Are tenant admin operation supported with application permissions ?

[lucmoco]

I tried to do the following CSOM tenant admin operation with application permissions:

var tenant = new Tenant(tenantContext);
var siteProperties = tenant.GetSitePropertiesByUrl(siteUrl, true);
tenantContext.Load(siteProperties);
tenantContext.ExecuteQuery();

My application principal has all application permissions, including Sites.FullControl.All, but I get a 401 unauthorized response. The same call succeeds with delegated permissions.

The documentation should make clear that this is not a supported scenario (or, better, this scenario should be supported).

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 93e8fb5e-6609-837a-d446-22e21a15c7bd
• Version Independent ID: d884aca7-6a6e-3046-a892-2e8cf9b47665
• Content: Accessing SharePoint using an application context, also known as app-only
• Content Source: docs/solution-guidance/security-apponly.md
• Product: sharepoint
• GitHub Login: @VesaJuvonen
• Microsoft Alias: vesaj

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[kongmengfei]

@lucmoco,

Just did following test, i think it's possible to do tenant admin operation with application permissions:

1. Register app Principal

App permission:

<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>

2, Get App token:

3, Attach token to below code:

        static void Main(string[] args)
        {
            ClientContext ctx = new ClientContext("https://abc-admin.sharepoint.com");
            ctx.ExecutingWebRequest += Ctx_ExecutingWebRequest;


            var tenant = new Tenant(ctx);
            var siteProperties = tenant.GetSitePropertiesByUrl("https://abc.sharepoint.com/sites/s01", true);
            ctx.Load(siteProperties);
            ctx.ExecuteQuery();

            Console.WriteLine(siteProperties);
        }

        static void Ctx_ExecutingWebRequest(object sender, WebRequestEventArgs e)
        {
            var token = @"eyJ0eXHqhv5Y4HhqWg_Y0xjv6mvk6A";
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + token;
        }

Result:

Baker Kong
Microsoft SharePoint Community Support

[lucmoco]

Hi @kongmengfei,

Thank you for your response. I should have been more explicit: I am not trying to access SharePoint using a SharePoint App-Only principal, but using an Azure AD application.

In my code, since doing tenant operations with my Azure AD application would not work, I had to register an extra SharePoint App-Only principal (SharePoint add-in) as you describe, and with the add-in the tenant operations succeeded.

But this forces me to registering two identities for my application, an Azure AD application AND a SharePoint App-Only principal (SharePoint add-in).

Cheers,
Luc

[sandeepvootoori]

Is this supported with Azure AD Application?

I think the docs need to be updated if its really not possible, Its not listed in the limitations

[michaelmaillot]

Hi @lucmoco,

I've tried on my side with Sites.FullControl.All and it's working (same behavior with Sites.Manage.All). According to me, this is supported with Azure AD App.

Do you still have the issue?

[github-actions]

Thank you for taking the time to file an issue. We periodically archive older or inactive issues as part of our issue management process, which automatically closes them once they are archived.

If you’d like to understand more about why and how we handle archived (closed) issues, please see Our approach to closed issues.

We appreciate your contribution and if this is still an active issue with the latest SPFx versions, please do resubmit the details. We needed to perform a cleanup, so that we can start with a clean table with a new process. We apologize for the inconvenience this might cause.