Grant Failure on Newly Created App Instance
If you are setting up the Microsoft Office 365 OneDrive or SharePoint instance for the first time on a new Microsoft Office 365 account, the grant may fail. Microsoft has recently disabled apps using an Azure Access Control (ACS) app-only access token by default. If so, follow the steps below to grant access successfully.
You can change the behavior by running set-SPOTenant -DisableCustomAppAuthentication $false (needs the latest SharePoint admin PowerShell). To do so, follow the steps below:
Note
The following steps are performed on a Windows device.
Install the latest version of PowerShell on Windows. Follow the instructions here.
Start PowerShell as an administrator on the Windows device, and run the following commands:
Install-Module -Name Microsoft.Online.Sharepoint.PowerShell
Import-Module Microsoft.Online.Sharepoint.PowerShell
$adminUPN="<the full email address of the global administrator account, example: admin@sumoskope.onmicrosoft.com>"
Note
Fill in the value for the $adminUPN variable (replacing all the text between the quotes, including the < and > characters).
$orgName="<name of your Office 365 organization, example: sumoskope>"
Note
Fill in the value for the $orgName variable (replacing all the text between the quotes, including the < and > characters).
$userCredential = Get-Credential -UserName $adminUPN -Message "<type the password>"
Note
When prompted with the Windows PowerShell credential request dialog box, type the password for the global administrator account.
To check the value of DisableCustomAppAuthentication, run the following commands:
Connect-SPOService -Url https://$orgName-admin.sharepoint.com
Note
If you get an error message, run the command in step 2b followed by the -UseWindowsPowerShell parameter i.e., Import-Module Microsoft.Online.Sharepoint.PowerShell -UseWindowsPowerShell. And then run the Connect-SPOService -Url https://$orgName-admin.sharepoint.com command.
get-SPOTenant
Look for the DisableCustomAppAuthentication parameter. It should be set to True.
Note
If you do not see the DisableCustomAppAuthentication parameter, execute the Install-Module -Name Microsoft.Online.Sharepoint.PowerShell -Force command and follow the steps from 2b.
Run the following command to set the DisableCustomAppAuthentication value to false:
set-SPOTenant -DisableCustomAppAuthentication $false
Verify that the parameter is set to false. To do so, run the following command:
get-SPOTenant
Look for the DisableCustomAppAuthentication parameter. It should be set to False.
Once you have set the value of DisableCustomAppAuthentication to false, go back to the Netskope UI and grant access.