Share via

Issue deleting terms from term store

ShaneMarsden 21 Reputation points
2021-06-29T10:41:58.453+00:00

Hi,

We're trying to resolve an exception occurring when we attempt to delete a term from the term store.

Connection to graph client:

var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(@"cert.pfx", "{password}");
IConfidentialClientApplication clientApp = ConfidentialClientApplicationBuilder
                .Create(appId)
                .WithTenantId(tenantId)
                .WithCertificate(cert)
                .Build();

            var authProvider = new ClientCredentialProvider(clientApp);
     graphClient = new  MicrosoftGraphBeta.Microsoft.Graph.GraphServiceClient(authProvider);

This is the code being used to attempt to delete a single term using the SharePoint API via the PnP Framework package:

string siteUrl = "https://xxxx.sharepoint.com";
using (var clientContext = new PnP.Framework.AuthenticationManager(
    appId,
    @"cert.pfx",
    "{password}",
    "xxxx.onmicrosoft.com")
    .GetContext("https://xxxx.sharepoint.com")) {
TaxonomySession taxonomySession =  TaxonomySession.GetTaxonomySession(clientContext);
TermGroup termGroup = termStore.Groups.GetByName("ADGroups");
    TermSet termSet = termGroup.TermSets.GetByName("TopLevel");
Term term = termSet.Terms.GetByName("GroupOne");
term.DeleteObject();
    termStore.CommitAll();
clientContext.ExecuteQuery();
}

Packages (note we have tried older versions of these packages too):

  • Microsoft.Graph.Auth (v1.0.0-preview.7)
  • Microsoft.Graph.Beta (v4.5.0-preview)
  • Microsoft.Identity.Client (v.4.33.0)
  • PnP.Framework (v.1.5.15-nightly)

The above code fails with the following error:
Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: 'The current user has insufficient permissions to perform this operation.'

Other attempts using previous versions of the packages has resulted in:
Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: 'Access denied. You do not have permission to perform this action or access this resource.'

These errors continue to occur when the following PowerShell command has been run to enable legacy authentication and waiting 24 hours:

    Set-SPOTenant -LegacyAuthProtocolsEnabled $True

The Azure App has been granted admin approval on the following permissions for the Graph API under both application and delegated contexts:

  • Directory.Read.All
  • Group.Read.All
  • GroupMember.Read.All
  • OrgContact.Read.All
  • Sites.FullControl.All
  • TermStore.Read.All
  • TermStore.ReadWrite.All
  • User.Read.All
  • User.ReadWrite.All

The Azure App has been granted admin approval on the following permissions for SharePoint under the delegated context:

  • AllSites.FullControl
  • AllSites.Manage
  • AllSites.Read
  • AllSites.Write
  • Sites.Search.All
  • TermStore.Read.All
  • TermStore.ReadWrite.All
  • User.Read.All
  • User.ReadWrite.All

The Azure App has been granted admin approval on the following permissions for SharePoint under the application context:

  • Sites.FullControl.All
  • Sites.Manage.All
  • Sites.Read.All
  • Sites.ReadWrite.All
  • TermStore.Read.All
  • TermStore.ReadWrite.All
  • User.Read.All
  • User.ReadWrite.All

Looking for assistance in how to resolve the error. Looks like there is a permission missing somewhere.

Thanks.

Microsoft 365 and Office | SharePoint | For business | Windows
0 comments
Answer accepted by question author
  1. MichaelHan-MSFT 18,136 Reputation points
    2021-06-30T03:10:39.763+00:00

    Hi @ShaneMarsden ,

    Per my test, I got the same result as yours on my end. And I find the solution in this article: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/elevated-privileges-in-sharepoint-add-ins

    To allow to use app-only access for writing to Taxonomy Term Store, you'll need to explicitly add app@Srini M identity as a Term Store Administrator in the Taxonomy Term Store administrative user interface. This grants the app-only identity needed permissions for write operations. You do not need to perform this step for read operations.

    So you need to add app@sharepoint identity as a Term Store Administrator, like the below.
    Note: you need to add it in classic term store: https://xxxx-admin.sharepoint.com/_layouts/15/termstoremanager.aspx

    110362-image.png

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.