Access denied office 365 / SharePoint online with Global Admin account


Problem description


I have been going crazy for two days trying to solve an issue. The problem is:

I am making a console app which talks to SharePoint Online using a global admin account (the one which was specified as admin while making a new subscription). What I am trying to achieve is to add a custom action using CSOM to each site collection and subsite of Office 365. That code works fine except on the root site collection, which is pre-created by Office 365 while signing up (i.e. https://xyz.sharepoint.com).

For any tenant, for the root site collection, it gives me the error below:

{ "SchemaVersion":"15.0.0.0","LibraryVersion":"16.0.3912.1201","ErrorInfo":{ "ErrorMessage":"Access denied. You do not have permission to perform this action or access this resource.","ErrorValue":null,"TraceCorrelationId":"2a47fd9c-c07b-1000-cfb7-cdffbe3ab83a","ErrorCode":-2147024891,"ErrorTypeName":"System.UnauthorizedAccessException" },"TraceCorrelationId":"2a47fd9c-c07b-1000-cfb7-cdffbe3ab83a" }

Now the user is a global admin. I also added that user again as site collection admin.

The same piece of code works fine on other site collections (search site collection, any newly made site collection...).

Here is the code:

        using (ClientContext spcollContext = new ClientContext(web.Url))
        {
            SecureString passWord = new SecureString();
            foreach (char c in strAdminPassword.ToCharArray()) passWord.AppendChar(c);
            SharePointOnlineCredentials creds = new SharePointOnlineCredentials(strAdminUser, passWord);
            spcollContext.Credentials = creds;
            Web currentweb = spcollContext.Web;
            spcollContext.Load(currentweb);
            spcollContext.ExecuteQuery();

       //     authCookie = creds.GetAuthenticationCookie(new Uri(web.Url));

            var existingActions2 = currentweb.UserCustomActions;
            spcollContext.Load(existingActions2);
            spcollContext.ExecuteQuery();
            var actions2 = existingActions2.ToArray();
            foreach (var action in actions2)
            {
                if (action.Description == "CustomScriptCodeForEachsite" &&
                    action.Location == "ScriptLink")
                {
                    action.DeleteObject();
                    spcollContext.ExecuteQuery();
                }
            }

            var newAction2 = existingActions2.Add();
            newAction2.Description = "CustomScriptCodeForEachsite";
            newAction2.Location = "ScriptLink";

            newAction2.ScriptBlock = scriptBlock;
            newAction2.Update();
            spcollContext.Load(currentweb, s => s.UserCustomActions);
            spcollContext.ExecuteQuery(); // GETTING ERROR ON THIS LINE. 
        }

Note: The above error is from Fiddler traces.

Solution

Most probably this behavior is caused by the Custom Script feature; basically, the issue occurs when the Custom Script feature is turned off.

How to verify?

You could verify the site permissions using the following console app:

using (var ctx = GetContext(webUri, userName, password))
{
    var rootWeb = ctx.Site.RootWeb;
    ctx.Load(rootWeb, w => w.EffectiveBasePermissions);
    ctx.ExecuteQuery();
    var permissions = rootWeb.EffectiveBasePermissions;
    foreach (var permission in Enum.GetValues(typeof(PermissionKind)).Cast<PermissionKind>())
    {
        var permissionName = Enum.GetName(typeof(PermissionKind), permission);
        var hasPermission = permissions.Has(permission);
        Console.WriteLine("Permission: {0}, HasPermission: {1}", permissionName, hasPermission);
    }   
}

where

public static ClientContext GetContext(Uri webUri, string userName, string password)
{
    var securePassword = new SecureString();
    foreach (var ch in password) securePassword.AppendChar(ch);
    return new ClientContext(webUri) {Credentials = new SharePointOnlineCredentials(userName, securePassword)};
}

When SP.PermissionKind.AddAndCustomizePages is set to False, the Access denied error occurs while adding a user custom action.

Solution

According to Turn scripting capabilities on or off:

For self-service created sites, custom scripting is disabled by default

Solution: enable Allow users to run custom scripts on self-service created sites

To enable or disable scripting from the SharePoint admin center

  1. Sign in to Office 365 with your work or school account.
  2. Go to the SharePoint admin center.
  3. Select Settings.
  4. Under Custom Script choose:

    • Prevent users from running custom script on personal sites or Allow users to run custom script on personal sites.

    • Prevent users from running custom script on user created sites or Allow users to run custom script on self-service created sites.

  5. Select OK. It takes about 24 hours for the change to take effect.


Since any change to the scripting setting made through the SharePoint Online admin center may take up to 24 hours to take effect, you could enable scripting on a particular site collection immediately via CSOM API (SharePoint Online Client Components SDK) as demonstrated below:

public static void DisableDenyAddAndCustomizePages(ClientContext ctx, string siteUrl)
{
    var tenant = new Tenant(ctx);
    var siteProperties = tenant.GetSitePropertiesByUrl(siteUrl, true);
    ctx.Load(siteProperties);
    ctx.ExecuteQuery();

    siteProperties.DenyAddAndCustomizePages = DenyAddAndCustomizePagesStatus.Disabled;
    var result = siteProperties.Update();
    ctx.Load(result);
    ctx.ExecuteQuery();
    while (!result.IsComplete)
    {
        Thread.Sleep(result.PollingInterval);
        ctx.Load(result);
        ctx.ExecuteQuery();
    }
}

Usage

using (var ctx = GetContext(webUri, userName, password))
{
    using (var tenantAdminCtx = GetContext(tenantAdminUri, userName, password))
    {
        DisableDenyAddAndCustomizePages(tenantAdminCtx, webUri.ToString());
    }
    RegisterJQueryLibrary(ctx);
}

where

public static void RegisterJQueryLibrary(ClientContext context)
{
    var actions = context.Site.UserCustomActions;
    var action = actions.Add();
    action.Location = "ScriptLink";
    action.ScriptSrc = "~SiteCollection/Style Library/Scripts/jQuery/jquery.min.js";
    action.Sequence = 1482;
    action.Update();
    context.ExecuteQuery();
}
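
The answer's fix, extended as an added example (not part of the original answer or of the SDK): it allows custom script on the site collection only while the deployment runs, puts the previous DenyAddAndCustomizePages value back afterwards, and lists the ScriptLink custom actions present so the result can be reviewed. `ScriptingWindow`, `SetStatus`, `WithScriptingEnabled` and `ListScriptLinkActions` are hypothetical names; the contexts are assumed to come from the answer's `GetContext`.

```csharp
using System;
using System.Threading;
using Microsoft.Online.SharePoint.TenantAdministration;
using Microsoft.SharePoint.Client;
public static class ScriptingWindow // hypothetical helper, not part of the SDK
{
    // Sets DenyAddAndCustomizePages, waits for the operation, returns the previous value.
    static DenyAddAndCustomizePagesStatus SetStatus(
        ClientContext tenantCtx, string siteUrl, DenyAddAndCustomizePagesStatus wanted)
    {
        var props = new Tenant(tenantCtx).GetSitePropertiesByUrl(siteUrl, true);
        tenantCtx.Load(props);
        tenantCtx.ExecuteQuery();
        var previous = props.DenyAddAndCustomizePages;
        if (previous == wanted) return previous; // nothing to change
        props.DenyAddAndCustomizePages = wanted;
        var op = props.Update();
        do
        {
            tenantCtx.Load(op);
            tenantCtx.ExecuteQuery();
            if (!op.IsComplete) Thread.Sleep(op.PollingInterval);
        } while (!op.IsComplete);
        return previous;
    }
    // Allows custom script only while deploy() runs; blocks it again if it was blocked before.
    public static void WithScriptingEnabled(ClientContext tenantCtx, string siteUrl, Action deploy)
    {
        var previous = SetStatus(tenantCtx, siteUrl, DenyAddAndCustomizePagesStatus.Disabled);
        try { deploy(); }
        finally
        {
            if (previous == DenyAddAndCustomizePagesStatus.Enabled) SetStatus(tenantCtx, siteUrl, previous);
        }
    }
    // Prints every ScriptLink action on the site collection and on the context's web.
    public static void ListScriptLinkActions(ClientContext ctx)
    {
        foreach (var actions in new[] { ctx.Site.UserCustomActions, ctx.Web.UserCustomActions })
        {
            ctx.Load(actions);
            ctx.ExecuteQuery();
            foreach (var a in actions)
                if (a.Location == "ScriptLink")
                    Console.WriteLine("seq={0} src={1} inline={2} desc={3}",
                        a.Sequence, a.ScriptSrc, !string.IsNullOrEmpty(a.ScriptBlock), a.Description);
        }
    }
}
```

Call it as `WithScriptingEnabled(tenantAdminCtx, webUri.ToString(), () => RegisterJQueryLibrary(ctx))` followed by `ListScriptLinkActions(ctx)`; the listing covers the site collection and the context's own web, not its subsites.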
