Restrict User Access to Azure AD Administration Portal

This post is part of the Secure External Sharing Series.

In earlier posts, we have seen how you can block Azure Portal access for Guest Users (aka External Users) and also use Azure AD roles to allow users, including guest users, to invite guest users from partner organisations.

If your organisation does not want to do any of this and instead wants to further restrict user access to the Azure Active Directory administration portal, this blog post is for you.

Who will approve my Provider-Hosted SharePoint Add-in request?

We had an interesting situation at one of our projects. The build team had created their first Provider-Hosted SharePoint Add-in and were ready to upload it to the pre-production environment’s add-in catalog. As the build team did not have access to manage the add-in catalog, the operations team deployed the add-in.

Uploading a SharePoint Add-in to a corporate add-in catalog is as easy as uploading any file to a SharePoint document library. You fill out a pop-up form in which you supply the local URL of the add-in package and other information, such as the name of the add-in. (Reference Link)

However, the SharePoint Add-in was not available to users on the Your Add-ins page. This is the page from which users install add-ins, and the recently uploaded add-in was not listed!

What’s going on? The SharePoint Add-in deployed without errors. And the operations team that deployed the add-in are SharePoint Administrators in the SharePoint Online admin centre.

Right, so what happened? This is what happened! There was no issue with the add-in or with the deployment.

The operations team had been assigned SharePoint Administrator permissions by the Global Administrators (Tenant Administrators). Before the operations team was assigned those permissions, the tenant administrators had provisioned the App Catalog site.

As we can see, the administrator of the app catalog site collection was set when the site collection was created, that account being the primary site collection administrator.

This user (the site collection administrator) was the one receiving the email notifications whenever an add-in was deployed and needed approval for publishing. Only once approved would the add-in appear on the Your Add-ins page.

So the fix was to change the primary site collection administrator to someone from the operations team and also add a secondary site collection administrator for the app catalog site collection!

Once this was set, the site collection admins from the operations team received the email notifications for add-ins awaiting approval for publishing!
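The same fix, scripted with the SharePoint Online Management Shell so it can be checked and repeated, as an added example that is not part of the original post. It assumes the `Microsoft.Online.SharePoint.PowerShell` module is installed and that the account running it holds the SharePoint Administrator role; the tenant name, app catalog URL and user accounts are placeholders you must replace with your own.

```powershell
# Added example, not the blog author's code. Placeholders: contoso tenant, app catalog URL, accounts.
$adminUrl      = "https://contoso-admin.sharepoint.com"            # placeholder: tenant admin centre
$appCatalogUrl = "https://contoso.sharepoint.com/sites/AppCatalog" # placeholder: app catalog site collection
$newPrimary    = "ops.lead@contoso.com"                            # placeholder: operations team account
$newSecondary  = "ops.admin2@contoso.com"                          # placeholder: second approver

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $adminUrl

# 1. Who is the primary site collection administrator today? (Get-SPOSite exposes it as Owner.)
$site = Get-SPOSite -Identity $appCatalogUrl
Write-Host "Current primary site collection administrator: $($site.Owner)"

# 2. List every site collection administrator: these are the accounts that receive
#    the approval notifications for newly uploaded add-ins.
Get-SPOUser -Site $appCatalogUrl -Limit All |
    Where-Object { $_.IsSiteCollectionAdmin } |
    Select-Object LoginName, DisplayName

# 3. Make the operations lead the primary site collection administrator.
Set-SPOSite -Identity $appCatalogUrl -Owner $newPrimary

# 4. Add a secondary site collection administrator so approvals do not depend on one person.
Set-SPOUser -Site $appCatalogUrl -LoginName $newSecondary -IsSiteCollectionAdmin $true

# 5. Re-read and confirm the change took effect.
Write-Host "New primary site collection administrator: $((Get-SPOSite -Identity $appCatalogUrl).Owner)"
Get-SPOUser -Site $appCatalogUrl -Limit All |
    Where-Object { $_.IsSiteCollectionAdmin } |
    Select-Object LoginName
```

Steps 2 and 5 are the part worth keeping in a runbook: listing the site collection administrators of the app catalog tells you, before and after the change, exactly who will be asked to approve an add-in, which is the information that was missing in the situation described above.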