Premise

In this post, I’ll demonstrate, how to register a SharePoint add-in(app) using the AppRegNew form and grant the required permissions.

Register Add-In using the AppRegNew form

• Navigate to
  [Site Collection URL]/_layouts/15/AppRegNew.aspx

  

• At this point, you’ll need to fill in the following details,
  

  Client Id	Generate a unique client id for your add-in. It’s a GUID which will be used to identify your add-in.
  Client Secret	Acts like a password for your add-in. It will include some special characters as well. So while using it, we have to encode the same first.
  Title	The name of your add-in that will be displayed to the end user.
  App Domain	For provider-hosted add-in, this will be the domain where, the add-in is hosted. For token generation add-in, fill in any value. Make sure, not to include protocols(https) or slashes(/).
  Redirect URI	For provider-hosted add-in, fill in the redirect URL. For token generation add-in, fill in any value.

• Once you have filled in all the details, hit Create to register the add-in.
  

  

• You will be navigated to a page displaying the details of your add-in. Save Client Id & Client Secret for future references.
  

  

Grant permission to an add-in

Now that the identifier is created, we need to grant the necessary permission for it to perform any action. In this example, I’ll demonstrate how to grant full control access on a Site Collection.

• Navigate to
  [Site Collection URL]/_layouts/15/AppInv.aspx

  

• Enter your Client Id value in the App Id option and hit the Lookup button. Details of your add-in will be displayed automatically.
  

  

• This is the crucial part. In the option, Permission Request XML, let’s write the below XML code to grant our add-in full control on the given site collection.
  <AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl"/>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl"/>
</AppPermissionRequests>
• Just hit the Create button. You will now be prompted to trust the add-in for all the permissions that it requires.
  

  

• Hit the Trust It to grant the requested accesses. You can navigate to the following URL to also confirm that the permission has been assigned to the add-in.
  [Site Collection URL]/_layouts/15/appprincipals.aspx

  

Permission Matrix

In the above permission XML, we have used 2 permissions, full control on a site collection and full control on a web. Similarly, there are other permission options as well. A detail description of all the available options can be found here.

Key Takeaways

• As mentioned in the above example, multiple permissions can be applied to a give add-in.
• Add-in registration is not required for SharePoint-hosted add-in.
• Remember to always HTML encode the Client Secret before using it.
• The values, AppDomain and Redirect URI are required for provider-hosted add-in only. For token generation add-in, these values gets ignored. So we can put any dummy values in here.
• Token generation add-in is required to authenticate our custom SharePoint REST API calls.