Which permissions does my SharePoint Add-in need to get Site Collections?

  • Question


  • I am building a Provider-Hosted SharePoint Add-in. Given a SharePoint Online tenant (account) where my add-in is installed, I want to get a list of their Site Collections.

    To get this done I am making a CSOM call that uses an add-in-only policy like so:

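    using System;
    using Microsoft.Online.SharePoint.TenantAdministration; // Tenant
    using Microsoft.SharePoint.Client;

    // The tenant administration site is the target for tenant-level CSOM calls.
    var tenantAdminUri = new Uri("https://<tenant_name>-admin.sharepoint.com/");

    var realm = TokenHelper.GetRealmFromTargetUrl(tenantAdminUri);

    // App-only token: the add-in acts under its own identity, with no user context.
    var token = TokenHelper.GetAppOnlyAccessToken(
        TokenHelper.SharePointPrincipal,
        tenantAdminUri.Authority,
        realm)
        .AccessToken;

    // Open the context against the same admin URL the token was issued for.
    using (var clientContext = TokenHelper.GetClientContextWithAccessToken(tenantAdminUri.ToString(), token))
    {
        var tenant = new Tenant(clientContext);

        // Start at index 0 and include detailed properties for each site collection.
        var siteProperties = tenant.GetSiteProperties(0, true);

        clientContext.Load(siteProperties);

        clientContext.ExecuteQuery();
    }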

    When I run this code an exception is thrown by the call to ExecuteQuery(). The error message is:

    "Access denied. You do not have permission to perform this action or access this resource."

    Which permission do I need to specify in my SharePoint Add-in's AppManifest.xml file to be able to get this working?

    PS - In the Add-in's AppManifest.xml I've set the permission to "Tenant, Read" like so:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
    </AppPermissionRequests>

    Now I'm getting an exception that says:

    Current user is not a tenant admin.

    Googling this sentence yields no results (!)


    urig


    Tuesday, April 5, 2016 2:23 PM

Answers

  • The article below has a description of each permission and scope that you can set in SharePoint Add-ins. Check it out.

    https://msdn.microsoft.com/en-us/library/office/fp142383.aspx

    I think you need to give "Manage" permissions to access the properties you are looking for. Read is not enough.  The best thing would be to test different permissions.


    Jerry Yasir - Office Server & Services MVP/MCT Hewlett Packard Enterprise - If this reply helped you resolve your issue, please propose as answer. It may help other community members. Thanks!

    • Marked as answer by Uri Goldstein Tuesday, April 5, 2016 6:23 PM
    Tuesday, April 5, 2016 3:46 PM

All replies

  • Hi,

    Have you checked with "Full" control? I assume that you pass the correct tenant user id and password.

    Try to access the O365 admin site through the browser and use the user name and password

    https://portal.office.com/admin/default.aspx

    and if you are able to access the "Office 365 Admin Center", then that's the correct tenant user.


    Murugesa Pandian | MCPD | MCTS | SharePoint 2010 |


    Tuesday, April 5, 2016 6:20 PM
  • Thanks! Having my Add-in ask for "Modify" rights on the "Tenant" resource did the trick and the code now works.
    Here's the relevant bit from my AppManifest.xml file:

      <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
      </AppPermissionRequests>



    urig

    Tuesday, April 5, 2016 6:25 PM
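
The permission request that resolved this thread gives an app-only principal Manage rights on the tenant scope, so it is the kind of entry to look for when reviewing add-in manifests. The following is an added example, not code from the thread or from Microsoft: a Python script that lists the permission requests in an AppManifest.xml and marks app-only, tenant-scoped requests above Read for review. The function name `audit_manifest`, the `review` rule and the `<App>` wrapper around the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Right levels for SharePoint add-in permission requests, weakest to strongest.
RIGHT_LEVELS = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}
TENANT_SCOPE = "http://sharepoint/content/tenant"

# Constructed sample: the permission request from this thread inside a minimal manifest.
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
  </AppPermissionRequests>
</App>"""


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text):
    """Return one finding dict per AppPermissionRequest (hypothetical helper)."""
    root = ET.fromstring(xml_text)  # meant for manifests from your own repo or catalog
    findings = []
    for container in root.iter():
        if _local(container.tag) != "AppPermissionRequests":
            continue
        # App-only policy means the add-in acts without any user's permissions.
        app_only = container.get("AllowAppOnlyPolicy", "false").lower() == "true"
        for req in container:
            if _local(req.tag) != "AppPermissionRequest":
                continue
            scope = req.get("Scope", "").rstrip("/").lower()
            right = req.get("Right", "")
            level = RIGHT_LEVELS.get(right, 0)  # 0 = unrecognised right
            tenant_wide = scope == TENANT_SCOPE
            findings.append({
                "scope": scope,
                "right": right,
                "level": level,
                "app_only": app_only,
                "tenant_wide": tenant_wide,
                # Assumed review rule: app-only + tenant scope + anything but Read.
                "review": app_only and tenant_wide and level != RIGHT_LEVELS["Read"],
            })
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```
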
  • Hi Uri,

    Do you have code for this project?

    I am trying to get all site collections but I am getting errors. If possible could you please share me the project to mail id : edakotireddy@hotmail.com

    Friday, January 6, 2017 6:58 PM
  • Hi Koyi,

    Sorry but I no longer have access to that code base. If I remember correctly all the code you need is in this forum post. The C# that I included in my question worked for me once I made the change in the AppManifest.xml file.

    If you're still running into issues, consider posting a detailed question in this forum. Worked for me :)

    Best,

    Uri


    urig

    Saturday, January 7, 2017 5:29 PM