Hello SharePoint guys,
In my day-to-day and research tasks, I often create app principals in SharePoint Online. Depending on my needs, they get various privileges (Read-Only, Write or Full Control on lists, webs or site collections). One thing I had never needed so far is an app principal with Full Control on the whole tenant. It turns out this scenario requires a few unusual steps compared with the others, so I decided to write down a few words about my own investigation and hope it will help! The context: my external management app (not a SharePoint add-in) requires app-only Full Control on the whole tenant.
Trying the usual way
I go to the root site collection of my tenant, open the usual appregnew.aspx page (https://yourtenant.sharepoint.com/_layouts/15/appregnew.aspx) and register my app principal.
As usual, I need to keep the generated information (Client Id, Client Secret) in a safe place: the client secret is the only credential this principal has, so anyone holding it can act with whatever permissions I grant next. The usual second step is to grant the app principal the permissions I want it to have. For that I go to the appinv.aspx page (https://yourtenant.sharepoint.com/_layouts/15/appinv.aspx), look up my App Id and enter the proper permission request XML.
I know the XML must be the following (AllowAppOnlyPolicy="true" is required because the app will call SharePoint without a signed-in user, and the tenant scope is what makes the grant cover every site collection):
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
And I know I'll be redirected to a page asking whether I trust this application, but...
There are two unusual things here:
- A red message that reads "Your tenant administrator has to approve this app."
- The "Trust it" button that I usually need to click is greyed out
Well, pretty annoying since I am the tenant administrator....
Ok, Let's adapt...
I suspect that, for security reasons, I need to do it from the SharePoint admin center. I will probably have to register the app principal from https://yourtenant-admin.sharepoint.com/_layouts/15/appregnew.aspx ...
Dead end...
By the way, it is quite an odd error message because I am still logged in as the tenant administrator. OK, I cannot create a new app principal from the SharePoint admin center, but maybe I can grant permissions to the one I created previously? Let's try it! I go to https://yourtenant-admin.sharepoint.com/_layouts/15/appinv.aspx, and I reach a page!
Apart from some different styling, this page looks familiar! I look up my App Id and I find it!
Let's enter the permissions XML here and click Create. It looks like it is working! The last thing is to make sure my app principal actually has the permissions. In a PowerShell console with PnP PowerShell properly installed, I enter the following commands:
Connect-PnPOnline https://<your-tenant>-admin.sharepoint.com -AppId <your-app-id> -AppSecret <your-app-secret>
Get-PnPTenantSite
I get the list of site collections, which means the app-only token was issued (so the Client Id / Client Secret pair is valid) and the principal really holds tenant-level permissions: enumerating site collections from the admin site is not something a grant made at site-collection scope would allow.
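Here is a slightly more complete version of that check, as an added example that is not from the original post: it prompts for the secret instead of typing it in clear on the command line, probes both the admin site (tenant scope) and the root site collection (content scope) with the same app-only identity, and reports any failure. The tenant name and client id are placeholders supplied by the caller, and the script assumes the legacy SharePointPnPPowerShellOnline parameter names (-AppId/-AppSecret) used above.

```powershell
# Added example (not code from the original post): end-to-end check of a
# tenant-scoped, app-only principal with PnP PowerShell.
# Assumptions: legacy SharePointPnPPowerShellOnline parameter names
# (Connect-PnPOnline -AppId/-AppSecret) as used in the post; tenant name and
# client id are placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$Tenant,  # "yourtenant" for yourtenant.sharepoint.com
    [Parameter(Mandatory = $true)][string]$AppId    # Client Id generated on appregnew.aspx
)

# Turn every cmdlet error into a terminating one so the try/catch below sees it.
$ErrorActionPreference = 'Stop'

$adminUrl = "https://$Tenant-admin.sharepoint.com"
$rootUrl  = "https://$Tenant.sharepoint.com"

# The client secret is the principal's only credential: prompt for it (or read it
# from a secret store) rather than hard-coding it or leaving it in shell history.
$secureSecret = Read-Host -Prompt "Client secret for app $AppId" -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureSecret)
try     { $appSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Connect app-only to $Url, run $Probe and report. Returns the probe result, or $null on failure.
function Test-AppOnlyAccess {
    param([string]$Url, [string]$Label, [scriptblock]$Probe)
    try {
        Connect-PnPOnline -Url $Url -AppId $AppId -AppSecret $appSecret
        $result = & $Probe
        Write-Host "[OK]   $Label"
        return $result
    }
    catch {
        # A rejected token request points at the Client Id / Client Secret pair.
        # A token that is issued but then gets "Access denied" / 401 from SharePoint
        # usually means the grant was made on a regular site collection's appinv.aspx
        # instead of the admin center's, so it never became tenant-scoped.
        Write-Host "[FAIL] $Label : $($_.Exception.Message)"
        return $null
    }
    finally {
        # Drop the connection whatever happened; ignore "no connection" complaints.
        try { Disconnect-PnPOnline } catch { }
    }
}

# 1. Tenant scope: enumerating site collections requires the tenant-level grant,
#    which a principal granted at site-collection scope cannot do.
$sites = Test-AppOnlyAccess -Url $adminUrl -Label "tenant : Get-PnPTenantSite" -Probe { Get-PnPTenantSite }
if ($sites) { Write-Host ("        {0} site collection(s) visible to {1}" -f @($sites).Count, $AppId) }

# 2. Content scope: FullControl on http://sharepoint/content/tenant must also open
#    any site collection, here the root one, without a separate grant on that site.
$web = Test-AppOnlyAccess -Url $rootUrl -Label "content: Get-PnPWeb on root site" -Probe { Get-PnPWeb }
if ($web) { Write-Host ("        root web title: {0}" -f $web.Title) }

# Clear the plain-text secret from the session once done.
Remove-Variable -Name appSecret, secureSecret -ErrorAction SilentlyContinue
```

Run it as `.\Test-TenantAppPrincipal.ps1 -Tenant yourtenant -AppId <your-app-id>` and paste the secret when prompted. Both probes should print [OK]; if the first one fails while the secret is accepted, the grant most likely went through a regular site collection's appinv.aspx rather than the admin center's.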
Note
This seems to be a behavior that changed over time, at least on SharePoint Online: you might find outdated content on the Internet saying you can use the regular way to give tenant-scope privileges to app principals, but it is no longer valid since August 2016. After my own investigations, I wanted to confirm them, and after a bit of googling I found this: https://msdn.microsoft.com/en-us/pnp_articles/how-to-provide-add-in-app-only-tenant-administrative-permissions-in-sharepoint-online (as always a PnP article ;) Damn, they cover so much! Thanks guys!)
I hope this will help people who encountered the same issue as I did. Do not hesitate to leave comments!
See ya!
Yannick