For security reasons, Microsoft has disabled Azure Access Control (ACS) only for new Office 365 tenants by default. This prevents the creation of new catalogs that use an ACS app-only approach to handle permissions on the site collection only. In this case, you receive a SharePoint Online authorization issue "Token type is not allowed".
To enable this feature, you need to connect to SharePoint using Windows PowerShell and then run Set-SPOTenant -DisableCustomAppAuthentication $false.
Do the following steps on PowerShell:
1. Run your Windows PowerShell as an administrator:
2. Check the version of your PowerShell module (at least 16.0.20717.12000):
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

- If you have the module's version 16.0.20717.12000 or higher, please run the following commands:
function Enable-SPDisableCustomAppAuthentication {
Write-Host "Please specify sharepoint organisation name." -ForegroundColor Green
Write-Host "For example if your sharepoint site is https://contoso.sharepoint.com value should be contoso: " -ForegroundColor Green -NoNewline
$orgName = Read-Host
$orgName = $orgName.Trim().Trim("'")
Write-Verbose "Connecting to: https://$orgName-admin.sharepoint.com" -Verbose
Connect-SPOService -Url "https://$orgName-admin.sharepoint.com"
Set-SPOTenant -DisableCustomAppAuthentication $false
}
Enable-SPDisableCustomAppAuthentication
Specify the SharePoint organization name and sign in with your administrator's account:
- If you do not have the SharePoint Online Management Shell module, please install it:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
Then run the same commands.
- If you do not have version 16.0.20717.12000 or higher, please update the latest PowerShell module:
Update-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
Then run the same commands.
Please note:
- How to get started with SharePoint Online Management Shell.
-
Fill in the values for the $orgName variable (replacing all the text between the quotes, including the < and > characters).
-
When prompted with the Windows PowerShell credential request dialog box, type the login/password for the SharePoint admin account.
- Commands should not contain extra spaces. For example:
NOT RIGHT: Set-SPOTenant - DisableCustomAppAuthentication $ false
RIGHT: Set-SPOTenant -DisableCustomAppAuthentication $false
I continue to get these errors...
Connect-SPOService : The term 'Connect-SPOService' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:3 char:1
+ Connect-SPOService -URLhttps://$orgName-admin. sharepoint.com
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Connect-SPOService:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Set-SPOTenant : The term 'Set-SPOTenant' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:4 char:1
+ Set-SPOTenant - DisableCustomAppAuthentication $ false
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Set-SPOTenant:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Thank you for your helpful comments.
Following this, we have сhanged and supplemented our article. Please, see above.