Forum Discussion

jcanquelain's avatar
jcanquelain
Copper Contributor
Jun 18, 2021

Get-PnPSiteTemplate : minimum rights needed and where to set them

Hi,

 

I'm trying to export a site collection template using powershell's Get-PnPSiteTemplate cmdlet, but I get stuck with the following error.

 

Get-PnPSiteTemplate: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

The message makes me thinks it is an authorization problem, but I cannot find which rights I should give to the account I am using.

 

My command uses following parameters :

Get-PnPSiteTemplate -Out template-out.xml -ListsToExtract "myList1","myList2" -ContentTypeGroups "myGroup" -ExcludeHandlers "SiteSecurity","SitePolicy","RegionalSettings","SearchSettings","AuditSettings","WebSettings","WebApiPermissions","SiteSettings","Navigation"

 

I tried the following for connecting :

Connect with an App Account using the following approaches :

Connect-PnPOnline -Url <mySitesCollectionUrl> -ClientId <myAppClientId> -ClientSecret <myAppClientSecret>
or 
Connect-PnPOnline -Url <mySitesCollectionUrl> -AccessToken <an oAuth2 token I generated manually with MS auth endpoint, the token is working to call SP API>
  • Neither worked, it ends up with the "Access Denied" error above
  • The App Account I am using is registered on the sites collection level, with "Full Control" rights

Connect using a user account, using the following command :

Connect-PnPOnline -Url <mySitesCollectionUrl> -Interactive
  • With my own account, which has "Full control" rights on sites collection, I get prompted to connect with a tenant administrator account, to give consent to PnP Management Shell (see attachment "pnpAdminConsent.png", sorry it's french, but it is basically "just" asking Admin consent at tenant level for PnP)
  • With a SharePoint Administrator account, which is also Tenant Administrator : it asks a lot of permissions at tenant level (see attachment pnpAskedConsent.png).
  • My customer does not want to give all these rights to PnP at tenant level, and asks me to limit as much as possible...

 

My questions are :

  • which are the minimum rights required to use Get-PnPSiteTemplate ?
  • is it possible to use Delegated rights instead of Application rights at tenant level ? If yes, which are the scopes to ask for, and how can I specify the scopes with Connect-PnPOnline ?
  • Is there another way to export then export / import site templates, without using PnP ?


Thanks for the help 🙂

No RepliesBe the first to reply

Resources