Accessing SharePoint using an application context, also known as app-only
There are two approaches for doing app-only for SharePoint:
- Using an Azure AD application: this is the preferred method when using SharePoint Online because you can also grant permissions to other Office 365 services (if needed) + you’ve a user interface (Azure portal) to maintain your app principals.
- Using a SharePoint App-Only principal: this method is older and only works for SharePoint access, but is still relevant. This method is also the recommended model when you’re still working in SharePoint on-premises since this model works in both SharePoint on-premises as SharePoint Online.
Both methods are detailed in following articles:
What are the limitations when using app-only
App-Only does not work in following cases:
- Updating taxonomy service entries (write) - read works
- Creating modern team sites does not support app-only when you use the SharePoint API for it. When modern team sites are created using Microsoft Graph to create the group then app-only is a supported scenario
- Creating communication sites is supported in app-only context, but owner property is required. using the SharePoint API
- Search when using SharePoint On-Premises. SharePoint Online support for it has been added (blog post)
- User Profile CSOM write operations do not work with Azure AD application - read operations work. Both read and write operations work through SharePoint App-Only principal
- User Profile Bulk Update API can be used with app-only permissions
- Manipulating files via WebDav protocol and CSOM (using
File.SaveBinaryDirect
orFile.OpenBinaryDirect
) does not work with app-only. UseFile.SaveBinary
andFile.OpenBinaryStream
instead. - The use of the
Microsoft.SharePoint.Client.Web.ShareObject()
API was not tested with app-only permissions, and may not work consistently. The recommendation is to use it only with an app+user context.
Important
If the above scenarios are critical for you it's recommended to define a service account, grant that one permissions and then use it in your application. See the Governance.EnsurePolicy sample to learn more on how you can grant tenant wide permissions for a service account. Also the article explaining an alternative model for web app policies in SharePoint Online does contain a lot of information on this topic.
Important
Using Azure ACS (Access Control Services) for SharePoint Online has been retired as of November 27th 2023, checkout the full retirement announcement to learn more. Using Azure ACS outside of the context of SharePoint was already retired on November 7th, 2018 and is end-of-life now.
Retirement means that the feature will not get any new investments, but it's still supported. End-of-life means that the feature will be discontinued and is no longer available for use.