Forum Discussion
Quantumrunner
Aug 18, 2020 (Copper Contributor)
The app@sharepoint principal is not resolving in newly created tenants
This is a follow-up thread to a GitHub post (https://github.com/SharePoint/sp-dev-docs/issues/6155), which has been closed. It was asked that this topic be reopened here.
Thanks to the original creator Michael Jensen for opening this topic in GitHub.
We experienced the same problems in three new developer tenants we have created in the last two weeks.
Describe the bug
On the elevated privileges page there is an important tip about adding the app@sharepoint user as a term store administrator if you need app-only write access to the term store (I believe @wobba originally wrote about this in a post a couple of years ago).
Unfortunately we were not able to add the app@sharepoint user to the term store administrators group in a couple of tenants that we created in the past couple of days: that account will not resolve in either the old or the new term store UI (as shown in the following screenshots).
[Screenshot: old page]
[Screenshot: new page]
It appears this issue is not isolated to the term store, as that user would not resolve in other user management areas either (e.g. site collection administrators).
What made this even more confusing was that I was able to get the app@sharepoint account to resolve in one of our newly created tenants this afternoon, but only via the old term store UI; the other tenant we created yesterday is still not able to resolve that account.
I also tried adding the full username i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint and experienced the same result as trying to simply add app@sharepoint.
Steps to reproduce
- Create a new tenant
- Go to the term store in the SharePoint admin center (you can try this in both the old and new UI)
- Add app@sharepoint to the term store administrators and try to resolve that account (and/or save your change)
- See the error saying no match found in the old UI (or no error, but no user resolution in the new UI)
Expected behavior
I expect the app@sharepoint account to resolve, so we can continue to use app only principals to write to the term store.
Environment details (development & target environment)
- Your Developer Environment: N/A
- Target Environment: SharePoint Online
- Framework: N/A
- Browser(s): Chrome v84
- Tooling: N/A
- Additional details: N/A
Additional context
My concern is this app@sharepoint account may be in the process of being removed, which means our app only apps will no longer be able to write to the term store (which would obviously be a significant issue).
Thanks for your contribution! Sharing is caring.
9 Replies
- AndreAndradeLR (Copper Contributor)
I think I finally have the solution for it!
The tricky part is that you have ONE term store per tenant, but it behaves independently depending on how you access it (I mean, depending on the context of the site collection you are accessing it from):
https://MySite/_layouts/15/termstoremanager.aspx
and
https://MySite/_layouts/15/termstoremanager.aspx
and
https://MySite/_layouts/15/termstoremanager.aspx
all point to the same term store but, differently from what you would expect, they don't behave exactly the same.
After reading this:
https://sharepoint.stackexchange.com/questions/168160/what-is-sharepoint-app-principal-shown-in-appprincipals-aspx-and-what-created-it
I found out that the app@sharepoint principal is created when you add an app file and 'approve' it.
If you add the app file on sitecoll01 and then go to the term store using the sitecoll02 URL, it won't exist there... but it will exist on sitecoll01.
In my case, we were adding the app file to many site collections but accessing the term store via the root site collection URL https://MySite/_layouts/15/termstoremanager.aspx. It is the same term store, of course, but the account doesn't exist there.
Go figure...
- frodale (Copper Contributor)
Thanks for this!
Saved me a lot of hours 🙂
- AnnieJohnson (Copper Contributor)
I am experiencing the same issue in a newly created tenant as well, app@sharepoint won't resolve in the new or old term store experience and Mikael Svenson's workaround is not working unfortunately. Anyone?
- Quantumrunner (Copper Contributor)
AnnieJohnson We have just retested this in a brand new O365 developer tenant and the same problem occurred.
And yes, Mikael Svenson's workaround has not been working for this anymore either. Since this was a developer tenant, we cannot open a ticket there.
If anyone has this problem on a production tenant, please open a ticket and maybe get back here if you get any new status from Microsoft.
- AnnieJohnson (Copper Contributor)
Quantumrunner I actually did open a support ticket and they essentially copy/pasted the previous fix into an email:
- Create a new app with app-only permissions following https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
- Connect to PnP Online using the article - https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/connect-pnponline?view=sharepoint-ps
- Please use the URL https://mtspo20-admin.sharepoint.com/ to connect to PnP Online
- Connected to -admin and was able to resolve Get-PnPUser -Identity "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint"
- Added i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint as a user in term store
Thank you for being part of Microsoft Family.
I replied with the outputs of the powershell script showing that the app@sharepoint principal does not resolve when connected to admin, but does resolve when connected to the root site. Regardless the principal is not available to add in the term store. I am awaiting their next response.
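The check the support reply describes (resolve the full login name per site, then add it to the term store administrators) together with Andre's observation above that the principal only shows up in site collections where an app package was approved, written out as an added PowerShell example. This is not code from the thread or from Microsoft support; it assumes the legacy SharePointPnPPowerShellOnline module, an ACS app-only registration as in the linked article, and placeholder values for the tenant name, site collection, client id and secret.

```powershell
# Added example: probe where the app@sharepoint principal resolves and, where it does,
# add it as a term store administrator. Tenant, site and app-only values are placeholders.
$tenant       = "contoso"
$clientId     = "00000000-0000-0000-0000-000000000000"     # ACS app registration (assumed)
$clientSecret = "<client secret from appregnew.aspx>"      # placeholder
$appLogin     = "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint"

# Admin site, root site and one site collection where an app was approved (assumed name).
$urlsToProbe = @(
    "https://$tenant-admin.sharepoint.com",
    "https://$tenant.sharepoint.com",
    "https://$tenant.sharepoint.com/sites/sitecoll01"
)

function Test-AppPrincipal {
    param([Parameter(Mandatory)][string]$Url)

    Connect-PnPOnline -Url $Url -ClientId $clientId -ClientSecret $clientSecret
    try {
        # Get-PnPUser looks the login up in the site user information list of the
        # connected site collection, which is why the result differs per URL.
        $user = Get-PnPUser -Identity $appLogin -ErrorAction Stop
        if ($null -eq $user) { throw "not found" }
        [pscustomobject]@{ Url = $Url; Resolves = $true;  UserId = $user.Id }
    }
    catch {
        [pscustomobject]@{ Url = $Url; Resolves = $false; UserId = $null }
    }
    finally {
        Disconnect-PnPOnline
    }
}

$results = $urlsToProbe | ForEach-Object { Test-AppPrincipal -Url $_ }
$results | Format-Table -AutoSize

$good = $results | Where-Object Resolves | Select-Object -First 1
if (-not $good) {
    Write-Warning "$appLogin did not resolve on any probed site; nothing to add."
    return
}

# Add the principal as term store administrator from a site where it resolved.
# The caller must already be a term store administrator for AddTermStoreAdministrator
# to succeed; swap the app-only connection for an interactive one if needed.
Connect-PnPOnline -Url $good.Url -ClientId $clientId -ClientSecret $clientSecret
$session   = Get-PnPTaxonomySession
$termStore = $session.GetDefaultSiteCollectionTermStore()
$termStore.AddTermStoreAdministrator($appLogin)   # CSOM TermStore method, takes the login name
$termStore.CommitAll()
Invoke-PnPQuery
Write-Host "Added $appLogin as term store administrator via $($good.Url)"
Disconnect-PnPOnline
```

The probe prints one row per URL so the admin-site versus root-site difference Annie reports is visible at a glance; the add step deliberately uses the first URL where the login resolved rather than the admin site.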
- FloWaeger (Copper Contributor)
Quantumrunner we have the same issue within two tenants. Registering a dummy app doesn't resolve the problem. Also, setting -DisableCustomAppAuthentication to false has no effect.
Does anyone have another solution?