Sharepoint Online AppOnly Access 403 errors after registering app

Mario Menor Gisbert 1 Reputation point
2022-03-16T07:59:51.527+00:00

I have been trying to access a Sharepoint site (from a Teams Group) from ADF or via Rest Services with no luck:

Here is what we've done:

  • We have followed instructions to register the app in the appregnew.aspx menu.
  • Also we have granted read access in te appreginv.aspx menu with the following config
    <AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest
    Scope="http://sharepoint/content/sitecollection/web"
    Right="Read"/></AppPermissionRequests>
  • And we can see the app correctly registered in the appprincipals.aspx of the site.

And here what we got

  • We can get a token by calling https://accounts.accesscontrol.windows.net/XXXXX/tokens/OAuth/2
  • We can call correctly to Connect-PnPOnline
  • We only get 403 errors when trying to call the _api/web endpoints
  • We also get 403 errors when trying to use Get-Pnpxxx commands from PowerShell
  • We get a coud not get OData-metadata error when trying to create a Linked Service in Azure Data Factory with this credentials.

We've done this in two different sharepoint online domains. It turns it works just fine in the one used as a Proof-of-Concept where I am the admin/owner/creator of the Teams Group that holds de Sharepoint (I'm not an admin for the ShP domain). For the other one I still not have confirmation that the person that registered the app and set the permissions is the owner/creator of the Teams Group but he does have permission to grant access to users.

¿What could be the reasons of this forbidden access response? I can only think of two reasons for it but I don't know how to check them:

  • AppOnly access disabled in the Sharepoint Online domain (¿How can we check?)
  • Granting user not being the site Owner/Creator (I'm currently trying to check) since I've read some responses in this direction but I cannot find an explanation.

Sharepoint Online admins might not be easily available since the sharepoint domain is owned by a big holding and we are working for a newly created growing subsidiary ,so we tried this approach that seemed to need only Sharepoint site admins to register the permission.

Edit
It is Working now. A Teams Channel is a sharepoint site by itself and grants given at the sharepoint site of the Teams Group holding the channel do not pass through.

Azure Synapse Analytics
Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.
4,465 questions
SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,843 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Tong Zhang_MSFT 9,121 Reputation points
    2022-03-17T02:20:40.91+00:00

    Hi @Mario Menor Gisbert ,
    According to my testing and research, this may be a permission issue ,please try to use full control and check if any errors are reported.
    Here is a document you can refer to:
    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs#setting-up-an-app-only-principal-with-tenant-permissions


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.