westerdale.blog

A SharePoint Consultant's Journey, On The Road to Collaboration

You are here: Home / SharePoint / Set Up App-Only Access To Your Tenant to solve (401) Unathorized Errors

Set Up App-Only Access To Your Tenant to solve (401) Unathorized Errors

by Leave a Comment

Setting up an App-only principal in SharePoint Online is documented in Grant Access using SharePoint App-Only This post highlights how this approach can resolve: “Unauthorized (401) errors”, running tenant level PnPComandlets such as Set-PnPStorageEntity , under an global admin account with multi-factor authorisation (MFA) enforced.

The remote server returned an error: 401 Unauthorized

Advice

Store securely the generated Client Id (AppId) and Client Secret (AppSecret) generated in the step below as these will be used when connecting your tenant.

 

  1. Create the Client Id and Secret

    Go to following UL tenant: https://[yourtenant].sharepoint.com/_layouts/15/appregnew.aspx you can go to any site, but for now pick the root site. Click the Generate, to create the Client Id and Client Secret. Finally click Save.

  2. Grant permssions

    Now you have the app principal created, you need to grant tenant level permssions, via the /appinv.aspx page on the SharePoint admin site . https://[yourtenant]admin.sharepoint.com/_layouts/15/appinv.aspx . Next, enter your previously recorded Client Id and click Lookup. For the requisite “Full Control” permissions, you will neet to copy and paste the permission scope definition shown in the XML below. 

  3. Trust Dialog

     

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

Connecting to Office 365 in PowerShell

The Set-PnPStorageEntity Commandlet, allows you to save a storage entity (property) , either in the tenant level application catalogue, to be accessible from any site or in a single site collection scoped application catlogue.

You may successfully connect to office 365 with your MFA Global Admin account with the Connect-PnPOnline commandlet:

Connect-PnPOnline https://yoursitesharepoint.com -SPOMangementShell

However, you could encounter annoying: (401) Unauthorized errors, if the account has MFA enforced.

To resolve the error, you can connect to your tenant with any site url, using the Client Id and Client Secret. Alternatively, you can also connect to a specific site, should you want to save the storage entity, scoped only to that site ( collection).

# tenant or farm level
Connect-PnPOnline -Url https://yourtenant.sharepoint.com -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"
# site level 
Connect-PnPOnline -Url https://yourtenant.sharepoint.com/sites/yoursite   -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"

The command only gives feedback when there is a error – to verify the storage entity is set, run the following command.

About Daniel Westerdale

Daniel Westerdale is a freelance SharePoint and Office 365 Consultant, helping both private and public sector clients get the most out of their investment in Microsoft's collaboration technologies.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *