Unable to remove Remote Event Receivers

[daniel-kukucska-arm]

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

SharePoint CSOM

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

• [ ] 💥 Internet Explorer
• [ ] 💥 Microsoft Edge
• [ ] 💥 Google Chrome
• [ ] 💥 FireFox
• [ ] 💥 Safari
• [ ] mobile (iOS/iPadOS)
• [ ] mobile (Android)
• [X] not applicable
• [ ] other (enter in the "Additional environment details" area below)

Additional environment details

• .net core 2.2
• PnP.Framework 1.6 -https://contoso.sharepoint.com/sites/pwa/projectcode/_api/web/lists/getByTitle('List Name')/eventreceivers('receiver-id')/deleteobject

Issue description

We have multiple sites, where we created Remote Event Receivers using CSOM. Something basic like this:

_receivers.ApplyEventReceivers(context.Web); await context.ExecuteQueryAsync();

All the receivers are in place. Some of the event receivers stopped working and no longer calling the url we provided (same url for all receivers). We found on other blogs that we have to recreate the list (not applicable) or remove and re add the receivers. Unfortunately, we are getting System.UnauthorizedAccessException when we try to remove the event receivers. We tried using CSOM, PnP PowerShell, calling the built in rest endpoint from browser, from JS and also from Power Automate. We tried with different users with full control and site collection admin roles. We also tried with CilentId - ClientSecret that has full control, but no luck.

Can anyone please provide a solution to remove these Event Receivers?

Many thanks!

[ghost]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[patrikhellgren]

@daniel-kukucska-arm I have seen this happen when a Remote Event Receiver has been added by using ClientId/ClientSecret and then trying to remove it using ordinary user credentials or a different ClientId. It doesn't matter what permissions the user or app has. If it has been added by using ClientId it must be removed using the same ClientId or else you will get an Unauthorized exception. Not sure if this is what you are seeing but make sure to use the same ClientId.

[daniel-kukucska-arm]

@patrikhellgren We used the same ClientId and ClientSecret that we used for creation. (Azure AD app reg delegated permission)

[patrikhellgren]

@daniel-kukucska-arm Sorry, I don't think I have ever tried this with delegated permissions, I have only used App-only permissions when adding and removing Remote Event Receivers. Since you are using delegated permissions, have you used the same user account also as well as the same ClientId? If you have, I am unfortunately out of ideas at the moment and something else might be the issue.

[daniel-kukucska-arm]

Yes, we used the same credentials. Is there any forced way to remove them? (Like with a tenant admin or something)

[patrikhellgren]

@daniel-kukucska-arm I haven't found any way of forcibly removing them.