Partilhar via


Access Denied Error with App Only Access Token When Reading Profile Info

This is yet another rather strange error that I ran across and couldn't find any info out on the interwebs about it so I though I would document it here. Suppose you have a SharePoint App that needs to access some User Profile information. You will probably use the PeopleManager class and ask for user profile properties using the PersonProperties class or one of the methods off of the PeopleManager class. You write your code up using the standard TokenHelper semantics to get a user + app key to retrieve this information, i.e. something like var clientContext = spContext.CreateUserClientContextForSPHost(). In your AppManifest file you ask for (at a minimum) Read rights to User Profiles (Social). Works great, okay, good start.

Now you determine that you need to retrieve that same information but use an App Only token. So you use whatever method you want to get an App Only token. You use the same code but now you get an Access Denied error message. Why is that - App Only tokens are supposed to have the same or greater rights than user + app tokens. Well...for right now...I don't know why not. NOTE: I DO understand needing to be a tenant admin to install an app that requires access to User Profiles, but this is different; it happens after the app is installed. But I do know how I fixed it. I added Tenant...Read rights to my AppManifest file. Now my App Only token is able to read properties from the User Profile in o365. Just thought I would share this "not at all obvious" tip so that if you get stuck hopefully your favorite search engine will find this post. Happy coding!

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    July 25, 2014
    FYI, accessing the Term Store has similar installation & run-time permission requirements.
  • Anonymous
    July 28, 2014
    I have similar problem with Full-trust Provider hosted App, which has not any access to read Term stores on one tenant. Same provider hosted application can create site collection to the tenant without any problem and also do some modifications to the site. Same code works properly on another tenant. Access denied error occurs when reading term set and groups via CSOM. Any ideas how to solve this problem?
  • Anonymous
    January 08, 2015
    m88 : http://m88en.com
    M88.com offer online sports games Asia, Sports Betting Asia, Sports Betting Sites Asia.
    m88asia : http://m88en.net
    Link to M88BET phone: m88en.com. – Register and Open Betting Account and Membership M88BET.
    m88bet : http://www.linkm88vip.com
    MANSION88 the house is one of the largest and most prestigious. Appeared quite early in the Asian market, the so-MANSION88 currently attracts more players.
    link m88 : http://m88wiki.com
    Home the M88 is the official sponsor of the football club in the Premier League
    Wish you happy with the new M88
    m88 casino online : http://m88free.com