WikiTransformationProject / wikitraccs-releases

Releases, issues and discussions for WikiTraccs from the Wiki Transformation Project
https://www.wikitransformationproject.com

SharePoint Authentication: Permission missing error shown despite good-looking configuration #86

Closed dada-harangus closed 9 months ago

dada-harangus commented 10 months ago

Feature Proposal

I am using an Azure app registration to which I gave the delegated rights Microsoft Graph Sites.Manage.All and SharePoint AllSites.Manage, and I have a site collection that I created and where I am the admin. But when I test the connection I get the error: "Permissions missing (allowed to approve items: NO, manage lists: NO, add and customize pages: NO, manage the site: NO). Please give permissions, site admin works well (I am the site admin). Cannot continue for now."

Confluence Version

Confluence 6

Confluence Data Center?

heinrich-ulbricht commented 10 months ago

@dada-harangus What you describe you configured sounds like it should work.

But let's see if we can find out why it's not working.

I'll ask the obvious things first.

Did you copy the Application (client) ID of the Azure AD application?

Did you enter the Application (client) ID into the Azure AD Application Client ID input field of WikiTraccs?

Does your account have access to both site collections, the WikiTraccs site in step 2 and the Default target site in step 4?

Did you log in to both sites manually in the browser, in a new private tab, and create a page by hand? Just to double-check access.

Did you select the Test SharePoint connection button?

Selecting Test SharePoint connection shows the Microsoft login experience. It shows it either

  1. in a new browser window (if no other browser window is open), OR
  2. in a new TAB in any browser it can find

Are you sure the right account was used to log into SharePoint? Case 2 (opening a new tab in an existing window) in particular has room for account mix-ups if another account is already logged into SharePoint. An already logged-in account does not necessarily have access to the SharePoint sites configured in WikiTraccs.

And if all this looks good: could you please send me the common log files to contact @ wikitransformationproject.com, so I can have a look?

dada-harangus commented 10 months ago

Hello @heinrich-ulbricht, thank you for the quick response. I was getting desperate; I need to give an answer by Monday on whether we can use your tool, and I really like it (congratulations, it's a great product). I managed to test it with success on my personal tenant. I am also a SharePoint and .NET developer and it's the same thing I was thinking of building when I got the task for the migration, but of course something like this would take months to build. So, to answer your questions:

  1. Yes, I created an app registration, gave it the delegated permissions that I wrote about (on the company tenant I cannot give admin consent for full control), and copied the tenant and client ID.
  2. For testing purposes I am using the site collection in both fields, and I created the site collection, so I am site admin.
  3. In the browser that opens automatically when I press Test SharePoint connection, it's true I am logged in with 2 accounts, and I am sure I am choosing the right one to log in with (the browser is telling me the authentication was successful); the accounts are from different tenants. Also, the error message that I get says the connection to the site collection is successful but I am missing permissions.

dada-harangus commented 10 months ago

I signed out of all the accounts besides the one I need to use and tried again, but the result is the same.

heinrich-ulbricht commented 10 months ago

@dada-harangus Maybe user consent to applications has been restricted in your environment? Or something along those lines that would require an admin to consent to the application being used.

Were there any messages like those when logging in?

If so, users cannot consent on their own; user consent is disabled.

If user consent is enabled, there should once be a window like this, where you have to consent.

Whether a user has consented can be checked here:

If self-service user consent is not possible you might have to get an admin to pre-consent:

Lots of settings that might be at play here.

And as a side note: without FullControl on the app WikiTraccs will always show an error complaining about missing permissions. But at least approve items and manage lists should get a YES in your case.
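One way to check the consent state outside the portal is to read the app's OAuth2 permission grants from Microsoft Graph and compare them with the two delegated scopes named in this issue. This is an added example, not WikiTraccs code or anything posted in the thread; the Graph response, the service-principal ids and the user ids are constructed, and the mapping of resource ids to display names is assumed (in a live tenant it would be resolved via the /servicePrincipals endpoint).

```python
"""Determine whether a given user (or the whole tenant) has consented to the
delegated scopes an app needs, from Microsoft Graph oauth2PermissionGrants.

Added example. The live query would be (needs a Graph token that can read
grants; not executed here):
  GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '<app-sp-object-id>'
The response below is CONSTRUCTED to mirror the issue's setup.
"""
import json

# Delegated scopes described in the issue, keyed by the resource API's display name.
REQUIRED = {
    "Microsoft Graph": {"Sites.Manage.All"},
    "Office 365 SharePoint Online": {"AllSites.Manage"},
}

# Constructed response: Graph scope consented tenant-wide (AllPrincipals),
# SharePoint scope consented by one user only (Principal).
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "sp-wikitraccs", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-graph", "scope": "User.Read Sites.Manage.All"},
  {"clientId": "sp-wikitraccs", "consentType": "Principal", "principalId": "user-migration",
   "resourceId": "sp-spo", "scope": "AllSites.Manage"}
]}
""")

# Assumed mapping of resource service-principal object ids to display names.
RESOURCE_NAMES = {"sp-graph": "Microsoft Graph", "sp-spo": "Office 365 SharePoint Online"}


def effective_scopes(grants, principal_id):
    """Scopes the user holds: tenant-wide grants plus grants made by that user."""
    scopes = {name: set() for name in REQUIRED}
    for g in grants["value"]:
        applies = g["consentType"] == "AllPrincipals" or g.get("principalId") == principal_id
        name = RESOURCE_NAMES.get(g["resourceId"])
        if applies and name in scopes:
            scopes[name] |= set(g["scope"].split())
    return scopes


def missing_scopes(grants, principal_id):
    """Required scopes the user has NOT been granted; empty dict means consent is complete."""
    have = effective_scopes(grants, principal_id)
    return {r: sorted(s - have[r]) for r, s in REQUIRED.items() if s - have[r]}


if __name__ == "__main__":
    for user in ("user-migration", "user-other"):
        print(user, missing_scopes(SAMPLE_GRANTS, user) or "consent complete")
```

A user who shows up with missing scopes here will see exactly the "Permissions missing" result from the issue even though the app registration itself looks correct.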

dada-harangus commented 9 months ago

Hello Heinrich, I need to know if there is a way your tool can work without admin consent from the app registration. Unfortunately we only have one tenant company wide and I'm pretty sure I won't get an admin account. Thank you!

heinrich-ulbricht commented 9 months ago

@dada-harangus You don't need an admin account, but you might have to talk to the folks that have one.

For client applications to use any Microsoft 365 API, an application needs to be registered in Azure AD (now Entra ID). And ultimately the admins are in control and should know what is going on in the company tenant.

The Azure AD admins decide if they want to allow users to consent to apps on their own, or if they want to allow-list apps themselves.

It is often possible to configure an application so that it fits into whatever IT strategy a company has. Access to the application can be restricted to specific users only - in your case this could be a migration account. They might decide to only allow delegated permissions - this is the case here; so access ultimately is bound to e.g. the access level that the migration account has.

The requirements of WikiTraccs to create migrated pages in SharePoint Online are:

Unfortunately there is no way around that.

dada-harangus commented 9 months ago

@heinrich-ulbricht the way I solved this was by creating a new app registration. In the beginning, I used one that I used before and already gave user consent in the browser. Apparently, that was the issue.