MC660075 – (Updated) SharePoint admin control for App registration / update (archived)

SharePoint Logo

check before: 2023-08-08

Product:

Microsoft 365 Apps, SharePoint

Platform:

Online, World tenant

Status:

Change type:

Admin impact, Feature update, Updated message

Links:

Details:

Updated August 30, 2023: We have updated the content below for clarity. Thank you for your patience.
This is an enhancement to the security measures for administrative governance that modifies the default procedures for SharePoint app registration via AppRegNew.aspx page and permission updates via AppInv.aspx page. Following the implementation of this change, site collection admin will be unable to register app or update app permissions through above pages unless authorized explicitly by the SharePoint tenant admin.
Upon attempting to register an application on AppRegnew.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to create an Azure Access Control (ACS) principal. Please contact your SharePoint tenant administrator."

Similarly, upon attempting to update app permissions on AppInv.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to update app permissions. Please contact your SharePoint tenant administrator."

Kindly note that app registration and permission update via Microsoft Azure portal are not impacted by this change.

[When this will happen:]

The rollout process is scheduled to commence in late August and is expected to conclude in mid-September.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2023-07-25

updated:
2023-08-31

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

** AI generated content. This information is not reliable.

the free basic plan is required to see all details. Sign up here


change history

DatePropertyoldnew
2023-08-31MC MessagesUpdated August 12, 2023: We have updated the content below for clarity. Thank you for your patience.
This is an enhancement to the security measures for administrative governance that modifies the default procedures for SharePoint app registration via AppRegNew.aspx page and permission updates via AppInv.aspx page. Following the implementation of this change, site collection admin will be unable to register app or update app permissions through above pages unless authorized explicitly by the SharePoint tenant admin.
Upon attempting to register an application on AppRegnew.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to create an Azure Access Control (ACS) principal. Please contact your SharePoint tenant administrator."

Similarly, upon attempting to update app permissions on AppInv.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to update app permissions. Please contact your SharePoint tenant administrator."

Kindly note that app registration and permission update via Microsoft Azure portal are not impacted by this change.

[When this will happen:]

The rollout process is scheduled to commence in late August and is expected to conclude in mid-September.
Updated August 30, 2023: We have updated the content below for clarity. Thank you for your patience.
This is an enhancement to the security measures for administrative governance that modifies the default procedures for SharePoint app registration via AppRegNew.aspx page and permission updates via AppInv.aspx page. Following the implementation of this change, site collection admin will be unable to register app or update app permissions through above pages unless authorized explicitly by the SharePoint tenant admin.
Upon attempting to register an application on AppRegnew.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to create an Azure Access Control (ACS) principal. Please contact your SharePoint tenant administrator."

Similarly, upon attempting to update app permissions on AppInv.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to update app permissions. Please contact your SharePoint tenant administrator."

Kindly note that app registration and permission update via Microsoft Azure portal are not impacted by this change.

[When this will happen:]

The rollout process is scheduled to commence in late August and is expected to conclude in mid-September.
2023-08-31MC How AffectWith this update site owners will not be able to register/update apps unless the tenant admin explicitly allows it.
To modify the default behavior, the tenant administrator must execute the following shell command to explicitly establish the flag as TRUE, thereby superseding the default value of FALSE. The service principal can only be created or updated by the tenant administrator by default. However, when the flag is set to TRUE, both the SharePoint tenant admin and site collection admin will be able to create or update the service principal through SharePoint.
The shell command is: Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
With this update site owners will not be able to register/update apps unless the tenant admin explicitly allows it.
To modify the default behavior, the tenant administrator must execute the following shell command to explicitly establish the flag as TRUE, thereby superseding the default value of FALSE. The service principal can only be created or updated by the tenant administrator by default. However, when the flag is set to TRUE, both the SharePoint tenant admin and site collection admin will be able to create or update the service principal through SharePoint.
The shell command is: Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
Note: The property ‘SiteOwnerManageLegacyServicePrincipalEnabled’ becomes visible in tenant settings after SharePoint Online Management shell is updated to 16.0.23710.12000 or a later version. But before this rollout, the value will always be TRUE even explicitly set to FALSE. It will only automatically be switched to FALSE as the default value after the rollout is launched.
2023-08-31MC Last Updated08/13/2023 00:10:232023-08-30T22:22:55Z
2023-08-13MC MessagesThis is an enhancement to the security measures for administrative governance that modifies the default procedures for application registration and permission updates. Following the implementation of this change, site owners will be unable to register applications or update permissions unless authorized explicitly by the tenant administrator.
Upon attempting to register an application, a notification will be displayed stating "Your SharePoint admin doesn't allow site owners to create an Azure Access Control (ACS) principal. Please contact your SharePoint administrator."
Similarly, upon attempting to update application permissions, a notification will be displayed stating "Your SharePoint admin doesn't allow site owners to update app permissions. Please contact your SharePoint administrator."
[When this will happen:]

The rollout process is scheduled to commence in late August and is expected to conclude in mid-September.
Updated August 12, 2023: We have updated the content below for clarity. Thank you for your patience.
This is an enhancement to the security measures for administrative governance that modifies the default procedures for SharePoint app registration via AppRegNew.aspx page and permission updates via AppInv.aspx page. Following the implementation of this change, site collection admin will be unable to register app or update app permissions through above pages unless authorized explicitly by the SharePoint tenant admin.
Upon attempting to register an application on AppRegnew.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to create an Azure Access Control (ACS) principal. Please contact your SharePoint tenant administrator."

Similarly, upon attempting to update app permissions on AppInv.aspx page, a notification will be displayed stating "Your SharePoint tenant admin doesn't allow site collection admins to update app permissions. Please contact your SharePoint tenant administrator."

Kindly note that app registration and permission update via Microsoft Azure portal are not impacted by this change.

[When this will happen:]

The rollout process is scheduled to commence in late August and is expected to conclude in mid-September.
2023-08-13MC TitleSharePoint admin control for App registration / update(Updated) SharePoint admin control for App registration / update
2023-08-13MC How AffectWith this update site owners will not be able to register/update apps unless the tenant admin explicitly allows it.
To modify the default behavior, the tenant administrator must execute the following shell command to explicitly establish the flag as TRUE, thereby superseding the default value of FALSE. The service principal can only be created or updated by the tenant administrator by default. However, when the flag is set to TRUE, both the tenant administrator and site owners will be able to create or update the service principal.
The shell command is: Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
With this update site owners will not be able to register/update apps unless the tenant admin explicitly allows it.
To modify the default behavior, the tenant administrator must execute the following shell command to explicitly establish the flag as TRUE, thereby superseding the default value of FALSE. The service principal can only be created or updated by the tenant administrator by default. However, when the flag is set to TRUE, both the SharePoint tenant admin and site collection admin will be able to create or update the service principal through SharePoint.
The shell command is: Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
2023-08-13MC Last Updated07/25/2023 00:33:282023-08-13T00:10:23Z
2023-08-13MC MessageTagNamesFeature update, Admin impactUpdated message, Feature update, Admin impact

Last updated 5 months ago

Share to MS Teams

Login to your account

Welcome Back, We Missed You!