ServiceAccount need permissions to SP Admin Center for SP Site exists in RecycleBin check?

[emwes]

Description

In the documentation it's said that the SA only needs user access and the 365 subcr licensenses. But the Logic App flow "ProcessTeamRequest" for calls for AdminC Site RecycleBin API which gives 403 forbidden result?

I had to inactivate part of the codeflow to make the solution work.

Steps to reproduce

1. Follow the Deployment guide thoroughly.
2. CreateaAssign a ServiceAccount (SA) with all the 365 services subsriptions etc, but don't assign Admin roles to it.
3. When the deployment script prompts "LOGIC APP CONNECTIONS AUTHORIZATION" make sure you authenticate with the SA account.
4. Try to create a team with the solution.

Expected results

When you create a request for a Team and approve it, the complete solution flow is run through: PowerApp + Automate execution + Approval Adaptive Card + SP Site updates + Logic Flow + mail sent / Teams created etc.

Actual Results

Logic App "ProcessTeamRequest" triggers and run, but with failure. Failing step is "Check if Sharepoint site exists". Failing action is "Run CheckSiteExists Logic App". Message is "Bad Gateway".

In Logic App "CheckSiteExists" failing action is "get site collection from recycle bin": (https://-admin.sharepoint.com/_vti_bin/client.svc/ProcessQuery) Message is "Forbidden" (403) "x-ms-diagnostics": "3002002; reason=App principal does not exist".

Screen shots attached.

Solution component

Logic Apps

Operating system (environment)

Windows

Additional Info

I can't see any logics that would execute for the case that a Site with the same name exists in the Site RecycleBin? What would happen? Do have you to remove it from recyclebin to proceed or what?

[alexc-MSFT]

@emwes The Service Account does not need any kind of admin permissions. Instead the Azure AD app needs to be registered as a SharePoint add-in and granted full control to the tenant. If you miss this step, you will be met with the 403 error, please see this part of the documentation. Please re-raise if this is still an issue.

Register Azure AD app as a SharePoint add-in This step is required for the solution to check if the requested Team exists before creation.

Enabling ACS - This solution relies on ACS to work which has been retired but is still available. For tenants created after August 2020, the option to use an ACS app-only token is disabled and this MUST be enabled to work. More details can be found here - Granting access using SharePoint App-Only.

Before proceeding further, enable ACS on the tenant by carrying out the following steps below:

Using the PnP PowerShell module (the script will have installed this), connect to your SharePoint tenant admin center using the following cmdlet: Connect-PnPOnline -Url "https://yourtenantname-admin.sharepoint.com" -Interactive Run the following cmdlet: Set-PnPTenant -DisableCustomAppAuthentication $false Wait 1 hour to allow this setting to be applied. Navigate to the following page in the SharePoint Admin Center - https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx and enter the following information (replace contoso with the name of your tenant):

App Id: Application ID of the Azure AD app (Locate the Azure AD app created by the deployment script in Azure Active Directory and copy the Application ID). Click 'Lookup' In the 'App Domain' text box, enter a suitable domain. You can specify any domain you want but do not include protocols (https) or slashes(/). For example you can use your companies SharePoint URL e.g. contoso.sharepoint.com. In the App's Permissions Request XML text box, enter the following XML -

Click 'Create'