Setting up an app-only principal with tenant permissions

1.     Navigate to a site in your tenant and then open the appregnew.aspx page: https://tenant-admin.sharepoint.com/_layouts/15/appregnew.aspx (change "tenant" to your own tenant name).

2.     On this page, click the Generate button to generate a client id and client secret, then fill in the remaining information:

Title: Sekasoft.EIDEasySign

App Domain: sekasofteideasysign.azurewebsites.net

Redirect URI: https://sekasofteideasysign.azurewebsites.net

Important

Store the retrieved information (client id and client secret) since you'll need this in the next step!

3.     The next step is granting permissions to the newly created principal. Since we're granting tenant-scoped permissions, this can only be done via the appinv.aspx page on the tenant administration site, which you can reach via https://tenant-admin.sharepoint.com/_layouts/15/appinv.aspx.

Once the page has loaded, enter your client id and look up the created principal:

To grant permissions, you'll need to provide the permission XML that describes the needed permissions. Since this application needs to access all sites and also uses search with app-only, it needs the permissions below:

XML:

<AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" /></AppPermissionRequests>

When you click Create, you'll be presented with a permission consent dialog. Press Trust It to grant the permissions:

Important

Please safeguard the created client id/secret combination as if it were your administrator account. With this client id/secret, anyone can read and update all data in your SharePoint Online environment!
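As an added example (not part of this guide or the Sekasoft product), a small Python check that parses a permission request XML like the one in step 3 and reports what it would grant, flagging a tenant-wide app-only Manage or FullControl grant as the admin-equivalent credential the note above warns about. The scope and right names are the standard SharePoint add-in permission values; the sample XML is the one from step 3.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tenant-scoped request used in step 3 of this guide.
SAMPLE_XML = ('<AppPermissionRequests AllowAppOnlyPolicy="true">'
              '<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />'
              '</AppPermissionRequests>')

# Standard SharePoint content scopes, ranked broadest first, and rights ranked weakest first.
SCOPE_BREADTH = {
    "http://sharepoint/content/tenant": 3,
    "http://sharepoint/content/sitecollection": 2,
    "http://sharepoint/content/sitecollection/web": 1,
    "http://sharepoint/content/sitecollection/web/list": 0,
}
RIGHT_LEVEL = {"Read": 0, "Write": 1, "Manage": 2, "FullControl": 3}


def audit_permission_request(xml_text):
    """Parse an AppPermissionRequests document and describe what trusting it would grant."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        raise ValueError("not an AppPermissionRequests document")
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    grants, findings = [], []
    for req in root.findall("AppPermissionRequest"):
        scope, right = req.get("Scope", ""), req.get("Right", "")
        grants.append((scope, right))
        # Anything outside the known content scopes (e.g. http://sharepoint/search) is reported, not rejected.
        if scope not in SCOPE_BREADTH and not scope.startswith("http://sharepoint/"):
            findings.append(f"unknown scope: {scope}")
        if scope in SCOPE_BREADTH and right not in RIGHT_LEVEL:
            findings.append(f"unknown right for content scope: {right}")
        # Tenant-wide Manage/FullControl is what makes the client secret equivalent to an admin credential.
        if SCOPE_BREADTH.get(scope) == 3 and RIGHT_LEVEL.get(right, -1) >= RIGHT_LEVEL["Manage"]:
            findings.append(f"tenant-wide {right}: protect the client id/secret like an admin account")
    if app_only and grants:
        findings.append("AllowAppOnlyPolicy=true: calls run as the app with no user context")
    return {"app_only": app_only, "grants": grants, "findings": findings}


if __name__ == "__main__":
    for line in audit_permission_request(SAMPLE_XML)["findings"]:
        print(line)
```

Run it against the XML you are about to paste into appinv.aspx to confirm you are granting no more than the guide requires.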

____________________________________________________

Questions and answers

Q: I get a notification that the App Client ID and Secret ID are incorrect. What should I do?

A: Check that your tenant setting DisableCustomAppAuthentication is set to false.

How to set the DisableCustomAppAuthentication parameter:

-        Launch SharePoint Online Management Shell on your computer. If you don't have it on your computer, download and install it from the Microsoft site: https://www.microsoft.com/en-US/download/details.aspx?id=35588

-        Run it and paste the commands:

Connect-SPOService -Url https://tenant-admin.sharepoint.com  # change tenant name to your own and connect as administrator

Set-SPOTenant -DisableCustomAppAuthentication $false

Then press the Check button at the 2nd step in the app again.


Q: I get the message “Your SharePoint admin doesn’t allow site owners to create an Azure Access Control (ACS) principal. Please contact your SharePoint administrator.”

-        Launch SharePoint Online Management Shell on your computer. If you don't have it on your computer, download and install it from the Microsoft site: https://www.microsoft.com/en-US/download/details.aspx?id=35588

-        Run it and paste the commands:

Connect-SPOService -Url https://tenant-admin.sharepoint.com  # change tenant name to your own and connect as administrator

Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

More info: https://m365admin.handsontek.net/sharepoint-admin-control-for-app-registration-update/