Forum Discussion
Get-PnPSiteTemplate : Attempted to perform an unauthorized operation and ACS token missing
I am trying to export a design template for a site that I am in the Owners group for, and I have Share Point Administrator role activated. I am running the Powershell ISE as ADMIN
When I run the following 2 powershell commands
- Connect-PnPOnline -Url https://MyDomain.sharepoint.com/sites/MySite/ -Interactive -ForceAuthentication
- Get-PnPSiteTemplate -Out C:\Folder\Design.xml
It starts running and the thermometer bar, reads 'Site Security' and then fails immediately with the following error
Get-PnPSiteTemplate : Attempted to perform an unauthorized operation.
At line:1 char:1
+ Get-PnPSiteTemplate -Out C:\Folder\Design.xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Get-PnPSiteTemplate], ServerUnauthorizedAccessException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Provisioning.Site.GetSiteTemplate
When I run the following 2 powershell commands
- Connect-PnPOnline -Url https://MyDomain.sharepoint.com/sites/MySite/ -useWebLogin
- Get-PnPSiteTemplate -Out C:\Folder\Design.xml
The connect-pnponline command suggests I use the -Interactive flag, but it starts running, and gets further and the thermometer bar goes through 'Site Security', 'Audit', 'Fields', 'Content Types' and starts on 'List Instances' and starts to list the lists, and fails on the first one, which is called 'Confidential files' with the following error :
Get-PnPSiteTemplate : GetAccessTokenAsync() called without an ACS token generator. Specify in AuthenticationManager
No Output is saved
Powershell is version 5.1.18362.1593
Any ideas on how to fix this, or even to get more information on what unauthorised operation is running, or how to force the ACS Token wen I am querying lists
Thanks - Richard
3 Replies
- I would suggest that you try using the new version of PnP PowerShell within PowerShell core: https://pnp.github.io/powershell/articles/installation.html
When you connect using -UseWebLogin, you get an ACS generated token, which will not work for things like exporting the site headed and footer as it won't be able to acquire an access token for Graph, which is why it's recommended to use -Interactive.
I have done this multiple times recently and can confirm that it works fine with PnP.PowerShell in PowerShell core.
When you use -Interactive, you will be using the PnP Management Shell Azure app registration to connect as delegated permissions, so ensure that the app is granted permissions (should have requested you to approve the first time using an admin account) and also ensure that the user account has the required permissions on the site.- Our Admins found that the current PnP Management Shell screen in Portal.Azure.Com appeared to have changed from when they had originally granted permissions to the app. They noted that the list of potential permissions applicable to PnP Management Shell had increased. We can only surmise that this change had left a number of these ‘new’ permissions in an ‘ungranted’ state, and this is what caused the unauthorisation error.
The problem was fixed by regranting the permissions through the new interface.It's 2025 and this worked for me, thanks
