I had setup a cloud Hybrid Search environment for one of my customers with SharePoint 2016 and SharePoint Online. It was working fine for past few weeks, until one fine day for almost all the users started getting the error message “Microsoft.SharePoint.Client.ServerException: Query execution is only allowed with IgnoreSafeQueryPropertiesTemplateUrl=true when the user has the UseRemoteAPIs permission” when searched from on-prem environment.
Cloud Hybrid and Federated Setup
Just to share some background about the environment setup, I had followed the recommended approach for setting up the cloud hybrid environment and all the content was correctly getting indexed in Office 365. The SharePoint online search center was showing content from both SharePoint online sites and SharePoint on-premise sites.
In the on-premise environment, I had set up a federated search, similar to as explained in this article, so that combined search results appear even from on-premise search center.
It was tested, re-tested and accepted as working as expected.
One Fine Day
So as it goes, one fine day, except some admin users, the on-prem search started throwing the error “Microsoft.SharePoint.Client.ServerException: Query execution is only allowed with IgnoreSafeQueryPropertiesTemplateUrl=true when the user has the UseRemoteAPIs permission” for all other users. Regardless of the query or browser, all search always started returning the same error.
Obviously, I googled a bit and found some articles like this and this. Not exactly useful. I verified all permissions in on-premise environment, both at root site collection and search center site were fine. The logged in user had more than read permission.
Time to look into SharePoint Online
After spending sometime looking into on-premise configurations and permissions, I decided to look into SharePoint online.
I saw the logged in user didn’t have a SharePoint license assigned in Office 365, so I assigned one. Tested again, same error… time to move on…
Then, I specifically added the user as site collection admin of the SharePoint online root site collection and tried to search and BAM, it returned the result. WoW, now that was progress.
So, I went ahead and removed the user from site collection admin and added just with read permissions as a visitor. Search Results, still appearing.
Next step, remove the license that was assigned to the user, Search Results, still appearing.
Essentially, SharePoint online was expecting the users to have at least read permission on the root site collection of SharePoint to deliver the Federated result to on-premise.
Finally, I just added “Everyone except External Users” under Site Visitors in the root site collection of SharePoint online.
And all good now, it’s working for all users. I could do that because my SharePoint Online site was supposed to be open for all users.
But why did this happen in the first place. Well answer lies in my previous article, take a look 🙂