We have a Multi-Tenant application. It is a Provider-hosted SharePoint Add-in. The app can be found and installed from the SharePoint Store. The remote web application and data source connected to the app is running on Azure. For authentication we use Azure AD.
Admin users of various Office 365 tenants install our app from the market. Then they can provision their own instance of our app. Then our back-end Azure services (i.e. web app service and web jobs) must be able to interact with SharePoint components (i.e. Users/Permissions/Document Libraries/etc.) of each SharePoint app instance. In short, we need to manage the SharePoint App Web of each tenant via CSOM.
To access SharePoint Online (i.e. App Web only) from the Azure application context we use CSOM, and for authentication we use a mechanism called “SharePoint App-Only”. This was working fine without any issue until September 2020. New Office 365 tenants who install our app get a “401 unauthorized” error when CSOM tries to execute any query against SharePoint Online via the ClientContext (i.e. created using the ClientID and ClientSecret). Then we found a temporary fix for this error via the following link.
https://learn.microsoft.com/en-us/answers/questions/90187/sharepoint-app-only-add-ins-throwing-401-unauthori.html
But because of our app model we do not know which new tenants will install our app. Also, we cannot ask their admin to run the command “Set-SPOTenant -DisableCustomAppAuthentication $false” just for our app, since this setting is global and a default. This is not practical.
Now we need to find a new solution for authentication.
Going through Microsoft documentation we found that the other way is to do it via “Azure AD App-Only”. The link we referred to is the following.
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
This method requires API permissions called “Application permissions” to access and modify SharePoint Online via an application context (Note that we cannot use “Delegated Permissions”). Just to work with the App Web we need Admin Consent against “Sites.FullControl.All”. But this is too much for our app since we only need the full control over the App Web. We do not need permission to manage all SharePoint Sites or even the Host Web. In fact, a new Office 365 tenant who installs our app will not approve this consent at all. Hence this solution is not practical to use in our business model.
I assume this should be a common issue for Multi-Tenant Provider-hosted SharePoint Add-ins. But I am unable to find any problems raised or any solutions given for such a scenario.
Can you please help me in finding a practical solution for the new O365 tenants who install our app from the SharePoint Store marketplace and are facing the “401 unauthorized” error?
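For reference, the “Azure AD App-Only” path the question contrasts with the failing ACS-based ClientID/ClientSecret path, as an added illustration that is not part of the original post: a certificate-credentialed ClientContext built with the PnP.Framework `AuthenticationManager` (assumed available via NuGet), with the tenant id, client id, certificate path and app web URL as placeholders; a 401 on the ACS path is the tenant-level `DisableCustomAppAuthentication` setting described above, not something this code can override.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.SharePoint.Client;
using PnP.Framework; // assumed: PnP.Framework NuGet package

static class AppWebAccess
{
    // Placeholders: supplied from the tenant's Azure AD app registration.
    const string TenantId = "<tenant-id>";
    const string ClientId = "<azure-ad-app-client-id>";
    const string CertPath = "<path-to-pfx>";
    const string CertPassword = "<pfx-password>";
    const string AppWebUrl = "https://<tenant>-<appwebid>.sharepoint.com/sites/<site>/<app>";

    // Azure AD app-only: the app registration must hold an *application*
    // permission (e.g. Sites.FullControl.All) that a tenant admin has consented to.
    static ClientContext CreateAzureAdAppOnlyContext()
    {
        var cert = new X509Certificate2(CertPath, CertPassword);
        var auth = new AuthenticationManager(ClientId, cert, TenantId);
        return auth.GetContext(AppWebUrl);
    }

    static void Main()
    {
        try
        {
            using (ClientContext ctx = CreateAzureAdAppOnlyContext())
            {
                ctx.Load(ctx.Web, w => w.Title);
                ctx.ExecuteQuery(); // any CSOM call; fails with 401 if consent is missing
                Console.WriteLine("App web title: " + ctx.Web.Title);
            }
        }
        catch (WebException ex) when ((ex.Response as HttpWebResponse)?.StatusCode == HttpStatusCode.Unauthorized)
        {
            // 401 here means the token was rejected for this tenant: for the Azure AD path,
            // missing admin consent; for the ACS path, DisableCustomAppAuthentication is true.
            Console.WriteLine("401 Unauthorized: check tenant consent / app auth settings.");
        }
    }
}
```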