Setting up an app-only principal in SharePoint Online is documented in Grant Access using SharePoint App-Only. This post highlights how this approach can resolve “Unauthorized (401)” errors when running tenant-level PnP cmdlets such as Set-PnPStorageEntity under a global admin account with multi-factor authentication (MFA) enforced.
The remote server returned an error: 401 Unauthorized
- Create the Client Id and Secret
Go to the following URL in your tenant: https://[yourtenant].sharepoint.com/_layouts/15/appregnew.aspx (you can use any site, but for now pick the root site). Click Generate to create the Client Id and Client Secret. Finally, click Save.
- Grant permissions
Now that you have created the app principal, you need to grant it tenant-level permissions via the /appinv.aspx page on the SharePoint admin site: https://[yourtenant]-admin.sharepoint.com/_layouts/15/appinv.aspx. Next, enter your previously recorded Client Id and click Lookup. For the requisite “Full Control” permissions, you will need to copy and paste the permission scope definition shown in the XML below.
- Trust Dialog
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
Connecting to Office 365 in PowerShell
The Set-PnPStorageEntity cmdlet allows you to save a storage entity (property) either in the tenant-level application catalogue, where it is accessible from any site, or in an application catalogue scoped to a single site collection.
You may successfully connect to Office 365 with your MFA Global Admin account using the Connect-PnPOnline cmdlet:
Connect-PnPOnline https://yoursite.sharepoint.com -SPOManagementShell
However, you could still encounter annoying (401) Unauthorized errors if the account has MFA enforced.
To resolve the error, you can connect to your tenant with any site URL, using the Client Id and Client Secret. Alternatively, you can connect to a specific site, should you want to save the storage entity scoped only to that site (collection).
# tenant or farm level
Connect-PnPOnline -Url https://yourtenant.sharepoint.com -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"

# site level
Connect-PnPOnline -Url https://yourtenant.sharepoint.com/sites/yoursite -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"
The command only gives feedback when there is an error – to verify the storage entity is set, run the following command.
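The full flow described above, as an added example that is not from the original post: it connects app-only, sets a storage entity, and reads it back because the set is silent on success. The Client Secret authenticates without MFA, so it is read from environment variables instead of being written into the script. The function name, the variable names PNP_CLIENT_ID and PNP_CLIENT_SECRET, and the sample key and value are assumptions.

```powershell
# Added example; the function name, environment variable names and sample values are assumed.
function Set-VerifiedStorageEntity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Url,    # tenant root, or a site that has its own app catalogue
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value,
        [string] $Description = 'Set via app-only connection',
        [ValidateSet('Tenant', 'Site')] [string] $Scope = 'Tenant'
    )

    # Assumed variable names: populate them from your secret store so the
    # Client Secret never lands in the script, shell history or source control.
    $clientId     = $env:PNP_CLIENT_ID
    $clientSecret = $env:PNP_CLIENT_SECRET
    if ([string]::IsNullOrWhiteSpace($clientId) -or [string]::IsNullOrWhiteSpace($clientSecret)) {
        throw 'PNP_CLIENT_ID and PNP_CLIENT_SECRET must be set before running.'
    }

    # App-only connection, using the same parameters as the post.
    Connect-PnPOnline -Url $Url -AppId $clientId -AppSecret $clientSecret -ErrorAction Stop
    try {
        # Set-PnPStorageEntity prints nothing on success, so stop on any error...
        Set-PnPStorageEntity -Key $Key -Value $Value -Description $Description `
            -Scope $Scope -ErrorAction Stop

        # ...and read the entity back to confirm that it was stored.
        $stored = Get-PnPStorageEntity -Key $Key -Scope $Scope
        if ($null -eq $stored -or $stored.Value -ne $Value) {
            throw "Storage entity '$Key' was not saved with the expected value."
        }
        return $stored
    }
    finally {
        # Drop the privileged app-only session as soon as the work is done.
        Disconnect-PnPOnline
    }
}

# Constructed sample call (tenant scope)
Set-VerifiedStorageEntity -Url 'https://yourtenant.sharepoint.com' `
    -Key 'ExampleKey' -Value 'ExampleValue'
```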