Taxonomy operations using App Context

  • Question

  • Hi,

    I have created a provider hosted app and a web job. I wanted to create a Taxonomy group, term set and terms using the web job. The web job gets an app-only context and it doesn't contain a user context. It gets the app context using the below snippet.

    accessToken = TokenHelper.GetAppOnlyAccessToken(TokenHelper.SharePointPrincipal, siteUri.Authority, realm).AccessToken;

    The app also requests permission to write to the taxonomy with the below app manifest file.

    <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
        <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Write" />
    </AppPermissionRequests>

    I have the below code in my web job that tries to create a Group in the Term Store.

    using (context = this.CreateClientContext(SiteUrl))
    {
        TaxonomySession taxonomySession = TaxonomySession.GetTaxonomySession(context);
        if (taxonomySession != null)
        {
            TermStore termStore = taxonomySession.GetDefaultSiteCollectionTermStore();
            if (termStore != null)
            {
                TermGroup termGroup = termStore.CreateGroup(this.GroupName, Guid.NewGuid());
            }
        }
    }

    The app is added in the Office 365 site. When I execute the above code, it throws an access denied error as below.

    Access denied. You do not have permission to perform this action or access this resource.

       at Microsoft.SharePoint.Client.ClientRequest.ProcessResponseStream(Stream responseStream)
       at Microsoft.SharePoint.Client.ClientRequest.ProcessResponse()
       at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb)
       at Microsoft.SharePoint.Client.ClientRequest.ExecuteQuery()
       at Microsoft.SharePoint.Client.ClientRuntimeContext.ExecuteQuery()
       at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()


    Tuesday, August 11, 2015 11:21 PM

All replies

  • Try switching to using user level permissions and see if it will work. Certain APIs in SPO require a user context, like search; the taxonomy API may as well.


    Blog | SharePoint Field Notes Dev Tools | SPFastDeploy | SPRemoteAPIExplorer

    Wednesday, August 12, 2015 3:15 AM
  • Due to an application constraint, I wanted to use the web job to do it. Is there any way to make it work from the web job? I am surprised that although I am making an application request for taxonomy write permission, it still throws an access denied error... :(
    Wednesday, August 12, 2015 12:35 PM
  • Hi guys,

    This is the same issue I've faced since 08/19/2015. Please do not hesitate to contact me or post here if you find a solution to this problem.

    Friday, August 21, 2015 5:26 AM
  • I'm facing a similar issue while using an Azure AD app with "Read and write managed metadata" app permissions and a certificate for authentication.
    Wednesday, April 27, 2016 1:09 PM
  • Thanks to my colleague Ronnie!

    In my case, creating an app-only context with the tenant URL and then adding app@sharepoint to the term store permissions worked. Apparently it is an undocumented token.

    Sunday, May 8, 2016 5:43 PM
  • Turns out that in order to have a SharePoint hosted app be able to modify the taxonomy store, you need to add a funny user account as term store administrator: "app@sharepoint"

    After adding such a user, your script will work.

    • Proposed as answer by Holylander Tuesday, January 7, 2020 4:42 PM
    Tuesday, January 7, 2020 4:42 PM