Setting up an app-only principal with tenant permissions
1. Navigate to a site in your tenant and then call the appregnew.aspx page: https://tenant-admin.sharepoint.com/_layouts/15/appregnew.aspx (change "tenant" to your own tenant name).
2. In this page click on the Generate button to generate a client id and client secret, then fill in the remaining information:
   Title        | Sekasoft.EIDEasySign
   App Domain   |
   Redirect URI |
Important: Store the retrieved information (client id and client secret), since you'll need it in the next step!
3. The next step is granting permissions to the newly created principal. Since we're granting tenant-scoped permissions, this can only be done via the appinv.aspx page on the tenant administration site. You can reach this page via https://tenant-admin.sharepoint.com/_layouts/15/appinv.aspx. Once the page is loaded, enter your client id and look up the created principal.
To grant permissions, you'll need to provide the permission XML that describes the needed permissions. Since this application needs to be able to access all sites and also uses search with app-only, it needs the permissions below:

   <AppPermissionRequests AllowAppOnlyPolicy="true">
     <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
   </AppPermissionRequests>
When you click on Create you'll be presented with a permission consent dialog. Press Trust It to grant the permissions.

Important: Please safeguard the created client id/secret combination as if it were your administrator account. Using this client id/secret, one can read and update all data in your SharePoint Online environment!
Q: I get a notification that the App Client ID and Secret ID are incorrect. What to do?
A: Check that your tenant setting DisableCustomAppAuthentication is set to false.
How to set the DisableCustomAppAuthentication parameter:
- Launch SharePoint Online Management Shell on your computer. If you don't have it on your computer, download and install it from the Microsoft site: https://www.microsoft.com/en-US/download/details.aspx?id=35588
- Run it and paste the commands (change the tenant name to your own and connect as an administrator):
  Connect-SPOService -Url https://tenant-admin.sharepoint.com   # change "tenant" to your own tenant name
  Set-SPOTenant -DisableCustomAppAuthentication $false
- Press the Check button at the 2nd step in the app again.
Q: I get the message "Your SharePoint admin doesn't allow site owners to create an Azure Access Control (ACS) principal. Please contact your SharePoint administrator."
A:
- Launch SharePoint Online Management Shell on your computer. If you don't have it on your computer, download and install it from the Microsoft site: https://www.microsoft.com/en-US/download/details.aspx?id=35588
- Run it and paste the commands (change the tenant name to your own and connect as an administrator):
  Connect-SPOService -Url https://tenant-admin.sharepoint.com   # change "tenant" to your own tenant name
  Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
More info: https://m365admin.handsontek.net/sharepoint-admin-control-for-app-registration-update/
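Both FAQ answers above change a tenant-wide setting with Set-SPOTenant. The following PowerShell is an added example, not part of this guide: it reads the two settings with Get-SPOTenant first and reports them, and only applies the FAQ changes when -Fix is given, so an administrator can see what the app flow requires before widening anything. It assumes the SharePoint Online Management Shell module is installed; the function name, parameter names and the "contoso" tenant are this example's own.

```powershell
# Added example: audit (and optionally apply) the two tenant settings the FAQ relies on.
# Function and parameter names are this example's own; requires the SharePoint Online
# Management Shell module (Connect-SPOService, Get-SPOTenant, Set-SPOTenant).
function Test-AppOnlyTenantPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantName,   # "contoso" for contoso-admin.sharepoint.com
        [switch] $Fix                                  # without -Fix nothing is changed
    )

    # Connects interactively as a SharePoint administrator
    Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
    $tenant = Get-SPOTenant

    # Setting, value the appregnew/appinv flow needs, and why (from the FAQ above)
    $required = @(
        @{ Name = 'DisableCustomAppAuthentication';               Value = $false; Why = 'ACS client id/secret authentication must be allowed' }
        @{ Name = 'SiteOwnerManageLegacyServicePrincipalEnabled'; Value = $true;  Why = 'site owners may create an ACS principal' }
    )

    $results = foreach ($r in $required) {
        $current = $tenant.($r.Name)          # dynamic property lookup on the tenant object
        $ok = ($current -eq $r.Value)
        if (-not $ok -and $Fix) {
            # Set-SPOTenant takes these settings as Boolean parameters; splat by name.
            # Both settings widen legacy ACS app authentication for the whole tenant,
            # so the change is worth recording for later review.
            $params = @{}
            $params[$r.Name] = $r.Value
            Set-SPOTenant @params
            $ok = $true                       # Set-SPOTenant throws on failure
        }
        [pscustomobject]@{
            Setting   = $r.Name
            Current   = $current
            Required  = $r.Value
            Compliant = $ok
            Reason    = $r.Why
        }
    }
    $results
}

# Report only (no changes):
Test-AppOnlyTenantPrereqs -TenantName 'contoso' | Format-Table -AutoSize
# Apply the two Set-SPOTenant changes from the FAQ where they are still missing:
# Test-AppOnlyTenantPrereqs -TenantName 'contoso' -Fix
```

Run it without -Fix first to confirm which of the two settings is actually blocking the app before changing anything.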