question

11 Votes
smauglys asked AmitTare-2232 published

SharePoint App-Only Add-ins throwing 401 Unauthorized on newly created O365 tenants

Hi,

We have noticed that our SharePoint Add-In cannot get permissions on a newly created trial O365 tenant.

While getting the ClientContext with the ClientID and ClientSecret, we get this error: "The remote server returned an error: (401) Unauthorized."

We have tried to register a new app-only principal to test if it works on a new tenant by following this documentation from Microsoft:

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
After registering and trying again, on the new tenant we got the exact same error "The remote server returned an error: (401) Unauthorized."

But when we tried on an older tenant that we had, it worked fine for both our SharePoint Add-In and for a newly registered principal.

A very simple call using the OfficeDevPnP NuGet package:

using Microsoft.SharePoint.Client;
using OfficeDevPnP.Core;

// createEntity.AppUrl, clientId and clientSecret are supplied by the calling code
OfficeDevPnP.Core.AuthenticationManager am = new OfficeDevPnP.Core.AuthenticationManager();
using (Microsoft.SharePoint.Client.ClientContext context = am.GetAppOnlyAuthenticatedContext(createEntity.AppUrl, clientId, clientSecret))
{
    Web web = context.Web;
    context.Load(web, w => w.Id, w => w.Title);
    // PnP extension that sends the batched request and retries on throttling
    context.ExecuteQueryRetry();
}

Is anyone else having the same issue on fresh newly created O365 tenants?

Or maybe there is some new setting to allow using "SharePoint App-Only" authentication?



I have posted the same question to another forum, but was redirected to post here also.
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sharepoint-mso_win10-mso_o365b/sharepoint-app-only-add-ins-throwing-401/962bfaa2-8604-4e94-ae1c-36ef5b453ed2?tm=1599640808879


office-sharepoint-online

I am also facing a similar issue. I checked the DisableCustomAppAuthentication value; it is already set to false in my environment. The web API was working until last month, then it stopped. No changes were made to the code. Suddenly it started throwing this error. The client ID and secret are still valid for a few more months.

1 Vote

Toggling it on, then off, and waiting 10/15 minutes worked for us. However, we have since switched away from using this (ACS) authentication method with SharePoint; we now use https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

0 Votes

I tried toggling the values as well. Still no luck.

0 Votes

We have experienced the same issue as well. It only happens in new tenants. No issue in old tenants.

0 Votes

If you get anywhere, could you please update us on this?

0 Votes

Hi @smauglys ,@DannyThian-7352 ,
You could try the updated command in my first answer.

0 Votes

Hi @smauglys ,
Does the updated solution in my first answer help you?

0 Votes

2 Votes
AmosWu-MSFT answered NigelH-1818 commented

I would suggest you create a service request in the admin center, so our engineers could help you check this issue.
---------------------------------Updated---------------------------
You could try to run the command below:

 Set-SPOTenant -DisableCustomAppAuthentication $false

Tip: You need to update the SharePoint Online Management Shell to the latest version.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


I tried this in my affected tenant and it seems that it fixed the issue. Thanks a lot for resolving the issue!

0 Votes

This fixed the issue!

0 Votes

Unfortunately this didn’t work for me.

0 Votes

0 Votes
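As an added example (not code from this thread, from Microsoft or from the PnP project), the script below reads the tenant property named in the accepted answer before changing it, changes it only when needed, and then polls until the new value is visible, since several replies report a 5 to 15 minute delay before the 401 stops. It assumes the SharePoint Online Management Shell module is installed, the caller is a SharePoint administrator, and "contoso" is a placeholder tenant name.

```powershell
# Added example: check, and only if needed relax, DisableCustomAppAuthentication.
# Assumes Microsoft.Online.SharePoint.PowerShell is installed and the account is a
# SharePoint admin. $TenantName is a placeholder for your own tenant prefix.
param(
    [string]$TenantName = "contoso",
    [int]$TimeoutMinutes = 15      # the thread reports 5-15 minutes to propagate
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Read the property defensively: an older module build does not expose it
# (one reply above saw it appear only after running Set-SPOTenant).
$prop = (Get-SPOTenant).PSObject.Properties["DisableCustomAppAuthentication"]
if ($null -eq $prop) {
    Write-Warning "DisableCustomAppAuthentication is not exposed; update the SharePoint Online Management Shell first."
    return
}
Write-Host "DisableCustomAppAuthentication is currently: $($prop.Value)"

if ($prop.Value -eq $false) {
    Write-Host "Legacy ACS app-only (client id/secret) auth is already allowed; nothing changed."
    return
}

# This relaxes a tenant-wide default and re-enables ACS app-only tokens for every
# add-in, so record who changed it and when, and plan the move to Azure AD
# app-only auth that the later replies in the thread describe.
Write-Host "Enabling legacy ACS app-only auth at $(Get-Date -Format o)"
Set-SPOTenant -DisableCustomAppAuthentication $false

# Poll until the change is reflected or the timeout elapses.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 60
    $value = (Get-SPOTenant).DisableCustomAppAuthentication
    Write-Host "$(Get-Date -Format T) DisableCustomAppAuthentication = $value"
} while ($value -ne $false -and (Get-Date) -lt $deadline)

if ($value -eq $false) {
    Write-Host "Setting applied. Retry the add-in; allow a few more minutes if the 401 persists."
} else {
    Write-Warning "Setting not reflected within $TimeoutMinutes minutes; check the admin center Access Control page."
}
```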
Jone-2512 answered IainLennox-Betasoft commented

I created a trial tenant on 25/8 and deployed my custom solution that uses app-only principals to make requests to SharePoint. It has a timer Azure Function running every hour, and it worked fine until about 26/8 11pm UTC. After that it has only given the 401 Unauthorized.

To understand how widespread this issue is, what regions are your new tenants located in? I created mine in Australia.


Hey @jone-2512,
can you provide more details about the issue you are seeing? This change should not have impacted any existing tenants, so we are now collecting more details on those kinds of reports. Can you share more details on the setup you have, either here or by using our SharePoint dev issue list at https://aka.ms/spdev-issues?

Region was Australia for you. When was the impacted tenant created? Which permissions is your custom solution using? What's the overall setup? Does the PowerShell update fix the issue for you?

Thanks in advance for your details.

0 Votes

Hi @Jone-2512,
we just confirmed internally that the default setting at tenant level was already in effect for the 25th of August tenants, or we enabled the default setting on the 26th of August for all tenants which were created on the 25th of August or newer. This is why you saw the solution work without issues for a while. That explains the situation.

0 Votes

This still seems to be an issue, and we need to run the command on tenants for new customers who want to use our app. Will this always be the case for new tenants now? Thanks.

0 Votes

0 Votes
IainLennox-5924 answered IainLennox-5924 commented

Same issue today on two new tenants created last week for customers: when we deploy our existing app and it tries to authenticate with the new tenant, we get "The remote server returned an error: (401) Unauthorized."

Both tenants are located in EU/UK.

Tried running the above suggested command Set-SPOTenant -DisableCustomAppAuthentication $false

Still getting 401.


This setting might take a bit of time to work (5 minutes or so).
I have tried setting it to $true and $false to make sure this is the right property, and this new property was causing the 401 in our case.

0 Votes

Yes, fixed now, I was just being impatient.

0 Votes

0 Votes
GauravGoyal5 answered

I am also facing the same issue with a new tenant. This is a serious issue with newly created tenants.
The only solution is the command:

  Set-SPOTenant -DisableCustomAppAuthentication $false

Thanks,
Gaurav Goyal

1 Vote
smauglys answered GauravGoyal5 commented

What is the solution to have App-Only Add-In authentication but with DisableCustomAppAuthentication set to true?
Basically, to have the Add-In working on a new tenant without changing any tenant settings?


If I am creating the context with the CreateUserClientContextForSPHost function, it is working fine, but when I am using the CreateAppOnlyClientContextForSPHost function in a provider-hosted app, it throws the same error you mentioned above.

One more thing: I checked the output of the Get-SPOTenant command. It does not have the "DisableCustomAppAuthentication" property, but after running the Set-SPOTenant command, it shows the "DisableCustomAppAuthentication" property in the output.

0 Votes

0 Votes
NigelH-1818 answered

I've been experiencing the same issue since 22/04, however it's on a tenant that has existed for a couple of years.

1 Vote
smauglys answered smauglys edited

Hi,
for the Unauthorized error there is also an additional setting in the SP Admin center.
1) Go to https://tenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/accessControl
2) Apps that don't use modern authentication
3) Allow access
4) It does take time to apply
5) Check the "Unmanaged devices" setting and make sure that "Allow full access from desktop apps, mobile apps and the web" is selected. (This is only applicable if that feature is enabled on your tenant.)

Hope this helps.

The other option is to implement authentication using "Granting access via Azure AD App-Only"
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

0 Votes
barrybijoy-4229 answered NigelH-1818 commented

I was using Azure App Service to host my app and facing this issue. Adding the following line of code in startup.Auth.cs in the App_start folder fixed my issue:

using System.Net;

// Opt the process in to TLS 1.2 for outgoing HTTPS calls
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;


I can see why this would work, by forcing it to use TLS 1.2.

Premier Support finally got back to me after almost 2 weeks to suggest recompiling the applications using .NET Framework 4.8, which only uses TLS1.2.

Doing this fixed one application and partially fixed another one (some new errors cropped up in the second one now, but that seems to relate to changes in the SDK).

It would be nice if the original error messages actually provided some information relating to the cause, instead of simply saying "unauthorised - token invalid". To me, that indicates an issue with... well... the token. I'm not sure how you're supposed to figure out that it's actually TLS from that message.

0 Votes

0 Votes
HichamBOUCHAOUI-7688 answered

Good morning all,
I need your help.
I tried to upload files to a SharePoint Online site via an application.

Protocol Commands: >>POST https://xxxxxx.sharepoint.com/sites/Transfert_secure/Documents/_api/web/GetFolderByServerRelativeUrl('/sites/Transfert_secure/Documents/Targetfolder')/Files/Add(url='file.txt',overwrite=true) HTTP/1.1

<<HTTP/1.1 401 Unauthorized

I believe that the site should be granted permission through the AD application, but I don't know how I could do it.

Thank you

0 Votes
HichamBOUCHAOUI-7688 answered

Hello,
Attached are the permissions of the Microsoft AD application
[image attachment: 99734-image.png (72.1 KiB), not reproduced]

Thank you