Office 365: SharePoint Online – Assigning Permissions to SharePoint Add-In

Hi All,

In last article – Office 365: SharePoint online – SharePoint Add-in registration – Why, How and What happen when we register the SharePoint Add-in we discussed SharePoint Add-In registration. Once we registered the Add-in it is security principal and has identity same as users and groups.

Our Add-in is ready, and we can execute the code on behalf of our Add-in rather using user’s credentials. But before using Add-in we need to assign permissions to Add-in.

Assigning permissions to SharePoint Add-in from UI:

We can assign permission to Add-in using the “AppInv.aspx” page. Following is the URL for assigning the permissions to SharePoint Add-in as

      _layouts/15/appinv.aspx (my sample tenant)
fig1 appinv page
Figure 1: Office 365 – SharePoint Online – “appinv.aspx” – assigning permissions to SharePoint Add-in

In the “App Id” field as shown in figure 1, please enter the Add-in id for which we need to grant the permissions and click on “Lookup” button. Once we clicked on button, we will get all the details like Title, App Domain, Redirect URL.

Next, we need to put the “Permission Request XML”.  Following is the schema for “Permission Request XML” as

 <AppPermissionRequest Scope="<Scope URI>" 
  Right="<Right>" />

In above schema there are following two parameters which we need to specify:

Scope URI: Add-in can perform the SharePoint operation within the requested scope.

Right: Rights given Add-in. SharePoint supports four right levels in content database –  Read, Write, Manage and FullControl.

Possible values of Scope URI:

http://sharepoint/content/tenant   – Permissions are granted to the Add-in at tenant level. Tenant level permissions are granted when tenant level operations need to perform like creating a site collection etc. or performing the operations across different Site Collections.

http://sharepoint/content/sitecollection – Permissions are granted to the Add-in at one Site Collection level.

http://sharepoint/content/sitecollection/web– Permissions are granted to the Add-in at one web level.

http://sharepoint/content/sitecollection/web/list – Permissions are granted to the Add-in at one list level.

What happen when permissions are granted to SharePoint Add-in:

  1. Permissions assigned to the admin are stored in Tenant content database (in case of SharePoint farm those are stored in content database of SharePoint farm).
  2. When permissions are assigned to the Add-in, SharePoint get the details of the Add-in (like Add-in client id, title, domain, redirect url etc.) from Microsoft Azure Control Service (ACS).
  3. SharePoint stored these Add-in details in add-in management service and in content database.
  4. When Add-in is removed, all permissions are given to Add-in are revoked.

What Next: Next we will discuss permission policies, how to use the SharePoint Add-in to connect our tenant and perform respective operation in SharePoint Online.

References: Add-in permissions in SharePoint

Thanks for reading 🙂

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubt, you are most welcome.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.