How to Connect a Scanner to SharePoint Online: The Modern Auth Guide

This is part of our broader guide to scan-to-SharePoint workflows. This article focuses specifically on authentication — the technical layer that determines whether your scanner can actually connect to SharePoint Online, and why it matters more than ever after Microsoft's 2025 authentication changes.

Basic Auth vs Modern Auth — Why It Matters

Basic authentication works by storing a Microsoft 365 username and password directly on the scanner device. Every time the scanner sends a document to SharePoint, it includes these credentials in the request. It's simple to set up and was the standard approach for device-to-cloud connections for years.

The problem: basic auth is inherently insecure. Credentials stored on a device can be extracted. Requests can be intercepted. There's no MFA support — anyone with the stored credentials can access the SharePoint account from anywhere. Microsoft deprecated basic auth across all Microsoft 365 services in August 2025, immediately breaking every scanner that relied on it.

Modern authentication (OAuth 2.0) works differently. The scanner doesn't store credentials. Instead, it initiates a token exchange with Microsoft's identity platform. The user authenticates (including MFA if required) via a secure browser flow. Microsoft issues a time-limited access token. The scanner uses this token for SharePoint requests and renews it automatically before it expires. No password is stored on the device, so there is no static credential to steal, and the flow is MFA-compatible.

The Three Ways Scanners Connect to SharePoint

1. Direct OAuth (native modern auth)

The scanner has built-in OAuth 2.0 support and authenticates directly with Microsoft's identity platform. No intermediary software required. This is how standalone PC-free network scanners like the Plustek eScan work. Setup: sign in on the scanner touchscreen, complete the OAuth browser flow on any device, done. The connection is persistent and self-refreshing.

2. Via middleware (MFPs and legacy scanners)

Software like Kofax, AutoStore, or PaperStream Capture runs on a server or PC. The scanner sends documents to the middleware, which then authenticates with SharePoint using modern auth and forwards the documents. This preserves existing scanner hardware but introduces a middleware dependency, additional cost, and a single point of failure.

3. Via Power Automate (workaround)

The scanner sends to an email address or a network folder. A Power Automate flow picks up new files and moves them to SharePoint. This works around the scanner's authentication requirements entirely but adds latency, loses metadata capability, and requires ongoing flow maintenance. Not recommended for production document workflows.

What You Need for a Direct OAuth Connection

  • A scanner with native OAuth 2.0 / modern auth support (confirm this explicitly with the vendor)
  • A Microsoft 365 account with SharePoint included
  • Network access from the scanner location (port 443 outbound to login.microsoftonline.com and your tenant's SharePoint URL)
  • A device (phone or laptop) to complete the browser-based authentication flow on first setup
  • Optional: a Microsoft 365 Global Admin to approve the scanner's app registration in Azure AD (required if your organisation uses admin consent for app permissions)

Step-by-Step: Authenticating the eScan with SharePoint Online

  1. On the eScan touchscreen: Settings → Cloud Services → Microsoft 365 → Sign In
  2. The scanner displays a short code and the URL microsoft.com/devicelogin
  3. On any browser (phone, laptop): navigate to that URL, enter the code
  4. Sign in with the Microsoft 365 account that the scanner will use to access SharePoint
  5. Review and grant the permissions requested (typically Sites.ReadWrite.All for SharePoint access)
  6. The scanner receives an OAuth token and confirms the connection
  7. Configure your SharePoint destinations and job buttons

The token is stored securely on the scanner and refreshed automatically. You will not need to repeat this process unless you revoke the scanner's access in Azure AD or the user account is deleted.

Azure AD App Permissions — What to Expect

When the scanner authenticates for the first time, it registers as an app in your Azure Active Directory (now called Microsoft Entra ID). The scanner requests specific permissions — typically Sites.ReadWrite.All (to read from and write to SharePoint sites) and Files.ReadWrite.All (for OneDrive access if used).

If your organisation has admin consent required enabled (common in mid-size and enterprise environments), a Global Administrator must approve these permissions before the scanner can authenticate. This is a one-time step: Azure AD → Enterprise Applications → find the scanner app → Grant Admin Consent.

If you're not sure whether your organisation requires admin consent: try the authentication flow. If it completes successfully, consent isn't required. If you see "Your organisation requires admin approval," it is — contact your Microsoft 365 admin.

Troubleshooting Common Connection Issues

  • "Cannot connect to SharePoint": Check port 443 outbound is open from the scanner's network location. Check DNS resolution. Check the scanner has a valid IP address.
  • Authentication completes but documents don't appear: Check the authenticated user has Contribute permissions on the target SharePoint library. Check conditional access policies aren't blocking the connection based on device compliance.
  • Admin consent error: Contact your Microsoft 365 Global Admin to approve the scanner's app registration.
  • Token expired after long period of inactivity: Re-authenticate via Settings → Cloud Services → Microsoft 365 → Sign In. Normal for devices not used for 90+ days.
  • MFA prompt on first setup: Expected — complete MFA on the device you're using for the browser flow. Subsequent scans don't require MFA re-authentication.
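The first bullet (port 443 outbound, DNS, a valid address) can be checked before touching the scanner. The script below is an added example, not a vendor tool: it assumes a Linux or macOS host on the same network segment as the scanner (if the scanner sits on its own VLAN, run it from there, since what matters is the scanner's path out, not yours), and `https://contoso.sharepoint.com/sites/Scans` is a placeholder tenant URL.

```python
import socket
from urllib.parse import urlparse

LOGIN_HOST = "login.microsoftonline.com"  # the endpoint the page lists for OAuth


def hostname_from_url(url):
    """Accept either a bare host or a full site URL and return the host to test."""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def check_dns(host):
    """Resolve the host as the scanner would have to; returns (ok, detail)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        return True, sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        return False, f"DNS failed: {exc}"


def check_tcp(host, port=443, timeout=5.0):
    """Open an outbound TCP connection only (no TLS, no credentials); returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"tcp {host}:{port} reachable"
    except OSError as exc:
        return False, f"tcp {host}:{port} failed: {exc}"


def preflight(tenant_sharepoint_url, port=443):
    """Run DNS then TCP checks against the login endpoint and the tenant host."""
    report = {}
    for host in (LOGIN_HOST, hostname_from_url(tenant_sharepoint_url)):
        ok_dns, dns_detail = check_dns(host)
        if not ok_dns:
            report[host] = {"dns": False, "tcp": False, "detail": dns_detail}
            continue  # no point testing TCP against a name that does not resolve
        ok_tcp, tcp_detail = check_tcp(host, port)
        report[host] = {"dns": True, "tcp": ok_tcp, "detail": tcp_detail,
                        "addresses": dns_detail}
    return report


def all_clear(report):
    """True only when every host both resolved and accepted a connection."""
    return all(entry["dns"] and entry["tcp"] for entry in report.values())


if __name__ == "__main__":
    result = preflight("https://contoso.sharepoint.com/sites/Scans")  # placeholder URL
    for host, entry in result.items():
        print(f"{host}: dns={entry['dns']} tcp={entry['tcp']} ({entry['detail']})")
    print("all clear" if all_clear(result) else "fix network before authenticating")
```

A DNS failure on the tenant host but not on the login host usually points at a split-horizon or filtering resolver on the scanner's VLAN; a DNS success with a TCP failure points at an egress firewall rule for port 443.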

Scanners that use modern auth natively

OAuth 2.0 built-in. No basic auth, no middleware, no workarounds.

View the eScan A450 Pro →