Get the associated site collection to the AppID that is registered #7321
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
I know you can create an app registration via Azure Active Directory, then take that AppID to the /AppRegNew.aspx page in the SharePoint tenant, then apply permissions and start using it. This alternative, although I'm not sure it's recommended by Microsoft, does give you the ability to fetch the properties of the AppID via Graph API and get owner info. Is this suggested over simply going to /AppRegNew.aspx?
There is more on SP hosted app registration.
I agree @funzel1. If there was a way to grab the full properties plus owner and related site collection via Graph API, one could dump them to a DB table and process each, sending out a communication to the owner to take care of it. As far as renewing the secret, it doesn't always work, so we end up just creating a new AppID / Secret. And there have been occasions where you attempt to delete the AppID from the App Registration Inventory page and it errors out. We then pull out the trusty PowerShell script to force delete. If it doesn't delete, then it sits there, not managed.
Hello @bforsyt4, regarding Graph this is what we got from MS: Resources:
@VesaJuvonen any internal noise on this one?
We ended up writing a custom C# application to meet our needs:
I do take care of service principals that no longer exist, cleaning up records in our database so they don't show up on the report (but for service principals deleted from the SharePoint side, they still exist in the Azure Portal as @funzel1 mentioned; that is for another team to clean up). Now we can send out email notifications to site owners where the service principal will be expiring soon or is expired, along with instructions to take responsibility to clean up and delete unused ones. Hope this helps others experiencing this pain!
@bforsyt4, is it possible that you can share the 2nd console application?
@KuotingChiu - unfortunately it is proprietary to my company and I cannot share.
Fascinating thread. Does anyone know if it is possible to completely disable the SharePoint app registration page across the tenant?
@robertcaretta not sure. If you are thinking what most may be thinking, which is to abandon this process and move toward Azure App Registrations, we need Microsoft to weigh in on this - @VesaJuvonen thoughts?
Here is an interesting write-up. We recently implemented a POC using Option 3 (Hybrid). We created an Azure app, then granted specific permissions at site level via "AppInv.aspx". This page still allows for setting read access to the site and read/write to a list. There is the option of Sites.Selected on the Azure app, but it's still not granular enough. So as far as I can tell there is still a gap. Disabling "AppRegNew.aspx" while leaving "AppInv.aspx" available would be ideal for us... at least for now. I can definitely understand all of the other points made in this thread in regards to reporting, secret expiration, ownership, orphaned cleanup, etc.
Hello @robertcaretta, with the hybrid way you cannot restrict the app to a specific site; it is reusable on other sites, so you will have other problems.
Hello @funzel1 - Agreed, it would be nice if the Azure app could be locked down to a URL pattern. The use case required Graph API permissions, so that's the setup we had to use. I haven't worked through all the links listed above in this thread, but this is just an observation in my testing so far. I created a new SPO native app. Then in Azure AD, on the Enterprise applications page, remove all the filters for "Application type" and "Applications ID starts with". Click the X next to each one. At that point ALL apps will be listed. Then I find the native SPO app. Under the audit logs I can see that the Activity = "Add Service Principal"; Initiated by (actor) = "spo_service@support.onmicrosoft.com"; then under the modified properties tab it shows AppAddress = "https://MYDOMAIN.sharepoint.com/sites/MYSITE". Perhaps that activity could be monitored, data-warehoused, and connected up with the site owners? Yeah, there really should be another column indicating where the app was sourced from though, similar to how Groups are classified by Security, Microsoft 365, Dynamic, etc.
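The monitoring idea in the comment above (filter the Azure AD audit log for "Add Service Principal" events raised by the spo_service account, read the AppAddress property, and connect it to a site owner) is the same join the earlier comments wanted for owner notifications. Below is an added PowerShell example that does that join; it is not code from this thread or from Microsoft. The audit records and the owner table are constructed, and their shape only loosely follows the Microsoft Graph directoryAudit object, so every field name here is an assumption to check against a real export before relying on it.

```powershell
# Added example (not from this thread). Maps SharePoint ACS app registrations to
# the site collection they came from, using the audit fields named in the thread,
# then looks up an owner so a notification job has someone to write to.

# Constructed audit records. Field names mimic the Graph directoryAudit shape
# (activityDisplayName, initiatedBy.user, targetResources[].modifiedProperties)
# but this is NOT a captured export; verify the names against your tenant.
$auditJson = @'
[
  {
    "activityDisplayName": "Add service principal",
    "activityDateTime": "2023-05-02T10:15:00Z",
    "initiatedBy": { "user": { "userPrincipalName": "spo_service@support.onmicrosoft.com" } },
    "targetResources": [ {
      "displayName": "Inventory Sync (constructed)",
      "id": "00000000-0000-0000-0000-000000000001",
      "modifiedProperties": [
        { "displayName": "AppAddress", "newValue": "\"https://MYDOMAIN.sharepoint.com/sites/MYSITE/SitePages/Home.aspx\"" }
      ] } ]
  },
  {
    "activityDisplayName": "Add service principal",
    "activityDateTime": "2023-05-03T08:00:00Z",
    "initiatedBy": { "user": { "userPrincipalName": "admin@MYDOMAIN.onmicrosoft.com" } },
    "targetResources": [ {
      "displayName": "Azure portal app (constructed, should be skipped)",
      "id": "00000000-0000-0000-0000-000000000002",
      "modifiedProperties": []
    } ]
  },
  {
    "activityDisplayName": "Add service principal",
    "activityDateTime": "2023-05-04T12:30:00Z",
    "initiatedBy": { "user": { "userPrincipalName": "spo_service@support.onmicrosoft.com" } },
    "targetResources": [ {
      "displayName": "Orphan app (constructed, site has no owner on file)",
      "id": "00000000-0000-0000-0000-000000000003",
      "modifiedProperties": [
        { "displayName": "AppAddress", "newValue": "\"https://MYDOMAIN.sharepoint.com/sites/GONE\"" }
      ] } ]
  }
]
'@

# Constructed site collection -> owner table; keys are lower-cased site roots.
$siteOwners = @{
  'https://mydomain.sharepoint.com/sites/mysite' = 'site.owner@MYDOMAIN.onmicrosoft.com'
}

function Get-SiteCollectionRoot {
  # Reduce any URL under a site collection to its root (/sites/<name> or /teams/<name>),
  # because AppAddress may point at a page or library rather than the site itself.
  param([string]$Url)
  if ($Url -match '^(?i)(https://[^/]+/(sites|teams)/[^/]+)') { return $Matches[1].ToLowerInvariant() }
  if ($Url -match '^(?i)(https://[^/]+)') { return $Matches[1].ToLowerInvariant() }   # root site
  return $null
}

function Get-AcsAppSiteMap {
  param([string]$Json, [hashtable]$Owners)
  $records = $Json | ConvertFrom-Json
  foreach ($r in $records) {
    # Only "Add service principal" events initiated by the SharePoint service account
    # correspond to AppRegNew.aspx registrations; Azure-portal apps are left out.
    if ($r.activityDisplayName -ne 'Add service principal') { continue }
    if ($r.initiatedBy.user.userPrincipalName -ne 'spo_service@support.onmicrosoft.com') { continue }
    foreach ($t in $r.targetResources) {
      $prop = @($t.modifiedProperties | Where-Object { $_.displayName -eq 'AppAddress' })
      if ($prop.Count -eq 0) { continue }
      # newValue is a JSON-encoded string, so strip the surrounding quotes.
      $site  = Get-SiteCollectionRoot ($prop[0].newValue.Trim('"'))
      $owner = if ($site -and $Owners.ContainsKey($site)) { $Owners[$site] } else { 'UNKNOWN - no owner on file' }
      [pscustomobject]@{
        AppName    = $t.displayName
        ObjectId   = $t.id
        Site       = $site
        Owner      = $owner
        Registered = [datetime]$r.activityDateTime
      }
    }
  }
}

# Rows with an UNKNOWN owner are the orphan cases the thread describes and need manual follow-up.
Get-AcsAppSiteMap -Json $auditJson -Owners $siteOwners | Format-Table -AutoSize
```

With the constructed input this yields two rows (the portal-created app is skipped because its actor is not spo_service), one of them flagged UNKNOWN; in practice the owner table would be filled from your site-collection inventory and the audit records from a Graph or Log Analytics export.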
Now this topic should have higher priority |
We enabled the feature as well using the PowerShell command Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true. We have also blocked the appregnew.aspx page via a SharePoint Framework extension (overwriting the content using JavaScript) and display a message to move forward and create Azure App Registrations using the Azure Portal. We are also keeping the appinv.aspx page open to allow users to continue to utilize it to trust the newly created Azure Application Registrations to their site collections. This hybrid approach allows the older ACS-created App Registrations to fall off eventually while the customer base moves forward using the new modern approach, much like @robertcaretta described above. Next step is to use PnP to set permissions for users' App Registrations using Sites.Selected to scope it to specific site collection(s). https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html @funzel1 - if a custom solution is not feasible from your end, then maybe a design change request to Microsoft is your next step.
Hello @bforsyt4
Also for the new way, in an Azure AD app registration audit you will never see which SPO sites got assigned Sites.Selected.
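The two comments above describe a procedure (enable the tenant switch, then scope an Azure AD app to specific site collections with Sites.Selected through PnP) and a gap (the app registration audit does not show which sites were granted). The following added PowerShell example, which is not code from this thread or from the PnP project, walks that procedure and closes the gap from the site side by reading the grant back with Get-PnPAzureADAppSitePermission. The admin URL, site URL, app id and display name are placeholders; it assumes the Microsoft.Online.SharePoint.PowerShell and PnP.PowerShell modules, a SharePoint administrator account, and that the app already holds the Sites.Selected Graph permission.

```powershell
# Added example (not from this thread or from PnP). Enables site-owner management of
# legacy ACS principals, then grants one Azure AD app least-privilege access to one
# site collection and verifies the grant. All URLs and ids below are placeholders.

$adminUrl = 'https://MYDOMAIN-admin.sharepoint.com'          # placeholder tenant admin URL
$siteUrl  = 'https://MYDOMAIN.sharepoint.com/sites/MYSITE'   # placeholder site collection
$appId    = '00000000-0000-0000-0000-000000000000'           # placeholder app (client) id
$appName  = 'Inventory Sync (Sites.Selected)'                # placeholder display name

# 1. Tenant switch mentioned in the thread (Microsoft.Online.SharePoint.PowerShell).
Connect-SPOService -Url $adminUrl
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

# 2. Connect PnP to the site that will be granted (PnP.PowerShell).
Connect-PnPOnline -Url $siteUrl -Interactive

function Grant-ScopedAppAccess {
  # Wraps Grant-PnPAzureADAppSitePermission so callers must name the site explicitly
  # and cannot ask for more than Read or Write; this is the hypothetical helper's policy,
  # not a restriction of the cmdlet itself.
  param(
    [Parameter(Mandatory)][string]$AppId,
    [Parameter(Mandatory)][string]$DisplayName,
    [Parameter(Mandatory)][string]$Site,
    [ValidateSet('Read', 'Write')][string]$Permission = 'Read'   # least privilege: default to Read
  )
  Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $DisplayName -Site $Site -Permissions $Permission
}

Grant-ScopedAppAccess -AppId $appId -DisplayName $appName -Site $siteUrl -Permission 'Read'

# 3. Verify from the site side: the app should appear once, on this site, with the
#    role just granted. Because the app registration audit does not record this,
#    run this check (or export it) per site collection for your inventory.
Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $appId | Format-List
```

Running the verification step across all site collections and storing the result is how you rebuild, for Sites.Selected apps, the app-to-site mapping that the thread found missing from the Azure AD side.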
I don't see a way to get the associated site collection to the AppID that is registered. I'd like to be able to report out all site collections and their respective owners where an AppID is registered, using Graph API.
These AppIDs do show up in Azure Portal under Azure Active Directory > App Registrations (filter by Enterprise Applications), but with little information and no owner to tie back to the related site collection.