Office 365 / SharePoint Online – Sorry, only tenant administrators can add or give access to this app.

Hi All,

Today, new issue(my mistake) and learning 😊

Background: I was working on SharePoint online project. We were writing one console application which connects the Office 365 / SharePoint Online on be half of app. That means we were accessing SharePoint Online using an application context (app-only).

Our add-in requiring tenant admin permissions. We have registered our add-in using appregnew.aspx page

URL: https://[tenant].sharepoint.com/_layouts/15/appregnew.aspx

We have generated new client id and client secret. Now we went to appinv.aspx (_layouts/15/appinv.aspx) page, perform the look up for app id generated on appregnew.aspx page and provide following permission as

<AppPermissionRequests AllowAppOnlyPolicy=”true”> <AppPermissionRequest Scope=”http://sharepoint/content/tenant” Right=”FullControl” />

</AppPermissionRequests>

On Create button click, we get an error “Sorry, only tenant administrators can add or give access to this app.” as

Untitled
Figure 1: Office 365 – Assigning permissions to app – appinv.aspx page

What we tried: I was doing these steps with Global Administrator permissions. So really wondering what is the issue? Googled bit but no luck ☹

Then I changed the permissions rather than on permissions for Tenant, I have given permissions for SiteCollection as

<AppPermissionRequests AllowAppOnlyPolicy=”true”> <AppPermissionRequest Scope=”http://sharepoint/content/SiteCollection” Right=”FullControl” />

</AppPermissionRequests> and this worked like wonder.

Solution: As permissions for SiteCollection level working, I was really wondering what is the missing. After some time, I realize that I was trying to give tenant level permissions from my SharePoint site collection and not from admin site. As I generated the add-in id and client secret from my SharePoint site collection, there only I was trying give the tenant level permission.

So, we need to give tenant admin level permission from tenant admin site only as

https://[tenant]-admin.sharepoint.com/_layouts/15/appinv.aspx

But I think error is misleading since even Global Administrator trying to give the permissions and there is no tenant administrator right for Office 365, we have Global Administrator and then other administrators.

 

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubt, you are most welcome.

Stay tuned on Knowledge-Junction, will come up with more such articles.

Advertisements

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.