StevenDeRoover
Brass Contributor
Sep 08, 2022

Search API with Application Permissions returns no results, Delegated permissions do

As of August 26th, critical software in our company started to fail.

All functionality involving getting results from Microsoft SharePoint Search failed to get any results.

This software is PowerShell, .NET Console applications, Runbooks (PowerShell), .NET Web API in an Azure App Service, ...

All this software - that was failing - was using an Application Registration with either a certificate or password.

To fully troubleshoot, I created a .NET Console application with no frameworks (like PnpCore SDK, Pnp.Framework, ...) but a simple HttpClient to get results from https://tenant.sharepoint.com/_api/search/query?...

This HttpClient would have Bearer authorization, with an access token from either a PublicClientApplication (delegated permissions), or a ConfidentialClientApplication (application permissions).

The results were that delegated permissions always give the right results.

Application permissions, however, gave results when searching on "Title:", but gave no results (PrimaryResults were empty) when searching on anything else, in our case: "{searchtext} Path:https://tenant.sharepoint.com/sites/X/Lists/Y/*"

At first we thought this was caused by searching on RefinableString00 and RefinableString01, but searching without specifying a managed property fails as well.

Before August 26th, all was working just fine.

Apparently, Microsoft deployed a patch to SharePoint Search somewhere around that date, to improve performance.

This caused incident #MO420476 to be raised, but it was fixed later on. However, our problems still exist, so this might not be related (although I would like to believe it is).

This issue caused me to revert all applications to delegated permissions (which in some cases is not preferable at all, especially for f.i. runbooks).

Is there anyone who either has this issue as well, or is able to help me solve this issue?

Best regards
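
The comparison described in the post above, as an added example (not the poster's code): it confirms offline that a token really is app-only (a `roles` claim rather than `scp`) and then compares `TotalRows` from the two search responses. The tokens, response bodies and function names are constructed for illustration, and the JWT is decoded without signature verification, for diagnostics only.

```python
import base64
import json
from urllib.parse import quote

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def token_kind(jwt):
    """Classify an Azure AD access token without verifying it (diagnostics only).
    App-only tokens carry a 'roles' claim; delegated tokens carry 'scp'."""
    claims = b64url_json(jwt.split(".")[1])
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    return "application", list(claims.get("roles", []))

def search_url(host, querytext):
    """Build the REST search URL; single quotes inside the query are doubled."""
    encoded = quote(querytext.replace("'", "''"), safe="")
    return f"https://{host}/_api/search/query?querytext='{encoded}'"

def total_rows(body):
    """Read TotalRows from a response in odata=nometadata or odata=verbose shape."""
    doc = json.loads(body)
    doc = doc.get("d", {}).get("query", doc)
    return doc["PrimaryQueryResult"]["RelevantResults"]["TotalRows"]

def compare(app_body, delegated_body):
    """Name the symptom: does app-only return fewer rows than delegated?"""
    app, user = total_rows(app_body), total_rows(delegated_body)
    if app == user:
        return "match"
    return "app-only empty" if app == 0 else "app-only partial" if app < user else "app-only larger"

def fake_jwt(claims):
    """Constructed, unsigned sample token; never a real credential."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample data (57 vs. 98 are the counts one reply in the thread reports).
APP_TOKEN = fake_jwt({"roles": ["Sites.FullControl.All"]})
USER_TOKEN = fake_jwt({"scp": "AllSites.Read Sites.Search.All"})
APP_BODY = '{"PrimaryQueryResult": {"RelevantResults": {"TotalRows": 57}}}'
USER_BODY = '{"d": {"query": {"PrimaryQueryResult": {"RelevantResults": {"TotalRows": 98}}}}}'

if __name__ == "__main__":
    print(token_kind(APP_TOKEN), token_kind(USER_TOKEN))
    print(search_url("tenant.sharepoint.com", "Path:https://tenant.sharepoint.com/sites/X/Lists/Y/*"))
    print(compare(APP_BODY, USER_BODY))
```

Running the same comparison on a schedule against a known list item gives an early signal when app-only results start to diverge from delegated ones.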

 

31 Replies

  • MRomano
    Copper Contributor
    Yesterday I tried again by deleting the permissions from the app registration, deleting the certificate, reloading the same certificate and restoring the permissions to the app registration, and magically it started working again. Now, I don't know if it was solved by Microsoft or if this operation woke up the app registration, but it works. Try it.
  • Maybe good to know: I have a list, on which I try to find listitems. The list returns 0 results, searching using multiple options (no ManagedProperty, on RefinableString, ...) when using Application Permissions. Except for 1 listitem: this one I do find, with both permissions (application, delegated). I accidentally found out.
    I tried to figure out what is different on this listitem, but couldn't find anything.

    Edit: the only difference I see is that the Author of that one listitem is an actual user:
    | upn | display_name | some_large_guid i:0#.f|membership|upn
    The other listitems' Authors are an app:
    | App name | some_large_guid i:0i.t|some guid|UPN_of_app

    Edit 2: I created a new listitem myself (not by the app above), and that one I can find as well, by any authentication.

  • I also created a GitHub issue on https://github.com/SharePoint/sp-dev-docs/issues/8436

    Maybe we should all reply on that one too, to show we are not alone?
    • butchersoft585
      Copper Contributor
      Latest update from Microsoft Support ticket ->

      "Just a warm follow to let you know that I have check the issue with seniors and the confirmed that the issue should handled by the SharePoint developer team. Please kindly use the following link and submit the issue to SharePoint developer channel", then a link to this channel.

      So the question is now: does anyone know how to contact the "SharePoint developer team"?

  • someone210
    Copper Contributor

    I've been experiencing this issue across the board, here in Australia too. Search results through application permissions are returning 4 results for a request with a row limit of 10 for some, 0 for others. Running the same query as a user returns dozens of pages, 200+ results with a few refiners selected. Queries returning only titles are working fine. I think this is in line with the symptoms everyone else is experiencing.

    I don't think there is much more to contribute except for getting Microsoft to notice the issue. SP Search has been an extremely useful way to surface large data sets across many sites and lists. It will be a shame if we are forced to offload to a different medium to achieve the same results in a more reliable fashion for business-critical operations, without exposing a service account with no MFA in conflict with Microsoft's best-practice security recommendations.

    • StevenDeRoover
      Brass Contributor
      There you have it: getting Microsoft to notice the issue.
      I already had 2 support tickets (one incidentally, because I called them to get further, only to find that they just opened a new ticket). Except for a lot of frustration, I'm not getting further than this forum and the ServicesHub/supportforbusiness.
      That ServicesHub does nothing but either redirect me to the O365 page (only to create the exact same support request), or ask me for a support plan which I don't have, and cannot create because I am an AzureAd user 😕

      Time for someone of Microsoft Technical support to pick this up!
  • BrettHlavinka
    Copper Contributor
    My client is currently experiencing this same issue. The search being conducted has worked for years without issue. It is queried via CSOM using an application ClientId and ClientSecret. The application has FullControl across the SharePoint tenant.

    I can conduct an identical search with my user account and get the exact desired results.

    Currently for the application, the result count is 57 whereas it should be 98 - I imagine that will continue to drop towards 0 as the crawl progresses.
    • StevenDeRoover
      Brass Contributor
      A question to all of us: which region are we in? Maybe Microsoft can narrow down.
      I am from Belgium, so West-Europe, Roman Standard Time.
  • MRomano
    Copper Contributor

    We have the same problem. We have provisionally solved it by switching to authentication via a service user, but that is obviously not a solution. Has anyone tried registering an application with the old add-in model, as I understand is suggested here?

    https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly


    • I did not try if that works, but I would not go down that route. The old model is disabled by default on a lot of tenants. It uses a really old authentication mechanism (ACS). In this case I'd opt for using a service account temporarily.
  • We're having the exact same issue over here! Search returning 0 results when signed in using Certificate / Application Only (with Sites.FullControl.All scope)
    Multiple results though when running in delegated mode.

    This is not continuous though. Sometimes we do get search results.

    • StevenDeRoover
      Brass Contributor
      We had that case too: having results at some point, no results the other. After a few days, nothing returned, continuously.
      As if SharePoint Search simply started running dry (I reckon because of crawling started returning nothing, from time to time, with no results anymore in the end?)
      • StevenDeRoover
        Brass Contributor
        Do you have any idea how we can report this to Microsoft, besides posting in here?
        I've tried Free Microsoft Support, but they only support out-of-the-box issues (fi not being able to log in to SharePoint, or something like that).
        I've tried creating a Pay-Per-Incident, but I'm unable to add a subscription over there.
        Leading all support to a dead end.
  • Just to add:

    Application Permissions:

    Path:https://tenant.sharepoint.com/sites/oursite/Lists/thelist/DispForm.aspx?ID=0000

    0 Results

    Delegated Permissions:

    Path:https://tenant.sharepoint.com/sites/oursite/Lists/thelist/DispForm.aspx?ID=0000

    1 Result

    Additionally: we already created a new ClientId (Application Registration) to rule that out.

    • kalpeshvaghela
      Iron Contributor

      StevenDeRoover

      Can you make sure that you have given the following permission under "Application Permission" in your Azure AD App registration?


      • StevenDeRoover
        Brass Contributor
        I've given all SharePoint permissions I could give, for both Application and Delegated permissions.

        Also, all was working fine until August 26th, while nothing had changed on our side, so something must have changed at the SharePoint Search API server side.
