Group.ReadWrite.All permission does not work for applying PNPTemplate to SharePoint Site

Pradeep Kumar Mishra 21 Reputation points
2021-04-20T11:19:06.353+00:00

Issue: Group.ReadWrite.All permission does not work for applying PNPTemplate to SharePoint Site

Description:

  • Trying to apply a PNPTemplate to a SharePoint site, using modern authentication code. I have added the "Group.ReadWrite.All" permission in the AAD app (Azure portal).
  • Using the code below to get the "AccessToken".

AuthenticationContext authContext = new AuthenticationContext(Authority);
UserPasswordCredential credential = new UserPasswordCredential(userName, securePassword);
Authresult = Task.Run(() => authContext.AcquireTokenAsync(resourceUrl, ClientID, credential)).Result;

  • Once the access token is received, using the code below to get the "clientcontext" of the "SharePoint" site.

ClientContext context = getContext(siteUrl);
context.ExecutingWebRequest += delegate (object sender, WebRequestEventArgs e)
{
    e.WebRequestExecutor.WebRequest.UserAgent = "NONISV|Microsoft|CampusProjectSite/1.0";
    e.WebRequestExecutor.RequestHeaders["Authorization"] = Authresult.CreateAuthorizationHeader();
};
context.Load(context.Web);
context.ExecuteQueryRetry();

  • Using the above clientcontext object to get the PNPTemplate of the "SharePoint" site, but it throws an "access denied" error.

ProvisioningTemplateCreationInformation ptci = new ProvisioningTemplateCreationInformation(context.Web);
ProvisioningTemplate template1 = context.Web.GetProvisioningTemplate(ptci);

  • Complete error: "Access denied. You do not have permission to perform this action or access this resource"

Solution:

  • The moment I add the "AllSites.FullControl" permission in the "AAD app", the above code works and the issue is resolved.

Question:
My understanding is that even with the "Group.ReadWrite.All" permission the above code should work, with no need to explicitly add the "AllSites.FullControl" permission. Please guide me on this.

Similar Issues:

  • The same issue exists while "adding/updating" permissions in a SharePoint site and List/Library.
  • The same issue exists while checking "GetUserEffectivePermissions" permission for any user.

Accepted answer
  1. Jerryzy 10,566 Reputation points
    2021-04-21T03:05:56.693+00:00

    Hi @Pradeep Kumar Mishra ,

    "Group.ReadWrite.All" is used to create groups and read all group properties and memberships; this permission type has nothing to do with SharePoint sites.

    Applying PnPProvisionTemplate is expected to work with "Site.FullControl.All", as it will provision a lot of content into the new SharePoint site, such as permission levels, Site Groups and Unique Permissions for List/Library. All of this content needs to be set with full control permission on the new site.

    Hope this will clear up your concern.

    Thanks
    Best Regards


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
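
A diagnostic for the "access denied" case in this thread, added here as an example and not part of the question or the accepted answer: it decodes the access token's JWT payload and checks whether the delegated-scope claim `scp` contains the `AllSites.FullControl` scope named in the question. It assumes the access token is a JWT and that System.Text.Json is available; the class name, the `contoso` host and the sample token are constructed.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenScopeCheck
{
    // Decode one base64url JWT segment. No signature validation: this is a
    // diagnostic for a token you acquired yourself, not an authorization check.
    static string DecodeSegment(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Return the audience ("aud") and delegated scopes ("scp") of an access token.
    public static (string Audience, string[] Scopes) Inspect(string accessToken)
    {
        string[] parts = accessToken.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a three-part JWT.");
        using (JsonDocument doc = JsonDocument.Parse(DecodeSegment(parts[1])))
        {
            string Claim(string name) =>
                doc.RootElement.TryGetProperty(name, out JsonElement v) &&
                v.ValueKind == JsonValueKind.String ? v.GetString() : "";
            return (Claim("aud"),
                    Claim("scp").Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries));
        }
    }

    static string Encode(string json) => Convert.ToBase64String(
        Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample token: placeholder tenant, fake signature.
        string token = Encode("{\"alg\":\"none\"}") + "." + Encode(
            "{\"aud\":\"https://contoso.sharepoint.com\",\"scp\":\"AllSites.Read\"}") + ".sig";

        var (aud, scopes) = Inspect(token);
        const string required = "AllSites.FullControl"; // scope named in the question
        Console.WriteLine($"aud = {aud}");
        Console.WriteLine($"scp = {string.Join(" ", scopes)}");
        Console.WriteLine(scopes.Contains(required, StringComparer.OrdinalIgnoreCase)
            ? $"{required} is on the token"
            : $"{required} is NOT on the token");
    }
}
```

With the question's code, pass `Authresult.AccessToken` to `Inspect` and compare `aud` with the resource the token was requested for.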

