SOLVED

Unable to retrieve list items with app-only access token via PnP PowerShell

I created an access token and registered it, granting FullControl to a site collection. In PowerShell, I connect via the Connect-PnPOnline cmdlet and everything is fine. I can list items in the site collection using, for example:

Get-PnPList

That appears to successfully return a list of all of the content in the site collection, including lists, libraries, etc. What I cannot do is retrieve any items from within any of the libraries, lists, or even site pages. The output is just blank, with no error returned. If I try to query a specific item ID, I get the message that the item does not exist, although it definitely exists, the site is correct and the list name is correct (copy-pasted from the listed items).

Here's the permission XML I used to set up access (obviously, with the proper site information) at https://mysharepointdomain.sharepoint.com/sites/my_site/_layouts/15/appinv.aspx:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="https://mysharepointdomain.sharepoint.com/sites/my_site/_layouts/15/appinv.aspx" Right="FullControl" />
</AppPermissionRequests>

It looks like it might be an access denied issue, but I am not sure what else I am missing, since full control was granted to the site collection. Any suggestions would be appreciated. Thanks.

4 Replies

@Number_Five

Make sure that DisableCustomAppAuthentication is set to False. By default, in a new tenant this setting is set to True.

https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-...

You can change this setting via the SharePoint Online Management Shell.

Keep in mind that once you change this setting at the tenant level, it can take up to 24 hours to apply.

I hope this is helpful to you; if so, please mark my response as Best Response and Like it to help others in this community.

Hi, thanks for that suggestion, but that's not my issue. I actually have another token I had created a while back for the same site collection and it works just fine. I don't recall what I had to do to get it to work but I vaguely remember there being one more step I had to do to get it to work after setting the token permissions via appinv.aspx.

To verify that the permissions are set correctly, you can follow these steps:

- Go to the SharePoint site collection where you want to check the permissions.
- Click on the gear icon in the top right corner and select "Site settings".
- Under the "Users and Permissions" section, click on "Site app permissions".
- Check if the app principal for your access token is listed. If it is not listed, you may need to re-register the access token.
- If the app principal is listed, click on it to view the permissions.
- Check that the "Scope" and "Right" parameters in the permission XML match the permissions listed for the app principal.

best response confirmed by Number_Five (Copper Contributor)
Solution

The step I was missing appears to have been the following:

https://docs.informatica.com/integration-cloud/data-integration-connectors/current-version/microsoft...

I did not need the authorization code (for the token refresh) but merely triggering that oauthorize.aspx did the trick. I did this twice, with two different app-only access tokens and I could finally use both to access data within the site collections via PS.
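
Added example, not part of the original thread: a PnP PowerShell check that makes the symptom from the question visible by flagging lists that report items while the app-only connection gets none back. The function name `Test-AppOnlyItemAccess`, the `<client-id>` placeholder and the `SPO_APP_SECRET` environment variable are assumptions; the site URL is the placeholder used in the question.

```powershell
# Added diagnostic sketch (not from the thread). Requires the PnP.PowerShell module.
function Test-AppOnlyItemAccess {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )

    # App-only connection using the client id/secret registered for the site.
    Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -ClientSecret $ClientSecret

    # List metadata was readable in the scenario described above. ItemCount is
    # what SharePoint reports for each list, independent of item retrieval.
    $lists = Get-PnPList -Includes ItemCount |
        Where-Object { -not $_.Hidden -and $_.ItemCount -gt 0 }

    foreach ($list in $lists) {
        $status  = 'OK'
        $gotItem = $false
        try {
            # One item is enough to prove that item-level reads work.
            $first   = @(Get-PnPListItem -List $list -PageSize 100 |
                         Select-Object -First 1)
            $gotItem = $first.Count -gt 0
            # Non-empty list, nothing returned, no error: the silent failure.
            if (-not $gotItem) { $status = 'SILENT-EMPTY' }
        }
        catch {
            $status = "ERROR: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            List          = $list.Title
            ReportedCount = $list.ItemCount
            GotItem       = $gotItem
            Status        = $status
        }
    }
}

# Placeholder values; the secret comes from an environment variable (assumed
# name) so it stays out of the script and the shell history.
Test-AppOnlyItemAccess -SiteUrl 'https://mysharepointdomain.sharepoint.com/sites/my_site' `
    -ClientId '<client-id>' -ClientSecret $env:SPO_APP_SECRET |
    Format-Table -AutoSize
```

Any row with status `SILENT-EMPTY` reproduces the behaviour from the question: the list is visible and reports items, but the app principal cannot read them.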
