Troubleshooting Project Web App (PWA) Access and “Access Denied” Errors
🚀 Overview
For IT Administrators managing Project Online or Project Server 2013, one of the most frequent support tickets involves users being unable to reach the Project Web App (PWA) interface. Even after a successful tenant login, users may encounter “Access Denied,” “Sorry, this site has not been shared with you,” or a prompt to “Request Access.” These hurdles typically stem from one of two scenarios: either the specific user hasn’t been granted the necessary permissions at the root site level, or Project Online was provisioned in a tenant where SharePoint Online was already active, resulting in a PWA instance without an assigned administrator.
⚙️ Key Technical Details
🛡️ Understanding Permission Modes: Project Web App operates under two distinct security models. Knowing which one your instance uses is critical for resolution.
- SharePoint Permission Mode: The modern default. It uses standard SharePoint groups (e.g., “Team Members for Project Web App”) to control access. It does not perform deep synchronization between Project and SharePoint.
- Project Server Permission Mode: A legacy-style, granular security model. It allows for synchronization with Active Directory groups and offers a “Security” section within PWA Settings for fine-tuned control.
🔍 How to Verify Your Permission Mode:
As an admin, click the Gear Icon on the PWA home page and select PWA Settings. If a “Security” section is visible, you are in Project Server Mode. Alternatively, navigate to the SharePoint Admin Center, select the PWA site collection, and view the “Project Web App Settings” in the ribbon to see the active mode.
🛠️ Resolution Path 1: User Permission Assignment
If the site is active but users cannot enter, follow the steps corresponding to your mode:
- In SharePoint Mode: Navigate to the PWA root site. Click Share in the top right. Enter the user’s email and click Share. By default, this assigns “Contribute” rights and adds them to the “Team Members” group.
- In Project Server Mode: Go to PWA Settings > Manage Groups. Select the target group and add the user manually or via AD Synchronization. Note: The user must still have the root site shared with them via SharePoint (as described above) to appear in the “Available Users” list.
🏗️ Resolution Path 2: Addressing Provisioning Gaps
If Project Online was added to an existing SharePoint tenant, you may need to manually define the Site Collection Administrator:
- Access the SharePoint Admin Center via the Microsoft 365 Admin portal.
- Locate and select the checkbox for the specific PWA site URL.
- In the Owners section of the ribbon, select Manage Administrators.
- Add the designated IT Admin or Project Manager to the Site Collection Administrators box and save.
⚠️ Impact
📅 Operational Bottlenecks: Without proper root-level sharing, even users listed in the “Enterprise Resource Pool” will be blocked from the PWA home page. In Project Server 2013 and Project Online, resource pool membership no longer grants automatic login rights.
⚠️ Critical Warning on Mode Switching: Admins should exercise extreme caution when toggling between SharePoint Permission Mode and Project Server Permission Mode. Switching modes will permanently delete all existing security configurations, including groups, permissions, and custom access levels. Always back up security documentation before making this change.
👤 User Experience: Access changes typically propagate within two minutes. After granting permissions, advise users to clear their browser cache or use an Incognito/InPrivate session to verify that the “Access Denied” loop has been resolved.
Read the full article on Microsoft.com