9 Votes
smauglys asked ·

SharePoint App-Only Add-ins throwing 401 Unauthorized on newly created O365 tenants

Hi,

We have noticed that our SharePoint Add-in cannot get permissions on a newly created trial O365 tenant.

While getting the ClientContext with ClientID and ClientSecret we get this error "The remote server returned an error: (401) Unauthorized."

We have tried to register a new app-only principal to test if it works on a new tenant by following this documentation from Microsoft:

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
After registering and trying again, on the new tenant we got the exact same error "The remote server returned an error: (401) Unauthorized."

But when we tried on an older tenant that we had, it worked fine for both our SharePoint Add-In and for a newly registered principal.

Very simple call using OfficeDevPnP nuget.

    // Build an app-only context from the client ID and client secret.
    OfficeDevPnP.Core.AuthenticationManager am = new OfficeDevPnP.Core.AuthenticationManager();
    using (Microsoft.SharePoint.Client.ClientContext context = am.GetAppOnlyAuthenticatedContext(createEntity.AppUrl, clientId, clientSecret))
    {
        Web web = context.Web;
        context.Load(web, w => w.Id, w => w.Title);
        // The 401 Unauthorized surfaces when the query is executed.
        context.ExecuteQueryRetry();
    }

Is anyone else having the same issue on fresh newly created O365 tenants?

Or maybe there is some new setting to allow using "SharePoint App-Only" authentication?



I have posted the same question to another forum, but was redirected to post here also.
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sharepoint-mso_win10-mso_o365b/sharepoint-app-only-add-ins-throwing-401/962bfaa2-8604-4e94-ae1c-36ef5b453ed2?tm=1599640808879


office-sharepoint-online

We have experienced the same issue as well. It only happens in new tenant. No issue in old tenants.


0 Votes 0 · ·
smauglys DannyThian-7352 ·

If you get anywhere, could you please update us on this?

0 Votes 0 · ·

Hi @smauglys, @DannyThian-7352,
You could try the updated command in my first answer.

0 Votes 0 · ·

Hi @smauglys,
Does the updated solution in my first answer help you?

0 Votes 0 · ·
2 Votes
AmosWu-MSFT answered ·

I would suggest that you create a service request in the admin center, so our engineers could help you check this issue.
---------------------------------Updated---------------------------
You could try running the command below:

 Set-SPOTenant -DisableCustomAppAuthentication $false

Tip: You need to update the SharePoint Online Management Shell to the latest version.



I tried this in my affected tenant and it seems that it fixed the issue. Thanks a lot for resolving the issue!

0 Votes 0 · ·

This fixed the issue!

0 Votes 0 · ·
0 Votes
Jone-2512 answered ·

I created a trial tenant on 25/8 and deployed my custom solution that uses app-only principals to do requests to SharePoint. It has a timer Azure Function running every hour and it worked fine until about 26/8 11pm UTC. After that it has only given the 401 unauthorized.

To understand how wide this issue is, what regions are your new tenants located in? I created mine in Australia.


Hey @jone-2512,
can you provide more details around the issue which you are seeing? This change should not have impacted any existing tenants, so we are now collecting more details on those kinds of reports. Can you share more details on the setup you have, either in here or by using our SharePoint dev issue list at https://aka.ms/spdev-issues?

Region was Australia for you. When was the impacted tenant created? Which permissions is your custom solution using? What's the overall setup? Does the PowerShell update fix the issue for you?

Thanks for your details in advance.

0 Votes 0 · ·

Hi @Jone-2512,
we just confirmed internally that the default setting at tenant level was already valid for the 25th of August tenants, or we enabled the default setting on the 26th of August for all tenants which were created on the 25th of August or newer. This is why you have seen the solution work without issues for a while. That explains the situation.

0 Votes 0 · ·
0 Votes
IainLennox-5924 answered ·

Same issue today on two new tenants created last week for customers. When we deploy our existing app and it tries to authenticate with the new tenant, we get "The remote server returned an error: (401) Unauthorized."

Both tenants located in EU/UK

Tried running above suggested command Set-SPOTenant -DisableCustomAppAuthentication $false

Still getting 401


This setting might take a bit of time to work (5 minutes or so).
I have tried setting to $true and $false to make sure this is the right property, and this new property was causing the 401 in our case.

0 Votes 0 · ·

Yes, fixed now, I was just being impatient.

0 Votes 0 · ·
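
The fix from the thread as one admin script (an added example, not code posted by any participant): it reads the tenant's `DisableCustomAppAuthentication` value before changing it, then retries an app-only call until the change takes effect, since the thread reports a delay of about 5 minutes. The setting is tenant-wide, so `$false` permits ACS app-only tokens for every registered principal, not just one add-in. The URLs, the environment variable names and the use of the PnP.PowerShell module for the test call are assumptions.

```powershell
# Added example. All values below are placeholders (assumptions), not from the thread.
$AdminUrl     = 'https://contoso-admin.sharepoint.com'        # hypothetical tenant admin URL
$SiteUrl      = 'https://contoso.sharepoint.com/sites/demo'   # hypothetical site the add-in calls
$ClientId     = $env:SPO_CLIENT_ID       # app-only principal, read from the environment
$ClientSecret = $env:SPO_CLIENT_SECRET   # keep the secret out of the script file

# The parameter only exists in recent builds of the SharePoint Online Management Shell.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
if (-not (Get-Command Set-SPOTenant).Parameters.ContainsKey('DisableCustomAppAuthentication')) {
    throw 'Set-SPOTenant has no -DisableCustomAppAuthentication parameter; update the SharePoint Online Management Shell first.'
}

Connect-SPOService -Url $AdminUrl

# Record the current state so the change is visible in the run log.
$before = (Get-SPOTenant).DisableCustomAppAuthentication
Write-Host "DisableCustomAppAuthentication before: $before"

if ($before) {
    Set-SPOTenant -DisableCustomAppAuthentication $false
    Write-Host "DisableCustomAppAuthentication after:  $((Get-SPOTenant).DisableCustomAppAuthentication)"
} else {
    Write-Host 'Custom app authentication is already allowed; a 401 here has another cause.'
}

# The tenant property flips at once, but authentication can keep failing for a few
# minutes. Retry the same app-only call the add-in makes, for up to 10 minutes.
$deadline = (Get-Date).AddMinutes(10)
$ok = $false
do {
    try {
        Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -ClientSecret $ClientSecret -ErrorAction Stop
        $web = Get-PnPWeb -ErrorAction Stop
        Write-Host "App-only call succeeded against '$($web.Title)'."
        $ok = $true
    } catch {
        Write-Host "App-only call still failing: $($_.Exception.Message)"
        Start-Sleep -Seconds 60
    }
} while (-not $ok -and (Get-Date) -lt $deadline)

if (-not $ok) {
    Write-Warning 'Still unauthorized after 10 minutes; check the principal registration and its permissions.'
}
```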