The app@sharepoint principal is not resolving in newly created tenants


This is a follow-up thread to a GitHub post (https://github.com/SharePoint/sp-dev-docs/issues/6155) which has been closed. It has been asked to reopen this topic here.

Thanks to the original creator Michael Jensen for opening this topic in GitHub.

We experienced the same problems in three new developer tenants we have created in the last two weeks.

Describe the bug

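In the elevated privileges page (https://github.com/SharePoint/sp-dev-docs/blob/e49588c642eac9aff573ba84ffde2ca35ee07546/docs/solution-guidance/elevated-privileges-in-sharepoint-add-ins.md) there is an important tip about adding the app@sharepoint user as a term store administrator if you need app-only write access to the term store (I believe @wobba originally wrote about this in a post (https://www.techmikael.com/2018/08/modifying-terms-using-app-only-tokens.html) a couple of years ago).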

Unfortunately we were not able to add the app@sharepoint user to the term store administrators group in a couple of tenants that we created in the past couple of days - that account will not resolve in the old and new term store UI (as shown in the following screenshots).

Old page: [screenshot: termstore3.png]

New page: [screenshot]

It appears this issue is not isolated to the term store, as that user would not resolve in other user management areas (i.e. site collection admin, etc.).

What made this even more confusing was I was able to get the app@sharepoint account to resolve in one of our newly created tenants this afternoon, but that only worked via the old term store UI - the other tenant we created yesterday is still not able to resolve that account.

I also tried adding the full username i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint and experienced the same result as trying to simply add app@sharepoint.

Steps to reproduce

  1. Create a new tenant
  2. Go to the term store in the SharePoint admin center (you can try this in both the old and new UI)
  3. Add app@sharepoint to the term store administrators and try to resolve that account (and/or save your change)
  4. See the error saying no match found in the old UI (or no error, but no user resolution in the new UI)

Expected behavior

I expect the app@sharepoint account to resolve, so we can continue to use app-only principals to write to the term store.

Environment details (development & target environment)

  • Your Developer Environment: N/A
  • Target Environment: SharePoint Online
  • Framework: N/A
  • Browser(s): Chrome v84
  • Tooling: N/A
  • Additional details: N/A

Additional context

My concern is this app@sharepoint account may be in the process of being removed, which means our app-only apps will no longer be able to write to the term store (which would obviously be a significant issue).

Thanks for your contribution! Sharing is caring.
