
Azure ACS App based authentication fails for Tenant Level Operation #9678

Open
1 of 9 tasks
wizneeraj opened this issue May 9, 2024 · 6 comments
Labels
type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs.

Comments

@wizneeraj

wizneeraj commented May 9, 2024

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

SharePoint CSOM

Developer environment

Windows

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

C# based code

Describe the bug / error

We are currently using the CSOM-based model to set up properties of a Site. The context is built using GetACSAppOnlyContext(clientid, clientsecret).

using Microsoft.SharePoint.Client;
using Microsoft.Online.SharePoint.TenantAdministration;

var adminURL = "https://tenant-admin.sharepoint.com/";
// TokenHelperTenant wraps GetACSAppOnlyContext(clientid, clientsecret) for the admin URL
var context = TokenHelperTenant.GetContext(adminURL);

var tenant = new Tenant(context);
var siteProperties = tenant.GetSitePropertiesByUrl("https://tenant.sharepoint.com/sites/portal", true);
context.Load(siteProperties, s => s.SharingCapability);
context.ExecuteQuery(); // line where the error occurs - "Attempted to perform an unauthorized operation"

The Client App being used has Tenant level Full control permission which was created using appregnew.aspx page and I have ensured DisableCustomAppAuthentication setting is not enabled at the tenant level.

We have started facing the issue starting today. Kindly assist. The issue happens when Get-PnPTenantSite cmdlet is also used.

Steps to reproduce

  1. Register an app with tenant level full control permission using the appregnew.aspx & appinv.aspx page
  2. Use the generated client id & secret to access the site properties using Get-PnPTenantSite

Expected behavior

Should be able to access the properties of the Site from the Tenant

@wizneeraj wizneeraj added the type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs. label May 9, 2024
@lucacosta1

You're not alone. We started to have problems with some security calls, and removing site collections by code using Apps. Testing code manually with a real user is ok. The problem is in CSOM and PnP calls.

@wizneeraj
Author

Seems like the calls are failing when using App based authentication. Executing Get-PnPTenantSite works for user context, fails for App based context. I have raised a MS case as well, but so far no traction.

@pdl5p

pdl5p commented May 10, 2024

I'm seeing something similar that started earlier today.

  • Using App Only ACS context with client id and client secret. App is granted full control of tenant, secret current and not expired.
  • CSOM calls to tenant and site collection level operations are failing with "Attempted to perform an unauthorized operation"
  • Calls to web level operations still ok

@lucacosta1

We changed the connection to client id and certificate, and that fixed it on the PnP side. The certificate should be uploaded to the app.

$bytes = Get-Content '.\PnPPowerShell.pfx' -AsByteStream
$encodedPfx = [System.Convert]::ToBase64String($bytes)
Connect-PnPOnline [tenant].sharepoint.com -ClientId [clientid] -Tenant [tenant].onmicrosoft.com -CertificateBase64Encoded $encodedPfx

from https://pnp.github.io/powershell/articles/connecting.html
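The same switch from an ACS client secret to certificate-based app-only authentication, applied to the original C# CSOM scenario, as an added example that is not code from this thread or from the PnP project. It assumes the PnP.Framework package (its AuthenticationManager constructor that takes a client id, PFX path, PFX password and tenant id) and the CSOM NuGet package; all client ids, tenant names, URLs and the PFX path are placeholders, and the PFX password is read from an environment variable named PFX_PASSWORD, which is also an assumption. The code exercises a web-level call and then the tenant-level call that failed in the report, so it doubles as a check of whether a given app-only context is affected.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Online.SharePoint.TenantAdministration;
using Microsoft.SharePoint.Client;
using PnP.Framework;

class TenantAuthCheck
{
    // Placeholder values: the app must be an Entra ID (Azure AD) app registration with the
    // certificate uploaded and the Sites.FullControl.All application permission consented,
    // not an ACS app created via appregnew.aspx.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string TenantId = "contoso.onmicrosoft.com";
    const string CertPath = @".\PnPPowerShell.pfx";
    const string AdminUrl = "https://contoso-admin.sharepoint.com/";
    const string SiteUrl  = "https://contoso.sharepoint.com/sites/portal";

    static async Task Main()
    {
        // Assumption: the PFX password is supplied via an environment variable so it is
        // never hard-coded next to the client id.
        string pfxPassword = Environment.GetEnvironmentVariable("PFX_PASSWORD") ?? string.Empty;

        // Certificate-based app-only authentication; this replaces
        // GetACSAppOnlyContext(clientId, clientSecret) from the original report.
        var auth = new AuthenticationManager(ClientId, CertPath, pfxPassword, TenantId);

        bool webOk = await WebLevelCallAsync(auth);
        bool tenantOk = await TenantLevelCallAsync(auth);

        Console.WriteLine($"Web-level call:    {(webOk ? "OK" : "UNAUTHORIZED")}");
        Console.WriteLine($"Tenant-level call: {(tenantOk ? "OK" : "UNAUTHORIZED")}");
    }

    // Web-level operation (reported in the thread as still working under ACS).
    static async Task<bool> WebLevelCallAsync(AuthenticationManager auth)
    {
        try
        {
            using ClientContext ctx = await auth.GetContextAsync(SiteUrl);
            ctx.Load(ctx.Web, w => w.Title);
            await ctx.ExecuteQueryAsync();
            return true;
        }
        catch (ServerUnauthorizedAccessException)
        {
            return false;
        }
    }

    // Tenant-level operation: the call that failed with
    // "Attempted to perform an unauthorized operation" under the ACS context.
    static async Task<bool> TenantLevelCallAsync(AuthenticationManager auth)
    {
        try
        {
            using ClientContext adminCtx = await auth.GetContextAsync(AdminUrl);
            var tenant = new Tenant(adminCtx);
            var props = tenant.GetSitePropertiesByUrl(SiteUrl, true);
            adminCtx.Load(props, s => s.SharingCapability);
            await adminCtx.ExecuteQueryAsync();
            return true;
        }
        catch (ServerUnauthorizedAccessException)
        {
            return false;
        }
    }
}
```

Running the two calls separately makes the failure pattern from the thread visible in one place: under an affected ACS context the web-level call succeeds while the tenant-level call is rejected, whereas a certificate-based Entra ID app with consented tenant-wide application permissions is expected to pass both.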

@chandan805

This issue is resolved now by MS.

@pdl5p

pdl5p commented May 10, 2024

https://admin.microsoft.com/#/servicehealth/history/:/alerts/SP791794
