Monday, August 27, 2018

Modifying terms using app-only tokens in SharePoint – undocumented work-around



In a fit of rage yesterday, while running a PowerShell script against SharePoint Online with an account that uses multi-factor authentication (which just doesn't work reliably for scripts, since the login has to go through a web browser), I decided to use app-only authentication instead.

I used the following permission manifest, which should grant god rights, right?

<AppPermissionRequests AllowAppOnlyPolicy="true" >
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Write" />
</AppPermissionRequests>

But since this script modifies terms, that quickly broke down. More rage, more fits!

The documentation at https://msdn.microsoft.com/en-us/library/office/mt210897.aspx?f=255&MSPPError=-2147217396#sectionSection0 states:

You can't use the app-only policy with the following APIs:

  • User Profile
  • Search
  • Taxonomy (this only applies to scenarios that write to the managed metadata service)

But it turns out this is not entirely true: there is an undocumented work-around that seems to work just fine. The underlying principal for an app-only add-in is i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint.

If you go to the term store admin center and add app@sharepoint as a term store admin, it all works! Very handy, very undocumented, probably not supported, but hey, I'm running a script here. One thing to keep in mind: app@sharepoint is the single principal that every app-only token in the tenant runs as, so this does not grant term store admin rights to one script or one add-in, it grants them to any add-in registered with AllowAppOnlyPolicy="true". Remove the admin entry again when the script is done if that is more than you want to hand out.
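Here is an added PowerShell example (not from the original post) that puts the above together: it connects with an app-only token, prints the principal the token actually runs as, reads a term, and then attempts the write that the documentation says app-only cannot do. Until app@sharepoint is a term store admin the write is refused and the script says what to fix; afterwards it goes through. It assumes the SharePointPnPPowerShellOnline module with its 2018 parameter names (-AppId/-AppSecret; the newer PnP.PowerShell module calls these -ClientId/-ClientSecret), and the tenant URL, app registration and term group/set/name below are placeholders.

```powershell
# Added example, not the original post's script. Assumes SharePointPnPPowerShellOnline
# is installed and that the URL, app id/secret and term path are placeholders.
param(
    [string]$SiteUrl   = "https://contoso.sharepoint.com",
    [string]$AppId     = "<client id of the registered add-in>",
    [string]$AppSecret = "<client secret of the registered add-in>",
    [string]$TermGroup = "Corporate",
    [string]$TermSet   = "Departments",
    [string]$TermName  = "Finance"
)

# App-only authentication: no browser login, so MFA never gets in the way.
# (PnP.PowerShell users: replace -AppId/-AppSecret with -ClientId/-ClientSecret.)
Connect-PnPOnline -Url $SiteUrl -AppId $AppId -AppSecret $AppSecret

# Show which principal the token runs as. For an app-only token this is
# i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint, the account that has
# to be a term store admin before taxonomy writes succeed.
$ctx  = Get-PnPContext
$user = Get-PnPProperty -ClientObject $ctx.Web -Property CurrentUser
Write-Host "Running as: $($user.LoginName)"

# Reading the term store works with app-only even without the work-around.
$term = Get-PnPTerm -Identity $TermName -TermSet $TermSet -TermGroup $TermGroup
Write-Host "Found term '$($term.Name)' ($($term.Id))"

# Writing is the part the docs say app-only cannot do. Try it and turn an
# access-denied result into an actionable message instead of a raw CSOM exception.
try {
    $term.SetDescription("Updated via app-only token on $(Get-Date -Format s)", 1033)
    $term.TermStore.CommitAll()
    $ctx.ExecuteQuery()
    Write-Host "Term description updated."
}
catch {
    $denied = ($_.Exception -is [Microsoft.SharePoint.Client.ServerUnauthorizedAccessException]) -or
              ($_.Exception.Message -match 'Access denied')
    if (-not $denied) { throw }
    Write-Warning "Term store write denied for $($user.LoginName)."
    Write-Warning "Add 'app@sharepoint' as a Term Store Administrator in the term store admin center, then re-run."
    Write-Warning "Note: that makes every app-only token in the tenant a term store admin, not just this one."
}
```

Run it once before and once after adding app@sharepoint in the term store admin center: the first run prints the app@sharepoint login name and the access-denied warning, the second run commits the description change.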


A big thanks to the person who provided the work-around at the end of this two-year-old thread: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/c89cdd37-4527-4855-ab98-1033ce130f6f/taxonomy-operations-using-app-context?forum=appsforsharepoint