SOLVED
PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

Travis Lingenfelder
New Contributor

I'm creating a PowerShell script to connect to SharePoint Online and authenticate as a registered Azure AD application (not a user).  In Azure AD I have registered the application and I have the AppId and AppSecret.  Through Azure AD I have granted the application API access to the SharePoint Online API with the application permissions 'Have full control of all site collections' and 'Read and write managed metadata'.  I have also performed admin consent for the app by going to the URL: https://login.microsoftonline.com/<tenant>.onmicrosoft.com/oauth2/authorize?client_id=<client id>&response_type=code&prompt=admin_consent.

When I use the cmdlet: Connect-PnPOnline -Url $siteUrl -AppId $appId -AppSecret $appSecret no message is displayed as if the connection occurs properly.  However, when I use ANY cmdlet (i.e. Get-PnPWeb) I receive 'Access denied. You do not have permission to perform this action or access this resource.'

Any help is appreciated.

5 Replies
I believe that "app only" access is not possible for SharePoint Online unless your app secret uses a certificate or the app registered in Azure AD is for a SharePoint Add-In (and the add-in's app principal has been granted app-only access when the add-in was registered in SharePoint Online).

Facing the same issue. I have registered an app in AAD with access given to Graph API (to perform B2B external invitation operation) and SPO API (full control to all site collections) but when I use Connect-PnPOnline then it always gives me access denied.

Any solution? Or do I need to register an app separately for SPO?

Solution

I finally figured this out. The Connect-PnPOnline cmdlet is flexible and has multiple ways to connect to SharePoint. The key is using the right set of parameters.

Using the syntax "Connect-PnPOnline -Url $siteUrl -AppId $appId -AppSecret $appSecret" connects using SharePoint App-only permissions as described here. Using this method you need to register the app using SharePoint (not the graph).  If you want to connect using the Microsoft Graph and Azure AD the connection string would be something like "Connect-PnPOnline -AppId $appid -AppSecret $appsecret -Url $siteUrl -Scopes Sites.FullControl.All".

Thanks. But when I use the Scopes parameter it is asking to provide the credentials (pop-up dialog) even though I am passing AppID and AppSecret.

@Travis Lingenfelder 

All you need is:

  • connect using a registered app Azure ID
  • grant that registered app the required access based on your goal
  • add that app Id to the SharePoint tenant wide, or to a single page

After that, you will be able to connect without a prompt and leverage all pnp-powershell cmdlets.

Here is a detailed explanation
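The thread points at two different app-only parameter sets of Connect-PnPOnline and at the symptom that the connect call itself never fails, only the first real request does. The script below is an added example, not code from any post in this thread or from the PnP PowerShell project. It assumes the PnP PowerShell module is installed, that the placeholder values are replaced with your own, and it uses the cmdlet's certificate-based app-only parameter set (-ClientId / -Thumbprint / -Tenant) alongside the ACS -AppId / -AppSecret set shown in the question; the Test-PnPConnection helper is ours.

```powershell
# Added example, not from the thread. Placeholders in angle brackets must be
# replaced; nothing here is a real tenant, app id or certificate.
param(
    # 'Acs'         = SharePoint app-only (AppId/AppSecret), app registered in
    #                 SharePoint itself, as the marked solution describes.
    # 'Certificate' = Azure AD app-only with a certificate: non-interactive,
    #                 no shared secret in the script, no credential prompt.
    [ValidateSet('Acs', 'Certificate')]
    [string]$Mode       = 'Certificate',
    [string]$SiteUrl    = 'https://<tenant>.sharepoint.com/sites/<site>',
    [string]$Tenant     = '<tenant>.onmicrosoft.com',
    [string]$ClientId   = '<application-id-guid>',
    [string]$Thumbprint = '<certificate-thumbprint>',
    [string]$AppSecret  = '<acs-app-secret>'   # only used for -Mode Acs
)

function Test-PnPConnection {
    # Connect-PnPOnline returns silently even when the app principal has no
    # rights on the target web; the first request (Get-PnPWeb) is what throws
    # the 'Access denied' seen in the question. Probe immediately after
    # connecting so a misconfigured grant is caught before any real work runs.
    try {
        $web = Get-PnPWeb -ErrorAction Stop
        Write-Host "Connected as app-only principal to '$($web.Title)' ($($web.Url))"
        return $true
    }
    catch {
        Write-Warning "Connected, but the first request failed: $($_.Exception.Message)"
        return $false
    }
}

switch ($Mode) {
    'Acs' {
        # Requires the app principal to be registered and granted permissions
        # in SharePoint (the ACS model linked from the solution); an Azure AD-only
        # registration with this parameter set gives exactly the thread's error.
        Connect-PnPOnline -Url $SiteUrl -AppId $ClientId -AppSecret $AppSecret
    }
    'Certificate' {
        # Azure AD app registration with an uploaded certificate and an
        # application permission such as Sites.FullControl.All, admin-consented.
        Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $Tenant
    }
}

if (-not (Test-PnPConnection)) {
    throw "App-only connection to $SiteUrl cannot read the web. Check that the " +
          "application permission is granted and admin-consented for this $Mode registration."
}
```

Run it as `.\Connect-AppOnly.ps1 -Mode Certificate` (or `-Mode Acs` with the secret). The certificate path is the one to prefer for unattended scripts: it needs no interactive login, which is the prompt the follow-up reply hit with -Scopes, and it leaves no reusable secret in the script or its logs.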
