SharePoint 2013: Implement RunWithElevatedPrivileges with Apps (S2S)


In this article we are going to see how to elevate user permissions in SharePoint Apps, similar to RunWithElevatedPrivileges in full-trust code.

Elevate User Access with the App Only Policy


The reason we use RunWithElevatedPrivileges is to execute our code with elevated permissions regardless of the permissions of the currently logged-in user.

By default, SharePoint Apps run in the context of user + app, which means both the current user and the app must have sufficient rights to access a SharePoint resource. In some cases, however, we need the app to access SharePoint resources regardless of the current user's permissions; this is where the app-only permission policy comes into the picture. In this article I will show you how to use it.


To let an app perform work that the user does not have permission for, we use the app-only policy. To enable the app-only policy in your app, add the AllowAppOnlyPolicy attribute to the AppPermissionRequests element in the app manifest (AppManifest.xml):

<AppPermissionRequests AllowAppOnlyPolicy="true">


This capability is only available to provider-hosted apps; it is not available to SharePoint-hosted apps. Full-trust code, by contrast, is not limited by app permissions at all: it can do anything it wants.

S2S (High Trust) – App Only Context:
Obtain an app-only S2S access token by calling the GetS2SAccessTokenWithWindowsIdentity method of the TokenHelper class, passing null for the WindowsIdentity parameter. Because no Windows identity is included, the token carries only the app's identity.


Let's see how we can actually use the app-only policy to elevate user permissions. I have written the following code in the code-behind of TestPage.aspx in an S2S provider-hosted app:


    // SharePoint passes the host web URL to the app page on the query string.
    Uri _hostWeb = new Uri(Request.QueryString["SPHostUrl"]);

    // Passing null for the WindowsIdentity yields an app-only token (no user identity in it).
    string appOnlyAccessToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(_hostWeb, null);

    // Open the client context with the app-only token (GetClientContextWithAccessToken, not a second token call).
    using (ClientContext clientContext = TokenHelper.GetClientContextWithAccessToken(_hostWeb.ToString(), appOnlyAccessToken))
    {
        List Testlist = clientContext.Web.Lists.GetByTitle("TestList");
        ListItemCreationInformation info = new ListItemCreationInformation();
        Microsoft.SharePoint.Client.ListItem item = Testlist.AddItem(info);
        item["Title"] = "Created S2SApp";
        item["Body"] = "Created from S2S " + DateTime.Now.ToLongTimeString();
        item.Update();                // queue the insert
        clientContext.ExecuteQuery(); // send it to SharePoint; runs as the app identity
    }


Deploy the app and then log on as a user that only has read permission on the list. Execute the code: a new item is created even though the user does not have permission to create items in the list. The Created By and Modified By fields in the list will show that it was the SHAREPOINT\App account that was used to create the item.

Note: as you can see, the ClientContext opened with the appOnlyAccessToken runs under the identity of the SHAREPOINT\App account rather than the current user, so the item's audit fields no longer identify who triggered the write. This is worth remembering, just as it is when using RunWithElevatedPrivileges in the server object model.
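As an added example (not code from the original post), the following helper falls back to the app-only token only when the caller's own user + app context lacks AddListItems on the list, verifies that the app-only context actually holds that right, and logs who requested the elevation, since Created By will only show the app account. It assumes the high-trust TokenHelper class generated by the Visual Studio app template, a WindowsIdentity for the caller (for example Request.LogonUserIdentity in the page's code-behind), and a placeholder list title.

```csharp
using System;
using System.Security.Principal;
using Microsoft.SharePoint.Client;

// Added example, not code from the original post; assumes the template's high-trust TokenHelper.
public static class AppOnlyElevation
{
    // Reports which identity the context runs as and whether it may add items to the list.
    public static bool CanAddItems(ClientContext ctx, string listTitle, out string loginName)
    {
        List list = ctx.Web.Lists.GetByTitle(listTitle);
        ctx.Load(ctx.Web, w => w.CurrentUser);
        ctx.Load(list, l => l.EffectiveBasePermissions);
        ctx.ExecuteQuery();
        loginName = ctx.Web.CurrentUser.LoginName;
        return list.EffectiveBasePermissions.Has(PermissionKind.AddListItems);
    }

    // Elevates only when the caller's user + app context cannot add items, verifies the
    // app-only context really holds the right, and records who requested the elevation.
    public static void CreateItem(Uri hostWeb, WindowsIdentity caller, string listTitle)
    {
        string who;
        using (ClientContext userCtx = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, caller))
        {
            if (CanAddItems(userCtx, listTitle, out who))
            {
                AddItem(userCtx, listTitle, "Created as " + who);
                return; // caller already has the right: no elevation needed
            }
        }
        // null WindowsIdentity: the token carries only the app identity (app-only policy)
        string appOnlyToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWeb, null);
        using (ClientContext appCtx = TokenHelper.GetClientContextWithAccessToken(hostWeb.ToString(), appOnlyToken))
        {
            if (!CanAddItems(appCtx, listTitle, out who))
                throw new UnauthorizedAccessException("App-only context cannot add items: check AllowAppOnlyPolicy and the granted scope.");
            // Created By on the item will show the app account, so log the real requester here.
            System.Diagnostics.Trace.TraceInformation("Elevated write to '{0}' by {1}, executed as {2}", listTitle, caller.Name, who);
            AddItem(appCtx, listTitle, "Created on behalf of " + caller.Name);
        }
    }

    private static void AddItem(ClientContext ctx, string listTitle, string body)
    {
        ListItem item = ctx.Web.Lists.GetByTitle(listTitle).AddItem(new ListItemCreationInformation());
        item["Title"] = "Created S2SApp";
        item["Body"] = body + " " + DateTime.Now.ToLongTimeString();
        item.Update();
        ctx.ExecuteQuery(); // the insert reaches SharePoint only here
    }
}
```

In the page's TestPage.aspx code-behind this would be called as AppOnlyElevation.CreateItem(new Uri(Request.QueryString["SPHostUrl"]), Request.LogonUserIdentity, "TestList").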




About Sagar Pardeshi

I am a developer working on Microsoft technologies for the past 6+ years. I am very passionate about programming, and my core skills are SharePoint, ASP.NET & C#, jQuery, JavaScript, and REST. I am running this blog to share my experience & learning with the community. I am an MCP, MCTS .NET & SharePoint 2010, MCPD SharePoint 2010, and MCSD HTML 5, SharePoint 2013 Core Solutions. I am currently working on SharePoint 2010, MOSS 2007, SharePoint 2013, SharePoint 2013 App Dev, C#, ASP.NET, and SQL Server 2008.
