SharePoint and Search Add-Ins


As you probably already know, search add-ins require a user principal to work, so you cannot use app-only permission (actually you can, but you get "access denied"). This can be achieved by adding the QueryAsUserIgnoreAppPrincipal right (https://dev.office.com/sharepoint/docs/general-development/search-add-ins-in-sharepoint). That is fairly obvious.

But what about, e.g., a remote event receiver? You need some service account which can be authenticated and authorized by SharePoint, and the RER has to run with this account's credentials. The impact of this approach is that search results will be trimmed for this service account.

What is not so obvious is that you have to add this service account to user profiles, or you can occasionally get ‘access denied’. Not always, but this is a completely different story.

(This behavior was observed in SharePoint 2016, May 2017 CU, claims based authentication with NTLM – I will soon check up with Kerberos).

It brings another interesting question – how to give read-only access rights to all site collections in SharePoint Online for this kind of service account?
