Need a practical solution for new O365 tenants that install our multi-tenant app from the SharePoint Store and face a “401 unauthorized” error

Uditha Ranasinghe 1 Reputation point
2021-01-04T12:13:39.723+00:00

We have a Multi-Tenant application. It is a Provider-hosted SharePoint Add-in. The app can be found and installed from the SharePoint Store. The remote web application and data source connected to the app is running on Azure. For authentication we use Azure AD.

Admin users of various Office 365 tenants install our app from the store. Then they can provision their own instance of our app. Our back-end Azure services (i.e. the web app service and web jobs) must then be able to interact with the SharePoint components (i.e. users, permissions, document libraries, etc.) of each SharePoint app instance. In short, we need to manage the SharePoint App Web of each tenant via CSOM.

To access SharePoint Online (i.e. the App Web only) from the Azure application context we use CSOM, and for authentication we use a mechanism called “SharePoint App-Only”. This was working fine without any issue until September 2020. New Office 365 tenants that install our app get a “401 unauthorized” error when CSOM tries to execute any query against SharePoint Online via the ClientContext (i.e. one created using the ClientID and ClientSecret). We then found a temporary fix for this error via the following link.

https://learn.microsoft.com/en-us/answers/questions/90187/sharepoint-app-only-add-ins-throwing-401-unauthori.html

But because of our app model we do not know which new tenants will install our app. Also, we cannot ask their admins to run the command “Set-SPOTenant -DisableCustomAppAuthentication $false” just for our app, since this setting is global and a tenant default. This is not practical.

Now we need to find a new solution for authentication.

Going through Microsoft documentation we found that the other way is to do it via “Azure AD App-Only”. The link we referred is the following.

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

This method requires API permissions of the “Application permissions” type to access and modify SharePoint Online from an application context (note that we cannot use “Delegated permissions”). Just to work with the App Web we need admin consent for “Sites.FullControl.All”. But this is too much for our app, since we only need full control over the App Web. We do not need permission to manage all SharePoint sites, or even the Host Web. In fact, a new Office 365 tenant that installs our app will not approve this consent at all. Hence this solution is not practical in our business model.

I assume this must be a common issue for multi-tenant provider-hosted SharePoint Add-ins. But I am unable to find any problems raised or any solutions given for such a scenario.

Can you please help me find a practical solution for the new O365 tenants that install our app from the SharePoint Store marketplace and face the “401 unauthorized” error?


2 answers

  1. Marilee Turscak-MSFT 36,861 Reputation points Microsoft Employee
    2021-01-04T22:22:56.757+00:00

    You can share product feedback on user voice. https://feedback.azure.com/

    I have also reached out to the product team to get input on a solution.

    Edit: Product team has confirmed as well that leaving product feedback is the best approach. Thanks to @MichaelHan-MSFT for the detailed response.


  2. MichaelHan-MSFT 18,036 Reputation points
    2021-01-05T06:40:16.49+00:00

    Hi @Uditha Ranasinghe ,

    According to the documentation https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly, there are currently only two approaches for doing app-only for SharePoint.

    So, there is currently no other practical solution that would solve your issue. You could submit feedback on user voice: https://sharepoint.uservoice.com/forums/329220-sharepoint-dev-platform

    Currently, you can only run the command “Set-SPOTenant -DisableCustomAppAuthentication $false” for the new O365 tenants.


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

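The per-tenant workaround referred to in the question and in the answer above, written out as a short admin script. This is an added example, not code from the thread or from Microsoft; it assumes the SharePoint Online Management Shell module is installed, that the person running it is a SharePoint administrator of the tenant in question, and `contoso` is a placeholder tenant name. It reads the current value of `DisableCustomAppAuthentication` first, so an admin can confirm that this setting is actually the cause of the 401 before flipping a tenant-wide switch.

```powershell
# Added example (not from the thread): check why SharePoint App-Only
# (client ID / client secret) calls return 401 in a tenant, and apply the
# tenant-wide workaround only if the setting is really the cause.
# Placeholder: replace with the target tenant's short name.
$TenantName = "contoso"

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$tenant = Get-SPOTenant

if ($tenant.DisableCustomAppAuthentication) {
    Write-Host "DisableCustomAppAuthentication is True:"
    Write-Host "  client-secret based SharePoint App-Only auth is blocked, which yields 401 for CSOM calls."

    # Tenant-wide switch: this re-enables legacy (ACS) app-only auth for EVERY
    # add-in in the tenant, not just this one. The change can take some time
    # to take effect for new tokens.
    Set-SPOTenant -DisableCustomAppAuthentication $false

    Write-Host "Re-enabled custom app authentication; retry the CSOM call after propagation."
}
else {
    Write-Host "Custom app authentication is already enabled; the 401 has another cause"
    Write-Host "(e.g. wrong ClientId/ClientSecret, expired secret, or missing app permissions)."
}

# Optional: read the value back to confirm the change was accepted.
(Get-SPOTenant).DisableCustomAppAuthentication
```

Two caveats a practitioner should keep in mind. First, the setting is tenant-scoped, which is exactly the objection raised in the question: flipping it benefits every add-in that relies on client-secret authentication, not only the one being installed, and it has to be done by an administrator of each customer tenant. Second, the `$true` default that new tenants receive is the more secure posture (no shared-secret app-only tokens for the whole tenant), so an installer asking customers to set it to `$false` is asking them to lower their baseline, which is why the alternative discussed in the question is certificate-based Azure AD app-only authentication despite its broader consent requirement.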
