Issue: Group.ReadWrite.All permission does not work for applying PNPTemplate to SharePoint Site
Description:
- Trying to apply a PNPTemplate on a SharePoint site, using modern authentication code. I have added the "Group.ReadWrite.All" permission in the AAD app (Azure portal).
- Using the code below to get the access token:
```csharp
// ADAL: acquire a token for resourceUrl with the user's name and password
AuthenticationContext authContext = new AuthenticationContext(Authority);
UserPasswordCredential credential = new UserPasswordCredential(userName, securePassword);
AuthenticationResult Authresult = Task.Run(() => authContext.AcquireTokenAsync(resourceUrl, ClientID, credential)).Result;
```
- Once the access token is received, using the code below to get the ClientContext of the SharePoint site:
```csharp
ClientContext context = getContext(siteUrl);
// Attach the bearer token to every CSOM request
context.ExecutingWebRequest += delegate (object sender, WebRequestEventArgs e)
{
    e.WebRequestExecutor.WebRequest.UserAgent = "NONISV|Microsoft|CampusProjectSite/1.0";
    e.WebRequestExecutor.RequestHeaders["Authorization"] = Authresult.CreateAuthorizationHeader();
};
context.Load(context.Web);
context.ExecuteQueryRetry();
```
- Using the above ClientContext object to get the PNPTemplate of the SharePoint site, but it throws an "access denied" error:
```csharp
ProvisioningTemplateCreationInformation ptci = new ProvisioningTemplateCreationInformation(context.Web);
ProvisioningTemplate template1 = context.Web.GetProvisioningTemplate(ptci);
```
- Complete error: "Access denied. You do not have permission to perform this action or access this resource"
Solution:
- The moment I add the "AllSites.FullControl" permission in the AAD app, the above code works and the issue is resolved.
Question:
My understanding is that even with the "Group.ReadWrite.All" permission the above code should work, with no need to explicitly add the "AllSites.FullControl" permission. Please guide me on this.
Similar Issues:
- The same issue exists while adding/updating permissions in a SharePoint site and List/Library.
- The same issue exists while checking "GetUserEffectivePermissions" permission for any user.
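
A diagnostic for the situation described in this post, as an added example that is not part of the original post: an Azure AD access token is issued for one resource (`aud`) and lists only the delegated scopes granted for that resource (`scp`), so decoding the payload shows which permissions the SharePoint request actually carries. The class name `TokenScopeCheck`, the `contoso` tenant and the sample token are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenScopeCheck
{
    // Decode one base64url segment of a compact JWT (padding is stripped in JWTs).
    static string DecodeSegment(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Helper used only to build the constructed sample token below.
    static string EncodeSegment(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Read the audience and delegated scopes from an access token payload.
    // Diagnostic only: the signature is not validated here.
    public static (string Audience, string[] Scopes) Read(string accessToken)
    {
        string[] parts = accessToken.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        using (JsonDocument doc = JsonDocument.Parse(DecodeSegment(parts[1])))
        {
            JsonElement root = doc.RootElement;
            string aud = root.TryGetProperty("aud", out JsonElement a) ? a.ToString() : "";
            string scp = root.TryGetProperty("scp", out JsonElement s) ? s.ToString() : "";
            return (aud, scp.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries));
        }
    }

    static void Main()
    {
        // Constructed sample token (placeholder tenant, fake signature), not a real one.
        string token = EncodeSegment("{\"alg\":\"none\"}") + "." +
            EncodeSegment("{\"aud\":\"https://contoso.sharepoint.com\",\"scp\":\"AllSites.FullControl\"}") +
            ".sig";
        var (aud, scopes) = Read(token);
        Console.WriteLine("aud = " + aud);
        foreach (string wanted in new[] { "Group.ReadWrite.All", "AllSites.FullControl" })
            Console.WriteLine(wanted + ": " + (scopes.Contains(wanted) ? "present" : "absent"));
    }
}
```

With the code from the post, the string to inspect is `Authresult.AccessToken`; comparing its `scp` list before and after a permission change shows exactly what the app was granted for that resource, which helps keep the grant as narrow as the task allows.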