Apps in SharePoint

What are Apps?

Over the last few years, desktops became laptops.  Laptops gave way to Notebooks. Notebooks became Ultra Books and the trend is moving towards Tablets and Smartphones.

As a result of this, web applications are paving the way for Apps.

Reasons for “Apps” development

  • No custom code execution on server side. It avoids application / server outages.
  • Custom code will be executed in Client-Browser, or IIS or Windows Azure, which are completely out of SharePoint’s scope.
  • The Server Object Model (SOM) code is replaced by Rest Services Client Side Object Model (CSOM) using which apps can communicate with a server. Authentication is done by OAuth.
  • Installation/updation /uninstallation of apps can be done without affecting the SharePoint site.
  • Better usability in mobile and tablets devices.
  • Takes SharePoint to the next level in terms of usability, deployment, development and hosting (Cloud).
  • Finally, everything in SharePoint 2013 is an App.

Types of Apps for SharePoint


  • Complete client-side code
  • Deployed to SharePoint On-premises, SharePoint online or in Office 365


  • Deployed to a different on-premises server (not SharePoint) or the cloud


  • Automatically provisions resources to SQL Azure and Windows Azure

Diagram of a possible Hybrid approach with some components in SharePoint and others residing in the Cloud:

SharePoint-hosted Apps:

  • App components hosted in isolated app domain
  • No server-side code – can use HTML, JavaScript and CSS

Provider-hosted Apps:

  • App components can be hosted anywhere ( on-premises or Cloud )
  • Authorized using JavaScript cross-domain library or OAuth
  • IncludesWindows Azure Web Sites
  • Can use ANY implementation language (ASP.NET, PHP, etc.)

Auto-hosted Apps:

  • App components are hosted in SQL Azure and Windows Azure
  • Automatically provisioned when app is installed
  • Authorized using the JavaScript cross-domain library or OAuth
  • Only available in SharePoint Online
  • Infrastructure is in preview status
  • Production use not recommended
  • Office Store not yet accepted

Host Web and App/Remote Web:

  • Each app is deployed to a SharePoint site known as the host web
  • Each app installation has its own unique URL
  • App web provisioned with app installation
    • https://[app prefix][app hash].[app domain]/[relative site URL]/[app name]
    • Required for Share Point hosted apps, optional for cloud-hosted apps
  • Cloud-hosted apps have a remote web
    • In Office 365, the remote web for Auto hosted apps is under
    • Name reminds us that this web doesn’t live on the SharePoint server

App Development Tools:

  • Office development tools for Visual Studio 2012/2013
  • “Napa” Office 365 development tools
  • Browser-based development environment (SharePoint-hosted apps only)

Office Development Tools for Visual Studio:

  • NET web application projects include classes to handle app AuthZ and AuthN (using OAuth)
  • SharePointContext.cs
    • Functions to manage SharePoint context across page requests
    • Can create app contexts and/or user for app and/or host webs
  • TokenHelper.cs
    • Functions to create and obtain AccessToken and ContextToken objects
  • On other platforms, you have to do the OAuth implementation and manage tokens yourself
  • Convert existing web application project to an App for SharePoint project

Accessing SharePoint data remotely:

  • JavaScript client object model (JSOM)
  • .NET Managed client object model (CSOM)
  • REST endpoints with OData

App authentication/authorization:

  • We can’t interact with data stored in SharePoint unless we (our apps) are authenticated to SharePoint and authorized to access data
    • Authentication: Are you who you say you are?
    • Authorization: Do you have permission to do what you are trying to do?
  • How can cloud-hosted apps for Share Point securely access data from the remote web?
    • Firewalls could be between servers
    • Code and script could be running on different domains
    • The external web server might not even be running Windows!

App authorization policy types:

  • User-only
    • Only the user identity is considered (non-app interactions with Share Point)
  • App + User
    • “Access denied” if one and/or the other lacks permissions
    • Both the app identity and the user identity are considered
  • App-only
    • Only the app identity is considered
    • Only supported for server-side code in cloud-hosted apps
    • Can’t be used with certain APIs (e.g., Search, Project Server)
    • Allows for elevation above current user’s permissions (or when there is no current user)

App permissions:

  • Trust must be explicitly granted by the user installing the app (nothing or all)
  • User installing the app must also have all permissions the app is requesting

Deploying provider-hosted apps:

  • To use OAuth, you must register an app principal
    • Automatically handled for Auto-hosted apps and <F5> local host deployments
    • Requires a visit to /_layouts/15/AppRegNew.aspx for provider-hosted apps
  • Update <appSettings> values in web.config file
    <add key=”ClientId” value=”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” />
    <add key=”ClientSecret” value=”xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=” />
  • Deploy/publish your remote web project
  • Set full URL for Start page in AppManifest.xml
  • Right-click and “Publish…” the app project
  • Click Package the app to generate .app file
  • Deploy the .app file to your app catalog
  • Click the link to launch the app
  • Grant permissions the app requests


  • Rajesh Kumar VSNK works as Module Lead with Trigent Software. With 10+ years of experience in building and designing internet/intranet based systems, Rajesh has considerable (over 7 years) experience in SharePoint Technology – SP 2013, SP 2010 and MOSS 2007. He also has experience working on migration projects from MOSS 2007 to SP 2010 and MOSS 2007 to SP2013.