How do I set a SharePoint-hosted app’s permissions via PowerShell?


I’m deploying apps using Import-SPAppPackage and Install-SPApp. I’d like to be able to use Set-AppPrincipalPermission to set permissions but I can’t get it working.

I’m uploading a SharePoint-hosted app to SharePoint using the PowerShell cmdlets Import-SPAppPackage and Install-SPApp. This is working fine for SharePoint-hosted apps that do not require additional permissions.

However, one app needs read access to the site, so this is declared in the manifest. And it works fine when run through Visual Studio – on first launch, it correctly asks to trust the app for read access to the site.

When I add this app via PowerShell, it has no opportunity to ask. The install continues without problems, but then the app doesn’t work. (It fails with a permissions problem, which is absolutely the correct behavour since the permissions haven’t yet been granted.)

I can fix the permissions by going to the Site Contents, clicking on the ‘…’ for the problem app, choosing ‘Permissions’ and then clicking the link that says ‘If there’s something wrong with the app’s permissions, click here to trust it again’.

But I really want to just be able to do the whole deployment via PowerShell.

The Set-AppPrincipalPermission cmdlet should allow me to set the permissions, but I can’t get it to work. Specifically, I can’t get a handle on the app principal that was automatically created when the app was deployed, so I can’t pass this app principal to Set-AppPrincipalPermission.

The app principal has a name of the form ‘i:0i.t||@’ and it is listed on /_layouts/15/appprincipals.aspx. When I use Get-SPAppPrincipal with it, all I get is:

I haven’t seen any examples of using Get-SPAppPrincipal for any SharePoint-hosted apps – they all seem to be for provider-hosted apps. They also all seem to just use an app principal ID built from the client ID and the realm ID, but my SharePoint-hosted app doesn’t have a client ID.

Is it possible to get the app principal of a SharePoint-hosted app and use it to set the permissions via PowerShell? Am I doing something wrong, or is there another approach?


I struggled the same problem like you and finally found an answer in these two blogs:

Blog with a nice Install, Update and Delete Script

Here is a nice post about “pressing” the “Trust It” Button via PowerShell Link

And because I know how lazy programmers like me are, feel free to use this merged script to Install Apps:


How do I set a SharePoint-hosted app’s permissions via PowerShell? by licensed under CC BY-SA | With most appropriate answer!

Leave a Reply