SharePoint App-Only Add-ins throwing 401 Unauthorized on newly created O365 tenants

Paulius Baltrėnas 261

Hi,

we have noticed that our SharePoint AddIn cannot get permissions on a newly created trial O365 tenant.

While getting the ClientContext with ClientID and ClientSecret we get this error "The remote server returned an error: (401) Unauthorized."

We have tried to register a new app-only principal to test if it works on a new tenant by following this documentation from Microsoft:

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
After registering and trying again, on the new tenant we got the exact same error "The remote server returned an error: (401) Unauthorized."

But when we tried on an older tenant that we had, it worked fine for both our SharePoint Add-In and for a newly registered principal.

Very simple call using OfficeDevPnP nuget.

OfficeDevPnP.Core.AuthenticationManager am = new OfficeDevPnP.Core.AuthenticationManager();
using (Microsoft.SharePoint.Client.ClientContext context = am.GetAppOnlyAuthenticatedContext(createEntity.AppUrl, clientId, clientSecret))
{
Web web = context.Web;
context.Load(web, w => w.Id, w => w.Title);
context.ExecuteQueryRetry();
}

Is anyone else having the same issue on fresh newly created O365 tenants?

Or maybe there is some new setting to allow using "SharePoint App-Only" authentication?

I have posted the same question to another forum, but was redirected to post here also.
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sharepoint-mso_win10-mso_o365b/sharepoint-app-only-add-ins-throwing-401/962bfaa2-8604-4e94-ae1c-36ef5b453ed2?tm=1599640808879

Danny Thian 1 Reputation point

2020-09-11T02:17:08.777+00:00

We have experienced the same issue as well. It only happens in new tenant. No issue in old tenants.
Paulius Baltrėnas 261 Reputation points

2020-09-11T07:17:04.06+00:00

If you get anywhere, could you please update us on this?
Amos Wu-MSFT 4,051 Reputation points

2020-09-16T06:27:38.76+00:00

Hi @Paulius Baltrėnas ,@Danny Thian ,
You could try the updated command in my first answer.
Amos Wu-MSFT 4,051 Reputation points

2020-09-21T04:23:41.227+00:00

Hi @Paulius Baltrėnas ,
Does the updated solution in my first answer help you?
Paulius Baltrėnas 261 Reputation points

2020-09-24T06:02:27.793+00:00

Hi,
yes your updated command helped.
Amos Wu-MSFT 4,051 Reputation points

2020-09-24T06:29:40.327+00:00

Glad to here this.
barry bijoy 26 Reputation points

2021-05-14T14:47:57.657+00:00

I am also facing similar issue, I checked the DisableCustomAppAuthentication value it is already set to false in my environment. The web api was working till last month then it stopped, No changes were done to code. Suddenly it started throwing this error. Cient id and secret is still valid for few more months
Iain Lennox 21 Reputation points

2021-05-14T14:53:38.61+00:00

toggling it on then off and waiting 10/15 minutes worked for us, however we have since switched away from using this authentication (ACS) method with SharePoint, we now use - https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
barry bijoy 26 Reputation points

2021-05-19T06:32:53.227+00:00

I tried toggling the values as well, Still no luck
Chris Clum 26 Reputation points

2021-05-19T15:09:56.687+00:00

I'm having a similar issue with a SharePoint Add-In application attempting to acquire an app-only token. I'd be interested if you find a solution.
barry bijoy 26 Reputation points

2021-05-25T10:59:09.983+00:00

I was using Azure app service to host myapp, Adding following line of code in the startup.Auth.cs in App_start folder fixed my issue

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

Accepted answer

Amos Wu-MSFT 4,051 Reputation points

2020-09-10T09:35:56.287+00:00
I would suggest you to create a service request in admin center,so our engineers could help you check this issue.

---------------------------------
Updated---------------------------
You could try to run below command:

Set-SPOTenant -DisableCustomAppAuthentication $false

Tip:You need to update the SharePoint Online managed shell to the latest version.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

2 people found this answer helpful.
Jone 1 Reputation point

2020-09-18T01:30:52.033+00:00

I tried this in my affected tenant and it seems that it fixed the issue. Thanks a lot for resolving the issue!

Danny Thian 1 Reputation point

2020-09-18T03:17:06.28+00:00

This fixed the issue!

NigelH 11 Reputation points

2021-05-25T20:15:38.797+00:00

Unfortunately this didn’t work for me.
Sign in to comment

11 additional answers

Paulius Baltrėnas 261 Reputation points

2020-11-18T07:52:11.46+00:00

What is the solution to have an App-Only Add-In authenticaton but with DisableCustomAppAuthentication set to true?
Basically have the Add-In working on a new Tenant without changing any tenant settings?
Please sign in to rate this answer.

1 person found this answer helpful.
Gaurav Goyal 1 Reputation point

2020-11-18T10:11:53.987+00:00

If I am creating context with CreateUserClientContextForSPHost function , it is working fine but when I am using CreateAppOnlyClientContextForSPHost function in Provider hosted app, it is throwing same error which you mentioned above.

One more thing, I checked the out of Get-SPOTenant command. It does not have "DisableCustomAppAuthentication" property but after running the command Set-SPOTenant, it is showing the property "DisableCustomAppAuthentication" in output.
Sign in to comment
Paulius Baltrėnas 261 Reputation points

2021-05-20T11:13:37.667+00:00
Hi,
for the Unauthorized there is also an additional settings in the SP Admin.

Go to https://tenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/accessControl

Apps that don't use modern authentication

Allow access

I does take time to apply

Check the “Unmanaged devices” and make sure that “Allow full access from desktop apps, mobile apps and the web” is selected. (This only applicable if that feature is enabled on your tenant)

Hope this help.

The other option is to implement authentication using "Granting access via Azure AD App-Only"
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Jone 1 Reputation point

2020-09-14T03:01:22.947+00:00

I created a trial tenant on 25/8 and deployed my custom solution that uses app-only principals to do requests to SharePoint. It has a timer Azure Function running every hour and it worked fine until about 26/8 11pm UTC. After that it has only given the 401 unauthorized.

To understand how wide issue this is, what regions your new tenants are located in? I created mine in Australia.
Please sign in to rate this answer.
Vesa Juvonen 1 Reputation point

2020-09-22T08:38:18.077+00:00

Hey @Jone ,
can you provide more details around the issue which you are seeing. This change should not have impacted any existing tenants, so we are now collecting more details on those kind of reports. Can you share more details on the setup you have either in here or by using our SharePoint dev issue list at https://aka.ms/spdev-issues.

Region was Australia for you. When was the impacted tenant created? Which permissions your custom solution is using? - what's the overall setup? Does the PowerShell update fix the issue for you?

Thanks for your details advance.

Vesa Juvonen 1 Reputation point

2020-09-22T18:32:28.84+00:00

Hi @Jone ,
we just confirmed internally that the default setting in tenant level was already valid for the 25th of August tenants or we enabled the default setting on 26th of August for all tenants which were created on 25th of August or newer. This is why you have seen the solution to work without issues for a while. Explains the situation.

Iain Lennox 21 Reputation points

2021-02-16T16:17:44.047+00:00

This still seems to be an issue and we need to run the command on tenants for new customers who want to use our app, will this always be the case for new tenants now? Thanks.
Sign in to comment
Iain Lennox 1 Reputation point

2020-09-28T08:07:05.423+00:00

Same issue today on two new tenants created last week for customers, when we deploy our existing app and its tries to authenticate with the new tenant we get "The remote server returned an error: (401) Unauthorized."

Both tenants located in EU/UK

Tried running above suggested command Set-SPOTenant -DisableCustomAppAuthentication $false

Still getting 401
Please sign in to rate this answer.
Paulius Baltrėnas 1 Reputation point

2020-09-28T08:11:40.963+00:00

This setting might take a bit of time to work (5 minutes or so).
I have tried setting to $true and $false to make sure this is the right property, and this new property was causing the 401 in our case.

Iain Lennox 1 Reputation point

2020-09-28T08:32:37.153+00:00

Yes, fixed now, I was just being impatient.
Sign in to comment