cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

Travis Lingenfelder
New Contributor

‎Jan 02 2018 09:56 AM

‎Jan 02 2018 09:56 AM

PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

I'm creating a PowerShell script to connect to SharePoint Online and authenticate as a registered Azure AD application (not a user).  In Azure AD I have registered the application and I have the AppId and AppSecret.  Through Azure AD I have granted the application API access to the SharePoint Online API with the application permissions 'Have full control of all site collections' and 'Read and write managed metadata'.  I have also performed admin consent for the app by going to the URL: https://login.microsoftonline.com/<tenant>.onmicrosoft.com/oauth2/authorize?client_id=<client id>&response_type=code&prompt=admin_consent.

 

When I use the cmdlet: Connect-PnPOnline -Url $siteUrl -AppId $appId -AppSecret $appSecret no message is displayed as if the connection occurs properly.  However, when I use ANY cmdlet (i.e. Get-PnPWeb) I receive 'Access denied. You do not have permission to perform this action or access this resource.'

 

Any help is appreciated.

 

 

Labels:
19.6K Views
0 Likes
5 Replies
Reply
5 Replies
Marco van Wieren

‎Mar 12 2018 12:44 AM

‎Mar 12 2018 12:44 AM

Re: PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

I believe that "app only" access is not possible for SharePoint Online unless your app secret uses a certificate or the app registered in Azure AD is for a SharePoint Add-In (and the add-in's app principal has been granted app-only access when the add-in was registered in SharePoint Online).
0 Likes
Reply
Prashant Gupta

‎Aug 19 2018 10:37 AM

‎Aug 19 2018 10:37 AM

Re: PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

Facing the same issue. I have registered an app in AAD with access given to Graph API (to perform B2B external invitation operation) and SPO API (full control to all site collections) but when I use Connect-PnPOnline then it always gives me access denied.

Any solution? Or do I need to register an app separately for SPO?

0 Likes
Reply
best response confirmed by Travis Lingenfelder (New Contributor)
Travis Lingenfelder

‎Aug 20 2018 08:07 AM

‎Aug 20 2018 08:07 AM

Solution

Re: PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

I finally figured this out. The Connect-PnPOnline cmdlet is flexible and has multiple ways to connect to SharePoint. They key is using the right set of parameters.  

 

Using the syntax "Connect-PnPOnline -Url $siteUrl -AppId $appId -AppSecret $appSecret" connects using SharePoint App-only permissions as described here. Using this method you need to register the app using SharePoint (not the graph).  If you want to connect using the Microsoft Graph and Azure AD the connection string would be something like "Connect-PnPOnline -AppId $appid -AppSecret $appsecret -Url $siteUrl -Scopes Sites.FullControl.All".

0 Likes
Reply
Prashant Gupta

‎Aug 25 2018 11:09 AM

‎Aug 25 2018 11:09 AM

Re: PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

Thanks. But when I use Scopes parameter it is asking to provide the credentials (pop up dialog) even though I am passing AppID and AppSecret.

0 Likes
Reply
holylander

‎Nov 08 2019 05:28 AM

‎Nov 08 2019 05:28 AM

Re: PnP-PowerShell Connect-PnPOnline using AppId gives Access denied

@Travis Lingenfelder 

All you need is:

  • connect using an registered app azure ID
  • grant that registered app the required access based on your goal
  • add that app Id to the sharepoint tenant wide, or to single page

After that, you will be able to connect withou prompt and leverage all pnp-powershell cmdlets.

 

Here  is a detailed explanation

1 Like
Reply