SOLVED

Full control app permission on one site works on Lists, but partially fails on another (same tenant)


Scenario:

 

We have a working InTapp application registered in Azure with an application ID and secret key, that Read/Writes/Updates Lists on a SharePoint Online site. However, when we attempt to use it on another site on the same tenant, it will return the metadata of the list, but will fail to return any information about the list items. It's registered on both SPO sites with full control (via _layouts/15/AppInv.aspx).

 

[Image: App Permission]

 

 

SAMPLESITE-WORKS (working):

 

Method: GET 
URL: https://SAMPLEDOMAIN.sharepoint.com/sites/SAMPLESITE-WORKS/_api/web/lists/GetByTitle('ListOfPeople')

RESULT:
{"d":{"__metadata":{"id":"https://SAMPLEDOMAIN.sharepoint.com/sites/SAMPLESITE-WORKS/_api/Web/Lists(guid'b6dc17ea-e805-495a-96......

 

Method: GET
URL: https://SAMPLEDOMAIN.sharepoint.com/sites/SAMPLESITE-WORKS/_api/web/lists/GetByTitle('ListOfPeople')...

RESULT:
{"d":{"results":[{"__metadata":{"id":"23df63b0-b494-44d3-a6b3-0c16ff531cbd","uri":"https://SAMPLEDOMAIN.sharepoint.com/sites/SAMPLESITE-WORKS/_api/Web/Lists(guid'b6dc17ea...

 

SAMPLESITE-DOES-NOT-WORK (not completely working):

 

Method: GET
URL: https://SAMPLEDOMAIN.sharepoint.com/sites/SAMPLESITE-DOES-NOT-WORK/_api/web/lists/GetByTitle('ListOf...')

RESULT:
{"d":{"__metadata":{"id":"https://SAMPLEDOMAIN.sharepoint.com/sites/SAMPLESITE-DOES-NOT-WORK/_api/Web/Lists(guid'28ffc036-b111......

 

Method: GET
URL: https://SAMPLEDOMAIN.sharepoint.com/sites/SAMPLESITE-DOES-NOT-WORK/_api/lists/GetByTitle('ListOfPeop...')/items

RESULT:
{"d":{"results":[]}}


Do any of you have an idea why the "/items" end point would fail? Thanks in advance.

 

2 Replies

@Noel_Suarez It seems to me your call is successful but does not retrieve any items. This can be either because there simply are no items, or maybe because permissions on the list items are broken and the app has no inherited permissions on the library's items.

Maybe try using /items?select=* 
Standard everything should be returned, but maybe you have a specific filter already there?


best response confirmed by Noel_Suarez (Occasional Contributor)
Solution

@IshtarOnline - Thanks for taking a stab at it. Sorry for the delay in responding. Actually, it was something insanely dumb. On our site - in the permissions XML, we created it as:

 

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest
      Scope="https://SAMPLESITE.sharepoint.com/sites/SAMPLE"
      Right="FullControl" />
</AppPermissionRequests>

 

We misinterpreted the documentation, replacing the scope with OUR site, which was wrong. So it really was as it was written in the documentation. 

 

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest
    Scope="http://sharepoint/content/sitecollection"
    Right="FullControl" />
</AppPermissionRequests>

 

There are times that it is fine to just copy and paste the documentation. Hope this post helps others. Thanks!
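
Added example, not part of the thread or of Microsoft's documentation: a small Python check that lints permission XML before it is pasted into AppInv.aspx and flags the mistake described above, a real site URL used as `Scope`. The function name, the sample documents (rebuilt from the two snippets in the post) and the allow-lists are assumptions of this example; the scope list covers only the content scopes and the XML is assumed to carry no namespace, as in the post.

```python
import xml.etree.ElementTree as ET

# Symbolic content scope URIs: they name a level (tenant, site collection,
# web, list), never the address of an actual site. Content scopes only.
KNOWN_SCOPES = {
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection/web/list",
}
KNOWN_RIGHTS = {"Read", "Write", "Manage", "FullControl"}

# Constructed samples, rebuilt from the two snippets in the post.
TEMPLATE = ('<AppPermissionRequests AllowAppOnlyPolicy="true">'
            '<AppPermissionRequest Scope="{}" Right="FullControl" />'
            '</AppPermissionRequests>')
BROKEN_XML = TEMPLATE.format("https://SAMPLESITE.sharepoint.com/sites/SAMPLE")
FIXED_XML = TEMPLATE.format("http://sharepoint/content/sitecollection")

def lint_permission_xml(xml_text):
    """Return (severity, message) findings for an AppPermissionRequests document."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        return [("error", f"unexpected root element <{root.tag}>")]
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    findings = []
    for req in root.findall("AppPermissionRequest"):
        scope, right = req.get("Scope", ""), req.get("Right", "")
        if scope not in KNOWN_SCOPES:
            hint = (" (a real site URL; Scope takes a fixed symbolic URI)"
                    if "sharepoint.com" in scope.lower() else "")
            findings.append(("error", f"unrecognised Scope {scope!r}{hint}"))
        if right not in KNOWN_RIGHTS:
            findings.append(("error", f"unrecognised Right {right!r}"))
        if app_only and right == "FullControl":
            # Informational: worth a review, since no user context limits the app.
            findings.append(("info", "app-only FullControl grants the app "
                                     "everything in scope without a user"))
    return findings

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(name, lint_permission_xml(doc))
```
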