This is yet another rather strange error that I ran across and couldn't find any info out on the interwebs about it so I though I would document it here. Suppose you have a SharePoint App that needs to access some User Profile information. You will probably use the PeopleManager class and ask for user profile properties using the PersonProperties class or one of the methods off of the PeopleManager class. You write your code up using the standard TokenHelper semantics to get a user + app key to retrieve this information, i.e. something like var clientContext = spContext.CreateUserClientContextForSPHost(). In your AppManifest file you ask for (at a minimum) Read rights to User Profiles (Social). Works great, okay, good start.
Now you determine that you need to retrieve that same information but use an App Only token. So you use whatever method you want to get an App Only token. You use the same code but now you get an Access Denied error message. Why is that - App Only tokens are supposed to have the same or greater rights than user + app tokens. Well...for right now...I don't know why not. NOTE: I DO understand needing to be a tenant admin to install an app that requires access to User Profiles, but this is different; it happens after the app is installed. But I do know how I fixed it. I added Tenant...Read rights to my AppManifest file. Now my App Only token is able to read properties from the User Profile in o365. Just thought I would share this "not at all obvious" tip so that if you get stuck hopefully your favorite search engine will find this post. Happy coding!
FYI, accessing the Term Store has similar installation & run-time permission requirements.
I have similar problem with Full-trust Provider hosted App, which has not any access to read Term stores on one tenant. Same provider hosted application can create site collection to the tenant without any problem and also do some modifications to the
site. Same code works properly on another tenant. Access denied error occurs when reading term set and groups via CSOM. Any ideas how to solve this problem?