Azure Application Permissions vs SharePoint Add-In permissions, the obvious that’s not so obvious


I don’t know if you’ve ever played with Azure Active Directory Application permissions to consume SharePoint Online but you should know that the major advantage they offer compared to Add-Ins is that you can grant Azure Applications access to SharePoint in a transparent way for end users since you don’t need to install anything in SharePoint.

That’s particularly useful for web jobs and background processes in general that do not need user interactions. However, from a permission perspective, it doesn’t change anything. The Azure permissions suffer from the same limitations as the ones of the Add-In Policy as they :

  • Cannot consume Search
  • Cannot write in the user profile store
  • Cannot write in the managed metadata

So, this is aligned with the Add-In Policy although it is rather confusing when looking at the Azure Management Portal:


that clearly states read/write on both User Profiles and Managed Metadata. Microsoft excluded Search from this list which is right but they should also remove the write piece on those services or implement it because it’s rather confusing and might also lead to wrong decisions when designing new applications.

Happy Coding!

About Stephane Eyskens

Office 365, Azure PaaS and SharePoint platform expert
This entry was posted in Azure Active Directory, Office 365 and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s