Understanding App Only Permission policy in SharePoint 2013 App model

In this post, we’ll look at what the App Only permission policy is in the SharePoint 2013 App model, using a sample app project. SharePoint 2013 App permissions are of three types:

  • App Only
  • User Only
  • App+User

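When the logged-in user does not have enough privileges to perform a certain action or set of actions, the App Only permission comes into the picture. The App can elevate its permissions using the App Only permission or context. Because an app-only call is authorized against the permissions granted to the App and not those of the signed-in user, the App's own code decides what a low-privileged user can trigger. A SharePoint 2013 App configured with App Only permission or context can only be installed by the site-collection administrator at this point in time.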

I’ll be using a Provider hosted app for the purpose of this demonstration. I have a user called ‘User A’ who does not have permission to modify the Title of SharePoint lists in the site-collection. I will be using App Only context to elevate the App’s permission and change the List Title.

I have a list called ‘Announcements’ and I will be changing its Title using App Only permission or context.


Launch Visual Studio 2013.

Choose File –> New –> Office/SharePoint –> Apps and name the project ‘AppOnlyContextApp’.

Select Provider-hosted as the app hosting type.

In order to update the Title of the SharePoint list (at the root of the site collection), grant the App Full Control on the site collection.


Set the App Only permission in the AppManifest.xml file:

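<?xml version="1.0" encoding="utf-8" ?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <!-- Keep the other App attributes and the Properties element as generated by Visual Studio -->

  <AppPrincipal>
    <RemoteWebApplication ClientId="*" />
  </AppPrincipal>
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  </AppPermissionRequests>
</App>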
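
A reviewer's check for the manifest above, as an added example in Python that is not part of the original post: it parses an AppManifest.xml and reports the rights an app-only identity would hold. The function name, the severity labels and the choice of which scopes count as broad are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
# Rights ordered from least to most powerful.
RIGHTS = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}
# Assumption for this example: scopes treated as "broad" by the reviewer.
BROAD_SCOPES = (
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
)

# Constructed sample: the permission block from this post, made well-formed.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPrincipal><RemoteWebApplication ClientId="*" /></AppPrincipal>
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  </AppPermissionRequests>
</App>"""


def audit_manifest(xml_text):
    """Return (app_only, findings) for one AppManifest.xml document."""
    # Standard-library parser; for manifests from untrusted packages use defusedxml.
    root = ET.fromstring(xml_text.encode("utf-8"))
    requests = root.find("m:AppPermissionRequests", NS)
    if requests is None:
        return False, []
    # The attribute is optional; when absent, no app-only policy is requested.
    app_only = requests.get("AllowAppOnlyPolicy", "false").strip().lower() == "true"
    findings = []
    for req in requests.findall("m:AppPermissionRequest", NS):
        scope, right = req.get("Scope", ""), req.get("Right", "")
        level = RIGHTS.get(right, 0)
        if level == 0:
            findings.append(("review", scope, right, "unrecognised right"))
        elif app_only and level >= 3 and scope in BROAD_SCOPES:
            findings.append(("high", scope, right,
                             "app-only identity holds this right on the whole scope"))
        elif app_only:
            findings.append(("medium", scope, right, "right is exercised without a user"))
    return app_only, findings


if __name__ == "__main__":
    app_only, findings = audit_manifest(SAMPLE_MANIFEST)
    print("AllowAppOnlyPolicy:", app_only)
    for severity, scope, right, why in findings:
        print(f"[{severity}] {right} on {scope}: {why}")
```
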

Copy and paste the following code into the Default.aspx.cs file. I have added the necessary logic in the Page_Load method to update the Title of a particular list.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace AppOnlyContextWeb
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_PreInit(object sender, EventArgs e)
        {
            Uri redirectUrl;
            switch (SharePointContextProvider.CheckRedirectionStatus(Context, out redirectUrl))
            {
                case RedirectionStatus.Ok:
                    return;
                case RedirectionStatus.ShouldRedirect:
                    Response.Redirect(redirectUrl.AbsoluteUri, endResponse: true);
                    break;
                case RedirectionStatus.CanNotRedirect:
                    Response.Write("An error occurred while processing your request.");
                    Response.End();
                    break;
            }
        }

        protected void Page_Load(object sender, EventArgs e)
        {
            // The following code gets the client context and Title property by using TokenHelper.
            // To access other properties, the app may need to request permissions on the host web.
            var spContext = SharePointContextProvider.Current.GetSharePointContext(Context);

            // App Only context: calls run with the permissions granted to the app
            // in AppManifest.xml, not with those of the signed-in user.
            using (var clientContext = spContext.CreateAppOnlyClientContextForSPHost())
            {
                //Load the SharePoint web
                clientContext.Load(clientContext.Web, web => web.Title);

                //Load the list collection in the SharePoint web
                clientContext.Load(clientContext.Web.Lists);
                clientContext.ExecuteQuery();

                //Change the title of the announcement list to some arbitrary title
                //(index 1 is assumed to be the Announcements list on this site)
                var list = clientContext.Web.Lists[1];
                list.Title = "SundarAnnouncements";
                list.Update();
                clientContext.ExecuteQuery();
            }
        }
    }
}


Press F5 to run the App in Visual Studio. We can now verify that the App Only policy elevated the App's permission by checking that the list Title has changed.

