Microsoft 365 – MAJOR UPDATE – SharePoint site collection admin – control for App registration / update permissions – Security measures for administrative governance – Important one

SharePoint admin control for App registration

Hi All,

Greetings for the day!!!

Today we are discussing a new feature.

New Feature – SharePoint admin control for App registration

Details

  • This is an enhancement to the security measures for administrative governance that modifies the default procedures for SharePoint app registration via the AppRegNew.aspx page and permission updates via the AppInv.aspx page.
  • Until now, a SharePoint site collection administrator could register a new SharePoint app through the “AppRegNew” page (_layouts/AppRegnew.aspx), as shown below:
fig : Microsoft 365 – SharePoint app registration
  • Microsoft has changed the app registration functionality a bit, with enhanced security measures.
  • The enhancements change the default procedures for app registration through AppRegNew.aspx and permission updates through AppInv.aspx.
  • Now, a site collection admin is unable to register an app or update app permissions through the “AppRegNew” page unless explicitly authorized by the SharePoint tenant admin.
  • Upon attempting to register an application on the AppRegNew.aspx page, a notification is displayed stating: “Your SharePoint tenant admin doesn’t allow site collection admins to create an Azure Access Control (ACS) principal. Please contact your SharePoint tenant administrator.”
fig : Microsoft 365 – SharePoint app registration – Error – Now, site collection admin will be unable to register app or update app permissions through “AppRegNew” page unless authorized explicitly by the SharePoint tenant admin
  • Similarly, site collection administrators are not able to update permissions through “AppInv.aspx”.

NOTE – App registration and permission updates via the Microsoft Azure portal are not impacted by this change.

Workaround / Solution

  • To modify the default behavior, the tenant administrator must run the following PowerShell command to explicitly set the flag to TRUE, superseding the default value of FALSE.
  • By default, the service principal can only be created or updated by the tenant administrator.
  • When the flag is set to TRUE, both the SharePoint tenant admin and site collection admins can create or update the service principal through SharePoint.

The PowerShell cmdlet is:

Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

NOTE – The property ‘SiteOwnerManageLegacyServicePrincipalEnabled’ becomes visible in the tenant settings after the SharePoint Online Management Shell is updated to version 16.0.23710.12000 or later.
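As an added example that is not part of the original post, the following script checks the module version mentioned above, records the current value of the flag, applies the change and reads it back, so the tenant admin has a before/after record of who is allowed to create ACS principals. The admin centre URL is an assumed placeholder.

```powershell
# Added example (not from the original post): audit and change the
# SiteOwnerManageLegacyServicePrincipalEnabled tenant flag.
# Assumes the SharePoint Online Management Shell module is installed and
# that <tenant> is replaced with your own tenant name.

$MinVersion = [version]'16.0.23710.12000'   # version named in the post
$module = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
          Sort-Object Version -Descending | Select-Object -First 1
if (-not $module -or $module.Version -lt $MinVersion) {
    throw "SharePoint Online Management Shell $MinVersion or later is required (found: $($module.Version))."
}

# Placeholder URL: replace <tenant> with your tenant name
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

# Record the current value before changing anything (default is FALSE)
$before = (Get-SPOTenant).SiteOwnerManageLegacyServicePrincipalEnabled
Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled before: $before"

# TRUE lets every site collection admin create or update ACS principals
# via AppRegNew.aspx / AppInv.aspx, so only flip it for a documented need.
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

# Read the setting back to confirm the change took effect
$after = (Get-SPOTenant).SiteOwnerManageLegacyServicePrincipalEnabled
Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled after:  $after"

# To restore the default (tenant admin only) later:
# Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $false
```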

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certified. Motivational, Behavioral, Technical speaker. Speaks at various events including SharePoint Saturdays, Boot camps, Colleges / Schools, local chapters. Can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.
