
How to Create and Use a SharePoint App Registration

SharePoint App Registrations are very useful for unattended tasks that read or update SharePoint sites. An app registration is similar to a user service account but more secure: it cannot be used for an interactive user sign-in, and it is used only by custom applications or automated scripted processes. It can be made more secure still with a certificate, in which case the app may only run from the machine that owns the certificate.

SharePoint Things to Do with App Registrations

  • Read data and write it to another process
    • Write CSV, text, or XML files
    • Useful for data to import into reporting software
    • Write the data to other APIs such as ERPs, project software, or work authorization systems
  • Change the data
    • Check the data on a schedule and update it based on constraints
    • Change permissions on items in a SharePoint list once an item is past due
  • Work with partners and vendors to provide just-in-time, specific access to the necessary data

Simple Process

  1. Create the application either in SharePoint or in App registrations in portal.azure.com
  2. Grant the app registration permission to the SharePoint resource using the SharePoint appinv.aspx page
  3. Scope the app registration to the site using Read, Write, Manage, or FullControl
  4. Verify the access

Detailed Process

    Generate the App Registration

    App Registrations Can Be Created in Two Different Ways

      1. An App Registration can be created in the Azure portal under App registrations. Click New registration. (I prefer this way because all my app registrations can then be centrally managed, and it provides greater detail to me and other administrators.)
      2. SharePoint page for creating the app: https://<tenant>.sharepoint.com/_layouts/15/appregnew.aspx. (This is the old way, and it works with on-prem SharePoint servers too.)
      3. Store the Client ID and Client Secret. The Client Secret cannot be retrieved after this screen and will be lost once you navigate away. Another benefit of the Azure portal method is that you can easily create a new Client Secret if you mess up or forget this step.

    Grant Access within the Admin Center

    1. Look up the app using the previously created Client ID.
      1. If you used the Azure portal, this can easily be found in the list of App registrations.
      2. If you used the SharePoint "appregnew.aspx" web page, be sure to copy the ID.
    2. Go to https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx, paste the App Registration ID into the App ID box, and click Lookup.
    3. The app domain and redirect URL are not important and can be any value, but I like to put the site collection for which I am giving the app permission into the redirect URL. It has no effect on permissions. It is just extra information that reminds me what site the app is for.

    Scoping the Permissions - Permission Request XML schema

    This is the part that makes the app registration work. You can copy and paste the example and change the Scope and the Right. I highlight AllowAppOnlyPolicy, the Scope URI, and the Right because each one affects how your app registration functions. If you forget AllowAppOnlyPolicy="true", the app registration will give you a 403 error. The Scope URI indicates at what level the Right is applied. Do you want to grant access to the entire tenant (including all sites), just one site, or maybe just one list on the site? This is a really important decision to make to ensure you grant the app least privilege.

    The XML Schema:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="<Scope URI>" Right="<Right>" />
    </AppPermissionRequests>

    A Working Example (note that the AllowAppOnlyPolicy value must be quoted and closed, or the page will reject the XML):

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    </AppPermissionRequests>

    Possible Values of Scope URI from Most Permissions to Least Permissions

    • http://sharepoint/content/tenant – Permissions are granted to the Add-in at the tenant level. Tenant-level permissions are needed for tenant-level operations, such as creating a site collection, or for operations that span different site collections.
    • http://sharepoint/content/sitecollection – Permissions are granted to the Add-in at the level of one site collection.
    • http://sharepoint/content/sitecollection/web – Permissions are granted to the Add-in at the level of one web.
    • http://sharepoint/content/sitecollection/web/list – Permissions are granted to the Add-in at the level of one list.

    Possible Values of Right from Least Permissions to Most Permissions

    Right: the rights given to the Add-in. SharePoint supports four right levels:
    • Read - only read information
    • Write - update information and create new items
    • Manage - more than Write; you can also alter permissions
    • FullControl - create lists and document libraries, manage the site, and delete content
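    The Scope and Right tables above rank the values by breadth, and the section before them warns about the 403 that a missing AllowAppOnlyPolicy produces. The following PowerShell script is an added example, not code from the original post: it parses a permission request XML block before it is pasted into appinv.aspx, flags a missing AllowAppOnlyPolicy, rejects unknown Scope or Right values, and warns when the grant is tenant-wide or at Manage/FullControl so that an over-broad grant stands out. The function name Test-AppPermissionRequest and the sample XML blocks are my own; the rankings come from the post's two lists.

```powershell
# Added example (not from the original post): lint a permission request XML block
# for the 403 pitfall and for least privilege before pasting it into appinv.aspx.

# Scope URIs from broadest to narrowest (from the post); lower number = broader
$ScopeRank = [ordered]@{
    'http://sharepoint/content/tenant'                  = 0
    'http://sharepoint/content/sitecollection'          = 1
    'http://sharepoint/content/sitecollection/web'      = 2
    'http://sharepoint/content/sitecollection/web/list' = 3
}
# Rights from least to most privilege (from the post)
$RightRank = [ordered]@{ Read = 0; Write = 1; Manage = 2; FullControl = 3 }

function Test-AppPermissionRequest {
    param([Parameter(Mandatory)][string]$Xml)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    try { [xml]$doc = $Xml }
    catch { return @("ERROR: XML does not parse: $($_.Exception.Message)") }

    $root = $doc.AppPermissionRequests
    if (-not $root) { return @('ERROR: root element must be <AppPermissionRequests>') }

    # A missing or non-"true" AllowAppOnlyPolicy makes every app-only call return 403
    if ($root.AllowAppOnlyPolicy -ne 'true') {
        $findings.Add('ERROR: AllowAppOnlyPolicy="true" is missing; app-only calls will return 403')
    }

    $requests = 0
    foreach ($req in @($root.AppPermissionRequest)) {
        if (-not $req) { continue }
        $requests++
        $scope = [string]$req.Scope
        $right = [string]$req.Right
        if (-not $ScopeRank.Contains($scope)) {
            $findings.Add("ERROR: unknown Scope '$scope'")
            continue
        }
        if (-not $RightRank.Contains($right)) {
            $findings.Add("ERROR: unknown Right '$right' (expected Read, Write, Manage or FullControl)")
            continue
        }
        if ($ScopeRank[$scope] -eq 0) {
            $findings.Add("WARN: tenant scope grants '$right' on every site collection; narrow it unless cross-site work is required")
        }
        if ($RightRank[$right] -ge $RightRank['Manage']) {
            $findings.Add("WARN: '$right' at '$scope' allows permission changes; confirm the task needs it")
        }
        $findings.Add("INFO: $scope -> $right")
    }
    if ($requests -eq 0) { $findings.Add('ERROR: no <AppPermissionRequest> elements found') }
    return $findings.ToArray()
}

# Constructed samples: the post's working example, and an over-broad grant with the policy flag omitted
$okXml = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
</AppPermissionRequests>
'@
$broadXml = @'
<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
'@

Test-AppPermissionRequest -Xml $okXml    | ForEach-Object { "ok:    $_" }
Test-AppPermissionRequest -Xml $broadXml | ForEach-Object { "broad: $_" }
```

    The first sample produces a single INFO line; the second produces the AllowAppOnlyPolicy error plus both warnings, which is the signal to narrow the scope and right before granting anything in the admin center.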

    Verify

    How to View Apps on a Site


    How to Verify It's Working

    1. Running Connect-PnPOnline -Url <your_url> -ClientId <your_app_registration_id> -ClientSecret <your_client_secret> lets you know whether you created and trusted your app registration correctly.
    2. Get-PnPSite or Get-PnPList will confirm whether you scoped your access correctly.
      1. Sometimes you can connect to the site but can't read anything on it because your scope wasn't set correctly.
    3. Once it is working, you can also use PowerShell cmdlets such as Invoke-RestMethod to call the SharePoint APIs, or use tools like Postman to access the site.
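    The three verification steps above, carried through as one PowerShell script. This is an added example and not code from the original post. It assumes the PnP.PowerShell module is installed, and the site URL, client ID and client secret are placeholders to replace with your own values. The connection test, the Get-PnPSite and Get-PnPList probes, and the distinction between "connect works but reads fail" (wrong scope or missing AllowAppOnlyPolicy) follow the post; the REST call at the end uses Get-PnPAppAuthAccessToken to reuse the app-only token, which I am assuming is available in the installed PnP.PowerShell version.

```powershell
# Added example (not from the original post): verify a SharePoint app registration end to end.
# Assumes the PnP.PowerShell module; placeholders below are to be replaced with your values.
Import-Module PnP.PowerShell

$siteUrl  = 'https://<tenant>.sharepoint.com/sites/<site>'   # the site the permission XML scoped
$clientId = '<your_app_registration_id>'
$secret   = '<your_client_secret>'   # in real use, read this from a vault or environment variable, not a script

# Step 1: does the app registration connect at all? A failure here means the app was not
# created or trusted correctly (wrong id/secret, or appinv.aspx was not run on the admin site).
try {
    Connect-PnPOnline -Url $siteUrl -ClientId $clientId -ClientSecret $secret -ErrorAction Stop
    Write-Host "Connected: the app registration is trusted for $siteUrl"
}
catch {
    Write-Host "Connect failed: $($_.Exception.Message)"
    return
}
# Certificate-based variant for an Azure AD app registration (assumed parameters, not used above):
# Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant '<tenant>.onmicrosoft.com' -Thumbprint '<cert_thumbprint>'

# Step 2: a connection can succeed while every read fails. A 403 here usually means
# AllowAppOnlyPolicy="true" was omitted, or the Scope URI is narrower than this site.
try {
    $site = Get-PnPSite -ErrorAction Stop
    Write-Host "Site collection readable: $($site.Url)"
}
catch {
    Write-Host "Get-PnPSite failed: $($_.Exception.Message) (check AllowAppOnlyPolicy and the Scope URI)"
}

try {
    $lists = Get-PnPList -ErrorAction Stop
    Write-Host "Lists visible: $(@($lists).Count)"
}
catch {
    Write-Host "Get-PnPList failed: $($_.Exception.Message) (a list-level scope only exposes that one list)"
}

# Step 3: the same app-only token can call the SharePoint REST API directly with Invoke-RestMethod.
try {
    $token   = Get-PnPAppAuthAccessToken
    $headers = @{ Authorization = "Bearer $token"; Accept = 'application/json;odata=nometadata' }
    $web     = Invoke-RestMethod -Uri "$siteUrl/_api/web?`$select=Title,Url" -Headers $headers
    Write-Host "REST: $($web.Title) ($($web.Url))"
}
catch {
    Write-Host "REST call failed: $($_.Exception.Message)"
}
```

    Run it once right after granting the permission XML and keep it as a smoke test: if the connect step passes but Get-PnPSite fails with a 403, go back to appinv.aspx and check the AllowAppOnlyPolicy attribute and the Scope URI before touching anything else.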
