SOLVED

PnP-PowerShell Connect-PnPOnline using AppId gives Access denied


I'm creating a PowerShell script to connect to SharePoint Online and authenticate as a registered Azure AD application (not a user). In Azure AD I have registered the application and I have the AppId and AppSecret. Through Azure AD I have granted the application API access to the SharePoint Online API with the application permissions 'Have full control of all site collections' and 'Read and write managed metadata'. I have also performed admin consent for the app by going to the URL: https://login.microsoftonline.com/<tenant>.onmicrosoft.com/oauth2/authorize?client_id=<client id>&response_type=code&prompt=admin_consent.

When I use the cmdlet: Connect-PnPOnline -Url $siteUrl -AppId $appId -AppSecret $appSecret no message is displayed, as if the connection occurs properly. However, when I use ANY cmdlet (i.e. Get-PnPWeb) I receive 'Access denied. You do not have permission to perform this action or access this resource.'

Any help is appreciated.

5 Replies
I believe that "app only" access is not possible for SharePoint Online unless your app secret uses a certificate or the app registered in Azure AD is for a SharePoint Add-In (and the add-in's app principal has been granted app-only access when the add-in was registered in SharePoint Online).

Facing the same issue. I have registered an app in AAD with access given to Graph API (to perform B2B external invitation operation) and SPO API (full control to all site collections) but when I use Connect-PnPOnline then it always gives me access denied.

Any solution? Or do I need to register an app separately for SPO?

Best Response confirmed by Travis Lingenfelder (New Contributor)
Solution

I finally figured this out. The Connect-PnPOnline cmdlet is flexible and has multiple ways to connect to SharePoint. The key is using the right set of parameters.

Using the syntax "Connect-PnPOnline -Url $siteUrl -AppId $appId -AppSecret $appSecret" connects using SharePoint App-only permissions as described here: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs. Using this method you need to register the app using SharePoint (not the Graph). If you want to connect using the Microsoft Graph and Azure AD the connection string would be something like "Connect-PnPOnline -AppId $appid -AppSecret $appsecret -Url $siteUrl -Scopes Sites.FullControl.All".
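As an added example (not code from the thread or from PnP PowerShell itself) of the two parameter sets this answer describes: a small wrapper that connects with the chosen registration path and immediately runs Get-PnPWeb, so that the silent "successful" connection followed by 'Access denied' that the question reports is surfaced as a single failed check. The function name, the environment variable names and the contoso site URL are placeholders of my own; the cmdlets and parameters are the ones named in this thread.

```powershell
# Added example, not from the thread. Wraps the two Connect-PnPOnline parameter
# sets discussed above and verifies the connection before anything else runs.
# Function name and environment variable names are assumptions (placeholders).
function Connect-PnPAppOnly {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $AppSecret,
        # 'SharePoint' = app registered through SharePoint (ACS app-only).
        # 'AzureAD'    = app registered in Azure AD, connected with -Scopes.
        [ValidateSet('SharePoint', 'AzureAD')] [string] $Registration = 'SharePoint',
        [string[]] $Scopes = @('Sites.FullControl.All')
    )
    try {
        if ($Registration -eq 'SharePoint') {
            Connect-PnPOnline -Url $SiteUrl -AppId $AppId -AppSecret $AppSecret -ErrorAction Stop
        } else {
            Connect-PnPOnline -Url $SiteUrl -AppId $AppId -AppSecret $AppSecret -Scopes $Scopes -ErrorAction Stop
        }
        # Connect-PnPOnline returns silently even when the app has no rights on
        # the site, so make a real call and treat "Access denied" as a failure.
        $web = Get-PnPWeb -ErrorAction Stop
        Write-Host "Connected as app $AppId to '$($web.Title)' ($($web.Url))"
        return $true
    }
    catch {
        if ($_.Exception.Message -match 'Access denied') {
            Write-Warning ("Token issued but SharePoint rejected it. Check that the app " +
                           "was registered for the '$Registration' path and that its " +
                           "permissions were granted and consented.")
        } else {
            Write-Warning "Connection failed: $($_.Exception.Message)"
        }
        return $false
    }
}

# Read the secret from the environment instead of embedding it in the script.
$siteUrl   = 'https://contoso.sharepoint.com/sites/demo'   # placeholder tenant
$appId     = $env:PNP_APP_ID
$appSecret = $env:PNP_APP_SECRET

if (Connect-PnPAppOnly -SiteUrl $siteUrl -AppId $appId -AppSecret $appSecret -Registration SharePoint) {
    # Remaining PnP cmdlets go here; they run only after the access check passed.
    Disconnect-PnPOnline
}
```

Whether the -Scopes variant prompts interactively depends on the PnP PowerShell version in use, so the AzureAD path should be tested once before being scheduled unattended.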


Thanks. But when I use Scopes parameter it is asking to provide the credentials (pop up dialog) even though I am passing AppID and AppSecret.


@Travis Lingenfelder

All you need is:

  • connect using a registered Azure app ID
  • grant that registered app the required access based on your goal
  • add that app ID to the SharePoint tenant-wide, or to a single page

After that, you will be able to connect without a prompt and leverage all PnP-PowerShell cmdlets.

Here is a detailed explanation: https://sharepoint.stackexchange.com/a/258458