SharePoint App-Only Add-ins throwing 401 Unauthorized on newly created O365 tenants

Paulius Baltrėnas 261 Reputation points
2020-09-09T11:47:00.883+00:00

Hi,

we have noticed that our SharePoint AddIn cannot get permissions on a newly created trial O365 tenant.

While getting the ClientContext with ClientID and ClientSecret we get this error "The remote server returned an error: (401) Unauthorized."

We have tried to register a new app-only principal to test if it works on a new tenant by following this documentation from Microsoft:

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
After registering and trying again, on the new tenant we got the exact same error "The remote server returned an error: (401) Unauthorized."

But when we tried on an older tenant that we had, it worked fine for both our SharePoint Add-In and for a newly registered principal.

Very simple call using OfficeDevPnP nuget.

OfficeDevPnP.Core.AuthenticationManager am = new OfficeDevPnP.Core.AuthenticationManager();
using (Microsoft.SharePoint.Client.ClientContext context = am.GetAppOnlyAuthenticatedContext(createEntity.AppUrl, clientId, clientSecret))
{
Web web = context.Web;
context.Load(web, w => w.Id, w => w.Title);
context.ExecuteQueryRetry();
}

Is anyone else having the same issue on fresh newly created O365 tenants?

Or maybe there is some new setting to allow using "SharePoint App-Only" authentication?

I have posted the same question to another forum, but was redirected to post here also.
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sharepoint-mso_win10-mso_o365b/sharepoint-app-only-add-ins-throwing-401/962bfaa2-8604-4e94-ae1c-36ef5b453ed2?tm=1599640808879

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,520 questions
{count} votes

Accepted answer
  1. Amos Wu-MSFT 4,051 Reputation points
    2020-09-10T09:35:56.287+00:00

    I would suggest you to create a service request in admin center,so our engineers could help you check this issue.

    ---------------------------------
    Updated---------------------------
    You could try to run below command:

    Set-SPOTenant -DisableCustomAppAuthentication $false  
    

    Tip:You need to update the SharePoint Online managed shell to the latest version.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.

11 additional answers

Sort by: Most helpful
  1. Paulius Baltrėnas 261 Reputation points
    2020-11-18T07:52:11.46+00:00

    What is the solution to have an App-Only Add-In authenticaton but with DisableCustomAppAuthentication set to true?
    Basically have the Add-In working on a new Tenant without changing any tenant settings?

    1 person found this answer helpful.

  2. Paulius Baltrėnas 261 Reputation points
    2021-05-20T11:13:37.667+00:00

    Hi,
    for the Unauthorized there is also an additional settings in the SP Admin.

    1. Go to https://tenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/accessControl
    2. Apps that don't use modern authentication
    3. Allow access
    4. I does take time to apply
    5. Check the “Unmanaged devices” and make sure that “Allow full access from desktop apps, mobile apps and the web” is selected. (This only applicable if that feature is enabled on your tenant)

    Hope this help.

    The other option is to implement authentication using "Granting access via Azure AD App-Only"
    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

    1 person found this answer helpful.
    0 comments No comments

  3. Jone 1 Reputation point
    2020-09-14T03:01:22.947+00:00

    I created a trial tenant on 25/8 and deployed my custom solution that uses app-only principals to do requests to SharePoint. It has a timer Azure Function running every hour and it worked fine until about 26/8 11pm UTC. After that it has only given the 401 unauthorized.

    To understand how wide issue this is, what regions your new tenants are located in? I created mine in Australia.


  4. Iain Lennox 1 Reputation point
    2020-09-28T08:07:05.423+00:00

    Same issue today on two new tenants created last week for customers, when we deploy our existing app and its tries to authenticate with the new tenant we get "The remote server returned an error: (401) Unauthorized."

    Both tenants located in EU/UK

    Tried running above suggested command Set-SPOTenant -DisableCustomAppAuthentication $false

    Still getting 401