Hi @fungergis the SharepointOnlineConnector automatically adds the necessary read/write scopes which may be causing this confusion. The SharePoint List Reader on the other hand requires that you set the permissions explicitly on the registered app (e.g. AllSites.Read).
For your app, do you have the appropriate permissions set? If not I would try adjusting these and see if it fixes your problem.
Let me know how that goes!
Hi @fungergis the SharepointOnlineConnector automatically adds the necessary read/write scopes which may be causing this confusion. The SharePoint List Reader on the other hand requires that you set the permissions explicitly on the registered app (e.g. AllSites.Read).
For your app, do you have the appropriate permissions set? If not I would try adjusting these and see if it fixes your problem.
Let me know how that goes!
Hi Dan,
thanks for your post - after almost 2 months, I can tell that we also tried to create a new azure multitenant app and followed the instruction here and the video here to the detail.
The only thing that is really working - and that requires a super user with all possible admin rights - is the first option to replace the eTENANT] in the web service definition:
The multitenant app our admins created for me comes along with all the rights as per tutorial - but no matter if I try the multitenant or the singletenant way of connecting, I always get this prompt which is basically telling that admin approval is necessary in order to access the resources of my organization:
When we magically made it happen that the url got successfully tested (by simplifying the request URL) I am ending up with something like this when adding the SP List reader:
To be honest, I am out of ideas - and our local support at axmann.at cannot assist as well since this lies somewhere in the domain of admin and user rights.
Do you know what could help here? Or is "replacing the TENANT url" the only viable option in this? Because whatever I tried, I failed.
The TENANT url replacement option works well if the permissions/scope (delegatred AllSites.Read MyFiles.Write) is set for certain members AND the client and secret passed into the FME web service definition
If you're Admin/IT don't want to assign AD members to the registered app, they can create a (super)user AD and grant this user exclusively to the registered app. They also need to add this user to specific O365 groups where the sharepoint libraries/lists exist.
Then you can open FME with Run as different user. Authenticate the sharepoint web connection with this account (perhaps with MFA off?).
This method gives Admin/IT more confidence that this FME superuser can be restricted to only access the libraries/lists that are not sensitive
Most microsoft subscriptions are single tenant, unless they invite other O365 organisations ?