SharePoint App-Only Add-ins throwing 401 Unauthorized on newly created O365 tenants

Paulius Baltrėnas 271 Reputation points


We have noticed that our SharePoint Add-In cannot get permissions on a newly created trial O365 tenant.

While getting the ClientContext with ClientID and ClientSecret we get this error "The remote server returned an error: (401) Unauthorized."

We have tried to register a new app-only principal to test if it works on a new tenant by following this documentation from Microsoft:
After registering and trying again, on the new tenant we got the exact same error "The remote server returned an error: (401) Unauthorized."

But when we tried on an older tenant that we had, it worked fine for both our SharePoint Add-In and for a newly registered principal.

Very simple call using OfficeDevPnP nuget.

OfficeDevPnP.Core.AuthenticationManager am = new OfficeDevPnP.Core.AuthenticationManager();
using (Microsoft.SharePoint.Client.ClientContext context = am.GetAppOnlyAuthenticatedContext(createEntity.AppUrl, clientId, clientSecret))
{
    Web web = context.Web;
    context.Load(web, w => w.Id, w => w.Title);
    // Load only queues the request; ExecuteQuery sends it to SharePoint
    context.ExecuteQuery();
}

Is anyone else having the same issue on fresh newly created O365 tenants?

Or maybe there is some new setting to allow using "SharePoint App-Only" authentication?

I have posted the same question to another forum, but was redirected to post here also.


Accepted answer
  1. Amos Wu-MSFT 4,051 Reputation points

    I would suggest that you create a service request in the admin center, so our engineers could help you check this issue.

    You could try running the command below:

    Set-SPOTenant -DisableCustomAppAuthentication $false  

    Tip: You need to update the SharePoint Online Management Shell to the latest version.


    2 people found this answer helpful.

11 additional answers

  1. Paulius Baltrėnas 271 Reputation points

    What is the solution to have App-Only Add-In authentication but with DisableCustomAppAuthentication set to true?
    Basically, to have the Add-In working on a new tenant without changing any tenant settings?

    1 person found this answer helpful.

  2. Paulius Baltrėnas 271 Reputation points

    For the Unauthorized, there is also an additional setting in the SP Admin.

    1. Go to
    2. Apps that don't use modern authentication
    3. Allow access
    4. It does take time to apply
    5. Check the “Unmanaged devices” and make sure that “Allow full access from desktop apps, mobile apps and the web” is selected. (This is only applicable if that feature is enabled on your tenant)

    Hope this helps.

    The other option is to implement authentication using "Granting access via Azure AD App-Only"

    1 person found this answer helpful.
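
A read-only check of the tenant settings named in the two answers above, added here as an example and not posted by anyone in the thread. Assumptions: the admin URL is a placeholder, `Get-AppOnlyBlockers` is a hypothetical helper name, and the admin-center options "Apps that don't use modern authentication" and "Unmanaged devices" are read through the `LegacyAuthProtocolsEnabled` and `ConditionalAccessPolicy` properties of `Get-SPOTenant`.

```powershell
# Added example: report the tenant settings discussed in this thread without changing them.
# Requires the SharePoint Online Management Shell and a SharePoint admin account.

function Get-AppOnlyBlockers {
    param([Parameter(Mandatory)] $Tenant)

    # Setting name -> value under which the thread reports app-only calls succeeding
    $expected = [ordered]@{
        DisableCustomAppAuthentication = $false            # accepted answer
        LegacyAuthProtocolsEnabled     = $true             # "Apps that don't use modern authentication"
        ConditionalAccessPolicy        = 'AllowFullAccess' # "Unmanaged devices"
    }

    foreach ($name in $expected.Keys) {
        $prop = $Tenant.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # Older module builds do not return the property at all (see the tip about updating the shell)
            $state = 'Not exposed by this module version; update the shell'
        } elseif ("$($prop.Value)" -eq "$($expected[$name])") {
            $state = 'Permits app-only'
        } else {
            $state = 'May block app-only'
        }
        [pscustomobject]@{
            Setting = $name
            Value   = $prop.Value
            State   = $state
        }
    }
}

# Placeholder URL: replace "contoso" with the tenant name (assumption, not from the thread)
$AdminUrl = 'https://contoso-admin.sharepoint.com'
Connect-SPOService -Url $AdminUrl

Get-AppOnlyBlockers -Tenant (Get-SPOTenant) | Format-Table -AutoSize
```

Running it before and after `Set-SPOTenant -DisableCustomAppAuthentication $false` shows whether the change was actually stored, which helps separate a setting that has not applied yet from a 401 with another cause.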

  3. Jone 1 Reputation point

    I created a trial tenant on 25/8 and deployed my custom solution that uses app-only principals to do requests to SharePoint. It has a timer Azure Function running every hour and it worked fine until about 26/8 11pm UTC. After that it has only given the 401 unauthorized.

    To understand how wide this issue is, what regions are your new tenants located in? I created mine in Australia.

  4. Iain Lennox 1 Reputation point

    Same issue today on two new tenants created last week for customers; when we deploy our existing app and it tries to authenticate with the new tenant, we get "The remote server returned an error: (401) Unauthorized."

    Both tenants located in EU/UK

    Tried running above suggested command Set-SPOTenant -DisableCustomAppAuthentication $false

    Still getting 401