SharePoint admin control for App registration / update

This is an enhancement to the security measures for administrative governance that modifies the default procedures for application registration and permission updates. Following the implementation of this change, site owners will be unable to register applications or update permissions unless authorized explicitly by the tenant administrator.

Upon attempting to register an application, a notification will be displayed stating “Your SharePoint admin doesn’t allow site owners to create an Azure Access Control (ACS) principal. Please contact your SharePoint administrator.”

Similarly, upon attempting to update application permissions, a notification will be displayed stating “Your SharePoint admin doesn’t allow site owners to update app permissions. Please contact your SharePoint administrator.”

[When this will happen:]

The rollout process is scheduled to commence in late August and is expected to conclude in mid-September. 

[How this will affect your organization:]

With this update site owners will not be able to register/update apps unless the tenant admin explicitly allows it.

To modify the default behavior, the tenant administrator must execute the following shell command to explicitly establish the flag as TRUE, thereby superseding the default value of FALSE. The service principal can only be created or updated by the tenant administrator by default. However, when the flag is set to TRUE, both the tenant administrator and site owners will be able to create or update the service principal.

The shell command is: Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

[What you need to do to prepare:]

No proactive measures are required to prepare for this change. Nevertheless, it is advisable to inform your users of this modification and update any relevant documentation as necessary.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *