Microsoft 365 – MAJOR UPDATE – SharePoint site collection admin – control for App registration / update permissions – Security measures for administrative governance – Important one
Greetings for the day!!!
Today we are discussing a new feature.
New Feature – SharePoint admin control for app registration
- This is an enhancement to the security measures for administrative governance. It changes the default behaviour of SharePoint app registration via the AppRegNew.aspx page and of app permission updates via the AppInv.aspx page.
- Until now, a SharePoint site collection administrator could register a new SharePoint app through the "AppRegNew" page (_layouts/AppRegNew.aspx) and grant or update its permissions through AppInv.aspx without any involvement from the tenant administrator.
- Microsoft has changed this. A site collection admin can no longer register an app or update app permissions through these pages unless the SharePoint tenant admin has explicitly authorized it at tenant level.
- When a site collection admin attempts to register an application on the AppRegNew.aspx page, the following notification is displayed: "Your SharePoint tenant admin doesn't allow site collection admins to create an Azure Access Control (ACS) principal. Please contact your SharePoint tenant administrator."
- Similarly, site collection administrators are no longer able to update app permissions through "AppInv.aspx".
- From a governance point of view this closes a gap: a site collection admin could previously create an ACS principal and grant it permissions (including tenant-wide scopes requested through AppInv.aspx) with no tenant-admin review.
NOTE – App registration and permission updates via the Microsoft Azure portal (Entra app registrations) are not impacted by this change.
Workaround / Solution
- By default the flag is FALSE, which means the ACS service principal can only be created or updated by the SharePoint tenant administrator.
- To restore the old behaviour, the tenant administrator must run the PowerShell cmdlet below to explicitly set the flag to TRUE.
- When the flag is set to TRUE, both the SharePoint tenant admin and site collection admins are able to create or update the service principal through SharePoint (AppRegNew.aspx and AppInv.aspx).
- Keep in mind that setting the flag to TRUE re-opens the gap described above for every site collection admin in the tenant; if only a single app needs to be registered, consider registering it as tenant admin (or via the Azure portal) and leaving the flag at its default.
The PowerShell cmdlet is:
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
NOTE – The property 'SiteOwnerManageLegacyServicePrincipalEnabled' only becomes visible in the tenant settings (Get-SPOTenant) after the SharePoint Online Management Shell is updated to version 16.0.23710.12000 or later.
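The following script is an added example and is not part of the original post or of Microsoft's documentation. It walks through the whole procedure a tenant admin would actually type: confirm the SharePoint Online Management Shell is at least the version quoted above, connect to the tenant admin endpoint, read the current value of the flag, change it only if needed, and verify the result. The tenant name 'contoso' is a placeholder, and the $MinimumVersion value is simply the version number stated in the NOTE above.

```powershell
# Added example (not from the original post): check module version, read the flag,
# set it, and verify. Assumes the Microsoft.Online.SharePoint.PowerShell module is
# installed and the signed-in account is a SharePoint tenant administrator.

$TenantName     = 'contoso'                        # placeholder; replace with your tenant
$MinimumVersion = [version]'16.0.23710.12000'      # version quoted in the post's NOTE

# 1. The property does not exist on older module versions, so check before doing anything.
$module = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    throw 'SharePoint Online Management Shell not found. Run: Install-Module Microsoft.Online.SharePoint.PowerShell'
}
if ($module.Version -lt $MinimumVersion) {
    throw "Module version $($module.Version) is older than $MinimumVersion. Run: Update-Module Microsoft.Online.SharePoint.PowerShell"
}

# 2. Connect to the tenant admin URL (interactive sign-in).
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 3. Read the current state. The default is $false: only tenant admins may create or
#    update the ACS principal through AppRegNew.aspx / AppInv.aspx.
$before = (Get-SPOTenant).SiteOwnerManageLegacyServicePrincipalEnabled
Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled before: $before"

# 4. Flip the flag only if it is not already enabled.
if ($before -ne $true) {
    Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
}

# 5. Verify that the change actually took effect.
$after = (Get-SPOTenant).SiteOwnerManageLegacyServicePrincipalEnabled
if ($after -ne $true) {
    throw 'Flag is still not enabled. Confirm the signed-in account is a SharePoint tenant administrator.'
}
Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled after: $after"

# Once the required app has been registered, return to the restrictive default:
# Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $false
```

The version check matters because, on an older module, Get-SPOTenant simply does not show the property and Set-SPOTenant rejects the parameter, which is easy to mistake for a permissions problem. The read-before-write and the final verification give you an audit trail of the before and after state; the commented-out last line is the step most often forgotten, since the flag is tenant-wide and stays TRUE for every site collection admin until someone sets it back.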