WikiTransformationProject / wikitraccs-releases

Releases, issues and discussions for WikiTraccs from the Wiki Transformation Project
https://www.wikitransformationproject.com
10 stars 1 forks source link

SharePoint Authentication: Permission missing error shown despite good-looking configuration #86

Closed dada-harangus closed 1 year ago

dada-harangus commented 1 year ago

Is there an existing issue for this?

Feature Proposal

I am using an azure app registration which I gave the delegated rights for Microsoft Graph Sites.Manage.All and delegated rights for SharePoint AllSites.Manage and I have a site collection that I have created and I am the admin but when I test the connection I get the error : Permissions missing (allowed to approve items: NO , manage lists: NO, add and customize pages: NO , manage the site: NO) Please give permissions, site admin works well (I am the site admin) Cannot continue for now.

Confluence Version

Confluence 6

Confluence Data Center?

heinrich-ulbricht commented 1 year ago

@dada-harangus What you describe you configured sounds like it should work.

But let's see if we can find out why it's not working.

I'll ask the obvious things first.

Did you copy the Application (client) ID of the Azure AD application? image

Did you enter the Application (client) ID into the Azure AD Application Client ID input field of WikiTraccs? image

Does your account have access to both site collections, the WikiTraccs site in step 2 and the Default target site in step 4?

image

image

Did you log in to both sites manually in the browser, in a new private tab and created a page by hand? Just to double check access.

Did you select the Test SharePoint connection button? image

Selecting the Test SharePoint connection shows the Microsoft login experience. It does show it either

  1. in a new browser window (if no other browser window is open), OR
  2. in a new TAB in any browser it can find

image

Are you sure the right account was used to log into SharePoint? Especially with case 2 (opening a new tab in an existing window) has room for account mixups, if another account is already logged into SharePoint. An already logged in account does not necessarily have access to the SharePoint sites configured in WikiTraccs.

And if all this looks good: could you please send me the common log files to contact @ wikitransformationproject.com, so I can have a look?

dada-harangus commented 1 year ago

Hello @heinrich-ulbricht thank you for the quick response, I was getting desperate, I need to give an answer by Monday if we can use your tool and I really like it (Congratulations, its a great product) I managed to test it with success on my personal tenant. I am also a SharePoint and .NET developer and its the same thing I was thinking of building when I got the task for the migration but of course something like this would take months to build. So, to answer your questions: 1) Yes, I created an app registration give it delegated permissions that I wrote about (on the company tenant I cannot give admin consent for full control), copied the tenant and client id 2)For testing purposes I am using the site collection in both fields, and I created the site collection, so I am site admin adminSite 3) In the browser that opens automatically when I press the test the SharePoint connection its true I am logged in with 2 accounts and I am sure I am choosing the right one to log (the browser its telling me the authentication was successful) and the accounts are from different tenants also the error message that I get says the connection is successful to the site collection but I am missing permissions.

dada-harangus commented 1 year ago

wiki I signed out with all the accounts beside the one I need to use and tried again but the same.

heinrich-ulbricht commented 1 year ago

@dada-harangus Maybe user consent to applications has been restricted in your environment? Or something along those lines, that would require an admin to consent to the application being used.

Were there any messages like those when logging in? image

Then users cannot consent on their own, user consent is disabled.

If user consent is enabled, there should once be such a window, where you have to consent.

image

If a user has consented can be checked here:

image

If self-service user consent is not possible you might have to get an admin to pre-consent:

image

Lots of settings that might be at play here.

And as a side note: without FullControl on the app WikiTraccs will always show an error complaining about missing permissions. But at least approve items and manage lists should get a YES in your case. image

dada-harangus commented 1 year ago

Hello Heinrich, I need to know if there is a way your tool can work without admin consent from the app registration. Unfortunately we only have one tenant company wide and I'm pretty sure I won't get an admin account. Thank you!

heinrich-ulbricht commented 1 year ago

@dada-harangus You don't need an admin account, but you might have to talk to the folks that have one.

For client applications to use any Microsoft 365 API an application needs to be registered in Azure AD (now Entra ID). And ultimately the admins are in control and should know what is going on in the company tenant.

The Azure AD admins decide if they want to allow users to consent to apps on their own, or if they want to allow-list apps themselves.

It is often possible to configure an application so that it fits into whatever IT strategy a company has. Access to the application can be restricted to specific users only - in your case this could be a migration account. They might decide to only allow delegated permissions - this is the case here; so access ultimately is bound to e.g. the access level that the migration account has.

The requirements of WikiTraccs to create migrated pages in SharePoint Online are:

Unfortunately there is no way around that.

dada-harangus commented 1 year ago

@heinrich-ulbricht the way I solved this was by creating a new app registration. In the beginning, I used one that I used before and already gave user consent in the browser. Apparently, that was the issue.