SharePoint Online API: Access denied creating Personal Site when passing Signed In User Bearer Token

[garrytrinder]

Category

• Question
• Typo
• Bug
• Additional article idea

Expected or Desired Behavior

The below HTTP call should create a new personal site for the user

POST /_vti_bin/client.svc/ProcessQuery HTTP/1.1
Host: tenant-admin.sharepoint.com
Content-Type: application/xml
Authorization: Bearer <token>

<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" LibraryVersion="16.0.0.0" ApplicationName="SharePoint PnP PowerShell Library" xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
    <Actions>
        <ObjectPath Id="5" ObjectPathId="4" />
        <Method Name="CreatePersonalSiteEnqueueBulk" Id="6" ObjectPathId="4">
            <Parameters>
                <Parameter Type="Array">
                    <Object Type="String">user@tenant.onmicrosoft.com</Object>
                </Parameter>
            </Parameters>
        </Method>
    </Actions>
    <ObjectPaths>
        <StaticMethod Id="4" Name="GetProfileLoader"  TypeId="{9c42543a-91b3-4902-b2fe-14ccdefb6e2b}" />
    </ObjectPaths>
</Request>

Observed Behavior

Above request results in 200 OK response but returns the below error, no personal site is created for the user.

[
    {
        "SchemaVersion": "15.0.0.0",
        "LibraryVersion": "16.0.19318.12002",
        "ErrorInfo": {
            "ErrorMessage": "Access denied. You do not have permission to perform this action or access this resource.",
            "ErrorValue": null,
            "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67",
            "ErrorCode": -2147024891,
            "ErrorTypeName": "System.UnauthorizedAccessException"
        },
        "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67"
    }
]

Steps to Reproduce

• Create Azure AD application
• Set the following delegate SharePoint Online API permissions
  • AllSites.FullControl
  • User.ReadWrite.All
• Grant Admin consent for delegated permissions
• Generate Bearer Token using OAuth 2.0 Authorization Code Flow
  • Provide Tenant Admin credentials
• Pass Bearer Token in Authorisation header of request

Related Issues

pnp/PnP-PowerShell#2267
OneDrive/onedrive-api-docs#530
pnp/cli-microsoft365#929

[msft-github-bot]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[andrewconnell]

Context please... where is the method CreatePersonalSiteEnqueueBulk coming from (ie: what API are you using), what's the environment, etc...

[msft-github-bot]

The more context details you can provide, the easier it is to help assist on issues. Any code you can provide and/or screenshots of the issue also help. The easier you can make it to reproduce the issue, the easier and quicker it is for someone to help you. Things that always help posting with every issue include (1) SharePoint environment(s) (on-prem / SP 2016 / SP 2019 / SharePoint Online), (2) if SharePoint Online, is the tenant configured for standard / targeted release, (3) if SharePoint Framework, list the versions of installed tools (Node.js, NPM, Yeoman, Gulp, SPFx generator, etc... use npm list -g --depth=0), (4) if applicable, browser(s) tested, (5) if applicable, version of Office UI Fabric React & (6) anything else you can provide.

[andrewconnell]

Furthermore, you say “create personal site” which I think implies SharePoint, but you reference OneDrive. Hence the confusion on what you are trying to do.

Regardless, of the API, you need to ensure the API supports application permissions. It may only support delegated (app+user) permissions for auditing requirements & not app-only.

[garrytrinder]

@andrewconnell appreciate your commenting on this issue and apologies for the lack of clarity...

I am working on replicating the New-PnPPersonalSite cmdlet functionality from PnP PowerShell, which creates "Creates a personal / OneDrive For Business site", into the Office 365 CLI.

POST /_vti_bin/client.svc/ProcessQuery HTTP/1.1
Host: tenant-admin.sharepoint.com
Content-Type: application/xml
Authorization: Bearer <token>

<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" LibraryVersion="16.0.0.0" ApplicationName="SharePoint PnP PowerShell Library" xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
    <Actions>
        <ObjectPath Id="5" ObjectPathId="4" />
        <Method Name="CreatePersonalSiteEnqueueBulk" Id="6" ObjectPathId="4">
            <Parameters>
                <Parameter Type="Array">
                    <Object Type="String">user@tenant.onmicrosoft.com</Object>
                </Parameter>
            </Parameters>
        </Method>
    </Actions>
    <ObjectPaths>
        <StaticMethod Id="4" Name="GetProfileLoader"  TypeId="{9c42543a-91b3-4902-b2fe-14ccdefb6e2b}" />
    </ObjectPaths>
</Request>

However this returns the below 200 OK response

[
    {
        "SchemaVersion": "15.0.0.0",
        "LibraryVersion": "16.0.19318.12002",
        "ErrorInfo": {
            "ErrorMessage": "Access denied. You do not have permission to perform this action or access this resource.",
            "ErrorValue": null,
            "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67",
            "ErrorCode": -2147024891,
            "ErrorTypeName": "System.UnauthorizedAccessException"
        },
        "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67"
    }
]

The app used to generate the bearer token only uses delegate permissions for SharePoint Online (the common Office 365 CLI app identity) so no app-only calls here to SharePoint.

Further investigation into the PnP-PowerShell cmdlet also showed that the cmdlet only worked when authenticating with SharePoint Online by passing username and password (Forms Based Auth) as the same error is thrown when using a Bearer Token.

[andrewconnell]

@garrytrinder said

I am working on replicating the New-PnPPersonalSite cmdlet functionality from PnP PowerShell, which creates "Creates a personal / OneDrive For Business site", into the Office 365 CLI.

That's not correct... the PnP cmdlets do not interact with the O365 CLI. The O365 CLI is an alternative to the POSH cmdlets. Both are using public REST APIs in SharePoint / Office 365 to do their work. I think what you wrote is a typo.

If you have specific questions about the PNP cmdlets, you should post those to the github project for the PnP POSH project, not here, as that's the more relevant place.

The underlying question I'm tracking down with SP engineering is "is app only supported for this task"... will follow up if I get an answer.