SharePoint App-Only Add-ins throwing 401 Unauthorized on newly created O365 tenants

Paulius Baltrėnas 261

Hi,

we have noticed that our SharePoint AddIn cannot get permissions on a newly created trial O365 tenant.

While getting the ClientContext with ClientID and ClientSecret we get this error "The remote server returned an error: (401) Unauthorized."

We have tried to register a new app-only principal to test if it works on a new tenant by following this documentation from Microsoft:

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
After registering and trying again, on the new tenant we got the exact same error "The remote server returned an error: (401) Unauthorized."

But when we tried on an older tenant that we had, it worked fine for both our SharePoint Add-In and for a newly registered principal.

Very simple call using OfficeDevPnP nuget.

OfficeDevPnP.Core.AuthenticationManager am = new OfficeDevPnP.Core.AuthenticationManager();
using (Microsoft.SharePoint.Client.ClientContext context = am.GetAppOnlyAuthenticatedContext(createEntity.AppUrl, clientId, clientSecret))
{
Web web = context.Web;
context.Load(web, w => w.Id, w => w.Title);
context.ExecuteQueryRetry();
}

Is anyone else having the same issue on fresh newly created O365 tenants?

Or maybe there is some new setting to allow using "SharePoint App-Only" authentication?

I have posted the same question to another forum, but was redirected to post here also.
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sharepoint-mso_win10-mso_o365b/sharepoint-app-only-add-ins-throwing-401/962bfaa2-8604-4e94-ae1c-36ef5b453ed2?tm=1599640808879

Danny Thian 1 Reputation point

2020-09-11T02:17:08.777+00:00

We have experienced the same issue as well. It only happens in new tenant. No issue in old tenants.
Paulius Baltrėnas 261 Reputation points

2020-09-11T07:17:04.06+00:00

If you get anywhere, could you please update us on this?
Amos Wu-MSFT 4,051 Reputation points

2020-09-16T06:27:38.76+00:00

Hi @Paulius Baltrėnas ,@Danny Thian ,
You could try the updated command in my first answer.
Amos Wu-MSFT 4,051 Reputation points

2020-09-21T04:23:41.227+00:00

Hi @Paulius Baltrėnas ,
Does the updated solution in my first answer help you?
Paulius Baltrėnas 261 Reputation points

2020-09-24T06:02:27.793+00:00

Hi,
yes your updated command helped.
Amos Wu-MSFT 4,051 Reputation points

2020-09-24T06:29:40.327+00:00

Glad to here this.
barry bijoy 26 Reputation points

2021-05-14T14:47:57.657+00:00

I am also facing similar issue, I checked the DisableCustomAppAuthentication value it is already set to false in my environment. The web api was working till last month then it stopped, No changes were done to code. Suddenly it started throwing this error. Cient id and secret is still valid for few more months
Iain Lennox 21 Reputation points

2021-05-14T14:53:38.61+00:00

toggling it on then off and waiting 10/15 minutes worked for us, however we have since switched away from using this authentication (ACS) method with SharePoint, we now use - https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
barry bijoy 26 Reputation points

2021-05-19T06:32:53.227+00:00

I tried toggling the values as well, Still no luck
Chris Clum 26 Reputation points

2021-05-19T15:09:56.687+00:00

I'm having a similar issue with a SharePoint Add-In application attempting to acquire an app-only token. I'd be interested if you find a solution.
barry bijoy 26 Reputation points

2021-05-25T10:59:09.983+00:00

I was using Azure app service to host myapp, Adding following line of code in the startup.Auth.cs in App_start folder fixed my issue

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

Accepted answer

Amos Wu-MSFT 4,051 Reputation points

2020-09-10T09:35:56.287+00:00
I would suggest you to create a service request in admin center,so our engineers could help you check this issue.

---------------------------------
Updated---------------------------
You could try to run below command:

Set-SPOTenant -DisableCustomAppAuthentication $false

Tip:You need to update the SharePoint Online managed shell to the latest version.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

2 people found this answer helpful.
Jone 1 Reputation point

2020-09-18T01:30:52.033+00:00

I tried this in my affected tenant and it seems that it fixed the issue. Thanks a lot for resolving the issue!

Danny Thian 1 Reputation point

2020-09-18T03:17:06.28+00:00

This fixed the issue!

NigelH 11 Reputation points

2021-05-25T20:15:38.797+00:00

Unfortunately this didn’t work for me.
Sign in to comment

11 additional answers

Gaurav Goyal 1 Reputation point

2020-11-18T06:18:19.917+00:00
I am also facing the same issue with new tenant. This is a serious issue with newly created tenant.
The solution is only the command :

Set-SPOTenant -DisableCustomAppAuthentication $false

Thanks,
Gaurav Goyal
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
NigelH 11 Reputation points

2021-05-20T10:33:13.07+00:00

I've been experiencing the same issue since 22/04, however it's on a tenant that has existed for a couple of years.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
barry bijoy 26 Reputation points

2021-05-25T10:59:43.023+00:00

I was using Azure app service to host my app and facing this issue, Adding following line of code in the startup.Auth.cs in App_start folder fixed my issue

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
Please sign in to rate this answer.
NigelH 11 Reputation points

2021-05-25T20:24:02.067+00:00

I can see why this would work, by forcing it to use TLS1.2

Premier Support finally got back to me after almost 2 weeks to suggest recompiling the applications using .NET Framework 4.8, which only uses TLS1.2.

Doing this fixed one application, and partially fixed another one (some new errors cropped up in the second one now but that seems to relate to changes in the SDK)

It would be nice if the original error messages actually provided some information relating the the cause, instead of simply saying “unauthorised - token invalid”. To me, that indicates an issue with… well… the token. I’m not sure how you’re supposed to figure out that it’s actually TLS from that message.
Sign in to comment
Hicham BOUCHAOUI 1 Reputation point

2021-05-25T18:08:31.777+00:00

Good morning all ,
I need your help
I tried to upload files to a SharePoint online site via an application

Protocol Commands: >>POST https://xxxxxx.sharepoint.com/sites/Transfert_secure/Documents/_api/web/GetFolderByServerRelativeUrl('/sites/Transfert_secure/Documents/Targetfolder')/Files/Add(url='file.txt',overwrite=true) HTTP/1.1

<<HTTP/1.1 401 Unauthorized

I believe that the site should be granted permission through the AD application but I don't know how I could do it ?

Thank you
Please sign in to rate this answer.

0 comments No comments
Sign in to comment