Forum Discussion
The app@sharepoint principal is not resolving in newly created tenants
Quantumrunner I actually did open a support ticket and they essentially copy/pasted the previous fix into an email:
- Create a new app with app-only permissions following https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
- Connect to PNP-Online using the article - Connect-PnPOnline (SharePointPnPPowerShell) | Microsoft Docs
- Please use the URL https://companyname-admin.sharepoint.com/ to connect to PNP-Online
- Connected to -admin and was able to resolve Get-PnPUser -Identity "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint"
- Added i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint as a user in term store
Thank you for being part of Microsoft Family.
I replied with the outputs of the powershell script showing that the app@sharepoint principal does not resolve when connected to admin, but does resolve when connected to the root site. Regardless the principal is not available to add in the term store. I am awaiting their next response.
AnnieJohnson When we did the testing this week we added the SharePoint App with app only permissions to the Admin Site Collection (https://companyname-admin.sharepoint.com/ ) instead of the root site collection.
Afterwards the user could be resolved in PowerShell by connecting to https://companyname-admin.sharepoint.com/ and running Get-PnPUser -Identity "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint".
But the user still did not show up in the user selection on the modern or the classic TermStore Admin Page.
- AnnieJohnson, Dec 03, 2020, Copper Contributor
Quantumrunner Here is the latest from Microsoft support. I answered some basic questions about my particular use case and am awaiting their next reply:
We would like to inform you that the account app@sharepoint is related to the SharePoint applications (auditing logs/virus check). It is a system account that belongs to the SharePoint farm infrastructure; it was created to run on all site collections/personal sites to collect auditing information. When the user makes changes to his own site collection, enables features or activates the site auditing logs, his own account does not have write permissions on the SharePoint farm, and this account will be used to run and collect all the necessary information to be provided to the customer. Microsoft has set up a few security accounts to run in all farms so that our customers can do some tasks and get the required information. It is also necessary for user security that these accounts always track the site collection, searching for viruses that may be uploaded into SharePoint. Microsoft will not change that; all farms have the same configuration and this same system account, and all site collections will use this account if they need to.
What Activities Should the customer expect from this account?
From the customer side nothing is expected; everything will run normally, as it should. This account will not affect the site collection or personal site functionality, and all the information in the site collection will be secure: only the site owners and the people who have permissions to the site can see the information inside and share it. This account can be visible if auditing is created for our site collection or personal site. All private information is safe, and nothing will be collected; as we said before, this account only gets information for auditing and looks for possible virus attacks.
- Quantumrunner, Jan 04, 2021, Brass Contributor
AnnieJohnson Did you get any more updates from the Microsoft Support?
We did some more testing. We created an Azure AD application with the Site.Read.All application permission and connected to the SharePoint central administration site (https://companyname-admin.sharepoint.com/) using the SharePoint client API (CSOM). Afterwards the user was available.
I'm not sure why this did not work when using the PNP PowerShell library and a SharePoint App (instead of the Azure AD App).
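The two procedures discussed in this thread, the support steps in the first post (ACS app-only registration, connect to the -admin site, resolve the principal, add it as a term store administrator) and the Azure AD app test in the last post, combined into one script as an added example. This is not code from the thread or from Microsoft; it assumes the current PnP.PowerShell module (whose Connect-PnPOnline takes -ClientId/-ClientSecret for ACS app-only and -ClientId/-Tenant/-CertificatePath for an Azure AD app; the older SharePointPnPPowerShellOnline module named the ACS parameters -AppId/-AppSecret), that the tenant name, client id, secret and certificate are placeholders you replace, and that the CSOM TermStore.AddTermStoreAdministrator method is what adds a term store admin (an assumption, not something the thread confirms). The GUID 00000003-0000-0ff1-ce00-000000000000 in the login name is the well-known application id of SharePoint Online itself, so the principal being resolved is SharePoint's own service principal, not something a tenant admin creates.

```powershell
# Added example, not from the thread. Requires: Install-Module PnP.PowerShell
# Placeholders (assumptions): tenant name, client id, secret, certificate.
param(
    [string]$Tenant       = 'companyname',
    [string]$ClientId     = '00000000-0000-0000-0000-000000000000',
    [string]$ClientSecret = '',    # set for ACS app-only (support's steps)
    [string]$CertPath     = '',    # set for Azure AD app-only (last post)
    [string]$CertPassword = ''
)

# 00000003-0000-0ff1-ce00-000000000000 = well-known app id of SharePoint Online;
# this is the claims-encoded login name of SharePoint's own service principal.
$AppPrincipal = 'i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint'

function Connect-AppOnly {
    param([string]$Url)
    if ($CertPath) {
        # Azure AD app with an application permission (e.g. Sites.Read.All),
        # authenticating with a certificate; tenant-scoped token.
        $pw = ConvertTo-SecureString $CertPassword -AsPlainText -Force
        Connect-PnPOnline -Url $Url -ClientId $ClientId -Tenant "$Tenant.onmicrosoft.com" `
            -CertificatePath $CertPath -CertificatePassword $pw
    } else {
        # Legacy ACS (SharePoint app-only) registration: client id + secret.
        Connect-PnPOnline -Url $Url -ClientId $ClientId -ClientSecret $ClientSecret
    }
}

# Connect to one site and report whether the app@sharepoint principal resolves there.
function Test-AppPrincipal {
    param([string]$Url)
    try {
        Connect-AppOnly -Url $Url
        $u = Get-PnPUser -Identity $AppPrincipal -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Resolved = $true;  Id = $u.Id; Detail = $u.LoginName }
    } catch {
        [pscustomobject]@{ Url = $Url; Resolved = $false; Id = $null; Detail = $_.Exception.Message }
    } finally {
        try { Disconnect-PnPOnline } catch { }
    }
}

# The thread reports different results on the -admin site and the root site,
# so check both and show them side by side.
$adminUrl = "https://$Tenant-admin.sharepoint.com/"
$rootUrl  = "https://$Tenant.sharepoint.com/"
$results  = @(
    (Test-AppPrincipal -Url $adminUrl),
    (Test-AppPrincipal -Url $rootUrl)
)
$results | Format-Table Url, Resolved, Id, Detail -AutoSize

# Term store step from the support reply, attempted only when the -admin site
# resolved the principal. AddTermStoreAdministrator is assumed to be the CSOM
# TermStore method for this; verify against your CSOM version before relying on it.
if (($results | Where-Object { $_.Url -eq $adminUrl }).Resolved) {
    try {
        Connect-AppOnly -Url $adminUrl
        $session = Get-PnPTaxonomySession
        $store   = $session.GetDefaultSiteCollectionTermStore()
        $store.AddTermStoreAdministrator($AppPrincipal)
        Invoke-PnPQuery
        Write-Host "Added $AppPrincipal as term store administrator on $adminUrl"
    } catch {
        Write-Warning "Term store update failed: $($_.Exception.Message)"
    } finally {
        try { Disconnect-PnPOnline } catch { }
    }
} else {
    Write-Warning "Principal did not resolve on $adminUrl; skipping term store step."
}
```

Run it once with -ClientSecret (ACS, the registration the support steps describe) and once with -CertPath (Azure AD app, the variant the last post says worked) to reproduce the comparison the thread is making; the first table tells you on which site the principal resolves before anything is written to the term store.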