Access denied Office 365 / SharePoint Online with Global Admin account


Solution 1

Most probably this behavior is caused by the Custom Script feature; basically, the issue occurs when the Custom Script feature is turned off.

How to verify?

You could verify the site permissions using the following console app:

using (var ctx = GetContext(webUri, userName, password))
{
    var rootWeb = ctx.Site.RootWeb;
    ctx.Load(rootWeb, w => w.EffectiveBasePermissions);
    ctx.ExecuteQuery();
    var permissions = rootWeb.EffectiveBasePermissions;
    foreach (var permission in Enum.GetValues(typeof(PermissionKind)).Cast<PermissionKind>())
    {
        var permissionName = Enum.GetName(typeof(PermissionKind), permission);
        var hasPermission = permissions.Has(permission);
        Console.WriteLine("Permission: {0}, HasPermission: {1}", permissionName, hasPermission);
    }   
}

where

public static ClientContext GetContext(Uri webUri, string userName, string password)
{
    var securePassword = new SecureString();
    foreach (var ch in password) securePassword.AppendChar(ch);
    return new ClientContext(webUri) {Credentials = new SharePointOnlineCredentials(userName, securePassword)};
}

When SP.PermissionKind.AddAndCustomizePages is set to False, the Access denied error occurs while adding a user custom action.


Solution

According to Turn scripting capabilities on or off:

For self-service created sites, custom scripting is disabled by default

Solution: enable Allow users to run custom scripts on self-service created sites

To enable or disable scripting from the SharePoint admin center

  1. Sign in to Office 365 with your work or school account.
  2. Go to the SharePoint admin center.
  3. Select Settings.
  4. Under Custom Script choose:

    • Prevent users from running custom script on personal sites or Allow users to run custom script on personal sites.

    • Prevent users from running custom script on user created sites or Allow users to run custom script on self-service created sites.


  5. Select OK. It takes about 24 hours for the change to take effect.

Since any change to the scripting setting made through the SharePoint Online admin center may take up to 24 hours to take effect, you could enable scripting on a particular site collection immediately via the CSOM API (SharePoint Online Client Components SDK), as demonstrated below:

public static void DisableDenyAddAndCustomizePages(ClientContext ctx, string siteUrl)
{
    var tenant = new Tenant(ctx);
    var siteProperties = tenant.GetSitePropertiesByUrl(siteUrl, true);
    ctx.Load(siteProperties);
    ctx.ExecuteQuery();

    siteProperties.DenyAddAndCustomizePages = DenyAddAndCustomizePagesStatus.Disabled;
    var result = siteProperties.Update();
    ctx.Load(result);
    ctx.ExecuteQuery();
    while (!result.IsComplete)
    {
        Thread.Sleep(result.PollingInterval);
        ctx.Load(result);
        ctx.ExecuteQuery();
    }
}

Usage

using (var ctx = GetContext(webUri, userName, password))
{
    using (var tenantAdminCtx = GetContext(tenantAdminUri, userName, password))
    {
        DisableDenyAddAndCustomizePages(tenantAdminCtx, webUri.ToString());
    }
    RegisterJQueryLibrary(ctx);
}

where

public static void RegisterJQueryLibrary(ClientContext context)
{
    var actions = context.Site.UserCustomActions;
    var action = actions.Add();
    action.Location = "ScriptLink";
    action.ScriptSrc = "~SiteCollection/Style Library/Scripts/jQuery/jquery.min.js";
    action.Sequence = 1482;
    action.Update();
    context.ExecuteQuery();
}
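
An added example, not code from the original answer: it wraps the answer's DenyAddAndCustomizePages change so the site's previous value is recorded before the deployment step and put back afterwards, leaving custom script allowed only while the custom action is being registered. The names CustomScriptWindow, LoadProperties, SetDenyStatus and RunWithCustomScript are hypothetical; the CSOM types are the ones the answer already uses, plus the DenyAddAndCustomizePagesStatus.Enabled value.

```csharp
using System;
using System.Threading;
using Microsoft.Online.SharePoint.TenantAdministration;
using Microsoft.SharePoint.Client;

// Hypothetical helper class, not part of the original answer.
public static class CustomScriptWindow
{
    // Loads the site's tenant-level properties; needs the tenant admin context.
    static SiteProperties LoadProperties(ClientContext tenantAdminCtx, string siteUrl)
    {
        var props = new Tenant(tenantAdminCtx).GetSitePropertiesByUrl(siteUrl, true);
        tenantAdminCtx.Load(props);
        tenantAdminCtx.ExecuteQuery();
        return props;
    }
    // Sets the flag and polls the tenant operation, as the answer's method does.
    static void SetDenyStatus(ClientContext tenantAdminCtx, string siteUrl,
                              DenyAddAndCustomizePagesStatus status)
    {
        var props = LoadProperties(tenantAdminCtx, siteUrl);
        props.DenyAddAndCustomizePages = status;
        var op = props.Update();
        tenantAdminCtx.Load(op);
        tenantAdminCtx.ExecuteQuery();
        while (!op.IsComplete)
        {
            Thread.Sleep(op.PollingInterval);
            tenantAdminCtx.Load(op);
            tenantAdminCtx.ExecuteQuery();
        }
    }
    // Runs deploymentStep with custom script allowed, then restores the old setting.
    public static void RunWithCustomScript(ClientContext tenantAdminCtx, string siteUrl,
                                           Action deploymentStep)
    {
        var before = LoadProperties(tenantAdminCtx, siteUrl).DenyAddAndCustomizePages;
        if (before != DenyAddAndCustomizePagesStatus.Disabled)
            SetDenyStatus(tenantAdminCtx, siteUrl, DenyAddAndCustomizePagesStatus.Disabled);
        try
        {
            deploymentStep(); // e.g. () => RegisterJQueryLibrary(ctx)
        }
        finally
        {
            // Restore the restriction only if it was on before, even if the step threw.
            if (before == DenyAddAndCustomizePagesStatus.Enabled)
                SetDenyStatus(tenantAdminCtx, siteUrl, DenyAddAndCustomizePagesStatus.Enabled);
        }
    }
}
```

In the Usage snippet above, the two calls would become a single RunWithCustomScript(tenantAdminCtx, webUri.ToString(), () => RegisterJQueryLibrary(ctx)) made while both contexts are still open.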

Solution 2

If you don't have time for CSOM as described by Vadim, the page also links to a PowerShell script you can use:

Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0

But note that SiteUrl needs to be the admin URL. If your tenant is https://mysite.sharepoint.com, the URL you use is https://mysite-admin.sharepoint.com

In our case, we were in the midst of a deployment when this hit and could not wait 24 hours (or even one hour!) to continue. Everything had been fine in our testing site collections, but when we deployed to the tenant root, we hit the error described above and this script fixed it. Apparently the feature is turned off by default on the tenant root.

Current site is not a tenant administration site

Turn scripting capabilities on or off

Author: Nitin Khubani


Updated on June 18, 2022

Comments

  • Nitin Khubani almost 2 years

    I have been going crazy for two days solving an issue. The problem is:

    I am making a console app which talks to SharePoint Online using a global admin account (the one which was specified as admin while making a new subscription). What I am trying to achieve is to add a custom action using CSOM to each site collection and subsite of Office 365. That code works fine except on the root site collection, which is pre-created by Office 365 while signing up (i.e. https://xyz.sharepoint.com).

    For any tenant, for the root site collection, it gives me the error below:

    { "SchemaVersion":"15.0.0.0","LibraryVersion":"16.0.3912.1201","ErrorInfo":{ "ErrorMessage":"Access denied. You do not have permission to perform this action or access this resource.","ErrorValue":null,"TraceCorrelationId":"2a47fd9c-c07b-1000-cfb7-cdffbe3ab83a","ErrorCode":-2147024891,"ErrorTypeName":"System.UnauthorizedAccessException" },"TraceCorrelationId":"2a47fd9c-c07b-1000-cfb7-cdffbe3ab83a" }

    Now the user is a global admin. I also added that user again as site collection admin.

    The same piece of code works fine on other site collections (search site collection, any newly made site collection...).

    Here is the code:

            using (ClientContext spcollContext = new ClientContext(web.Url))
            {
                SecureString passWord = new SecureString();
                foreach (char c in strAdminPassword.ToCharArray()) passWord.AppendChar(c);
                SharePointOnlineCredentials creds = new SharePointOnlineCredentials(strAdminUser, passWord);
                spcollContext.Credentials = creds;
                Web currentweb = spcollContext.Web;
                spcollContext.Load(currentweb);
                spcollContext.ExecuteQuery();
    
           //     authCookie = creds.GetAuthenticationCookie(new Uri(web.Url));
    
                var existingActions2 = currentweb.UserCustomActions;
                spcollContext.Load(existingActions2);
                spcollContext.ExecuteQuery();
                var actions2 = existingActions2.ToArray();
                foreach (var action in actions2)
                {
                    if (action.Description == "CustomScriptCodeForEachsite" &&
                        action.Location == "ScriptLink")
                    {
                        action.DeleteObject();
                        spcollContext.ExecuteQuery();
                    }
                }
    
                var newAction2 = existingActions2.Add();
                newAction2.Description = "CustomScriptCodeForEachsite";
                newAction2.Location = "ScriptLink";
    
                newAction2.ScriptBlock = scriptBlock;
                newAction2.Update();
                spcollContext.Load(currentweb, s => s.UserCustomActions);
                spcollContext.ExecuteQuery(); // GETTING ERROR ON THIS LINE. 
            }
    

    Note: The above error is from Fiddler traces.

  • Nitin Khubani about 9 years
    Thanks for the update GlennFerrie, however AllowUnsafeUpdates is full trust code and not part of CSOM. I am asking a question for SharePoint ONLINE and CSOM.
  • Nitin Khubani about 9 years
    Also the main thing is the SAME code works for other site collections. If it had been a problem like this, then the error would have been consistent for all sites.
  • Nitin Khubani about 9 years
    Excellent answer! Yes, that's the issue, mate. Any way I can enable it using C#? I saw msdn.microsoft.com/en-us/library/… it says that there is a property. How can I enable it using code?