sp-dev-docs icon indicating copy to clipboard operation
sp-dev-docs copied to clipboard
verified publisher icon SharePoint

Azure ACS App based authentication fails for Tenant Level Operation

Open wizneeraj opened this issue 1 year ago • 6 comments

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

SharePoint CSOM

Developer environment

Windows

What browser(s) / client(s) have you tested

  • [ ] 💥 Internet Explorer
  • [ ] 💥 Microsoft Edge
  • [ ] 💥 Google Chrome
  • [ ] 💥 FireFox
  • [ ] 💥 Safari
  • [ ] mobile (iOS/iPadOS)
  • [ ] mobile (Android)
  • [ ] not applicable
  • [X] other (enter in the "Additional environment details" area below)

Additional environment details

C# based code

Describe the bug / error

We are currently using CSOM based model to setup properties of a Site. The context is built using GetACSAppOnlyContext(clientid, clientsecret).

var adminURL = "https://tenant-admin.sharepoint.com/"; var context = TokenHelperTenant.GetContext(adminURL);

var tenant = new Tenant(context); var siteProperties = tenant.GetSitePropertiesByUrl("https://tenant.sharepoint.com/sites/portal", true); context.Load(siteProperties, s =] s.SharingCapability); context.ExecuteQuery(); //line where the error occurs - "Attempted to perform an unauthorized operation"

The Client App being used has Tenant level Full control permission which was created using appregnew.aspx page and I have ensured DisableCustomAppAuthentication setting is not enabled at the tenant level.

We have started facing the issue starting today. Kindly assist. The issue happens when Get-PnPTenantSite cmdlet is also used.

Steps to reproduce

  1. Register an app with tenant level full control permission using the appregnew.aspx & appinv.aspx page
  2. Use the generated client id & secret to access the site properties using Get-PnPTenantSite

Expected behavior

Should be able to access the properties of the Site from the Tenant

wizneeraj avatar May 09 '24 20:05 wizneeraj

You're not alone. We started to have problems with some security calls, and removing sitecollections by code using Apps. Testing code manually with real user is ok. Problem is in CSOM and PNP calls.

lucacosta1 avatar May 10 '24 09:05 lucacosta1

Seems like the calls are failing when using App based authentication. Executing Get-PnPTenantSite works for user context, fails for App based context. I have raised a MS case as well, but so far no traction.

wizneeraj avatar May 10 '24 10:05 wizneeraj

I'm seeing something similar that started earlier today.

  • Using App Only ACS context with client id and client secret. App is granted full control of tenant, secret current and not expired.
  • CSOM calls to tenant and site collection level operations are failing with "Attempted to perform an unauthorized operation"
  • Calls to web level operations still ok

pdl5p avatar May 10 '24 12:05 pdl5p

we changed the connection to clientid and certificate and fixed on the PNP side. the certificate should be uploaded to the app.

$bytes = Get-Content '.\PnPPowerShell.pfx' -AsByteStream $encodedPfx = [System.Convert]::ToBase64String($bytes) Connect-PnPOnline [tenant].sharepoint.com -ClientId [clientid] -Tenant [tenant].onmicrosoft.com -CertificateBase64Encoded $encodedPfx

from https://pnp.github.io/powershell/articles/connecting.html

lucacosta1 avatar May 10 '24 13:05 lucacosta1

this issue is resolved now by MS

chandan805 avatar May 10 '24 19:05 chandan805

https://admin.microsoft.com/#/servicehealth/history/:/alerts/SP791794 image

pdl5p avatar May 10 '24 22:05 pdl5p

Hello @wizneeraj, Thank you for bringing this issue to our attention. Could you please confirm if the issue still persists for you?

Amey-MSFT avatar May 29 '25 03:05 Amey-MSFT

We are closing this issue for now. If the problem persists, feel free to reopen it or open a new one.

Amey-MSFT avatar Jul 07 '25 10:07 Amey-MSFT