SharePoint Online errors due to missing permissions

I have a question regarding the SP online M365 connector (version is 8.1.4).

As stated in the administration guide, the target system connection user needs explicit permissions for every individual site that should be administered by 1IM.

Our problem, however, is that the SP sync is not able to complete at all if ANY site exists without said permissions!
E.g.: The sync is working, all sites have been given said permissions. Now, someone creates a new site inside M365 and 'forgets' to add permissions -> completely breaks the whole SP sync!

Specifically, the following error occurs when trying to perform the sync at this point:

[1777018] Error executing synchronization project (SharePoint Online tenant 'xxx')'s workflow (Initial Synchronization).
	at VI.Projector.Projection.ProjectorEngine.<ExecuteAsync>d__3.MoveNext()
[1777124] Error executing projection step (Web) of projection configuration (Initial Synchronization (Initial Synchronization)).
	at VI.Projector.Projection.ProjectorEngine.<ExecuteAsync>d__3.MoveNext()
[1777219] Error executing synchronization step (Web)!
	at VI.Projector.Projection.ProjectorEngine.<ExecuteAsync>d__3.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	--- End of stack trace from previous location where exception was thrown ---
	at VI.Projector.Projection.ProjectionStrategy.<ExecuteStepAsync>d__3.MoveNext()
[1777009] Error loading system objects of class Web (all) (Web_Master).
	at VI.Projector.Projection.ProjectionStrategy.<ExecuteStepAsync>d__3.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	--- End of stack trace from previous location where exception was thrown ---
	at VI.Projector.Projection.ProjectionStrategyBase.<OnExecuteStepAsync>d__6.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	--- End of stack trace from previous location where exception was thrown ---
	at VI.Projector.Projection.FullProjectionStrategy.<LoadObjectCollectionsAsync>d__2.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	--- End of stack trace from previous location where exception was thrown ---
	at System.Threading.Tasks.Task.Execute()
	at System.Threading.Tasks.Task`1.InnerInvoke()
	at VI.Projector.Projection.ProjectorEngine.<>c__DisplayClass19_0.<LoadMappingObjectCollectionAsync>b__0()
	at VI.Projector.Projection.ProjectorEngine._LoadMappingObjectCollection(ISystemConnection connection, ISystemMap map, SystemMappingSide side, QueryByFilterOptions filterQuery)
	at VI.Projector.Connection.SystemConnection.QueryObjectInternal(ISchemaClass schemaClass, QueryByFilterOptions query, Boolean withScope)
Access denied. You do not have permission to perform this action or access this resource.
	at System.Threading.Tasks.Task.<>c__DisplayClass176_0.<ExecuteSelfReplicating>b__0(Object )
	at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
	at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.<ForWorker>b__1()
	at VI.Projector.SharePointOnline.Connector.SiteResolver.<>c__DisplayClass13_0.<GetSiteCollectionsWithLoadedRootWeb>b__4(IGrouping`2 grouping)
	at VI.Projector.SharePointOnline.Connector.SPClientExtensions.ExecuteQueryEx(ClientRuntimeContext clientContext)
	at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
	at Microsoft.SharePoint.Client.ClientRequest.ProcessResponse()
	at Microsoft.SharePoint.Client.ClientRequest.ProcessResponseStream(Stream responseStream)

Using the target system browser, we get the same error when we try to view the 'Web' objects - none are displayed. This is also true for all other object types except 'Tenant' and 'Site', as long as there is at least one site with 'missing' permissions.

Once all sites are given permission, the sync works again. If we remove the problematic sites from the (hierarchical) target system scope, the sync also works. However, any newly created site is automatically included in the scope (which is obv. a black-list), thus breaking the sync until manually removed from the scope. The possibility of using white-listing also wouldn't help much, because then we would have to manually add all 'good' new sites.

Is there an elegant way of fixing this? I don't assume we need to give explicit permissions to 1IM for absolutely every site in the tenant, even if we don't want to manage it?