Development environment for low-trust: Configuring Low Trust Apps

This post is part of the article series "Development environment for low-trust", where we aim to set up an environment that replicates a live production environment as closely as possible. Here, we also switch from High Trust apps to Low Trust apps to support ADFS, Azure AD and the future-proof app/add-in models.


App Catalog Configuration

You must configure a new name in Domain Name Services (DNS) to host the apps. To help improve security, the domain name should not be a subdomain of the domain that hosts the SharePoint sites, so that app pages are kept in a separate origin from the SharePoint sites. When an app is provisioned, it is given a unique DNS host name (for example, a name in which 12345678ABCDEF is the unique identifier for the app). You need a wildcard Canonical Name (CNAME) entry for your DNS domain to support these unique names.

You must also ensure that at least one profile is created in the User Profile Service Application. The steps are as follows:

  1. In Central Administration, under Application Management, select Manage service applications.
  2. Next, select User Profile Service Application.
  3. On the Manage Profile Service: User Profile Service Application page, under People, select Manage User Profiles.
  4. On the Manage User Profiles page, select New Profiles.
  5. On the Add User Profile page, type your account name and email address.
  6. Select Save and Close.

Note: If you get a message saying that the profile you are trying to create already exists, select Cancel and Go Back.
Back on the Manage User Profiles page, you should see Total number of profiles: 1.

Configuration of ACS

The following configuration steps are required for low trust apps using ACS:

  1. Set up the Office 365 subscription and obtain the global tenant administrator account details.
  2. Replace the signing certificate in SharePoint using the Set-SPSecurityTokenServiceConfig cmdlet. This changes the certificate used by the SharePoint trusted token issuer to meet the signing requirements of ACS. This must be done on every SharePoint server.
  3. Configure SharePoint for ACS using the Connect-SPFarmToAAD script. This creates two new shared services and is done once per farm.
  4. Register each individual app using the Add-ServicePrincipalToAAD and Register-SPAppPrincipalEx commands. The second command can optionally receive an existing client ID and client secret for migration purposes.
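
Steps 2 and 3 as an added PowerShell example; this is not the post's own script. The Set-SPSecurityTokenServiceConfig parameter is the product's; Connect-SPFarmToAAD and its -AADDomain / -SharePointOnlineUrl parameters are taken from the Microsoft sample script the post refers to and are assumed, as are the file paths, tenant domain and URL.

```powershell
# Added example: replace the STS signing certificate (per server) and
# connect the farm to ACS (once per farm). Run in the SharePoint
# Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumed): adjust to your environment.
$pfxPath          = 'C:\certs\SigningCert.pfx'
$aadDomain        = 'contoso.onmicrosoft.com'
$onPremSharePoint = 'https://sharepoint.contoso.local'
$acsScript        = 'C:\scripts\Connect-SPFarmToAAD.ps1'   # assumed script location

# Prompt for the PFX password instead of storing it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Step 2: load the certificate with an exportable, persisted private key
# (SharePoint stores the key in the configuration database) and check it
# is actually usable for signing before touching the farm.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'Exportable, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)

if (-not $cert.HasPrivateKey) {
    throw "PFX at $pfxPath has no private key; the STS cannot sign tokens with it."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires on $($cert.NotAfter); ACS trust will break then."
}
Write-Host "Importing signing certificate $($cert.Thumbprint) ($($cert.Subject))"

Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert

# The STS runs under IIS; recycle so the new certificate takes effect.
# Repeat the import and the reset on every SharePoint server in the farm.
iisreset

# Step 3: once per farm. Connect-SPFarmToAAD is a function defined in the
# sample script, so dot-source the script to load it first.
. $acsScript
Connect-SPFarmToAAD -AADDomain $aadDomain -SharePointOnlineUrl $onPremSharePoint -Verbose
```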

Scripts needed for the configuration can be found at Details on app registration can be found at