Granting access using SharePoint App-Only (use when Legacy Authentication mode is not allowed)
Update of 3rd of July, 2024 - If, after configuring everything, you try to connect and get a 401 Unauthorized error, check via PowerShell whether DisableCustomAppAuthentication is set to true or false:
Get-SPOSite https://replacemagic.sharepoint.com | select DisableCustomAppAuthentication
If it is true, run Set-SPOTenant -DisableCustomAppAuthentication $false to allow App-Only. The change can take 10-15 minutes to take effect.
Update of 27th of September, 2023 - Microsoft changed the security model, and it may happen that when you try to register an application and assign its permissions you get a technical error (with very little description). To resolve this problem:
- Install the latest version of the SharePoint Online Management Shell (https://www.microsoft.com/en-us/download/details.aspx?id=35588); it is important to have SharePoint Online Management Shell version 16.0.23710.12000 or later
- Start it with Run as Administrator
- Connect to the admin site of your tenant by running Connect-SPOService -Url https://company-admin.sharepoint.com
- Execute Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
- If the previous command fails with an error, your SharePoint Online Management Shell is an older version; ensure that 16.0.23710.12000 or later is installed and used.
- Source: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/apps/cannot-register-app-update-permissions
- Then follow the steps below
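The two tenant checks above (the 401 note from July 2024 and the September 2023 registration fix) can be done in one pre-flight run. The script below is an added example, not part of the original page or of ReplaceMagic; it is meant for the SharePoint Online Management Shell started as Administrator. It assumes "contoso" is a placeholder for your tenant name and that Get-SPOTenant reports the two settings under the same names as the corresponding Set-SPOTenant parameters. It reads both settings first and only changes the ones that actually block App-Only.

```powershell
# Added example (not part of the original page or of ReplaceMagic).
# Pre-flight for the two tenant settings this page mentions. Run in the
# SharePoint Online Management Shell, started with "Run as Administrator".
# Assumption: "contoso" is a placeholder for your tenant name.

$TenantName      = "contoso"                        # placeholder
$AdminUrl        = "https://$TenantName-admin.sharepoint.com"
$RequiredVersion = [version]"16.0.23710.12000"      # minimum version named on the page

# 1. Refuse to continue on an older module; the Set-SPOTenant parameter
#    used in step 5 does not exist there and only produces a vague error.
$module = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
          Sort-Object Version -Descending | Select-Object -First 1
if (-not $module -or $module.Version -lt $RequiredVersion) {
    throw "SharePoint Online Management Shell $RequiredVersion or later is required (found: $($module.Version))."
}
Import-Module Microsoft.Online.SharePoint.PowerShell

# 2. Connect to the tenant admin site (interactive sign-in prompt).
Connect-SPOService -Url $AdminUrl

# 3. Read the current tenant-level values before changing anything.
#    Assumption: both properties are exposed by Get-SPOTenant under these names.
$tenant = Get-SPOTenant
Write-Host "DisableCustomAppAuthentication              : $($tenant.DisableCustomAppAuthentication)"
Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled: $($tenant.SiteOwnerManageLegacyServicePrincipalEnabled)"

# 4. App-Only (ACS) authentication is blocked while this is $true; this is the
#    setting behind the 401 described in the July 2024 note.
if ($tenant.DisableCustomAppAuthentication) {
    Set-SPOTenant -DisableCustomAppAuthentication $false
    Write-Host "App-Only authentication enabled; allow 10-15 minutes before retrying after a 401."
}

# 5. Needed so that appinv.aspx can register/grant the legacy service principal
#    (the September 2023 fix).
if (-not $tenant.SiteOwnerManageLegacyServicePrincipalEnabled) {
    Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
    Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled set to true."
}
```

Both settings are tenant-wide, so record the values printed in step 3 before the script changes them; that makes it easy to restore the original state once the ReplaceMagic work is finished and the app registration has been deleted.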
Update of 13th of September, 2023 - New app registration method:
- Go to https://portal.azure.com and register an application
- Note the Application (client) ID and click on Client credentials.
- Create a new client secret:
Set the validity that you need, but do not forget to delete the app when you are done.
- Make sure to copy the secret value somewhere, as this is the only time it is shown:
- Go to https://YOURTENANT-admin.sharepoint.com/_layouts/15/appinv.aspx, look up the App ID and in App's Permissions enter:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
(the redirect URL is optional)
- Confirm that you trust ReplaceMagic:
- Go to ReplaceMagic and add the SharePoint site with the App-Only authentication mode, the App ID and the secret:
- Afterwards select the location for processing and continue using ReplaceMagic normally
- Do not forget to delete the app registration when you are done
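Before entering the App ID and secret in ReplaceMagic it is useful to confirm that the grant made on appinv.aspx actually works, and to separate a wrong secret from the tenant-level 401 described in the July 2024 note. The script below is an added example, not part of the original page or of ReplaceMagic, and applies equally to the new registration method above and to the old appregnew.aspx method further down, since both are granted on appinv.aspx. It requests a token from ACS with the client credentials and performs a single read-only call. Assumptions: Windows PowerShell 5.1 (the shell the SharePoint Online Management Shell runs in), "contoso" as a placeholder tenant name, and the `<Application (client) ID>` placeholder replaced with your own value.

```powershell
# Added example (not part of the original page or of ReplaceMagic).
# Verifies an App-Only registration end-to-end with one read-only request.
# Assumptions: Windows PowerShell 5.1; "contoso" and the client ID are placeholders.

$TenantName = "contoso"                       # placeholder
$SiteUrl    = "https://$TenantName.sharepoint.com"
$ClientId   = "<Application (client) ID>"     # placeholder, from the portal
$Secret     = Read-Host "Client secret" -AsSecureString
$PlainSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret))

# 1. Discover the tenant realm (tenant ID) from the 401 challenge that
#    SharePoint returns for an empty bearer token.
$challenge = $null
try {
    Invoke-WebRequest -Uri "$SiteUrl/_vti_bin/client.svc/" `
        -Headers @{ Authorization = "Bearer" } -UseBasicParsing | Out-Null
} catch {
    # In Windows PowerShell 5.1 the response is an HttpWebResponse.
    $challenge = $_.Exception.Response.Headers["WWW-Authenticate"]
}
if ($challenge -notmatch 'realm="([0-9a-fA-F-]+)"') {
    throw "Could not read the realm from the challenge: $challenge"
}
$Realm = $Matches[1]

# 2. Client-credentials request to ACS. The SharePoint Online principal ID
#    00000003-0000-0ff1-ce00-000000000000 is a fixed, well-known value.
$SpoPrincipal = "00000003-0000-0ff1-ce00-000000000000"
$body = @{
    grant_type    = "client_credentials"
    client_id     = "$ClientId@$Realm"
    client_secret = $PlainSecret
    resource      = "$SpoPrincipal/$TenantName.sharepoint.com@$Realm"
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://accounts.accesscontrol.windows.net/$Realm/tokens/OAuth/2" -Body $body
$AccessToken = $tokenResponse.access_token

# 3. One harmless read call. If the web title comes back, the permission
#    XML granted on appinv.aspx is in effect for this app.
$web = Invoke-RestMethod -Uri "$SiteUrl/_api/web?`$select=Title" -Headers @{
    Authorization = "Bearer $AccessToken"
    Accept        = "application/json;odata=nometadata"
}
Write-Host "App-Only access confirmed to site: $($web.Title)"
```

How to read the outcome: a failure in step 2 means ACS rejected the client ID or secret (check the value you copied and that the App ID on appinv.aspx matches the portal); a token in step 2 followed by a 401 in step 3 points at the tenant setting DisableCustomAppAuthentication from the July 2024 note rather than at the registration itself.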
OLD METHOD
Important: Use in case that Legacy Authentication mode is disabled in your SharePoint sites
From Microsoft article: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs:
SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online. The steps below show how to set up an app principal with tenant full control permissions, but obviously you could also grant just read permissions using this approach.
Setting up an app-only principal with tenant permissions
Navigate to a site in your tenant (e.g. https://contoso.sharepoint.com) and then call the appregnew.aspx page (e.g. https://contoso.sharepoint.com/_layouts/15/appregnew.aspx). In this page click on the Generate button to generate a client id and client secret and fill in the remaining information like shown in the screenshot below.
Next step is granting permissions to the newly created principal. Since we're granting tenant scoped permissions this granting can only be done via the appinv.aspx page on the tenant administration site. You can reach this site via https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx. Once the page is loaded add your client id and look up the created principal:
To grant permissions, you'll need to provide the permission XML that describes the needed permissions. Since this application needs to be able to access all sites + also uses search with app-only it needs below permissions:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
ReplaceMagic remark - the possible values for Right (the XML example above uses FullControl) are:
- Read
- Write
- Manage
- FullControl
To give ReplaceMagic enough privileges to preserve the last modified date, editor, approval and publish status and similar metadata, we recommend using FullControl.
When you click on Create you'll be presented with a permission consent dialog. Press Trust It to grant the permissions:
Of course, please replace contoso with your site name.
================================================
Important: After setting App-Only for ReplaceMagic in your SharePoint you will need to restart ReplaceMagic before you can use this mode!
================================================
To use App-Only authentication in ReplaceMagic, open the form where you create a SharePoint connection, select "App-Only Authentication [BETA]" in the "Authentication mode" drop-down, enter the generated values in Client/App ID and Client Secret:
and connect to your SharePoint site.