Forum Discussion
Deleted
Feb 20, 2017 - Programmatic creation of Office 365 Groups
I can create an Office 365 Group with PnP PowerShell (https://msdn.microsoft.com/en-us/pnp_articles/modern-experience-customizations-provisioning-sites) with no problems at all - both the Office 365 group and the underlying modern SharePoint site are created. The article mentioned that "app-only" operations against the Microsoft Graph are not supported.
But now I found this documentation page (https://graph.microsoft.io/en-us/docs/authorization/app_only) walking through the "app-only" scenario. The code works, because the Office 365 group is created a few seconds after. But the underlying modern team site is not. It throws a "ResourceNotFound" with "Resource provisioning is in progress. Please try again later", as mentioned in this issue too: https://github.com/microsoftgraph/microsoft-graph-docs/issues/631
Two-part question:
1) Can anyone confirm that we can make "app-only" (daemon app) calls against the Microsoft Graph?
2) If so, how can we work around the unknown pending period? If the group was created with a user access token, both the group and the site beneath it are ready in seconds (besides the mailbox etc.), but the modern team site is my focus area.
Thanks in advance
You are one lazy.... ;)
using Microsoft.SharePoint.Client;                        // ClientContext, ExecuteQueryRetry (PnP Core extension)
using Microsoft.Online.SharePoint.TenantAdministration;   // Tenant, SiteProperties
// clientContext must be connected to the tenant admin site (https://<tenant>-admin.sharepoint.com)
Tenant tenant = new Tenant(clientContext);
var site = tenant.GetSitePropertiesByUrl(siteUrl, false);
clientContext.Load(site, s => s.Status);
site.Context.ExecuteQueryRetry();
var status = site.Status;   // "Active" once the group site has finished provisioning
- Tomas Paulas (Brass Contributor)
Hi folks,
So after a few months, I'm trying this again in order to automate the process and I'm facing the same challenge. Office 365 group creation is of course disabled in the organization, otherwise people will just create a mess, so I plan to do provisioning using app-only delegated tokens. The group creates, without logo and always public (even though I specify an image stream and private), but no site before I call the URL mentioned below. However, I cannot just call the URL, it can only be called under some user. For that you need to have a username/password. Then the site creates, at some point. You do not know when, so keep waiting and checking if the site exists. When done, you can start customizing it to your company needs.
Quite a complicated process to provision a group and site from C#. Is this really the only way? It's on the edge of hacking the system. I can't believe Microsoft made it that hard for enterprise customers to work with this. Does anyone have any new findings?
- Bernd Rickenberg (Brass Contributor)
Group creation with app-only works fine for me, now. The SharePoint site creation is started instantly and public/private is working as expected.
Currently, I see though an issue where the SharePoint site is in creating state for quite a while, e.g. 75 minutes.
- Tomas Paulas (Brass Contributor)
Then I'm really wondering how you do it :) . I dug into PnPCore in Git, the UnifiedGroupsUtility.CreateUnifiedGroup function, and an app-only token will create the group, add members and that's it. When it's adding the logo, it returns "Message: Access is denied. Check credentials and try again." and when creating the site it returns "AccessDenied Message: Either scp or roles claim need to be present in the token." In order for this to work I have to request a token based on the user's token that is calling the app. With this token I can upload the logo and set it to private/public.
I tried whatever possible, but still the same. Today I will try to delete the site, but I'm nearly sure that if I delete the group with app-only permissions it will leave the site orphaned, because this is connected with the user token again. So it is the user who should do the action.
Thank you for your advice.
cc: Mikael Svenson
- Mikael Svenson (Steel Contributor)
Private works fine for me, and it's not that hard to handle the missing site in a workflow imo - but annoying for sure. And today using app only it's the only way.
- Vishwanatha Nayak (Brass Contributor)
Hi Jonas,
A quick question and directions would be really helpful. I can create an Office 365 Group with PnP PowerShell, but many options under Site Settings are missing from the SharePoint site that is created with the group. I have tested this in multiple tenants and the behaviour is the same across :(
Do you face the same issue or any suggestions? Thanks in advance.
- Mikael Svenson (Steel Contributor)
This is expected. Modern groups have fewer options. But you can enable scripting on the site, which will open more options. You can do that with set-pnptenantsite -noscriptsite:$false
- Vishwanatha Nayak (Brass Contributor)
Thank you Mikael. I will give that a go and see if that helps. Thanks a ton for the directions.
I had also noticed that if the group is set to private, it will take a while to provision a site. I assume this is also by design and the provisioning solution needs a wait condition.
Regards,
Vishwa
- Deleted
If I grab the access token returned from PnP PowerShell using Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All","User.Read.All" and use this in the same code, it works just fine. So, the Graph can do it, if the access token contains the correct permissions.
PnP PowerShell requires the two mentioned application permissions, but it also presents some delegated permissions in the consent dialog, so I'm not sure which permissions are requested during this consent approach.
- Mikael Svenson (Steel Contributor)
I have a PR in place which is merged to support app-only tokens in the PnP commandlet. Using app-only tokens is also supported for creating Groups (https://developer.microsoft.com/en-us/graph/docs/overview/release_notes#groups).
The commandlet has this added signature:
Connect-PnPMicrosoftGraph -AppId <id> -AppSecret <secret> -AADDomain yourtenant.onmicrosoft.com
The sample to set up and consent to the app can be found in the PnP dev branch at: https://github.com/SharePoint/PnP-PowerShell/tree/dev/Samples/Graph.ConnectUsingAppPermissions
You need User.Read.All and Groups.ReadWrite.All scopes in your app for this to work.
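As an added example (not code from this thread or from the PnP project), the following PnP PowerShell script puts the pieces from this thread together: it connects app-only with the signature Mikael describes, creates the group, and then implements the wait condition several posters ask for by polling the tenant for the group site until its status is Active, with a timeout so a stuck provisioning (the 75-minute case mentioned above) fails loudly instead of hanging forever. The app id, secret, tenant name, group alias, the /sites/<alias> URL convention and the timeout values are assumptions, not values from the thread.

```powershell
# Added example: app-only group creation followed by a polling wait for the SharePoint site.
# All placeholders below are assumptions; replace them with your own tenant values.
$appId     = '<app-id>'
$appSecret = '<app-secret>'
$aadDomain = 'yourtenant.onmicrosoft.com'
$adminUrl  = 'https://yourtenant-admin.sharepoint.com'
$alias     = 'finance-team'        # mail nickname; assumed to become /sites/<alias>

# App-only Graph connection (signature from Mikael's post).
# The app registration needs User.Read.All and Group.ReadWrite.All, consented by an admin.
Connect-PnPMicrosoftGraph -AppId $appId -AppSecret $appSecret -AADDomain $aadDomain

# Create the group. The SharePoint site is provisioned asynchronously, so this returns early.
$group = New-PnPUnifiedGroup -DisplayName 'Finance Team' -Description 'Finance team workspace' -MailNickname $alias

# Polls Get-PnPTenantSite until the site reports Status 'Active' or the deadline passes.
# Get-PnPTenantSite throws while the site does not exist yet; that is treated as "keep waiting".
function Wait-PnPGroupSite {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$TimeoutMinutes = 90,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        try {
            $site = Get-PnPTenantSite -Url $Url -ErrorAction Stop
            if ($site.Status -eq 'Active') { return $site }
            Write-Verbose "Site $Url is in state '$($site.Status)', waiting..."
        } catch {
            Write-Verbose "Site $Url not found yet, waiting..."
        }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "Site $Url was not Active after $TimeoutMinutes minutes; provisioning may be stuck."
}

# Tenant-admin connection is required for Get-PnPTenantSite / Set-PnPTenantSite.
Connect-PnPOnline -Url $adminUrl -Credentials (Get-Credential)
$siteUrl = "https://yourtenant.sharepoint.com/sites/$alias"
$site = Wait-PnPGroupSite -Url $siteUrl -Verbose

# Once the site is active, allow custom scripting so the extra Site Settings options appear (Mikael's tip).
Set-PnPTenantSite -Url $siteUrl -NoScriptSite:$false
Write-Output "Group '$($group.DisplayName)' and site $siteUrl are ready."
```

The separate admin connection is deliberate: the Graph connection only covers the group, while site status and the NoScriptSite switch are SharePoint tenant operations. Keep the timeout generous but finite, and log the intermediate states, so a run that never produces a site is visible in your automation logs rather than silently waiting.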
- Most likely, the token you are "grabbing" contains delegated permissions.
- Jan Tibell (Brass Contributor)
For what it's worth, I'm also doing some Unified Groups PnP wizardry, and when I create a Group with PnP PowerShell, it will be created faster if I set it to public instead of private.
When I create private groups it takes about 5 mins before I can run commands on the underlying site.
I would imagine that you are seeing problems because the app-only operation is not supported. (The graph.microsoft.io page you cite only discusses app-only tokens. It does not state that you can use it to create O365 groups.) I would not expect your process to work.
You can submit ideas for new features at https://officespdev.uservoice.com/
- Deleted
Can you explain the difference between app-only operations and app-only tokens?
... on the release notes they state the following: "Examples of group features that support delegated and app-only permissions:
- Creating and deleting groups
- Getting and updating group properties pertaining to group administration or management ..."
(https://graph.microsoft.io/en-us/docs/overview/release_notes). Furthermore, in the permission section of the same article, they have a known issue when using Group.ReadWrite.All in the v1.0 endpoint:
Cannot enumerate groups or group memberships, create groups, update group memberships or delete groups. Can still read and update group content for Office groups. Also select Directory.ReadWrite.All. NOTE: Group deletion will not be possible. I've tried to also select the Directory.ReadWrite.All permission in Azure AD, but no effect yet. The above tells me that it might be possible, or am I missing something?
Another question - is there any documented delay after changing Azure AD app permissions? I have granted the app again (after the change), but the token still looks the same to me. Thanks in advance.
An app-only operation is one where the effective permissions consider only the app principal, not the current user. To assert privilege for an operation you need a token. If you acquire a token using a client id/secret without user consent, that is called an app token.
After changing permission requests for an app principal, you will need to re-consent. Append "prompt=consent" to the auth endpoint to invoke the consent flow.
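The question of which permissions a token actually carries comes up several times in this thread (the "grabbed" PnP token, the "Either scp or roles claim need to be present" error, and the token that "looks the same" after re-consent). As an added example, not code from the thread or from PnP, the PowerShell below decodes the payload of an access token and reports whether it carries application permissions (a roles claim, the app-only case) or delegated permissions (an scp claim, the user-context case), plus the audience and expiry so you can see whether a re-consented token has actually been reissued. The token variable is assumed to come from your own auth flow; the decode helper is this example's own.

```powershell
# Added example: inspect a JWT access token's claims to tell app-only from delegated permissions.
# Only decodes the payload for diagnostics; it does not validate the signature.

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding; convert to standard base64 before decoding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Get-GraphTokenPermissionType {
    param([Parameter(Mandatory)][string]$Token)
    $claims = Get-JwtPayload -Token $Token
    # 'roles' holds application permissions (client-credentials / app-only tokens).
    $hasRoles = ($null -ne $claims.roles) -and (@($claims.roles).Count -gt 0)
    # 'scp' holds delegated permissions granted in a user's context.
    $hasScp = -not [string]::IsNullOrEmpty($claims.scp)
    [pscustomobject]@{
        Audience     = $claims.aud
        AppOnly      = $hasRoles -and -not $hasScp
        Roles        = @($claims.roles)
        Scopes       = $claims.scp
        IssuedUtc    = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat).UtcDateTime
        ExpiresUtc   = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        HasRolesClaim = $hasRoles
        HasScpClaim   = $hasScp
    }
}

# Usage (assumption: $accessToken was obtained from your own client-credentials or user flow):
# Get-GraphTokenPermissionType -Token $accessToken | Format-List
```

If the output shows an scp claim and no roles claim, the token is delegated and app-only Graph calls will fail with the scp/roles error quoted above; if the roles list does not include Group.ReadWrite.All after changing the app registration, the consent has not been re-run yet, which is what the "prompt=consent" advice in the previous reply addresses.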
- Deleted
In addition to the above - if the group was created with an app-only access token and we browse to https://tenant.sharepoint.com/_layouts/groupstatus.aspx?id=groupid&target=documents with the tenant name and group id, the modern team site is provisioned in a matter of ~30 seconds. To me, it seems like the provisioning process doesn't quite finish when requested through Microsoft Graph.
- I cannot confirm in regard to the App Only support when working with the Microsoft Graph, but I can confirm that the Group creation process works in the way you are seeing, because the same is happening when you do it from the UI:
(1) When you create the Group from OWA or Outlook, the EXO part is first created and then the Group site
(2) When you create a Modern Team site from the SPO landing page, the site is first created and then the EXO part
So in both cases, the required artifacts for a Group are not being created at the same time