The app@sharepoint principal is not resolving in newly created tenants


This is a follow-up topic to this GitHub Thread:

https://github.com/SharePoint/sp-dev-docs/issues/6155

The Thread has been closed and mentioned that it should be reopened in this forum.

Just some more details from my side: The problem has occurred in three new tenants we have created in the last two weeks. The tenants were only used internally using the developer tenant feature; therefore we can't open official tickets for these tenants.

Our documentation always includes this step because we still use the Termstore quite heavily in our software (even though the Termstore performance in general is quite bad). Without adding this account a lot of functionality does not work.

Therefore here is the quote from michael-jensen (a big thank you to him for opening the original thread):

Describe the bug

In the elevated privileges page there is an important tip about adding the app@sharepoint user as a term store administrator if you need app-only write access to the term store (I believe wobba originally wrote about this in a post a couple of years ago).

Unfortunately we were not able to add the app@sharepoint user to the term store administrators group in a couple of tenants that we created in the past couple of days - that account will not resolve in the old and new term store UI (as shown in the following screenshots)

Old page: [screenshot: termstore.png]

New page: [screenshot: termstore2.png]

It appears this issue is not isolated to the term store, as that user would not resolve in other user management areas (i.e. site collection admin, etc.)

What made this even more confusing was I was able to get the app@sharepoint account to resolve in one of our newly created tenants this afternoon, but that only worked via the old term store UI - the other tenant we created yesterday is still not able to resolve that account.

I also tried adding the full username i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint and experienced the same result as trying to simply add app@sharepoint.

Steps to reproduce

  1. Create a new tenant
  2. Go to the term store in the SharePoint admin center (you can try this in both the old and new UI)
  3. Add app@sharepoint to the term store administrators and try to resolve that account (and/or save your change)
  4. See the error saying no match found in the old UI (or no error, but no user resolution in the new UI)

Expected behavior

I expect the app@sharepoint account to resolve, so we can continue to use app only principals to write to the term store.

Environment details (development & target environment)

  • Your Developer Environment: N/A
  • Target Environment: SharePoint Online
  • Framework: N/A
  • Browser(s): Chrome v84
  • Tooling: N/A
  • Additional details: N/A

Additional context

My concern is this app@sharepoint account may be in the process of being removed, which means our app only apps will no longer be able to write to the term store (which would obviously be a significant issue).

0 Replies