We have identified an issue when creating a SharePoint list item using an Azure AD (app-only) token: it does not trigger the out-of-the-box approval workflow!
You can reproduce this easily by creating a console application that authenticates with an Azure AD token. The console client I'm using is the code copied from Richard diZerega.
Here are the steps to reproduce.
- Create a custom list
- Add an approval workflow to the list
- Add an item manually and verify that it triggers the approval workflow
- Create an item in the same list using an Azure AD app token and note that it does not trigger the approval workflow
The following error appears in the logs when debugging with Microsoft:
Declarative workflows cannot automatically start if the triggering action was performed by an App-Only request. Canceling workflow auto-start. List Id: adaa6f76-bcd4-4fb7-8047-79345de1a362, Item Id: 12, Workflow Association Id: 03c8887c-d816-4a31-9181-71de9ed10523
This seems to be happening because SharePoint considers the workflow to be running under the System Account. You might recall that we need to run PowerShell to enable declarative workflows.
One interesting finding is that an item created through the same REST call using an end user's name and password, as described in a different blog post, will trigger the approval workflow. If you use an Azure AD token to authenticate to O365, the item will be created by the Azure app instead of the real user, as in the following screenshot.
Another interesting finding is that an item created using an Azure AD token will trigger other workflows, such as the Three-State workflow and the Disposition workflow.
The third interesting finding is that the approval workflow starts fine for a provider-hosted app. You will see some workflows that failed in the screenshot below.
After working with the Microsoft O365 team on this strange behavior, it turns out this is as designed, to prevent an ADA attack. The error from the log is listed below.
SPWorkflowAutoStartEventReceiver: ItemAdded event received for list adaa6f76-bcd4-4fb7-8047-79345de1a362, item id 12
Declarative workflows cannot automatically start if the triggering action was performed by an App-Only request. Canceling workflow auto-start. List Id: adaa6f76-bcd4-4fb7-8047-79345de1a362, Item Id: 12, Workflow Association Id: 03c8887c-d816-4a31-9181-71de9ed10523
Correlation ID = f192309d-d049-2000-0a07-38a8143f17b7
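When triaging this behavior across a tenant, it helps to pull the cancelled auto-starts out of the ULS output and pair each one with the correlation ID that follows it. The parser below is an added example written for this post, not code from the post or from Microsoft; the sample log is constructed from the lines quoted above plus a made-up second entry for an item that was not cancelled.

```python
import re
from collections import Counter

# Constructed sample modelled on the ULS lines quoted in this post. The first
# three lines are the post's; the item-13 entry and its correlation ID are made up
# to represent an ItemAdded event that was NOT cancelled (e.g. a user-context add).
SAMPLE_LOG = """\
SPWorkflowAutoStartEventReceiver: ItemAdded event received for list adaa6f76-bcd4-4fb7-8047-79345de1a362, item id 12
Declarative workflows cannot automatically start if the triggering action was performed by an App-Only request. Canceling workflow auto-start. List Id: adaa6f76-bcd4-4fb7-8047-79345de1a362, Item Id: 12, Workflow Association Id: 03c8887c-d816-4a31-9181-71de9ed10523
Correlation ID = f192309d-d049-2000-0a07-38a8143f17b7
SPWorkflowAutoStartEventReceiver: ItemAdded event received for list adaa6f76-bcd4-4fb7-8047-79345de1a362, item id 13
Correlation ID = 00000000-0000-0000-0000-000000000001
"""

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
CANCEL_RE = re.compile(
    r"performed by an App-Only request\. Canceling workflow auto-start\. "
    rf"List Id: (?P<list_id>{GUID}), Item Id: (?P<item_id>\d+), "
    rf"Workflow Association Id: (?P<assoc_id>{GUID})", re.IGNORECASE)
CORR_RE = re.compile(rf"Correlation ID = (?P<corr>{GUID})", re.IGNORECASE)


def find_app_only_cancellations(log_text):
    """Return one dict per cancelled auto-start, tagged with the correlation ID
    that follows it in the log (None if no correlation line follows)."""
    results, pending = [], []
    for line in log_text.splitlines():
        m = CANCEL_RE.search(line)
        if m:
            rec = {"list_id": m["list_id"].lower(), "item_id": int(m["item_id"]),
                   "workflow_association_id": m["assoc_id"].lower(),
                   "correlation_id": None}
            results.append(rec)
            pending.append(rec)
            continue
        c = CORR_RE.search(line)
        if c:  # a correlation line closes out the entries logged before it
            for rec in pending:
                rec["correlation_id"] = c["corr"].lower()
            pending = []
    return results


def cancellations_per_association(records):
    """Count cancelled starts per (list, workflow association): these are the
    workflow associations that silently never run for app-only writes."""
    return dict(Counter((r["list_id"], r["workflow_association_id"]) for r in records))
```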
If you really need to trigger workflow by using Azure AD token to create items, the workaround is to create a designer 2013 workflow. I've created a designer 2013 workflow and it was successfully triggered as in the below screenshot. The designer workflow named "Approval2013WF" has only one send email action.
Please note that the item-added event will still be triggered, and you could add business logic in a remote event receiver to perform some actions. You might not be able to use the same token to modify the SharePoint objects.