Group.ReadWrite.All permission does not work for applying PNPTemplate to SharePoint Site

asked 2021-04-20T11:19:06.353+00:00
Pradeep Kumar Mishra 21 Reputation points

Issue: Group.ReadWrite.All permission does not work for applying PNPTemplate to SharePoint Site

Description:

  • I am trying to apply a PNPTemplate to a SharePoint site, using modern authentication code. I have added the "Group.ReadWrite.All" permission to the AAD app (Azure portal).
  • I use the code below to get the "AccessToken".

AuthenticationContext authContext = new AuthenticationContext(Authority);
UserPasswordCredential credential = new UserPasswordCredential(userName, securePassword);
Authresult = Task.Run(() => authContext.AcquireTokenAsync(resourceUrl, ClientID, credential)).Result;

  • Once the access token is received, I use the code below to get the "clientcontext" of the "SharePoint" site.

ClientContext context = getContext(siteUrl);
context.ExecutingWebRequest += delegate (object sender, WebRequestEventArgs e)
{
    e.WebRequestExecutor.WebRequest.UserAgent = "NONISV|Microsoft|CampusProjectSite/1.0";
    e.WebRequestExecutor.RequestHeaders["Authorization"] = Authresult.CreateAuthorizationHeader();
};
context.Load(context.Web);
context.ExecuteQueryRetry();

  • I use the above clientcontext object to get the PNPTemplate of the "SharePoint" site, but it throws an "access denied" error.

ProvisioningTemplateCreationInformation ptci = new ProvisioningTemplateCreationInformation(context.Web);
ProvisioningTemplate template1 = context.Web.GetProvisioningTemplate(ptci);

  • Complete error: "Access denied. You do not have permission to perform this action or access this resource"

Solution:

  • The moment I add the "AllSites.FullControl" permission to the "AAD app", the above code works and the issue is resolved.

Question:
My understanding is that even with the "Group.ReadWrite.All" permission the above code should work, with no need to explicitly add the "AllSites.FullControl" permission. Please guide me on this.

Similar Issues:

  • The same issue exists while "adding/updating" permissions on a SharePoint site and List/Library.
  • The same issue exists while checking the "GetUserEffectivePermissions" permission for any user.

Accepted answer
  1. answered 2021-04-21T03:05:56.693+00:00
    Jerryzy 10,301 Reputation points

    Hi @Pradeep Kumar Mishra ,

    "Group.ReadWrite.All" is used to create groups and read all group properties and memberships. This permission type has nothing to do with the SharePoint site.

    Applying PnPProvisionTemplate is expected to work with "Site.FullControl.All", as it will provision a lot of content into the new SharePoint site, such as permission levels, site groups and unique permissions for List/Library. All of this content needs to be set with full control permission on the new site.

    Hope this will clear up your concern.

    Thanks
    Best Regards
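
To see which delegated scopes an access token like the one in the question actually carries, decode its payload and inspect the `aud` and `scp` claims before calling SharePoint. This is an added example, not code from the original thread; it assumes `System.Text.Json` is available, and the `TokenScopeCheck` class, the unsigned sample tokens and the contoso URL are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenScopeCheck
{
    // Decodes the JWT payload WITHOUT validating the signature: diagnostics only.
    static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using (JsonDocument doc = JsonDocument.Parse(json))
            return doc.RootElement.Clone();
    }

    // Returns a string claim, or "" when the claim is missing or not a string.
    static string Claim(JsonElement payload, string name) =>
        payload.TryGetProperty(name, out JsonElement v) && v.ValueKind == JsonValueKind.String
            ? v.GetString() : "";

    // True only if the token targets expectedAudience and lists requiredScope in "scp".
    public static bool HasDelegatedScope(string jwt, string expectedAudience, string requiredScope)
    {
        JsonElement payload = DecodePayload(jwt);
        bool audienceOk = string.Equals(Claim(payload, "aud").TrimEnd('/'),
            expectedAudience.TrimEnd('/'), StringComparison.OrdinalIgnoreCase);
        string[] scopes = Claim(payload, "scp").Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        return audienceOk && scopes.Contains(requiredScope, StringComparer.OrdinalIgnoreCase);
    }

    // Builds an unsigned, constructed sample token so the example runs offline.
    static string Sample(string payloadJson)
    {
        Func<string, string> enc = s => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return enc("{\"alg\":\"none\"}") + "." + enc(payloadJson) + ".sig";
    }

    static void Main()
    {
        const string site = "https://contoso.sharepoint.com"; // placeholder tenant (constructed)
        string graphOnly = Sample("{\"aud\":\"https://graph.microsoft.com\",\"scp\":\"Group.ReadWrite.All User.Read\"}");
        string sharePoint = Sample("{\"aud\":\"https://contoso.sharepoint.com\",\"scp\":\"AllSites.FullControl\"}");
        Console.WriteLine(HasDelegatedScope(graphOnly, site, "AllSites.FullControl"));
        Console.WriteLine(HasDelegatedScope(sharePoint, site, "AllSites.FullControl"));
    }
}
```

With the ADAL code from the question, pass `Authresult.AccessToken` as the first argument; the audience value to compare against depends on the resource the token was requested for.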