From 41d53700d0e59f865534f46abf2342cad623ac74 Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Fri, 24 Mar 2023 22:27:40 +0800 Subject: [PATCH 01/32] Add Addin API doc --- docs/apis/addin-restful-apis.md | 325 ++++++++++++++++++++++++++++++++ 1 file changed, 325 insertions(+) create mode 100644 docs/apis/addin-restful-apis.md diff --git a/docs/apis/addin-restful-apis.md b/docs/apis/addin-restful-apis.md new file mode 100644 index 000000000..48399c7fc --- /dev/null +++ b/docs/apis/addin-restful-apis.md 
@@ -0,0 +1,325 @@ +--- +title: SharePoint Add-in related APIs +description: We provided some Add-in related APIs to get Add-in's installation info and uninstall the Add-in. +audience: admin +ms.date: 03/28/2023 +ms.localizationpriority: medium +--- + +# SharePoint Add-in restful APIs +This documentation will introduce some APIs which related to SharePoint Add-ins. They could help to have a clear view +and better management of the Add-ins in tenant level, including these: +- Get available Add-ins in sites +- Get Add-in permissions in site collections +- Get tenant ACS service principals +- Get Add-in principals in site collections +- Uninstall Add-ins +- Get uninstall Add-in job status + +For more information about SharePoint Add-in, see [SharePoint Add-ins](../sp-add-ins/sharepoint-add-ins.md) + +## Prerequisites +- App-only mode token. [Get token example](https://github.com/pnp/pnpcore/blob/dev/docs/polyglot/Getting%20started%20-%20application%20permissions.ipynb) +- Called on the admin site. Example: https://www.contoso-admin.sharepoint.com +- For uninstall Add-in API, the app needs to have Sites.FullControl.All permission. For others, the app needs at least Sites.Read.All permission. + +## Get available Add-ins in sites + +This API will return the Add-ins that could be used on the given sites. This contains two kinds of install, one is the Add-in installed on the site. +The other is the Add-in installed on the tenant level app catalog site, and it matches the conditions to use the Add-in. +For more information, see [Tenancies and deployment scopes for SharePoint Add-ins](../sp-add-ins/tenancies-and-deployment-scopes-for-sharepoint-add-ins.md) + +This API needs the app to have at least Sites.Read.All permission. 
+ +### HTTP request + +```HTTP +POST {adminSiteUrl}/_api/web/AvailableAddIns +``` + +### Request body + +| Name | Required | Type | Description | +|--------------------|----------|----------|-------------------------------------------------------------------------------------------------------| +| serverRelativeUrls | yes | string[] | List of the server relative url of sites that want to get the available Add-ins. Maximum size is 500. | + +### Responses + +| Name | Type | Description | +|-----------------------------|--------------------------------|--------------------------------------------------------------------------------------| +| addins | SPAddinInstanceInfo[] | Available Add-in instance object. | +| errorsWithServerRelativeUrl | SPErrorWithServerRelativeUrl[] | Server relative urls that failed to get available add-ins and corresponding reasons. | + +#### SPAddinInstanceInfo + +| Name | Type | Description | +|-------------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| title | string | Title of the Add-in. | +| appInstanceId | Guid | Id of the installation. | +| launchUrl | String | The Add-in's launch page address. | +| installedSiteId | Guid | Site collection id where the Add-in installed. | +| installedWebId | Guid | Site id where the Add-in installed. | +| installedWebName | string | Site name where the Add-in installed. | +| installedWebUrl | string | Site url where the Add-in installed. | +| currentSiteId | Guid | Site collection id of current site. | +| currentWebId | Guid | Site id of current site. 
| +| currentWebName | string | Site name of current site. | +| currentWebUrl | string | Site url of current site. | +| status | string | The status of current Add-in. | +| appWebFullUrl | string | The full url of the app web. The SharePoint components are generally in a special child web of the host web called the app web. The app web will be created during install the add-in. | +| appWebId | Guid | Id of the app web. | +| appWebName | string | Name of the app web. | +| installedBy | string | User name of who installed the add-in. | +| appIdentifier | string | The identifier of the app principal. It could be used to get the Add-in's permission. | +| creationTimeUtc | DateTime | Date time when installed the add-in. | +| productId | Guid | The global unique id of the add-in. It is same for all tenants. | +| assetId | string | The id of the app in the office store, this will be empty for app catalog user uploaded apps. | +| purchaserIdentity | string | The identify of person who bought the license of the add-in. | +| licensePurchaseTime | DateTime | When purchased the app license. | +| locale | string | which locale installed on the site. | +| appSource | string | Indicate where the app come from. | +| tenantAppData | string | After the Add-in installed in the tenant app catalog site. It could enable tenant level usage. This data indicates the conditions how to filter the sites. If this field is not empty, it means this Add-in installed on tenant app catalog site, deployed to tenant level, and current site matches the conditions. For more information, see [Tenancies and deployment scopes for SharePoint Add-ins](../sp-add-ins/tenancies-and-deployment-scopes-for-sharepoint-add-ins.md) | +| tenantAppDataUpdateTime | DateTime | The tenant app data update time. 
| + +### SPErrorWithServerRelativeUrl + +| Name | Type | Description | +|-------------------|--------|--------------------------------------------------------| +| serverRelativeUrl | string | The serverRelativeUrl in the request body. | +| errorMessage | string | The error message why fetch the site's Add-ins failed. | + +## Get Add-in permissions in site collections + +This API will return the permissions that were granted to the add-in. For more information, see [Add-in permissions in SharePoint](../sp-add-ins/add-in-permissions-in-sharepoint.md) + +This API needs the app to have at least Sites.Read.All permission. + +### HTTP request + +```HTTP +POST {adminSiteUrl}/_api/web/AddinPermissions +``` + +### Request body + +| Name | Required | Type | Description | +|--------|----------|----------------------------|----------------------------------------------------------------------------------| +| addins | yes | SPAddinPermissionRequest[] | List of the Add-in that want to get the permissions. Maximum Add-in size is 500. | + +#### SPAddinPermissionRequest + +| Name | Type | Description | +|-------------------|----------|--------------------------------------------------------------------------------------------------------------------------------| +| serverRelativeUrl | string | The server relative url of the site collection. It will return site collection scope permissions of the given site collection. | +| appIdentifiers | string[] | The identifier list of the Add-ins. | + +### Responses + +| Name | Type | Description | +|------------------|-------------------------------|-----------------------------------------------------------------------| +| addinPermissions | SPAddinPermissionInfo[] | The returned permissions. | +| failedAddins | SPAddinPermissionFailedInfo[] | The Add-ins that failed to get permissions and corresponding reasons. 
| + +#### SPAddinPermissionInfo + +| Name | Type | Description | +|---------------------------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| tenantScopedPermissions | SPTenantScopedPermissionInfo[] | This is the permissions grant in tenant scope level. | +| siteCollectionScopedPermissions | SPSiteCollectionScopedPermissionInfo[] | This is the permissions grant in site collection scope level. | +| appIdentifier | string | The identifier of the Add-in. | +| serverRelativeUrl | string | The server relative url of the site collection. | +| allowAppOnly | bool | This identifies if the Add-in allows app only mode. For more information, see [Add-in authorization policy types in SharePoint](../sp-add-ins/add-in-authorization-policy-types-in-sharepoint.md) | + +#### SPTenantScopedPermissionInfo + +| Name | Type | Description | +|---------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| feature | string | The feature name of the permissions, it should be one of these:
  • Taxonomy
  • Social
  • ProjectServer
  • Search
  • BcsConnection
  • Content | +| scope | string | The scope of the permission. | +| right | string | The right of the permission. | +| id | Guid | The id of the resource that the Add-in have permission to. For example, it may be the id of one specific project when the feature is ProjectServer and the scope is projectserver/projects/project. | + + +#### SPSiteCollectionScopedPermissionInfo + +| Name | Type | Description | +|--------|--------|------------------------------------------------------------------------------------------------------------------------------------------------| +| siteId | Guid | The site collection id which the Add-in has access to. | +| webId | Guid | The site id which the Add-in has access to. If this field is empty, then the permission grant in site collection level. | +| listId | Guid | The list id which the Add-in has access to. If this field is empty, then the permission grant in site collection level or grant is site level. | +| right | string | Available rights: Guest, Read, Write, Manage, FullControl. | + + +#### SPAddinPermissionFailedInfo + +| Name | Type | Description | +|-------------------|--------|-----------------------------------------------------------| +| serverRelativeUrl | string | The server relative url of the site collection. | +| appIdentifier | string | The identifier list of the Add-in. | +| errorMessage | string | The error message why fetch the Add-in permission failed. | + +## Get tenant ACS service principals + +This API takes the app id list as input, it will filter the ones that present ACS service principals. +For more information, see [Register SharePoint Add-ins](../sp-add-ins/register-sharepoint-add-ins.md) + +This API needs the app to have at least Sites.Read.All permission. 
+ +### HTTP request + +```HTTP +POST {adminSiteUrl}/_api/web/GetACSServicePrincipals +``` + +### Request body + +| Name | Required | Type | Description | +|--------|----------|--------|------------------------------------| +| appIds | yes | Guid[] | List app ids. Maximum size is 500. | + +### Responses + +| Name | Type | Description | +|------|-----------------------------|-------------------------------------| +| | SPACSServicePrincipalInfo[] | The SPACSServicePrincipalInfo list. | + +#### SPACSServicePrincipalInfo + +| Name | Type | Description | +|---------------|----------|-----------------------------------------------------------------------------------------------| +| appIdentifier | string | The app identifier of the Add-in. | +| appId | Guid | The app id of the Add-in. | +| title | string | A user friendly title. | +| redirectUri | string | The endpoint in your remote application or service to which ACS sends an authentication code. | +| appDomains | string[] | The host name of the remote component of the SharePoint Add-in. | + +## Get Add-in principals in site collections + +This API takes the site collections' server relative url as input, it will return the Add-in principals that have permissions in given sites. + +This API needs the app to have at least Sites.Read.All permission. + +### HTTP request + +```HTTP +POST {adminSiteUrl}/_api/web/GetAddinPrincipalsHavingPermissionsInSites +``` + +### Request body + +| Name | Required | Type | Description | +|--------------------|----------|----------|-------------------------------------------------------------------| +| serverRelativeUrls | yes | string[] | List site collections' server relative url. Maximum size is 500. 
| + +### Responses + +| Name | Type | Description | +|-----------------------------|--------------------------------|-------------| +| addinPrincipals | SPAddinPrincipalInfo[] | | +| errorsWithServerRelativeUrl | SPErrorWithServerRelativeUrl[] | | + +#### SPAddinPrincipalInfo + +| Name | Type | Description | +|-------------------|--------|-------------------------------------------------| +| title | string | The title of the Add-in. | +| appIdentifier | string | The app identifier. | +| serverRelativeUrl | string | The server relative url of the site collection. | + + +#### SPErrorWithServerRelativeUrl + +| Name | Type | Description | +|-------------------|--------|----------------------------------------------------------| +| serverRelativeUrl | string | The site collection's server relative url. | +| errorMessage | string | The error message why fetch the Add-in principal failed. | + +## Uninstall Add-ins + +This API will trigger an async job to uninstall the Add-in. If the job triggered successfully, the job id will be returned. + +This API needs the app to have Sites.FullControl.All permission. + +### HTTP request + +```HTTP +POST {adminSiteUrl}/_api/web/UninstallAddins +``` + +### Request body + +| Name | Required | Type | Description | +|-----------------|----------|---------------------------|---------------------------------------------------------------| +| uninstallAddins | yes | SPUninstallAddinRequest[] | List of Add-ins need to uninstall. Maximum Add-in size is 50. | + +#### SPUninstallAddinRequest + +| Name | Type | Description | +|-------------------|--------|----------------------------------| +| serverRelativeUrl | string | The site's server relative url. | +| appInstanceIds | Guid[] | The instance ids of the Add-ins. 
| + +### Responses + +| Name | Type | Description | +|-----------|--------------------------------------------|---------------------------------------------------------------------------| +| executing | SPTriggeredUninstallAddinJobResponse[] | This field contains the ones that successed to trigger the uninstall job. | +| failed | SPFailToTriggerUninstallAddinJobResponse[] | This field contains the ones that failed to trigger the uninstall job. | + +#### SPTriggeredUninstallAddinJobResponse + +| Name | Type | Description | +|-------------------|--------|---------------------------------| +| appInstanceId | Guid | The instance id of the Add-in. | +| serverRelativeUrl | string | The site's server relative url. | +| uninstallJobId | Guid | The triggered uninstall job id. | + +#### SPFailToTriggerUninstallAddinJobResponse + +| Name | Type | Description | +|-------------------|--------|---------------------------------------------------------| +| appInstanceId | Guid | The instance id of the Add-in. | +| serverRelativeUrl | string | The site's server relative url. | +| errorMessage | Guid | The error message why the uninstall job trigger failed. | + + +## Get uninstall Add-in job status + +Since the uninstall Add-in is an async process, this API will provide the ability to check if the uninstall ends successfully. +If the job ends successfully, then the job will be not found. If the job ends with failure, then it will return the error detail. + +This API needs the app to have at least Sites.Read.All permission. + +### HTTP request + +```HTTP +POST {adminSiteUrl}/_api/web/GetAddinUninstallJobDetail +``` + +### Request body + +| Name | Required | Type | Description | +|-------------------|----------|--------|---------------------------------| +| jobId | yes | Guid | This uninstall job id. | +| serverRelativeUrl | yes | string | The site's server relative url. 
| + +### Responses + +| Name | Type | Description | +|-------------------|-------------------------------|--------------------------------------------------| +| serverRelativeUrl | string | The site's server relative url. | +| taskStartTime | DateTime | The time when the task starts executing. | +| jobId | Guid | The uninstall job id. | +| siteId | Guid | The site collection id. | +| appInstanceId | Guid | The id of the app instance. | +| errorDetails | SPUninstallAddinErrorDetail[] | The error details for the job ends with failure. | + +#### SPUninstallAddinErrorDetail + +| Name | Type | Description | +|------------------|--------|-------------------------------------| +| detail | string | The error detail. | +| exceptionMessage | string | The exception message of the error. | +| source | string | The source of the error. | +| type | string | The type of the error. | +| correlationId | Guid | The job's correlation id. | From 2113807c00a4a4a85406ef2a2ada84399dc0734b Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Fri, 24 Mar 2023 22:37:19 +0800 Subject: [PATCH 02/32] add toc.yml file --- docs/apis/{addin-restful-apis.md => addin-management-apis.md} | 4 ++-- docs/toc.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) rename docs/apis/{addin-restful-apis.md => addin-management-apis.md} (99%) diff --git a/docs/apis/addin-restful-apis.md b/docs/apis/addin-management-apis.md similarity index 99% rename from docs/apis/addin-restful-apis.md rename to docs/apis/addin-management-apis.md index 48399c7fc..cabe5f363 100644 --- a/docs/apis/addin-restful-apis.md +++ b/docs/apis/addin-management-apis.md 
@@ -2,11 +2,11 @@ title: SharePoint Add-in related APIs description: We provided some Add-in related APIs to get Add-in's installation info and uninstall the Add-in. audience: admin -ms.date: 03/28/2023 +ms.date: 03/25/2023 ms.localizationpriority: medium --- -# SharePoint Add-in restful APIs +# SharePoint Add-in Management APIs This documentation will introduce some APIs which related to SharePoint Add-ins. They could help to have a clear view and better management of the Add-ins in tenant level, including these: - Get available Add-ins in sites diff --git a/docs/toc.yml b/docs/toc.yml index d146793af..8b67da1dd 100644 --- a/docs/toc.yml +++ b/docs/toc.yml @@ -2130,6 +2130,8 @@ href: /dotnet/api/?term=Officedevpnp - name: PnP Sites Core API reference - Extension methods href: /dotnet/api/?term=microsoft.sharepoint + - name: SharePoint Add-in Management APIs + href: /apis/addin-management-apis.md - name: SharePoint schema reference href: schema/schema-reference-for-sharepoint.md items: From 452a213daafad7cd209b10aed55c467d7396f245 Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Fri, 24 Mar 2023 22:44:55 +0800 Subject: [PATCH 03/32] update the path --- docs/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/toc.yml b/docs/toc.yml index 8b67da1dd..c48272280 100644 --- a/docs/toc.yml +++ b/docs/toc.yml @@ -2131,7 +2131,7 @@ - name: PnP Sites Core API reference - Extension methods href: /dotnet/api/?term=microsoft.sharepoint - name: SharePoint Add-in Management APIs - href: /apis/addin-management-apis.md + href: apis/addin-management-apis.md - name: SharePoint schema reference href: schema/schema-reference-for-sharepoint.md items: From 357a2476f6d19d3d88b0c743dc4eee9fc01341d9 Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Fri, 24 Mar 2023 23:10:52 +0800 Subject: [PATCH 04/32] add some end mark --- docs/apis/addin-management-apis.md | 78 +++++++++++++++--------------- 1 file changed, 39 insertions(+), 39 deletions(-) 
diff --git a/docs/apis/addin-management-apis.md b/docs/apis/addin-management-apis.md index cabe5f363..876d35b95 100644 --- a/docs/apis/addin-management-apis.md +++ b/docs/apis/addin-management-apis.md @@ -16,7 +16,7 @@ and better management of the Add-ins in tenant level, including these: - Uninstall Add-ins - Get uninstall Add-in job status -For more information about SharePoint Add-in, see [SharePoint Add-ins](../sp-add-ins/sharepoint-add-ins.md) +For more information about SharePoint Add-in, see [SharePoint Add-ins](../sp-add-ins/sharepoint-add-ins.md). ## Prerequisites - App-only mode token. [Get token example](https://github.com/pnp/pnpcore/blob/dev/docs/polyglot/Getting%20started%20-%20application%20permissions.ipynb) @@ -27,7 +27,7 @@ For more information about SharePoint Add-in, see [SharePoint Add-ins](../sp-add This API will return the Add-ins that could be used on the given sites. This contains two kinds of install, one is the Add-in installed on the site. The other is the Add-in installed on the tenant level app catalog site, and it matches the conditions to use the Add-in. -For more information, see [Tenancies and deployment scopes for SharePoint Add-ins](../sp-add-ins/tenancies-and-deployment-scopes-for-sharepoint-add-ins.md) +For more information, see [Tenancies and deployment scopes for SharePoint Add-ins](../sp-add-ins/tenancies-and-deployment-scopes-for-sharepoint-add-ins.md). This API needs the app to have at least Sites.Read.All permission. 
@@ -52,34 +52,34 @@ POST {adminSiteUrl}/_api/web/AvailableAddIns #### SPAddinInstanceInfo -| Name | Type | Description | -|-------------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| title | string | Title of the Add-in. | -| appInstanceId | Guid | Id of the installation. | -| launchUrl | String | The Add-in's launch page address. | -| installedSiteId | Guid | Site collection id where the Add-in installed. | -| installedWebId | Guid | Site id where the Add-in installed. | -| installedWebName | string | Site name where the Add-in installed. | -| installedWebUrl | string | Site url where the Add-in installed. | -| currentSiteId | Guid | Site collection id of current site. | -| currentWebId | Guid | Site id of current site. | -| currentWebName | string | Site name of current site. | -| currentWebUrl | string | Site url of current site. | -| status | string | The status of current Add-in. | -| appWebFullUrl | string | The full url of the app web. The SharePoint components are generally in a special child web of the host web called the app web. The app web will be created during install the add-in. | -| appWebId | Guid | Id of the app web. | -| appWebName | string | Name of the app web. | -| installedBy | string | User name of who installed the add-in. | -| appIdentifier | string | The identifier of the app principal. It could be used to get the Add-in's permission. | -| creationTimeUtc | DateTime | Date time when installed the add-in. | -| productId | Guid | The global unique id of the add-in. It is same for all tenants. 
| -| assetId | string | The id of the app in the office store, this will be empty for app catalog user uploaded apps. | -| purchaserIdentity | string | The identify of person who bought the license of the add-in. | -| licensePurchaseTime | DateTime | When purchased the app license. | -| locale | string | which locale installed on the site. | -| appSource | string | Indicate where the app come from. | -| tenantAppData | string | After the Add-in installed in the tenant app catalog site. It could enable tenant level usage. This data indicates the conditions how to filter the sites. If this field is not empty, it means this Add-in installed on tenant app catalog site, deployed to tenant level, and current site matches the conditions. For more information, see [Tenancies and deployment scopes for SharePoint Add-ins](../sp-add-ins/tenancies-and-deployment-scopes-for-sharepoint-add-ins.md) | -| tenantAppDataUpdateTime | DateTime | The tenant app data update time. | +| Name | Type | Description | +|-------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| title | string | Title of the Add-in. | +| appInstanceId | Guid | Id of the installation. | +| launchUrl | String | The Add-in's launch page address. | +| installedSiteId | Guid | Site collection id where the Add-in installed. | +| installedWebId | Guid | Site id where the Add-in installed. | +| installedWebName | string | Site name where the Add-in installed. | +| installedWebUrl | string | Site url where the Add-in installed. 
| +| currentSiteId | Guid | Site collection id of current site. | +| currentWebId | Guid | Site id of current site. | +| currentWebName | string | Site name of current site. | +| currentWebUrl | string | Site url of current site. | +| status | string | The status of current Add-in. | +| appWebFullUrl | string | The full url of the app web. The SharePoint components are generally in a special child web of the host web called the app web. The app web will be created during install the add-in. | +| appWebId | Guid | Id of the app web. | +| appWebName | string | Name of the app web. | +| installedBy | string | User name of who installed the add-in. | +| appIdentifier | string | The identifier of the app principal. It could be used to get the Add-in's permission. | +| creationTimeUtc | DateTime | Date time when installed the add-in. | +| productId | Guid | The global unique id of the add-in. It is same for all tenants. | +| assetId | string | The id of the app in the office store, this will be empty for app catalog user uploaded apps. | +| purchaserIdentity | string | The identify of person who bought the license of the add-in. | +| licensePurchaseTime | DateTime | When purchased the app license. | +| locale | string | which locale installed on the site. | +| appSource | string | Indicate where the app come from. | +| tenantAppData | string | After the Add-in installed in the tenant app catalog site. It could enable tenant level usage. This data indicates the conditions how to filter the sites. If this field is not empty, it means this Add-in installed on tenant app catalog site, deployed to tenant level, and current site matches the conditions. For more information, see [Tenancies and deployment scopes for SharePoint Add-ins](../sp-add-ins/tenancies-and-deployment-scopes-for-sharepoint-add-ins.md). | +| tenantAppDataUpdateTime | DateTime | The tenant app data update time. | ### SPErrorWithServerRelativeUrl 
@@ -90,7 +90,7 @@ POST {adminSiteUrl}/_api/web/AvailableAddIns ## Get Add-in permissions in site collections -This API will return the permissions that were granted to the add-in. For more information, see [Add-in permissions in SharePoint](../sp-add-ins/add-in-permissions-in-sharepoint.md) +This API will return the permissions that were granted to the add-in. For more information, see [Add-in permissions in SharePoint](../sp-add-ins/add-in-permissions-in-sharepoint.md). This API needs the app to have at least Sites.Read.All permission. 
@@ -122,13 +122,13 @@ POST {adminSiteUrl}/_api/web/AddinPermissions #### SPAddinPermissionInfo -| Name | Type | Description | -|---------------------------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| tenantScopedPermissions | SPTenantScopedPermissionInfo[] | This is the permissions grant in tenant scope level. | -| siteCollectionScopedPermissions | SPSiteCollectionScopedPermissionInfo[] | This is the permissions grant in site collection scope level. | -| appIdentifier | string | The identifier of the Add-in. | -| serverRelativeUrl | string | The server relative url of the site collection. | -| allowAppOnly | bool | This identifies if the Add-in allows app only mode. For more information, see [Add-in authorization policy types in SharePoint](../sp-add-ins/add-in-authorization-policy-types-in-sharepoint.md) | +| Name | Type | Description | +|---------------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| tenantScopedPermissions | SPTenantScopedPermissionInfo[] | This is the permissions grant in tenant scope level. | +| siteCollectionScopedPermissions | SPSiteCollectionScopedPermissionInfo[] | This is the permissions grant in site collection scope level. | +| appIdentifier | string | The identifier of the Add-in. | +| serverRelativeUrl | string | The server relative url of the site collection. | +| allowAppOnly | bool | This identifies if the Add-in allows app only mode. For more information, see [Add-in authorization policy types in SharePoint](../sp-add-ins/add-in-authorization-policy-types-in-sharepoint.md). | #### SPTenantScopedPermissionInfo 
@@ -161,7 +161,7 @@ POST {adminSiteUrl}/_api/web/AddinPermissions ## Get tenant ACS service principals This API takes the app id list as input, it will filter the ones that present ACS service principals. -For more information, see [Register SharePoint Add-ins](../sp-add-ins/register-sharepoint-add-ins.md) +For more information, see [Register SharePoint Add-ins](../sp-add-ins/register-sharepoint-add-ins.md). This API needs the app to have at least Sites.Read.All permission. From 6db58f0bcdf9b5fc00d967a9e22be5d10f2f84fa Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Mon, 3 Apr 2023 13:01:56 +0800 Subject: [PATCH 05/32] add
      and add surrounding line breaks --- docs/apis/addin-management-apis.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/apis/addin-management-apis.md b/docs/apis/addin-management-apis.md index 876d35b95..4615949a3 100644 --- a/docs/apis/addin-management-apis.md +++ b/docs/apis/addin-management-apis.md @@ -7,8 +7,10 @@ ms.localizationpriority: medium --- # SharePoint Add-in Management APIs + This documentation will introduce some APIs which related to SharePoint Add-ins. They could help to have a clear view and better management of the Add-ins in tenant level, including these: + - Get available Add-ins in sites - Get Add-in permissions in site collections - Get tenant ACS service principals @@ -19,6 +21,7 @@ and better management of the Add-ins in tenant level, including these: For more information about SharePoint Add-in, see [SharePoint Add-ins](../sp-add-ins/sharepoint-add-ins.md). ## Prerequisites + - App-only mode token. [Get token example](https://github.com/pnp/pnpcore/blob/dev/docs/polyglot/Getting%20started%20-%20application%20permissions.ipynb) - Called on the admin site. Example: https://www.contoso-admin.sharepoint.com - For uninstall Add-in API, the app needs to have Sites.FullControl.All permission. For others, the app needs at least Sites.Read.All permission. @@ -134,7 +137,7 @@ POST {adminSiteUrl}/_api/web/AddinPermissions | Name | Type | Description | |---------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| feature | string | The feature name of the permissions, it should be one of these:
    • Taxonomy
    • Social
    • ProjectServer
    • Search
    • BcsConnection
    • Content | +| feature | string | The feature name of the permissions, it should be one of these:
      • Taxonomy
      • Social
      • ProjectServer
      • Search
      • BcsConnection
      • Content
      | | scope | string | The scope of the permission. | | right | string | The right of the permission. | | id | Guid | The id of the resource that the Add-in have permission to. For example, it may be the id of one specific project when the feature is ProjectServer and the scope is projectserver/projects/project. | From 499e4e27d7bd073480c1709e8535cba674f81f1b Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 21 Jun 2023 11:14:12 +0800 Subject: [PATCH 06/32] Add notes for block site owners create ACS --- docs/sp-add-ins/register-sharepoint-add-ins.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index c442ac5b0..2df0d1379 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md @@ -44,6 +44,9 @@ You can register your add-in in one of three ways, depending on where you are in |Use the AppRegNew.aspx page. |Use the AppRegNew form to register your SharePoint Add-in if you are using the add-in only in one tenant or farm.

      For example, if you're creating add-ins for a single organization and you're going to distribute them via the organization add-in catalog, you can use the AppRegNew.aspx page of any website in a tenancy or farm to register the add-in.

      You cannot publish an add-in that is registered with AppRegNew.aspx to the Office Store. For add-ins that are published to the Office Store, you must get an identity from the Seller Dashboard.| ### To register by using AppRegNew.aspx +> [!NOTE] +> Site owners are blocked to register ACS in AppRegNew.aspx by default. To enable it, use the command [Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). + 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From f18166d34afed12bb41affac739706fc911a1c8b Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 21 Jun 2023 11:23:38 +0800 Subject: [PATCH 07/32] Add notes for block site owners update ACS --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 9f052cc1a..d44317a3b 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -296,6 +296,8 @@ SharePoint Add-ins that are installed to SharePoint are granted permissions when When you are developing an add-in or troubleshooting an add-in, there may be occasions when you want to change, or regrant, the permissions of an add-in that has already been installed. You can do so with these steps: 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. +> [!NOTE] +> Site owners are blocked to update add-in permissions in AppInv.aspx page by default. To enable it, use the command [Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. From 4860007de0ac2f2c3c5f3f19290443c0bf3c693d Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 28 Jun 2023 00:21:43 +0800 Subject: [PATCH 08/32] revert unuse change --- docs/toc.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/toc.yml b/docs/toc.yml index fd235c3f0..37a400abe 100644 --- a/docs/toc.yml +++ b/docs/toc.yml @@ -2088,9 +2088,7 @@ - name: Application Lifecycle Management (ALM) APIs href: apis/alm-api-for-spfx-add-ins.md - name: CSOM methods for applying retention labels - href: apis/csom-methods-for-applying-retention-labels.md - - name: SharePoint Add-in Management APIs - href: apis/addin-management-apis.md + href: apis/csom-methods-for-applying-retention-labels.md - name: Microsoft 365 Copy and Move API href: apis/spod-copy-move-api.md - name: SharePoint Migration Guidance 
From 175edfd2547979cb22f6976df9c65c665a3577fd Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 28 Jun 2023 17:04:39 +0800 Subject: [PATCH 09/32] revert unuse change --- docs/toc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/toc.yml b/docs/toc.yml index 37a400abe..061420ad5 100644 --- a/docs/toc.yml +++ b/docs/toc.yml @@ -2089,6 +2089,8 @@ href: apis/alm-api-for-spfx-add-ins.md - name: CSOM methods for applying retention labels href: apis/csom-methods-for-applying-retention-labels.md + - name: SharePoint Add-in Management APIs + href: apis/addin-management-apis.md - name: Microsoft 365 Copy and Move API href: apis/spod-copy-move-api.md - name: SharePoint Migration Guidance @@ -2146,8 +2148,6 @@ href: /dotnet/api/?term=Officedevpnp - name: PnP Sites Core API reference - Extension methods href: /dotnet/api/?term=microsoft.sharepoint - - name: SharePoint Add-in Management APIs - href: apis/addin-management-apis.md - name: SharePoint schema reference href: schema/schema-reference-for-sharepoint.md items: From eacc9872e92a5abd5d607b8c350eb88eebc7cdf0 Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 28 Jun 2023 17:09:02 +0800 Subject: [PATCH 10/32] update strings --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index d44317a3b..db88cee9d 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site owners are blocked to update add-in permissions in AppInv.aspx page by default. To enable it, use the command [Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). +> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 2df0d1379..217b140d0 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site owners are blocked to register ACS in AppRegNew.aspx by default. To enable it, use the command [Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). +> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 76f51cbb2fa3ceb89d717c3d3f62817762256a9a Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 28 Jun 2023 17:19:25 +0800 Subject: [PATCH 11/32] test if the link works --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index db88cee9d..475ede4bd 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). +> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-SocialBarOnSitePagesDisabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. From 96b72471347ac92cb491688dd8e7e77ef7a9a374 Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 28 Jun 2023 17:22:30 +0800 Subject: [PATCH 12/32] test if the link works --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 475ede4bd..b6ce7e3fa 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-SocialBarOnSitePagesDisabled). +> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-socialbaronsitepagesdisabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. From c21881e979e333dc941b9d67ec8987943996385e Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 28 Jun 2023 17:27:15 +0800 Subject: [PATCH 13/32] test if the link works --- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 217b140d0..c1f0ab67b 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](https://review.learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps&branch=pr-en-us-432#-siteownermanagelegacyserviceprincipalenabled). +> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-socialbaronsitepagesdisabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 102d4cec37e80507703df80fa89d27119947b2bb Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 28 Jun 2023 17:30:05 +0800 Subject: [PATCH 14/32] test if the link works --- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index c1f0ab67b..e13a122f9 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md @@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-socialbaronsitepagesdisabled). +> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-allowguestusersharetousersnotinsitecollection). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 00ee8f3c259588ab6618a05d68e9eef44cd8fa38 Mon Sep 17 00:00:00 2001 
From: Rongqi Zhou Date: Wed, 28 Jun 2023 17:34:38 +0800 Subject: [PATCH 15/32] update to relative doc link --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index b6ce7e3fa..0a673f80c 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md @@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-socialbaronsitepagesdisabled). +> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index e13a122f9..8e301c053 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-allowguestusersharetousersnotinsitecollection). +> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 936d1ea711142ce06aef580fb1074b206bde8143 Mon Sep 17 00:00:00 2001 From: RongqiZ <81340450+RongqiZ@users.noreply.github.com> Date: Tue, 4 Jul 2023 13:17:17 +0800 Subject: [PATCH 16/32] Update add-in-permissions-in-sharepoint.md --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 0a673f80c..0708ffd89 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. From c5aaa7206cef1cd4e7a78cf765f32122f30252c6 Mon Sep 17 00:00:00 2001 From: RongqiZ <81340450+RongqiZ@users.noreply.github.com> Date: Tue, 4 Jul 2023 13:17:58 +0800 Subject: [PATCH 17/32] Update register-sharepoint-add-ins.md --- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 8e301c053..d7dcf5363 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site owners are not allowed to register ACS in AppRegNew.aspx by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 1c7a7119734afc246759a6c5162e4a01894ba39b Mon Sep 17 00:00:00 2001 From: RongqiZ <81340450+RongqiZ@users.noreply.github.com> Date: Tue, 4 Jul 2023 14:13:09 +0800 Subject: [PATCH 18/32] Update toc.yml --- docs/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/toc.yml b/docs/toc.yml index 061420ad5..76d71b0fd 100644 --- a/docs/toc.yml +++ b/docs/toc.yml @@ -2088,7 +2088,7 @@ - name: Application Lifecycle Management (ALM) APIs href: apis/alm-api-for-spfx-add-ins.md - name: CSOM methods for applying retention labels - href: apis/csom-methods-for-applying-retention-labels.md + href: apis/csom-methods-for-applying-retention-labels.md - name: SharePoint Add-in Management APIs href: apis/addin-management-apis.md - name: Microsoft 365 Copy and Move API From 2a65723963b4e5c74dc38000d551a7e3d61c3163 Mon Sep 17 00:00:00 2001 From: RongqiZ <81340450+RongqiZ@users.noreply.github.com> Date: Tue, 4 Jul 2023 14:13:34 +0800 Subject: [PATCH 19/32] Update toc.yml --- docs/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/toc.yml b/docs/toc.yml index 76d71b0fd..c2529a1b4 100644 --- a/docs/toc.yml +++ b/docs/toc.yml 
@@ -2088,7 +2088,7 @@ - name: Application Lifecycle Management (ALM) APIs href: apis/alm-api-for-spfx-add-ins.md - name: CSOM methods for applying retention labels - href: apis/csom-methods-for-applying-retention-labels.md + href: apis/csom-methods-for-applying-retention-labels.md - name: SharePoint Add-in Management APIs href: apis/addin-management-apis.md - name: Microsoft 365 Copy and Move API From 15822d1e6fb05ce134796257c7d6d8249a99852b Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Wed, 16 Aug 2023 14:58:10 +0800 Subject: [PATCH 20/32] update the note description --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 0a673f80c..5bd45964a 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site owners are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admins are not allowed to update add-in permissions in AppInv.aspx page by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 8e301c053..561efa6b3 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md @@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site owners are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admins are not allowed to register ACS in AppRegNew.aspx by default. More information can be found [here](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From ec390d185376d8cb3badab199994ac1da118fb36 Mon Sep 17 00:00:00 2001 
From: Rongqi Zhou Date: Thu, 17 Aug 2023 10:07:58 +0800 Subject: [PATCH 21/32] update wording --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index ea581c764..4eee77459 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md @@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site collection admins are not allowed to update add-in permissions in AppInv.aspx page by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not allowed to update add-in permissions in AppInv.aspx page by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 2dbaf5a44..4f7534f44 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site collection admins are not allowed to register ACS in AppRegNew.aspx by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not allowed to register ACS in AppRegNew.aspx by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 9b0f26bb0e1afda831917e180ace831e0f81dc8f Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Tue, 22 Aug 2023 13:58:27 +0800 Subject: [PATCH 22/32] update doc --- docs/solution-guidance/security-apponly-azureacs.md | 2 ++ docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 2 +- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/solution-guidance/security-apponly-azureacs.md b/docs/solution-guidance/security-apponly-azureacs.md index d3cafde44..4d1a9416e 100644 --- a/docs/solution-guidance/security-apponly-azureacs.md +++ b/docs/solution-guidance/security-apponly-azureacs.md 
@@ -17,6 +17,8 @@ SharePoint App-Only is the older, but still very relevant, model of setting up a > Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), has been retired on November 7, 2018. This retirement does not impact the SharePoint Add-in model, which uses the `https://accounts.accesscontrol.windows.net` hostname (which is not impacted by this retirement). For more information, see [Impact of Azure Access Control retirement for SharePoint Add-ins](https://devblogs.microsoft.com/microsoft365dev/impact-of-azure-access-control-deprecation-for-sharepoint-add-ins/). For new tenants, apps using an ACS app-only access token is disabled by default. We recommend using the Azure AD app-only model which is modern and more secure. But you can change the behavior by running 'set-spotenant -DisableCustomAppAuthentication $false' (needs the latest SharePoint admin PowerShell). ## Setting up an app-only principal with tenant permissions +> [!NOTE] +> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). Navigate to a site in your tenant (e.g. https://contoso.sharepoint.com) and then call the appregnew.aspx page (e.g. https://contoso.sharepoint.com/_layouts/15/appregnew.aspx). In this page click on the Generate button to generate a client id and client secret and fill the remaining information like shown in the screen-shot below. diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 4eee77459..2e93fad35 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -297,7 +297,7 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] -> Site collection admin is not allowed to update add-in permissions in AppInv.aspx page by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not able to update add-in permissions in AppInv.aspx page by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 4f7534f44..a104be2f6 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site collection admin is not allowed to register ACS in AppRegNew.aspx by default. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From b1cbc90afe88336ebb8a1270b6955aee5224012a Mon Sep 17 00:00:00 2001 From: Rongqi Zhou Date: Tue, 22 Aug 2023 14:08:57 +0800 Subject: [PATCH 23/32] update wording --- docs/solution-guidance/security-apponly-azureacs.md | 2 +- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/solution-guidance/security-apponly-azureacs.md b/docs/solution-guidance/security-apponly-azureacs.md index 4d1a9416e..9dfc5894b 100644 --- a/docs/solution-guidance/security-apponly-azureacs.md +++ b/docs/solution-guidance/security-apponly-azureacs.md 
@@ -18,7 +18,7 @@ SharePoint App-Only is the older, but still very relevant, model of setting up a ## Setting up an app-only principal with tenant permissions > [!NOTE] -> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly authorized by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). Navigate to a site in your tenant (e.g. https://contoso.sharepoint.com) and then call the appregnew.aspx page (e.g. https://contoso.sharepoint.com/_layouts/15/appregnew.aspx). In this page click on the Generate button to generate a client id and client secret and fill the remaining information like shown in the screen-shot below. diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index a104be2f6..216e901d9 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly authorized by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 59a17180faf3f1a85d696f9b38ff541dbe5c9dd8 Mon Sep 17 00:00:00 2001 From: RongqiZ <81340450+RongqiZ@users.noreply.github.com> Date: Wed, 30 Aug 2023 17:11:20 +0800 Subject: [PATCH 24/32] Update security-apponly-azureacs.md --- docs/solution-guidance/security-apponly-azureacs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/solution-guidance/security-apponly-azureacs.md b/docs/solution-guidance/security-apponly-azureacs.md index 9dfc5894b..4d1a9416e 100644 --- a/docs/solution-guidance/security-apponly-azureacs.md +++ b/docs/solution-guidance/security-apponly-azureacs.md 
@@ -18,7 +18,7 @@ SharePoint App-Only is the older, but still very relevant, model of setting up a ## Setting up an app-only principal with tenant permissions > [!NOTE] -> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly authorized by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). Navigate to a site in your tenant (e.g. https://contoso.sharepoint.com) and then call the appregnew.aspx page (e.g. https://contoso.sharepoint.com/_layouts/15/appregnew.aspx). In this page click on the Generate button to generate a client id and client secret and fill the remaining information like shown in the screen-shot below. From 718f3130b5d536680ec22ef04c7249db15bd1bb7 Mon Sep 17 00:00:00 2001 From: RongqiZ <81340450+RongqiZ@users.noreply.github.com> Date: Wed, 30 Aug 2023 17:12:41 +0800 Subject: [PATCH 25/32] Update register-sharepoint-add-ins.md --- docs/sp-add-ins/register-sharepoint-add-ins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 216e901d9..a104be2f6 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -45,7 +45,7 @@ You can register your add-in in one of three ways, depending on where you are in ### To register by using AppRegNew.aspx > [!NOTE] -> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly authorized by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +> Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. From 8c902bf4cb49b0e0e775359aec81cd169760fdb1 Mon Sep 17 00:00:00 2001 From: Vesa Juvonen Date: Thu, 31 Aug 2023 12:50:12 +0300 Subject: [PATCH 26/32] Update security-apponly-azureacs.md Updating date and formatting changes --- docs/solution-guidance/security-apponly-azureacs.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/solution-guidance/security-apponly-azureacs.md b/docs/solution-guidance/security-apponly-azureacs.md index 4d1a9416e..1603a2934 100644 --- a/docs/solution-guidance/security-apponly-azureacs.md +++ b/docs/solution-guidance/security-apponly-azureacs.md @@ -1,7 +1,7 @@ --- title: Granting access using SharePoint App-Only description: Granting access using SharePoint App-Only -ms.date: 02/26/2022 +ms.date: 08/31/2023 ms.prod: sharepoint author: vesajuvonen ms.author: vesaj 
@@ -11,12 +11,13 @@ ms.localizationpriority: medium # Granting access using SharePoint App-Only -SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016/2019 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online. Below steps show how to setup an app principal with tenant full control permissions, but obviously you could also grant just read permissions using this approach. +SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint on-premises (2013/2016/2019/subscription edition) and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online. Below steps show how to setup an app principal with tenant full control permissions, but you could also grant just read permissions using this approach. > [!IMPORTANT] > Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), has been retired on November 7, 2018. This retirement does not impact the SharePoint Add-in model, which uses the `https://accounts.accesscontrol.windows.net` hostname (which is not impacted by this retirement). For more information, see [Impact of Azure Access Control retirement for SharePoint Add-ins](https://devblogs.microsoft.com/microsoft365dev/impact-of-azure-access-control-deprecation-for-sharepoint-add-ins/). For new tenants, apps using an ACS app-only access token is disabled by default. We recommend using the Azure AD app-only model which is modern and more secure. But you can change the behavior by running 'set-spotenant -DisableCustomAppAuthentication $false' (needs the latest SharePoint admin PowerShell). 
## Setting up an app-only principal with tenant permissions + > [!NOTE] > Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). @@ -74,7 +75,7 @@ using (var cc = new AuthenticationManager().GetACSAppOnlyContext(siteUrl, "[Your ## Using this principal in your application without using the PnP Framework library -Once the principal is created and consented you can use the principal's id and secret to request an access. The TokenHelper.cs class will grab the id and secret from the application's configuration file. +Once the principal is created and consented you can use the principal's id and secret to request an access. The TokenHelper.cs class will use the id and secret from the application's configuration file. ```csharp using Microsoft.SharePoint.Client; From a65456fc9f2da9b697341274ebd67c38e86326ea Mon Sep 17 00:00:00 2001 From: Vesa Juvonen Date: Thu, 31 Aug 2023 12:53:40 +0300 Subject: [PATCH 27/32] Update add-in-permissions-in-sharepoint.md --- .../add-in-permissions-in-sharepoint.md | 37 ++----------------- 1 file changed, 4 insertions(+), 33 deletions(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 2e93fad35..43c153851 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md @@ -1,7 +1,7 @@ --- title: Add-in permissions in SharePoint description: Types of add-in permissions, permission request scopes, and managing permissions, and the differences in add-in permission rights, user rights, and Office Store app rights. -ms.date: 05/01/2020 +ms.date: 08/31/2023 ms.prod: sharepoint ms.localizationpriority: high --- 
@@ -23,8 +23,6 @@ If an object to which an add-in was granted permission is deleted, the correspon When an add-in is removed, all the permissions granted to that add-in at the scope from which it was removed are revoked. This is to ensure that the add-in can't use its credentials to continue accessing protected SharePoint resources remotely after a user removes the add-in from SharePoint. - - ## Types of add-in permissions and permission scopes A SharePoint Add-in uses permission requests to specify the permissions that it needs to function correctly. The permission requests specify both the rights that an add-in needs and the scope at which it needs the rights. These permissions are requested as part of the add-in manifest. @@ -49,8 +47,6 @@ If an add-in is granted permission to one of the scopes, the permission applies Because permission requests are made without information about the topology of the site collection where the add-in is installed, the scope is expressed as a type instead of as the URL of a specific instance. These scope types are expressed as URIs. Permissions to resources that are stored in the SharePoint content database are organized under the following URI: `http://sharepoint/content`. - - ## Differences between add-in permission rights and user rights Permissions indicate the activities that an add-in is permitted to do within the requested scope. SharePoint supports four rights levels in the content database. For each scope, an add-in can have the following rights: 
@@ -84,8 +80,6 @@ A user cannot grant an add-in permissions that the user himself or herself does Permissions that are not known to SharePoint are ignored. This means that, if an add-in requests a permission that SharePoint does not recognize, the add-in can still be installed, but the user is not prompted to grant the permission, and the permission is not granted to the add-in. - - ## Available scopes and permissions, and restrictions on Office Store apps permissions Different scopes have different sets of rights that are available for an add-in to request. This section describes the sets of rights that are available for each scope. Also, it highlights the restrictions for SharePoint Add-ins that are sold through the Office Store. @@ -94,8 +88,6 @@ Different scopes have different sets of rights that are available for an add-in Only Read, Write, and Manage rights are allowed for Office Store apps. If you try to submit an app to the Office Store that requires FullControl rights, your app is blocked from submission. Because the block is in the Office Store submission pipeline, apps that request more than Manage permissions can still be deployed through the add-in catalog. - - ### Permission request scopes for list content and library content Table 2 shows the permission request scope for list and library content, and lists the rights that can be specified for each scope URI. @@ -166,10 +158,6 @@ The following code shows an add-in that is asking for Read access to the web sco ``` -
      - - - ### Permission request scopes for other SharePoint features The permission request scope for other SharePoint features are listed in the following tables. @@ -188,8 +176,6 @@ Table 3 shows the permission request scope for Business Connectivity Services (B > [!NOTE] > For more information about the BCS add-in permission request scope, see [Business Connectivity Services in SharePoint](../general-development/business-connectivity-services-in-sharepoint.md). -
      - Table 4 shows the permission request scope for Search. It also lists the rights that can be specified for that scope URI. **Table 4. Search add-in permission request scope URIs and available rights** @@ -200,9 +186,7 @@ Table 4 shows the permission request scope for Search. It also lists the rights > [!NOTE] > For more information about the Search add-in permission request scope, see [Search in SharePoint](../general-development/search-in-sharepoint.md). - -
      - + Table 5 shows the permission request scope for Project Server 2013. It also lists the rights that can be specified for each scope URI. > [!NOTE] @@ -219,9 +203,6 @@ Table 5 shows the permission request scope for Project Server 2013. It also list |http://sharepoint/projectserver/statusing |SubmitStatus| |http://sharepoint/projectserver/reporting |Read| |http://sharepoint/projectserver/workflow |Elevate| - - -
      Table 6 shows the permission request scope for social features. It also lists the rights that can be specified for each scope URI. @@ -237,8 +218,6 @@ Table 6 shows the permission request scope for social features. It also lists th > [!NOTE] > For more information about social features add-in permission request scope, see [Add-in permission requests for accessing social features](../general-development/get-started-developing-with-social-features-in-sharepoint.md#app-permission-requests-for-accessing-social-features-in-sharepoint-add-ins). -
      - Table 7 shows the permission request scope for taxonomy. It also lists the rights that can be specified for that scope URI. **Table 7. Taxonomy add-in permission request scope URIs and available rights** @@ -264,8 +243,6 @@ The **BaseTemplateId** property is a child element, not an attribute of the **Ap ``` -
      - **Table 8. Permission request scope with associated properties** |**Scope URI**|**Property**|**Type**| @@ -290,15 +267,14 @@ SharePoint Add-ins that are installed to SharePoint are granted permissions when 4. On the page that opens, select **here** in the last sentence. This regrants the add-in its permissions and redirects the browser back to the **Site Contents** page. ![Regranting permissions to an app](../images/RegrantPermissionsToAnApp.png) - -
      When you are developing an add-in or troubleshooting an add-in, there may be occasions when you want to change, or regrant, the permissions of an add-in that has already been installed. You can do so with these steps: -1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. > [!NOTE] > Site collection admin is not able to update add-in permissions in AppInv.aspx page by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). +1. Go to `http://{SharePointWebSite}_layouts/15/AppInv.aspx`, where _\_ is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown. + 2. Enter the add-in's ID, also called the client ID, in the **Add-in Id** box, and then select **Lookup**. The other boxes on the form are then populated with information about the add-in. 3. Fill in the **Permission Request XML** box with permission requests exactly as you would enter them in an add-in manifest. For examples, see [Permission request scopes for list content and library content](#PermissionsForLists). For complete syntax information, see [AppPermissionRequest Element](https://msdn.microsoft.com/library/4ad90fb0-33b2-aee5-69c2-5b97ca5334f8(Office.15).aspx). 
@@ -307,18 +283,13 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ An add-in's permissions for a specific scope are revoked when it is removed from that scope. - - ## Why add-ins cannot be hidden from users Any user with browse rights to a SharePoint website can launch any SharePoint Add-in installed on the site. Whether the user can do anything with the add-in depends on the user's other permissions and what [authorization policy type](add-in-authorization-policy-types-in-sharepoint.md) is being used by the add-in. If the user tries to do something with the add-in that the user does not have permission to do, and the call to SharePoint is using the user+add-in policy, the call fails. ## See also - - [Set up an on-premises development environment for SharePoint Add-ins](set-up-an-on-premises-development-environment-for-sharepoint-add-ins.md) - [Get started creating provider-hosted SharePoint Add-ins](get-started-creating-provider-hosted-sharepoint-add-ins.md) - [Get started creating SharePoint-hosted SharePoint Add-ins](get-started-creating-sharepoint-hosted-sharepoint-add-ins.md) - [Authorization and authentication of SharePoint Add-ins](authorization-and-authentication-of-sharepoint-add-ins.md) - - From 79dafbf721e4f15cb086992cb9d2c650f5942677 Mon Sep 17 00:00:00 2001 From: Vesa Juvonen Date: Thu, 31 Aug 2023 12:55:35 +0300 Subject: [PATCH 28/32] Update register-sharepoint-add-ins.md --- docs/sp-add-ins/register-sharepoint-add-ins.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index a104be2f6..13d27e82e 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md 
@@ -1,11 +1,10 @@ --- title: Register SharePoint Add-ins description: Register your SharePoint Add-ins in Azure ACS by using Visual Studio, the Seller Dashboard, or an AppRegNew.aspx page, and retrieve registration information. -ms.date: 06/13/2022 +ms.date: 08/31/2023 ms.prod: sharepoint ms.localizationpriority: high --- - # Register SharePoint Add-ins Register your SharePoint Add-ins in Azure ACS by using Visual Studio, the Seller Dashboard, or an AppRegNew.aspx page, and retrieve registration information. @@ -44,10 +43,10 @@ You can register your add-in in one of three ways, depending on where you are in |Use the AppRegNew.aspx page. |Use the AppRegNew form to register your SharePoint Add-in if you are using the add-in only in one tenant or farm.

      For example, if you're creating add-ins for a single organization and you're going to distribute them via the organization add-in catalog, you can use the AppRegNew.aspx page of any website in a tenancy or farm to register the add-in.

      You cannot publish an add-in that is registered with AppRegNew.aspx to the Office Store. For add-ins that are published to the Office Store, you must get an identity from the Seller Dashboard.| ### To register by using AppRegNew.aspx + > [!NOTE] > Site collection admin is not able to register add-in with Azure ACS in AppRegNew.aspx by default unless explicitly allowed by the SharePoint tenant admin. For more information, see [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant#-siteownermanagelegacyserviceprincipalenabled). - 1. Go to `/_layouts/15/AppRegNew.aspx` by using a web browser. **AppRegNew page form** @@ -85,8 +84,6 @@ You can register your add-in in one of three ways, depending on where you are in Regardless of how you register your SharePoint Add-in, when you are ready to deploy the add-in to staging or production, you need to [Enter the registration values into the web.config and AppManifest.xml files](#EditConfigFiles). If you are using Visual Studio, the Microsoft Office Developer Tools for Visual Studio do this configuration for you. - - ## Enter the registration values into the web.config and AppManifest.xml files Before you package the SharePoint Add-in and before you deploy its remote components, enter some of the registration values in the AppManifest.xml and the web.config file. 
@@ -149,14 +146,10 @@ Before you package the SharePoint Add-in and before you deploy its remote compon ``` - - ## Use the redirect URL in an add-in that asks for permissions on the fly If your web application is launched from outside SharePoint (and is, thus, not a true SharePoint Add-in), it has to be designed to ask for permissions from SharePoint at runtime. It has to have code that uses the redirect URI, along with other information, to obtain an access token from ACS. Find the place where this URI is set and use the *exact* value that you used for the **Redirect URI** field on AppRegNew.aspx or in the Seller Dashboard. This might be in a code file or a configuration file. - - ## Retrieve add-in registration and add-in principal information You can retrieve add-in registration information and add-in principal information for the add-ins you've installed or registered on SharePoint. @@ -174,7 +167,6 @@ The lookup does not return the add-in secret value. To see a list of registered add-in principals, go to: `http:///_layouts/15/AppPrincipals.aspx`. ## See also - - [Three authorization systems for SharePoint Add-ins](three-authorization-systems-for-sharepoint-add-ins.md) - [Get started creating provider-hosted SharePoint Add-ins](get-started-creating-provider-hosted-sharepoint-add-ins.md) From 83e284278cdbc8093532f050f59d8deb04701c17 Mon Sep 17 00:00:00 2001 From: Vesa Juvonen Date: Thu, 31 Aug 2023 12:58:36 +0300 Subject: [PATCH 29/32] Update add-in-permissions-in-sharepoint.md --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 43c153851..269763c35 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -22,7 +22,9 @@ The permissions that the add-in has been granted are also stored in the content If an object to which an add-in was granted permission is deleted, the corresponding grants are also deleted. When an object to which an add-in was granted permission is recycled, SharePoint does not modify the corresponding grant. This is so that if the object is restored from the Recycle Bin, the grant is still intact. When an add-in is removed, all the permissions granted to that add-in at the scope from which it was removed are revoked. This is to ensure that the add-in can't use its credentials to continue accessing protected SharePoint resources remotely after a user removes the add-in from SharePoint. - + + + ## Types of add-in permissions and permission scopes A SharePoint Add-in uses permission requests to specify the permissions that it needs to function correctly. The permission requests specify both the rights that an add-in needs and the scope at which it needs the rights. These permissions are requested as part of the add-in manifest. From 3fd54b31e5795ea6a14623fbb98f6bbbe61c11cd Mon Sep 17 00:00:00 2001 From: Vesa Juvonen Date: Thu, 31 Aug 2023 13:02:56 +0300 Subject: [PATCH 30/32] Update add-in-permissions-in-sharepoint.md --- docs/sp-add-ins/add-in-permissions-in-sharepoint.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md index 269763c35..ce6467655 100644 --- a/docs/sp-add-ins/add-in-permissions-in-sharepoint.md +++ b/docs/sp-add-ins/add-in-permissions-in-sharepoint.md 
@@ -49,6 +49,8 @@ If an add-in is granted permission to one of the scopes, the permission applies Because permission requests are made without information about the topology of the site collection where the add-in is installed, the scope is expressed as a type instead of as the URL of a specific instance. These scope types are expressed as URIs. Permissions to resources that are stored in the SharePoint content database are organized under the following URI: `http://sharepoint/content`. + + ## Differences between add-in permission rights and user rights Permissions indicate the activities that an add-in is permitted to do within the requested scope. SharePoint supports four rights levels in the content database. For each scope, an add-in can have the following rights: @@ -82,6 +84,8 @@ A user cannot grant an add-in permissions that the user himself or herself does Permissions that are not known to SharePoint are ignored. This means that, if an add-in requests a permission that SharePoint does not recognize, the add-in can still be installed, but the user is not prompted to grant the permission, and the permission is not granted to the add-in. + + ## Available scopes and permissions, and restrictions on Office Store apps permissions Different scopes have different sets of rights that are available for an add-in to request. This section describes the sets of rights that are available for each scope. Also, it highlights the restrictions for SharePoint Add-ins that are sold through the Office Store. 
@@ -90,6 +94,8 @@ Different scopes have different sets of rights that are available for an add-in Only Read, Write, and Manage rights are allowed for Office Store apps. If you try to submit an app to the Office Store that requires FullControl rights, your app is blocked from submission. Because the block is in the Office Store submission pipeline, apps that request more than Manage permissions can still be deployed through the add-in catalog. + + ### Permission request scopes for list content and library content Table 2 shows the permission request scope for list and library content, and lists the rights that can be specified for each scope URI. @@ -159,6 +165,7 @@ The following code shows an add-in that is asking for Read access to the web sco ``` + ### Permission request scopes for other SharePoint features @@ -284,11 +291,15 @@ When you are developing an add-in or troubleshooting an add-in, there may be occ 4. Select **Create**. An add-in's permissions for a specific scope are revoked when it is removed from that scope. - + + + ## Why add-ins cannot be hidden from users Any user with browse rights to a SharePoint website can launch any SharePoint Add-in installed on the site. Whether the user can do anything with the add-in depends on the user's other permissions and what [authorization policy type](add-in-authorization-policy-types-in-sharepoint.md) is being used by the add-in. If the user tries to do something with the add-in that the user does not have permission to do, and the call to SharePoint is using the user+add-in policy, the call fails. + + ## See also - [Set up an on-premises development environment for SharePoint Add-ins](set-up-an-on-premises-development-environment-for-sharepoint-add-ins.md) From 4894006c802b4377499416581e8e66f4b4ecbc26 Mon Sep 17 00:00:00 2001 
From: Vesa Juvonen Date: Thu, 31 Aug 2023 13:04:10 +0300 Subject: [PATCH 31/32] Update register-sharepoint-add-ins.md --- docs/sp-add-ins/register-sharepoint-add-ins.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/sp-add-ins/register-sharepoint-add-ins.md b/docs/sp-add-ins/register-sharepoint-add-ins.md index 13d27e82e..d5558c686 100644 --- a/docs/sp-add-ins/register-sharepoint-add-ins.md +++ b/docs/sp-add-ins/register-sharepoint-add-ins.md @@ -84,6 +84,8 @@ You can register your add-in in one of three ways, depending on where you are in Regardless of how you register your SharePoint Add-in, when you are ready to deploy the add-in to staging or production, you need to [Enter the registration values into the web.config and AppManifest.xml files](#EditConfigFiles). If you are using Visual Studio, the Microsoft Office Developer Tools for Visual Studio do this configuration for you. + + ## Enter the registration values into the web.config and AppManifest.xml files Before you package the SharePoint Add-in and before you deploy its remote components, enter some of the registration values in the AppManifest.xml and the web.config file. 
@@ -146,10 +148,14 @@ Before you package the SharePoint Add-in and before you deploy its remote compon ``` + + ## Use the redirect URL in an add-in that asks for permissions on the fly If your web application is launched from outside SharePoint (and is, thus, not a true SharePoint Add-in), it has to be designed to ask for permissions from SharePoint at runtime. It has to have code that uses the redirect URI, along with other information, to obtain an access token from ACS. Find the place where this URI is set and use the *exact* value that you used for the **Redirect URI** field on AppRegNew.aspx or in the Seller Dashboard. This might be in a code file or a configuration file. + + ## Retrieve add-in registration and add-in principal information You can retrieve add-in registration information and add-in principal information for the add-ins you've installed or registered on SharePoint. @@ -166,6 +172,8 @@ The lookup does not return the add-in secret value. To see a list of registered add-in principals, go to: `http:///_layouts/15/AppPrincipals.aspx`. + + ## See also - [Three authorization systems for SharePoint Add-ins](three-authorization-systems-for-sharepoint-add-ins.md) From ac7158ac0b3f926de066d9d3383c0b0d4fb1ac7a Mon Sep 17 00:00:00 2001 From: Vesa Juvonen Date: Thu, 31 Aug 2023 13:06:07 +0300 Subject: [PATCH 32/32] Update register-sharepoint-add-ins.md
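Review bot: PATCH 23/32 through 25/32 cancel each other out. 23/32 changes "explicitly allowed" to "explicitly authorized" in the `[!NOTE]` of both security-apponly-azureacs.md and register-sharepoint-add-ins.md, then 24/32 and 25/32 change it straight back (the index lines go 4d1a9416e..9dfc5894b and then 9dfc5894b..4d1a9416e, and a104be2f6..216e901d9 and back). Drop or squash the three commits so the history does not carry a no-op. If the wording of the note is still open, name the tenant setting in the sentence itself: the link fragment points at `-siteownermanagelegacyserviceprincipalenabled`, but a reader has to follow the link to learn which switch the tenant admin must change. "Site collection admin is not able to register add-in" is also missing its articles.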
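Review bot: in PATCH 26/32, the rewritten sentence in the hunk at -74,7 still ends "to request an access.", which reads as a truncated "access token"; finish it while the line is being touched. In the intro hunk at -11,12 the new text keeps "how to setup" (the verb is "set up") and "Below steps", and it still presents tenant full control as the worked case with read-only as an aside. A sentence telling readers to request only the rights the application needs would fit that paragraph better than "you could also grant just read permissions".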
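Review bot: step 1 in the PATCH 27/32 hunk at -290,15 is removed and re-added with its defects intact. As the line appears in this diff, `http://{SharePointWebSite}_layouts/15/AppInv.aspx` has no `/` between the site placeholder and `_layouts`, and the following "where _\_ is the URL of the website" no longer names the placeholder it is meant to define. Since the same step warns that the form only appears if the URL is exactly as shown, correct the URL and the placeholder in this commit. Moving the `[!NOTE]` above the numbered list is the right call, as it no longer interrupts the step numbering.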
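Review bot: PATCH 27/32 and 28/32 delete the lines sitting directly above several section headings (for example above "## Types of add-in permissions and permission scopes" and "## Enter the registration values into the web.config and AppManifest.xml files"), and PATCH 29/32, 30/32 and 31/32 add lines back at the same positions. The content of those lines is not visible in this series, but the unchanged context still links to `#PermissionsForLists` and `#EditConfigFiles`. If the deleted lines carried those named anchors, the in-page links are broken in every revision between 27/32 and 31/32. Squash the removal and the restoration into one commit, say in the commit message what is being kept and why, and confirm after 31/32 that every heading targeted by an in-page link has its anchor again.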