Access denied while accessing User Profile Properties in Provider Hosted Add-In

  • Question

  • Hi,

    In my MVC 5 low-trust on-premise provider-hosted add-in, I am trying to access user profile properties for any user. I am trying the code below, but it says access denied while executing the query clientContext.ExecuteQuery();. Could anyone please assist?

    AppManifest.xml:

    // Controller method:
    // Namespaces needed: System, System.Web.Mvc, Microsoft.SharePoint.Client,
    // Microsoft.SharePoint.Client.UserProfiles (TokenHelper comes from the add-in project template)

    public JsonResult getStaffProfileList(string userName)
    {
        Uri sharepointUrl = new Uri("https://mydomain.org/site/apps");

        // Read the context token from the request and exchange it for an add-in-only access token
        string contextTokenString = TokenHelper.GetContextTokenFromRequest(Request);
        SharePointContextToken contextToken = TokenHelper.ReadAndValidateContextToken(contextTokenString, Request.Url.Authority);
        string addinOnlyAccessToken = TokenHelper.GetAppOnlyAccessToken(contextToken.TargetPrincipalName, sharepointUrl.Authority, contextToken.Realm).AccessToken;

        using (ClientContext clientContext = TokenHelper.GetClientContextWithAccessToken(sharepointUrl.ToString(), addinOnlyAccessToken))
        {
            if (clientContext != null)
            {
                Web webUrl = clientContext.Web;
                PeopleManager peopleManager = new PeopleManager(clientContext);

                // Pass the userName parameter (the original passed the literal string "userName")
                ClientResult<string> userTitle = peopleManager.GetUserProfilePropertyFor(userName, "Title");
                ClientResult<string> userEmail = peopleManager.GetUserProfilePropertyFor(userName, "Email");
                clientContext.ExecuteQuery(); // get Access Denied Here
                ............................
                ............................
            }
        }
        return Json(lstUser, JsonRequestBehavior.AllowGet);
    }



    Monday, April 29, 2019 4:58 AM

All replies

  • Hi,

    The User Profile API can't be used with the app-only authentication policy due to the limitation below:

    This needs to authenticate with a Farm Administrator account when using the User Profile API instead of the app-only policy.

    Here is a detailed official document for your reference:

    Elevated privileges in SharePoint Add-ins

    Similar thread:

    SharePoint Online - Update User Profile Properties via CSOM App

    Thanks

    Best Regards


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    Tuesday, April 30, 2019 6:39 AM
  • Hi Jerry,

    Thanks for your reply.

    I understood your point. Now, could you please suggest which approach I should use with app-only policy?

    Thanks in advance.

    Tuesday, April 30, 2019 8:06 AM
  • Hi,

    Due to this limitation of the app-only policy, I suggest writing a method for clientContext that assigns a common administrator account to read user profile properties:

        // Placeholder account name, password and domain; URL is the SharePoint site URL
        System.Net.NetworkCredential cred = new System.Net.NetworkCredential("myname", "mypassword", "mydomain");
        ClientContext clientContext = new ClientContext(URL);

        clientContext.Credentials = cred;

    Thanks

    Best Regards



    Tuesday, April 30, 2019 8:53 AM
  • Hi Jerry,

    For some reason, I cannot have an administrator account for this purpose.

    Is there any alternate approach where an admin account is not required? I only need to read the site user properties.

    Thanks. 

    Wednesday, May 1, 2019 3:41 AM
  • Hi,

    Due to this limitation in App-Only authentication, I would suggest creating a separate Console application to read the user profile properties and store them in a database table.

    Then the Provider Hosted App could directly query the database instead of communicating with SharePoint, so that it could overcome this limitation.

    In the Console Application, you could refer to the following code demo to read user profile properties:

    Retrieve user profile properties by using the .NET client object model in SharePoint

    Thanks

    Best Regards



    Thursday, May 2, 2019 5:49 AM
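
    The console job described in the reply above, as an added example (not code from this thread or from the linked Microsoft documentation). It assumes the job runs as a scheduled task under a domain account that can read the site, so no password appears in code; the site URL, the dbo.StaffProfile table and the STAFFPROFILE_DB environment variable are placeholder names.

```csharp
using System;
using System.Data.SqlClient;
using System.Net;
using Microsoft.SharePoint.Client;
using Microsoft.SharePoint.Client.UserProfiles;

class ProfileSync
{
    // Assumed names: site URL and table dbo.StaffProfile(AccountName, Title, Email).
    const string SiteUrl = "https://mydomain.org/site/apps";
    const string Upsert = @"
        MERGE dbo.StaffProfile AS t
        USING (SELECT @acct AS AccountName) AS s ON t.AccountName = s.AccountName
        WHEN MATCHED THEN UPDATE SET Title = @title, Email = @email
        WHEN NOT MATCHED THEN INSERT (AccountName, Title, Email)
             VALUES (@acct, @title, @email);";

    static void Main(string[] accounts) // e.g. MYDOMAIN\jdoe MYDOMAIN\asmith
    {
        // Connection string comes from the environment, not from source control.
        string connStr = Environment.GetEnvironmentVariable("STAFFPROFILE_DB");
        if (string.IsNullOrEmpty(connStr)) throw new InvalidOperationException("STAFFPROFILE_DB not set");

        using (var ctx = new ClientContext(SiteUrl))
        using (var db = new SqlConnection(connStr))
        {
            // Windows identity of the process (the task's service account).
            ctx.Credentials = CredentialCache.DefaultNetworkCredentials;
            var people = new PeopleManager(ctx);
            db.Open();
            foreach (string account in accounts)
            {
                PersonProperties p = people.GetPropertiesFor(account);
                ctx.Load(p, x => x.AccountName, x => x.Title, x => x.Email); // only the fields the add-in needs
                ctx.ExecuteQuery();
                if (p.ServerObjectIsNull == true) continue; // no profile for this account
                using (var cmd = new SqlCommand(Upsert, db))
                {
                    cmd.Parameters.AddWithValue("@acct", p.AccountName);
                    cmd.Parameters.AddWithValue("@title", (object)p.Title ?? DBNull.Value);
                    cmd.Parameters.AddWithValue("@email", (object)p.Email ?? DBNull.Value);
                    cmd.ExecuteNonQuery(); // parameterized, so profile text never becomes SQL
                }
            }
        }
    }
}
```

    The provider-hosted add-in then needs only read access to that one table, and the SharePoint-facing identity stays outside the web application.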
  • Hi,

    Thanks for all your replies. One more question.

    Is there any way that I can retrieve SP site users from a user group (AD / Domain group) without providing any credentials?

    Thanks again.

    Thursday, May 2, 2019 5:05 PM
  • Hi,

    Yes, in the Console Application you could get the site users' properties without any credentials. As you are using an on-premise environment, you could use the Server Object Model and save them into a SQL data table:

    How to: Retrieve User Profile Properties

    Thanks

    Best Regards



    Friday, May 3, 2019 2:18 AM