register and debug provider hosted SharePoint Online Add Ins with tenant full controll

It is a while since Microsoft launched the Add In (or App) architecture for SharePoint, but there are still things they change or we are not familiar with. In August 2016 there was a change in giving tenant permissions to provider hosted Add Ins using app-only mode and Azure Access Control Service (ACS).


You should be familar with appregnew.aspx and appinv.aspx. They already have been used a for some time. If you want to add app-only tenant permissions to an Add In now you are not using them on the way you did before (calling both sites on the site you want to use).
  • You need to register your Add In on your site (URL: https://[tenant].sharepoint.com/_layouts/15/appregnew.aspx). 
    • Generate a ClientID and a ClientSecret
    • The App Domain is localhost and your port (e.g. localhost:12345)
    • The Redirect URL is localhost with the port and protocol (e.g. https://localhost:12345)
  • Now add the ClientID and the ClientSecret into all your configuration files (also the web.config of the WebApp if you want to keep using localhost for debugging) in Visual Studio:
    • Add In / app.config (add <appSettings> if not already there)
    • Add In / AppManifest.xml 
    • WebApp / Web.config
    • WebApp / PublishProfiles/yourProfile.pubxml
  • Move to the appinv.aspx under the admin site (URL: https://[tenant]-admin.sharepoint.com/_layouts/15/appinv.aspx) and perform a lookup with the ClientID
  • Add the permission XML (<AppPermissionRequests>) of your AppManifest.xml
  • Trust the Add In
The first configuration is done, but do NOT debug now. If you start debugging the setup is lost. And the SharePoint will ask you to trust the app without using the registered app you've set up. The problem ist that you will not be able to trust the app. The button will be disabled and it will say Sorry, only tenant administrators can add or give access to this app.
Here comes the trick to debug:

You need to publish the Add In in Visual Studio (enter your ClientID here again) and add the *.app file into your AppCatalog. Go to your site and install the app. It will say you cannot trust the app you need to request it. Do it and go to your AppCatalog again. There will be a request for this Add In. You need to approve it and go back to your Site. In the Site Contents your Add In will be listed now. Click on the icon and install the it.
No open Visual Studio and debug the Add In. Do not worry. Visual Studio will retract the Add In and deploy it again, but it is fine. This will tell the SharePoint that localhost is a legit URL to the WebApp. Once you did it you can set the WebApp as starting project. When you hit debugging it will start your WebApp on localhost and you can enter the Add In in your SharePoint.

Now there is one question left: why should I do that much just to have app-only permissions?
Well, app-only tenant permissions are like elevated privileges. This allows you to do everything you want (e.g create or delete Site Collections). At this point you can imagine how much you can destroy with this privileges. You need to make sure not everybody can get the permissions and that is why the appinv.aspx moved into the admin site and made the process much more difficult.

Comments

Post a Comment

Popular posts from this blog

How to support multiple languages in WPF

Image
If you are developing many solutions for many costomer, one day one of them will require a multilingual WPF-solution. So there is the question: how to make a WPF form multilingual? At first you need at least two languages that you want to support. You can add some other languages at the end very easy. First of all create a folder in your project and call it "Languages", to keep an overview. Once it is done you can create Resource Dictionaries in this folder. You can call them however you want, but make sure you can assign them to the language. You can use language codes (like "en-us") or you can call it like the language is called. At the end it can look like this:
More »