Recently on a new 365 tenant I discovered that after creating an Azure App Registration or new SharePoint App-Only / Add-in that I could not access SharePoint resources without being hit with 401 unauthorized errors.
I use Client IDs and Secrets to access SharePoint via PowerShell with CSOM and PnP so often grant an App ID full tenant access via the XML permissions detailed here.
I found that Connect-PnPOnline would successfully connect to the tenant but any attempt to Get-PnPWeb or Get-PnPSite would result in the 401 unauthorized access.
After much investigation I concluded that the XML add in permissions were being ignored in SharePoint and somehow Microsoft had made a change to break this and so I logged a MS Support ticket.
As usual, MS Support weren’t helpful, and after requesting updates for three weeks a colleague of mine found a new change that Microsoft had made that caused this issue and so I cancelled the ticket.
The change is this, Microsoft added a new tenant-level property called “DisableCustomAppAuthentication” to SharePoint Online and made the decision to set this property to be true by default affecting all new tenants post August 2020.
The solution is to set this new property to false as follows:
Set-SPOTenant -DisableCustomAppAuthentication $false
This requires the latest version of SharePoint online management shell.