Error when trying to add App to SharePoint 2013: Sorry, only tenant administrators can add or give access to this app RRS feed

  • Question

  • When I create a provider hosted app for SharePoint 2013 with the August 2013 CU applied I receive the error "Sorry, only tenant administrators can add or give access to this app" when deploying to an on-premise server if the app requests User Profile Read permissions. This worked when running the March 2013 PU and the June 2013 CU. This effectively blocks the app installation when User Profile read permissions are requested as the Trust It button is disabled.

    Can anyone verify whether this is a bug with the August 2013 CU for SharePoint 2013 and/or provide any workaround for this issue?


    • Visual Studio 2012 with Microsoft Office Developer Tools
    • SharePoint 2013 August 2013 CU (15.0.4535.1000) on premise

    Steps to reproduce:

    • Open Visual Studio 2013
    • Select File > New Project
    • Select ‘App for SharePoint 2013’ and click next
    • Select provider hosted and click next and finish
    • Open the AppManifest.xml file
    • In the permissions tab select Scope: User Profile (Social), Permission: Read
    • Click Start to deploy the project
    • When the app permission page opens the message “Sorry, only tenant administrators can add or give access to this app” is displayed and the Trust It button is disabled. This prevents calls to the user profile service and any other calls to the app web from the remote web. This is occurring even when the user installing the app is a farm administrator, has full control on the user profile service application and is a site collection administrator. It worked on previous CU’s (March PU, June CU).

    A similar error occurs when requesting permissions to the Search service.

    Friday, September 6, 2013 11:28 AM

All replies

  • Confirmed with MS that this is a bug in August 2013 CU.

    Workaround until they fix the problem:

    Navigate to C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\CONFIG. There you will see a bunch of AppPermissionProvider.*.xml files. Depending on your installation (Foundation, Server, PS) you will probably have different files. Open AppPermissionProvider.Search.xml and you will see the following settings:

    <Alias Name="Search" Value="http://sharepoint/search" RequiredRight="TenantAdmin" />

    Replace TenantAdmin with SiteCollectionAdmin (Closest permission to TenantAdmin). I would also ensure the account used for deployment be a farm administrator to simulate the TenantAdmin permission. Save the files and bounce IIS. Repeat on each SP Server. Deploy your application and you should be able to use the tenant admin permissions again.

    Search is not the only app permission that is mangled with this update. Just open all of the AppPermissionProvider.*.xml files and anything with the TenantAdmin permission is affected.

    I assume with the next CU this problem will be addressed.

    You should probably undo prior to installing future updates.

    Good luck,


    • Proposed as answer by Ashkan1974 Monday, September 23, 2013 5:29 AM
    • Unproposed as answer by Ashkan1974 Monday, September 23, 2013 5:29 AM
    • Edited by Ashkan1974 Monday, September 23, 2013 5:45 AM Updated response
    Monday, September 23, 2013 5:26 AM
  • Thanks Ashkan. We raised a support case with Microsoft who were able to confirm this is a bug with the August 2013 CU for SharePoint 2013. They mentioned another workaround is to add the user account installing the app directly into the local administrators group on the server the app is being deployed (not via a group). I believe they will fix this sometime in the future but they haven't confirmed this or provided dates at this stage.
    Friday, October 4, 2013 2:37 PM
  • There is another workaround for this issue. If you navigate to Site Contents and select ‘Permissions’ from the App context menu it shows a page with a link that will allow the user to trust the app without being explicitly added to the local Administrators group. Additionally Microsoft support have mentioned this will be fixed in the SharePoint 2013 Feb 2014 CU.
    Tuesday, November 5, 2013 12:00 PM
  • I like your workaround better :).

    I don;t experience the problem in October CU.

    Maybe they fixed.

    Tuesday, November 5, 2013 5:26 PM
  • Hi,

    Do you have any new Informations from the support case?

    Best regards 


    Wednesday, November 27, 2013 4:05 PM
  • August 27 2015, the same error occurs with my Office 365 E2. Someone has any idea?. Thanks
    Thursday, August 27, 2015 8:49 AM
  • I solve this. My Oficial Microsoft Account is This is the account for my development windows 8 PC, and for the Visual studio developer License, so when I deploy my app to sharepoint online, this is the default account.

    My Office 365 E2 trial (MCT benefit) admin account is, this is the tenant admin with rights to Trust my app for Sharepoint.

    So, I deploy my app, and in the trust window, change my accout to the tenant admin account.

    All this is because I must to create another account when I activate my Office 365 suscription, Why? I don´t know.

    • Proposed as answer by Rebeca65 Thursday, August 27, 2015 9:27 AM
    Thursday, August 27, 2015 9:27 AM
  • We are still facing this issue while accessing User profile from SharePoint hosted add-in. Is it fixed by Microsoft or still an open bug?
    Wednesday, August 10, 2016 10:18 AM
  • With SharePoint 2013 on premise (July 2017 CU) seeing the issue. Developer has site collection admin access. can't be the bug OP mentioned above.

    Any suggestion what else needed?

    Appreciate any feedback! Thanks!

    Please help and appreciate others by using forum features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"

    Wednesday, January 17, 2018 3:56 PM