System.UnauthorizedAccessException when creating communication site with hub site association using delegated permissions
Hi all, we are using PnP Framework to create communication sites and link them to the root hub site. System account and delegated app permissions (specific AAD user with ROPC auth flow / Sites.Selected is not an option here).
After deploying the solution to the production environment, we got System.UnauthorizedAccessException: "Attempted to perform an unauthorized operation" during the create site call. After some investigation, we confirmed that we get this error ONLY when using the HubSiteId parameter in the creation call, even with the SharePoint admin account. It's also straightforward to replicate from PnP PowerShell (which internally makes the same call as our backend):
This works fine:
New-PnPSite -Type CommunicationSite -Title xxx -Url https://xxxx.sharepoint.com/sites/xxxx
This will fail:
New-PnPSite -Type CommunicationSite -Title xxx -Url https://xxxx.sharepoint.com/sites/xxxx -HubSiteId 'xxxxxxx-4536-4270-814c-fb6bc6cb1c05'
Error response (using PnP PowerShell):
New-PnPSite: {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":"Attempted to perform an unauthorized operation."}}
The same configuration was performed in all 3 tenants (delegated permissions, system account has hub association permissions, site collection admin on the hub, ...). The only relevant difference between production and the other environments is that the system account is a local AD user synchronized to AAD. We are working to discard this as the source of the issue.
Also, we found a very similar issue in pnpjs: https://github.com/pnp/pnpjs/issues/2317
We are investigating if the _api/GroupSiteManager/CreateGroupEx API is changing to _api/SPSiteManager/create for communication sites or something like that.
Any help is appreciated.
Workaround for this issue; it should also be very easy to implement in the PnP Framework code. Instead of creating the site with HubSiteId, make the hub association afterwards.
    // Workaround: create the site without HubSiteId, then join it to the hub with the
    // _api/site/JoinHubSite REST call, sent through the PnP Framework HTTP client.
    // Assumes the following usings: Microsoft.Extensions.Logging, Microsoft.SharePoint.Client,
    // PnP.Framework.Http, System.Net.Http, System.Threading, System.Threading.Tasks
    private async Task SiteToHubAssociation(ILogger log, ClientContext siteCtx, Guid hubsite)
    {
        log.LogDebug("Site {siteurl} will be associated with hub {hubsiteID}", siteCtx.Url, hubsite);

        var pnpclient = PnPHttpClient.Instance.GetHttpClient(siteCtx);

        // POST {site}/_api/site/JoinHubSite('<hub site id>') with an empty body
        using HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post,
            $"{siteCtx.Url}/_api/site/JoinHubSite('{hubsite.ToString("D")}')")
        {
            Content = null
        };
        request.Headers.Add("accept", "application/json;odata.metadata=none");
        request.Headers.Add("odata-version", "4.0");

        // Attach the access token of the identity behind the site context
        await PnPHttpClient.AuthenticateRequestAsync(request, siteCtx).ConfigureAwait(false);

        using HttpResponseMessage response = await pnpclient.SendAsync(request, CancellationToken.None).ConfigureAwait(false);
        if (!response.IsSuccessStatusCode)
        {
            // SharePoint returns the error code and message as JSON; keep it for diagnostics
            string body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
            throw new Exception($"Site to hub association failed: {response.StatusCode} {body}");
        }

        log.LogDebug("Site {siteurl} was successfully associated with hub {hubsiteID}", siteCtx.Url, hubsite);
    }
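The same two-step workaround expressed with the PnP PowerShell cmdlets used earlier in this thread, as an added example that is not part of the original comment or of the PnP project's code. It assumes an existing Connect-PnPOnline session with rights to create sites, placeholder site and hub URLs, and that the hub association is then verified by reading the new site's HubSiteId; Add-PnPHubSiteAssociation and the -Includes parameter of Get-PnPSite are standard PnP PowerShell cmdlets, the auth method in the reconnect step is a placeholder.

```powershell
# Added example (not from the issue or the PnP project). Placeholder values:
$siteUrl    = 'https://contoso.sharepoint.com/sites/NewCommSite'   # placeholder
$hubSiteUrl = 'https://contoso.sharepoint.com/sites/Hub'            # placeholder

# Step 1: create the communication site WITHOUT -HubSiteId (the call reported to succeed)
$created = New-PnPSite -Type CommunicationSite -Title 'New Comm Site' -Url $siteUrl

# Step 2: associate the new site with the hub afterwards, as a separate call
try {
    Add-PnPHubSiteAssociation -Site $siteUrl -HubSite $hubSiteUrl -ErrorAction Stop
}
catch {
    # The site exists at this point; surface the failure so it is not silently left unassociated
    throw "Site $siteUrl was created but hub association failed: $($_.Exception.Message)"
}

# Step 3: verify the association by reading HubSiteId from the new site itself
Connect-PnPOnline -Url $siteUrl -Interactive   # placeholder auth method; use the flow your tenant allows
$site = Get-PnPSite -Includes HubSiteId
if ($site.HubSiteId -eq [Guid]::Empty) {
    throw "Site $siteUrl is not associated with any hub"
}
Write-Host "Site $siteUrl is associated with hub $($site.HubSiteId)"
```

Splitting creation from association also makes the failing step visible: if step 2 throws, the permissions of the account performing the association are what to inspect, rather than the site creation permissions.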
Is there any news on this? I'm getting the same error. The strange behaviour is that it worked for some days...