Connect-PnPOnline -ClientID -ClientSecret -AADDomain gone ? #136
Hi folks, I have just updated an Azure Function from v0.3 to 1.1 and it fails with "a parameter cannot be found that matches parameter name "AADDomain"" when trying to connect using ClientID, ClientSecret and AADDomain. I guess that option has been removed from this GA version and I wonder if it will return again, otherwise I have to rewrite the whole lot
Replies: 2 comments 1 reply
AADDomain would be nice although less secure
That is correct. It's a bit of a longer story.
While technically you can acquire an access token through Azure AD OAuth2 based upon clientid/clientsecret, you cannot acquire a valid access token targeting the SharePoint audience. E.g. while Azure AD will return a token, SharePoint will actively refuse to validate that token, unless it has been acquired using clientid/certificate or the username/password flow.

Before we went GA we did a heavy refactoring of Connect-PnPOnline and the many, many different ways of connecting, and simplified (and indeed limited) the authentication methods. It became impossible for us (and the people using it) to keep track of all the various flags/options/exceptions to the standard etc. when trying to help people, as they always had to include the -exact- way of connecting -and- describe their intended goals of connecting. So right now we basically have Azure AD OAuth with everything but clientid/secret.

If it is important to include the credentials in your script (which I strongly advise against though), one can use clientid/client certificate based auth by using the base64 option:

$bytes = Get-Content .\yourcertfile.pfx -AsByteStream
$base64string = [Convert]::ToBase64String($bytes)
# store the base64string for later usage.
Connect-PnPOnline -Url [url] -ClientId [yourclientid] -CertificateBase64Encoded $base64string

All connection methods, with the exception of -UseWebLogin, require you to either use the built-in Multi-Tenant clientid of the PnP Management Shell (e.g. when you use -Credentials we use that one by default) or you have to register your own Azure AD app.
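Added example, not part of the thread or of the PnP project's code: one way to use the base64 certificate option from an Azure Function without putting the certificate in the script, by reading it from application settings and checking it before connecting. The setting names (`PNP_SITE_URL`, `PNP_CLIENT_ID`, `PNP_TENANT`, `PNP_CERT_BASE64`) and the helper `Test-PfxBase64` are assumptions; `-Tenant` does not appear in the reply above but belongs to the cmdlet's certificate-based parameter set.

```powershell
# Assumed app settings (hypothetical names, exposed to the function as
# environment variables): PNP_SITE_URL, PNP_CLIENT_ID, PNP_TENANT, PNP_CERT_BASE64

function Test-PfxBase64 {
    # Decodes a base64 PFX, checks it is usable for app-only auth and
    # returns its thumbprint so it can be compared with the Azure AD app.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Base64,
        [securestring] $Password
    )
    try   { $bytes = [Convert]::FromBase64String($Base64) }
    catch { throw 'Certificate setting is not valid base64.' }

    $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    try {
        $cert = if ($Password) { $type::new($bytes, $Password) } else { $type::new($bytes) }
    } catch {
        throw 'Value is not a readable PFX (wrong password or not a certificate).'
    }
    try {
        $now = Get-Date
        if (-not $cert.HasPrivateKey) {
            throw 'PFX has no private key; a public-only export cannot authenticate.'
        }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            throw "Certificate $($cert.Thumbprint) is outside its validity period."
        }
        return $cert.Thumbprint
    } finally {
        $cert.Dispose()   # release the private key handle held by the check
    }
}

# Fail early with a clear message if a setting is missing.
foreach ($name in 'PNP_SITE_URL', 'PNP_CLIENT_ID', 'PNP_TENANT', 'PNP_CERT_BASE64') {
    if (-not [Environment]::GetEnvironmentVariable($name)) {
        throw "Application setting '$name' is not set."
    }
}

$thumbprint = Test-PfxBase64 -Base64 $env:PNP_CERT_BASE64
Write-Host "Connecting with certificate $thumbprint"   # log the thumbprint, never the blob

Connect-PnPOnline -Url $env:PNP_SITE_URL `
                  -ClientId $env:PNP_CLIENT_ID `
                  -Tenant $env:PNP_TENANT `
                  -CertificateBase64Encoded $env:PNP_CERT_BASE64
```

The logged thumbprint should match the certificate uploaded to the Azure AD app registration; a mismatch points to a stale or wrong setting rather than a permissions problem.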