sp-dev-docs
What are the least-privileged permissions needed to grant permissions to the newly created principal for site operations?
We need to operate on a SharePoint site, and we use app-only ACS authentication to do so. Referring to your doc, we want to confirm: to grant permissions to the newly created principal via https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx, what are the least-privileged permissions? We could make it work as a site owner before, but currently only a site admin can do it.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 35a3017a-6d6c-237f-fc57-94247a8f7bf6
- Version Independent ID: 93413445-18fa-9245-ea64-1c1d789dce1e
- Content: Granting access using SharePoint App-Only
- Content Source: docs/solution-guidance/security-apponly-azureacs.md
- Product: sharepoint
- GitHub Login: @VesaJuvonen
- Microsoft Alias: vesaj
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
@Jingshu923 you can find this information in the Add-in permissions in SharePoint documentation.
It seems this doc can't help me. I want to know the least-privileged permission that can grant an add-in permission, not which permission to grant. To grant permissions to the newly created principal via https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx, what are the least-privileged permissions that can do this grant?
You need full control permissions to add an app from the SharePoint store, so it's likely that the same applies in your situation:
"You must have Full Control permissions to add apps from the SharePoint Store. You already have this if you are a Site Owner."
My "app" means using a service principal to have permission on SharePoint, not "an app".
Do you know the least-privileged permissions to do this, as the picture shows?
The user would need to be a SharePoint administrator, since the page above is part of the SharePoint admin center (https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx).
Thanks. Could you help confirm this with a developer, since we could make it work before by using Owner permission, but it doesn't work now? Have there been any changes recently?
The page you're referring to in the admin center (https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx) has always been inaccessible to those who are not SharePoint administrators. You cannot access the SharePoint admin center without being a SharePoint administrator.
You might be referring to a site level app registration page e.g. https://mytenant.sharepoint.com/sites/mysite/_layouts/15/appinv.aspx
Closing this issue as "answered". If you encounter a similar issue(s), please open up a new issue. See our wiki for more details: Issue-List: Our approach to closed issues