main(string[] args) {
  string msoUsername = "[email protected]";
  string msoPassword = "[password]";
  string msoRootSpSite = "https://aconn.sharepoint.com/";

  var msoHelper = new MsOnlineClaimsHelper(msoUsername,

  CookieContainer cookieJar = msoHelper.CookieContainer;
Andrew Connell
Developer & Chief Course Artisan, Voitanos LLC. | Microsoft MVP
Written by Andrew Connell

Andrew Connell is a web & cloud developer with a focus on Microsoft Azure & Microsoft 365. He’s received Microsoft’s MVP award every year since 2005 and has helped thousands of developers through the various courses he’s authored & taught. Andrew’s the founder of Voitanos and is dedicated to helping you be the best Microsoft 365 web & cloud developer. He lives with his wife & two kids in Florida.

Share & Comment