SharePoint App-Only Add-ins throwing 401 Unauthorized on newly created O365 tenants

Paulius Baltrėnas 261

Hi,

we have noticed that our SharePoint AddIn cannot get permissions on a newly created trial O365 tenant.

While getting the ClientContext with ClientID and ClientSecret we get this error "The remote server returned an error: (401) Unauthorized."

We have tried to register a new app-only principal to test if it works on a new tenant by following this documentation from Microsoft:

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
After registering and trying again, on the new tenant we got the exact same error "The remote server returned an error: (401) Unauthorized."

But when we tried on an older tenant that we had, it worked fine for both our SharePoint Add-In and for a newly registered principal.

Very simple call using OfficeDevPnP nuget.

OfficeDevPnP.Core.AuthenticationManager am = new OfficeDevPnP.Core.AuthenticationManager();
using (Microsoft.SharePoint.Client.ClientContext context = am.GetAppOnlyAuthenticatedContext(createEntity.AppUrl, clientId, clientSecret))
{
Web web = context.Web;
context.Load(web, w => w.Id, w => w.Title);
context.ExecuteQueryRetry();
}

Is anyone else having the same issue on fresh newly created O365 tenants?

Or maybe there is some new setting to allow using "SharePoint App-Only" authentication?

I have posted the same question to another forum, but was redirected to post here also.
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sharepoint-mso_win10-mso_o365b/sharepoint-app-only-add-ins-throwing-401/962bfaa2-8604-4e94-ae1c-36ef5b453ed2?tm=1599640808879

Danny Thian 1 Reputation point

2020-09-11T02:17:08.777+00:00

We have experienced the same issue as well. It only happens in new tenant. No issue in old tenants.
Paulius Baltrėnas 261 Reputation points

2020-09-11T07:17:04.06+00:00

If you get anywhere, could you please update us on this?
Amos Wu-MSFT 4,051 Reputation points

2020-09-16T06:27:38.76+00:00

Hi @Paulius Baltrėnas ,@Danny Thian ,
You could try the updated command in my first answer.
Amos Wu-MSFT 4,051 Reputation points

2020-09-21T04:23:41.227+00:00

Hi @Paulius Baltrėnas ,
Does the updated solution in my first answer help you?
Paulius Baltrėnas 261 Reputation points

2020-09-24T06:02:27.793+00:00

Hi,
yes your updated command helped.
Amos Wu-MSFT 4,051 Reputation points

2020-09-24T06:29:40.327+00:00

Glad to here this.
barry bijoy 26 Reputation points

2021-05-14T14:47:57.657+00:00

I am also facing similar issue, I checked the DisableCustomAppAuthentication value it is already set to false in my environment. The web api was working till last month then it stopped, No changes were done to code. Suddenly it started throwing this error. Cient id and secret is still valid for few more months
Iain Lennox 21 Reputation points

2021-05-14T14:53:38.61+00:00

toggling it on then off and waiting 10/15 minutes worked for us, however we have since switched away from using this authentication (ACS) method with SharePoint, we now use - https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
barry bijoy 26 Reputation points

2021-05-19T06:32:53.227+00:00

I tried toggling the values as well, Still no luck
Chris Clum 26 Reputation points

2021-05-19T15:09:56.687+00:00

I'm having a similar issue with a SharePoint Add-In application attempting to acquire an app-only token. I'd be interested if you find a solution.
barry bijoy 26 Reputation points

2021-05-25T10:59:09.983+00:00

I was using Azure app service to host myapp, Adding following line of code in the startup.Auth.cs in App_start folder fixed my issue

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

Accepted answer

Amos Wu-MSFT 4,051 Reputation points

2020-09-10T09:35:56.287+00:00
I would suggest you to create a service request in admin center,so our engineers could help you check this issue.

---------------------------------
Updated---------------------------
You could try to run below command:

Set-SPOTenant -DisableCustomAppAuthentication $false

Tip:You need to update the SharePoint Online managed shell to the latest version.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

2 people found this answer helpful.
Jone 1 Reputation point

2020-09-18T01:30:52.033+00:00

I tried this in my affected tenant and it seems that it fixed the issue. Thanks a lot for resolving the issue!

Danny Thian 1 Reputation point

2020-09-18T03:17:06.28+00:00

This fixed the issue!

NigelH 11 Reputation points

2021-05-25T20:15:38.797+00:00

Unfortunately this didn’t work for me.
Sign in to comment

11 additional answers

Hicham BOUCHAOUI 1 Reputation point

2021-05-26T07:11:38.343+00:00

Hello,
Attached are the permissions of the Microsoft AD application

Thank you
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
terryr 1 Reputation point

2021-05-28T10:36:57.16+00:00

Can anyone outline what configuration changes are needed in the Add-in to get it set up with my new Azure Active Directory Application? I can see the application in Enterprise applications but I can't get my Add-in to install when I use it's applicationId as the clientId in the Add-in config. The install just times out when I try to upload it to my dev site.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Amit Tare 1 Reputation point

2021-10-01T10:06:42.737+00:00

I am having the same issue I am SharePoint App Only Authentication. Did anyone get any solution.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment