PnP Management Shell EntraID app is deleted : what should I do ?

[gautamdsheth]

As part of a focus on improving the security posture, the multi-tenant PnP Management Shell EntraID app has been deleted.

You can read more about this announcement here:

https://pnp.github.io/blog/post/changes-pnp-management-shell-registration/

I am getting this error

Message: AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e' was not 
found in the directory 'The [companyname]'. 
This can happen if the application has not been installed by the administrator 
of the tenant or consented to by any user in the tenant. 
You may have sent your authentication request to the wrong tenant.

Who does it impact ?

This impacts every code/script which depends on this EntraID app. It had Client/Application ID:

31359c7f-bd7e-475c-86db-fdb8c937548e

This impacts the credentials flow (user name + password, get-credentials ), interactive flow (-Interactive) as well as device login flow (-DeviceLogin), if it depended on the PnP app.

I am using Client ID + Certificate, Managed Identity , my own Entra ID App, legacy ACS (ClientID + Secret) or some other way to authenticate using PnP

Then, you are not impacted by this change. No need to change anything. Your scripts should continue to work as is. If you run into any issue, please create one in the issue list and we will look into it.

What is the easiest/fastest way to get my scripts back up & running with minimal changes?

Create your own Entra ID app and assign it the minimal permissions that you would require.

Add an environment variable ENTRAID_APP_ID or ENTRAID_CLIENT_ID like this at the top or before the beginning of your PnP PowerShell scripts (i.e before Connect-PnPOnline)

$env:ENTRAID_APP_ID = '<Client/Application ID of EntraID app>' 
Connect-PnPOnline "https://tenant.sharepoint.com" -Interactive 

or

$env:ENTRAID_APP_ID = '<Client/Application ID of EntraID app>' 
Connect-PnPOnline "https://tenant.sharepoint.com" -Credentials (Get-Credentials)

Ensure that you are using the latest version of PnP PowerShell.
The latest update will pick up the value from the environment variable and use it.

More information & guidance: https://pnp.github.io/powershell/articles/defaultclientid.html

How do I create an Entra ID app ?

Manual steps: https://pnp.github.io/powershell/articles/registerapplication.html#manually-create-an-app-registration-for-interactive-login

Interactive steps:

https://pnp.github.io/powershell/articles/registerapplication.html#automatically-create-an-app-registration-for-interactive-login

How do I determine which permissions I should assign for my scripts ?

You can read about it here:

https://pnp.github.io/powershell/articles/determinepermissions.html

I have an existing Entra ID app. Can I use it ?

Yes absolutely, just set the value of its ClientID in an environment variable and ensure that you are using the latest version of PnP PowerShell.

My org only allows FIDO keys, Conditional access policy , Windows Hello or other secure auth mode

PnP PowerShell 2.12 and later versions now support authentication using these native secure mode of authentication.

More info about it here:

https://pnp.github.io/powershell/cmdlets/Connect-PnPOnline.html#example-18

https://pnp.github.io/powershell/cmdlets/Connect-PnPOnline.html#-oslogin

https://pnp.github.io/powershell/articles/authentication.html#authenticating-using-web-account-manager

Feel free to ask any question that you may have about this change.
Apologies for such a short notice on this abrupt change, unfortunately we can't extend or undo this.

[bballpaul4work]

We already have an application registered in Entra ID. How does this apply for Azure Automation implementation? There's no way to set a environmental variable.

[gautamdsheth]

Maybe this can help :

https://learn.microsoft.com/en-us/azure/automation/shared-resources/variables?tabs=azure-powershell

[KoenMathijs]

we are using pnp.powershell version 1.12.0 for various reasons... Will an own Entra App ID also work with this version?

[gautamdsheth]

I suppose it should . It supports ClientID parameter, I think, add that in the connect-Pnponline cmdlet and it should start working. Env variables will not work , they only work with latest builds .

Having said that, please update to latest version asap which is much more secure . The older version contains some security vulnerabilities and is almost 2 years old .

[mikenikitin]

We use 1.12 as well - using PowerShell 7.x is not an option for us at this time. Until yesterday we were using app only credentials flow (service account with password) with Connect-PnPOnline. Changing it to -ClientId / -CertificatePath / -CertificatePassword worked for us. This change still caused a massive amount of stress for us, and we were lucky to learn about it before it actually happened.

[bballpaul4work]

Same situation. We're using Azure Automation and PS 7 functionality is still lacking. Registering another EntraID app and specifying that ClientID worked for us.

[Alex-Scott-NZ]

I have to say that this was a quite a big change and quite unexpected - even though it has been stated for a while - it wasn't really emphasised.

You can get around this change (with limited functionality) by using the old method: Connect-PnPOnline -Url https://tenant.sharepoint.com -UseWebLogin || You will get a warning but you can still log in - only thing is that you won't be able to use the Microsoft Graph related commandlets, which may be good enough for those working in organisations where they have to wait for a global admin to setup the new App ID.

[gautamdsheth]

The recommendation is to use -Interactive mode of auth with your own EntraID app. The -WebLogin is not really a secure way to authenticate and we will be removing support for it in the future in a major release.

As part of the security push, we have also added -OSLogin to Connect-PnPOnline which is secure way to auth using windows broker. It works only for windows OS though. It uses the same auth mechanism that you use to login to the OS and supports FIDO, Conditional Access, Windows Hello and other secure auth mechanisms

[svermaak]

Such a ridiculously impulsive change... There are plenty of things App Registration can't do, especially in multi-geo. We had virtually all, say for a few things, running as app registration pre this change.

I am not impressed

[svermaak]

We have no way to associate sites with a hub use app id, for example

[VesaJuvonen]

If there are multi-geo scenarios to address, you can absolutely do the multi-tenant app registration(s) also personally in your tenant. Unfortunately the option for hosting this by the community in the existing tenant was removed. This was not a change driven by the PnP PowerShell team.

[maruthigadde]

We have multiple customers where the scripts are broken. This is a ridiculously managed change

[GTEM19889]

Like crowdstrike all over again... Not impressed, we have many scripts that are now failing and having to be run manually. Hope this qualifies for the Pwnie awards

[Jammon9525]

Yup. This just made my job impossible, as it means there are thing I CANNOT do now.

[BlaaaBlaaaBlaaa]

Hello,

Unfortunatelly we did not know of this change until now and several scripts are affected right now.
We created the app restrications without issues and we are using it as application permissions over certificate authentication.

However we are facing issues with the permissions right now as the documentation of the permissions is very lackluster.

We are able to connect with pnp but we have issues with the following commands:

Get-PnPFolder
Get-PnPTenantSite

We are getting the following error:
Get-PnPFolder: The remote server returned an error: (401) Unauthorized.

Right now we have the following permissions in place for the application:
Directory.Read.All
Sites.FullControl.All
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All

Also we need to find the right permissions for the following command:
Copy-PnPTeamsTeam

Can you please help us sort this out as we are currently running out of ideas.
Thanks

[gautamdsheth]

@BlaaaBlaaaBlaaa - are those Microsoft Graph permissions ? You should also add them via SharePoint:

and then:

[BlaaaBlaaaBlaaa]

Hi,

Thanks for your fast response! Worked fine for SharePoint as far as we can see.
What about permissions for Copy-PnPTeamsTeam or other commands that are not SharePoint specific?

[gautamdsheth]

Should be minimum , Microsoft Graph > Group.Read.All and Team.Create

[essenbee2]

This all talks about Powershell and M365 CLI, but I am impacted using the PnP Framework in C# code, and there is no guidance whatsoever on how I address this issue in my code!

            var spConfig = SharepointHelper.GetSharepointConfig(_config);
            var securePassword = Documents.GetSecurePassword(spConfig.pwd);

            using (var authMgr = new PnP.Framework.AuthenticationManager(spConfig.user, securePassword))
            using (var clientContext = authMgr.GetContext(siteCollectionUrl))

Throws the exception on the GetContext() call.

[cafedo]

We have yet resolved 2 production issues related to the usage of c# pnp framework libraries and the "good" news about PnP Management Shell EntraID deletion: thanks to the team for giving us a temporal windows of 2 weeks...
By the way, I confirm that you can fix the c# pnp library, that uses username and password credential, following those points:

1. Manually create a new app registration (https://pnp.github.io/powershell/articles/registerapplication.html#manually-create-an-app-registration-for-interactive-login) associated the proper permission
2. Use the override of the method CreateWithCredentials that uses also the appid to use, passing of course the appid created before

   var authMgr = PnP.Framework.AuthenticationManager.CreateWithCredentials(clientId, spConfig.user, securePassword);

[essenbee2]

@gautamdsheth Thanks, that worked!

[Dipali-arup]

We are using PnP.Framwork in C#. We are able to get through authentication by passing ClientID along with username and password in AuthenticationManager method, however, we are facing issue at time of applying custom templates using web.ApplyProvisioningTemplate method.

It throws access denied issue: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Has anyone able to resolve this with regards to the update? Thank you.

[Dipali-arup]

Can someone please help?. This is affecting our production environment. Thanks

[VesaJuvonen]

@Dipali-arup - this would imply that you are missing some specific permissions in your new app registration vs the previously used app registration. So would double check the granted permissions in the new app registration.

[ShaniaXXX]

Hi, i cant create noninteractive app registration.

$result = Register-PnPEntraIDApp -ApplicationName "PnP Rocks" -Tenant [yourtenant].onmicrosoft.com -OutPath c:\mycertificates -DeviceLogin
$result

After default permissions will be use nothing is happening.

Its possible set up app in entra manually like for interactive login?

[gautamdsheth]

In this link, you can follow instructions to create app manually.

https://pnp.github.io/powershell/articles/registerapplication.html#manually-create-an-app-registration-for-interactive-login,

you will reach this step in pic below . Here, instead of the delegated tab, select application tab and then assign permissions.

[mjsmith1568]

I've done that and assigned permission: Sites.ReadWrite.All. However, I think one important step is missing. The App Only method uses the Register-PnPEntraIDApp cmdlet to automatically create a Base64 encoded private key certificate. There aren't instructions for that step in the manual version. I tried creating a client secret, but that returns an error (403) Forbidden if I try to use a client secret to connect. How do I create either a PFX file or a Base64 encoded private key certificate string I can reference in the Connect-PnPOnline cmdlet? Thanks again for your help.

[gautamdsheth]

You can use new-pnpazurecertificate cmdlet which generates the certs . You can then upload that to your Entra ID app and use it in your scripts .

Is there any reason you can’t use the nightly builds ?

[mjsmith1568]

No, no particular reason why I couldn't use the nightly build. I'm simply unfamiliar with the process. Here's is what I use to update to the latest version of the module.
Find-Module -Name PnP.PowerShell | Update-Module -Scope AllUsers | Import-Module

Is it as simple as adding a required version tag to use the nightly build, like this?
Find-Module -Name PnP.PowerShell | Update-Module -Scope AllUsers -RequiredVersion 2.12.12 | Import-Module

I gave it a try and got an error:
Install-Package: No match was found for the specified search criteria and module name 'PnP.PowerShell'.

Thanks.

[gautamdsheth]

Ahh ok , you can do this for nightly builds , also maybe uninstall the current one just in case there’s some conflict:

Install-Module PnP.PowerShell -Scope AllUsers -AllowPrerelease -SkipPublisherCheck

[agrecaBAS]

We used the PnP Management Shell application to grab template data and site scripts from the environment in order to create standardized sites programmatically. I'm now getting this error when trying to run Get-pnpSiteScriptFromWeb:

Get-pnpSiteScriptFromWeb : Unable to connect to the SharePoint Online Admin Center at 'https://xx-admin.sharepoint.com' to run this cmdlet. Please ensure you pass in the
correct Admin Center URL using Connect-PnPOnline -TenantAdminUrl and you have access to it. Error message: Cannot contact site at the specified URL
https://xx-admin.sharepoint.com/. The app principal does not exist..

I've followed the instructions for creating the new App Registration and added the AllSites.FullControl permissions. Are further permissions/steps required?

Edit: I was able to get past the SharePoint Online Admin Center error by supplying the admin center URL to the "TenantAdminUrl" parameter. Now I just get the "app principal does not exist" message for the site I'm trying to pull the script from.

[agrecaBAS]

I'm also getting a similar error when attempting to retrieve SiteListItems

Get-PnPListItem : Cannot contact site at the specified URL https://xx.sharepoint.com/sites/redactedSiteName. The app principal does not exist.

[stan-spotts]

I get the same error with Resolve-PnPFolder.

[ahamedfazil]

We are using PnP Core SDK (1.14 latest) in our .NET solution and we started facing the same issue

Message: AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e'....

Then we created a new EntraID application and it started working with PnP PowerShell but we still get an error in our .NET solution (but different error AADSTS7000218), here is the code snippet that is used in .NET solution.

Code referred: https://pnp.github.io/pnpcore/api/PnP.Core.Auth.UsernamePasswordAuthenticationProvider.html

var authenticationProvider = new UsernamePasswordAuthenticationProvider(pnpClientId, tenantId, userName, securePwd);

services.AddPnPCore(options => { options.DefaultAuthenticationProvider = authenticationProvider; options.Sites.Add(siteUrl, new PnP.Core.Services.Builder.Configuration.PnPCoreSiteOptions { SiteUrl = siteUrl, AuthenticationProvider = authenticationProvider }); });

below is the error that we get,

Microsoft.Identity.Client.MsalServiceException: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'

Does anyone have a solution for this? Thanks in advance!

[gautamdsheth]

Most likely, this should fix it for you:

https://learn.microsoft.com/en-us/answers/questions/1377450/how-to-fix-the-issue-im-getting-this-error-a-confi

[ahamedfazil]

yes it works now, thanks..

[nelson5817]

I’m getting the same issue, when connect using -Credentials with user having SharePoint Administrator role, for running New-PnPSite, please advice what is the equivalent permissions on Entra ID app?

[nelson5817]

In the event of creating both communication and team site, before the 9/9 deprecation, it's work on credentials flow using New-PnPSite, by specify either "-Type CommunicationSite" or "-Type TeamSite"

After the deprecation, credentials flow break, tried adding -ClientId in credentials flow, it is not working.

This left me no option but to switch over to app-only flow (client id + certificate).

In app-only flow, I can create communication site with permission Sites.FullControl.All (SharePoint) using New-PnPSite, this solved half of the issue.

However, it seem to create team site with New-PnPSite is not support in app-only flow.

"Creating modern team sites does not support app-only when you use the SharePoint API"

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only

If create team site is no longer support with New-PnPSite, what are the alternatives?

[gautamdsheth]

For Team site creation, I think you would need Group.ReadWrite.All or Group.Create permissions as well because it creates a Team site which has a M365 Group associated with it.

[LutzD-pkb]

I understand why this change happened, but in the future, if making such a breaking change, I would suggest providing much more advanced notice and louder communication. I was not aware that we needed to be monitoring the PnP blog for breaking changes that could happen even if we do not upgrade the module version.

One example of a better way to handle:

1. Pushed an update that provided a warning whenever someone used the -Interactive flag that they needed to create an app registration
2. After some time, in a later release, make the Client ID required
3. Finally, after some further time, retire the cross-tenant application

To just shut it down so suddenly and quietly is horrible for the community. We now have hundreds of scripts that broke and need to be updated and tested.

[VesaJuvonen]

Unfortunately the timeline was forced for the PnP PowerShell crew and they could not control or change that. Super unfortunate situation which is not for sure optimal for anyone.

[LutzD-pkb]

Since this is an open-source project, can you share the background/driver and rationale with the community? E.g., was this Microsoft driven?

[VesaJuvonen]

PnP initiative has always been community driven initiative to help worldwide ecosystem to achieve their operational objectives. Community has have an incredible impact on helping the others within the community succeed as it should be with the open-source community powered initiatives.

[LutzD-pkb]

Right - so can you share the background/driver and rationale for the change and the timeline?

[VesaJuvonen]

@LutzD-pkb - as an afterthought the timeline was clearly too ambitious for the anyone to notice the communications. Using Message Center was not an option for this announcement, but we are now learning from this and are looking to adjust the processes for any future change.

[TitaAE]

Can someone help... so how do you determine which api permissions you need to setup now? For e.g. Grant-PnPAzureADAppSitePermission is now access denied when I authenticate with single tenant app reg, I placed sites full control app and delegated and graph api, what else must be placed, how to determine that in future?

[DaHooka]

We tried the same as we have the need to restrict automated access to only some site collections and not all every time.
@ms can you please help how we can limit the App Only access only to sites we define via Grant-PnPAzureADAppSitePermission?

Thanks

[ToddKlindt]

Did you use the Register-PnPEntraIDAppForInteractiveLogin cmdlet to create your app registration? It should give all the permissions necessary.

[DaHooka]

The above question i guess was about the App Only registration that gain access to all the sites for non-interactive login.
As there is no user used for it the below limit might not be applicable.

About limiting the use of an app i got sent the following guide: https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users

[DaHooka]

Could use -credentials and -clientid in combination to load the credentials from a crednetial store and use the one app registration

[MathiasTudela]

I got the issue yesterday, now i'm able to connect throught the new AzureApp that i have created.
but now i have an issue with the following command :

Get-PnpList -identity $ListName | Get-PnpListItem -pagesize 5000

when i use the Get-Pnplist command it return me the sharepoint site with no probelm, but when i add the Get-PnpListItem nothing work and i dont have any return ...

is someone experiencing something similar ?

(with the previous version i didnt had any problem)

[mikenikitin]

We are now randomly getting error AADSTS700024 during non-interactive app-only certificate authentication in Connect-PnPOnline. Any idea why this may be happening and how to address this? Here's a sample error dump:

MSAL.Desktop.4.36.1.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-09-11T12:40:11.6784690Z, assertion valid from 1970-01-01T00:00:00.0000000Z, expiry time of assertion 2024-09-11T11:54:29.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 439ea2a9-4230-41e5-bc9f-95d1f6df1400 Correlation ID: e73de68d-352b-4dcc-94e3-97b4e72d6d9f Timestamp: 2024-09-11 12:40:11Z
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at PnP.Framework.AuthenticationManager.d__59.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at PnP.Framework.AuthenticationManager.GetContext(String siteUrl)
at PnP.PowerShell.Commands.Base.PnPConnection.CreateWithCert(Uri url, String clientId, String tenant, String tenantAdminUrl, AzureEnvironment azureEnvironment, X509Certificate2 certificate, Boolean certificateFromFile)
at PnP.PowerShell.Commands.Base.ConnectOnline.ConnectAppOnlyWithCertificate()
at PnP.PowerShell.Commands.Base.ConnectOnline.Connect(CancellationToken& cancellationToken)
at PnP.PowerShell.Commands.Base.ConnectOnline.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
StatusCode: 401
ResponseBody: {"error":"invalid_client","error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-09-11T12:40:11.6784690Z, assertion valid from 1970-01-01T00:00:00.0000000Z, expiry time of assertion 2024-09-11T11:54:29.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 439ea2a9-4230-41e5-bc9f-95d1f6df1400 Correlation ID: e73de68d-352b-4dcc-94e3-97b4e72d6d9f Timestamp: 2024-09-11 12:40:11Z","error_codes":[700024],"timestamp":"2024-09-11 12:40:11Z","trace_id":"439ea2a9-4230-41e5-bc9f-95d1f6df1400","correlation_id":"e73de68d-352b-4dcc-94e3-97b4e72d6d9f","error_uri":"https://login.microsoftonline.com/error?code=700024"}
Headers: Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
client-request-id: e73de68d-352b-4dcc-94e3-97b4e72d6d9f
x-ms-request-id: 439ea2a9-4230-41e5-bc9f-95d1f6df1400
x-ms-ests-server: 2.1.18874.5 - SEASLR1 ProdSlices
x-ms-clitelem: 1,700024,0,,
x-ms-srs: 1.P
X-XSS-Protection: 0
Cache-Control: no-store, no-cache
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=AoKGP6iR0OpKiJgf9PeZOzzjvpGkAQAAAKuGc94OAAAA; expires=Fri, 11-Oct-2024 12:40:11 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Wed, 11 Sep 2024 12:40:11 GMT

[gautamdsheth]

MSAL.Desktop.4.36.1.0.MsalServiceException

This suggests to me that you are using an older version of PnP PowerShell, maybe 1.12 or the SharePointPnPPowerShell. Would suggest that you please update to the latest version which is more secure and has lots of bug fixes dealing with Auth issue. The latest is 2.12.0 , should help.

[jfmathieu]

Hi,

We have a project that uses a username/password to connect in a C# Azure Function with PnP.Framework 1.11.

As expected, it stopped working when the App Entra ID of PnP Management Shell was deleted.

We reused an Entra ID app of the Azure Function used in the project and configured it to work with the correct API authorization.

I have tested it with PnP.PowerShell. Via PnP.PowerShell, we are able to connect, create a SharePoint site, and delete it when we specify the Client ID, username and password in the PnPConnect in Interactive mode.

Moving back to the main projet, in pnpFramework 1.11. The authentification code that we are using is:

private async Task Get(string sourceTemplateSiteUrl)
{
[...removed..]

var authManager = new PnP.Framework.AuthenticationManager(_connectionString.SharePointTeamsSiteUserName, pwd);
_siteContext = await authManager.GetContextAsync(sourceTemplateSiteUrl);

[...removed...]
}

We try the alterne authentication methode AuthenticationManager(ClientAppID, _connectionString.SharePointTeamsSiteUserName, pwd)

And we also tested the alternate methode: PnP.Framework.AuthenticationManager.CreateWithCredentials(ClientAppID, _connectionString.SharePointTeamsSiteUserName, pwd)

We also update the pnpFramework to the latest version 1.17.

All our tests are giving us this erreur message when we try to connect.

A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

We look at the configuration on the EntraID App without success.

This is a bug for us that is blocking our work in production.

Thanks for the help

[jfmathieu]

FYI... We found this that solved our problem: https://learn.microsoft.com/en-us/answers/questions/1377450/how-to-fix-the-issue-im-getting-this-error-a-confi

[fodelement]

@gautamdsheth I have been loading creds for a service account from a password management DB and then passing them with "-Credentials". Which approach do you suggest I should I now use if this is no longer going to be supported?

These are being ran using an automated server, so browser authentication is not possible.

[gautamdsheth]

Credentials (Get-Credentials) or -Credentials are totally supported. The change here is that you need to provide own Entra ID app, everything else is the same.

[saurabh-dtu]

I have a node version 16.14.2 and package pnp/cli-microsoft365:6.8.0 that is using m365 in a script to download a file. Do I need to upgrade to v9 or simply re-registering will work?

[saurabh-dtu]

we have an ongoing production issue because of this script failing.
@gautamdsheth Any suggestion?

[gautamdsheth]

@saurabh-dtu : about cli for m365, I have no idea as such about the upgrade.

In any case, you will need to create an Entra ID app. Maybe asking in their discussion forum would help.

[Brian85300]

Does PNP still support connecting to an On Prem instance of SharePoint for the conversion of Classic Pages to Modern Pages in a migration to a SharePoint Online Tennant?

Our connections to the On Prem environment failed on 9/9 and documentation I have seen have only given examples of connecting to a SharePoint tennant URL but not a URL that is On Prem.

[Brian85300]

This is some partial code of what we are using to connect and the PNP Command we are getting to for the conversion of pages.....

Import-Module PnP.PowerShell

# .........


$spoConn = Connect-PnPOnline -Url $currentSPOSiteURL -Credentials $cred -ReturnConnection

# .........

$onPremConn = Connect-PnPOnline -Url $currentOnPremSiteURL -TransformationOnPrem -CurrentCredentials  -ReturnConnection 


# .........

foreach($page in $pages) {
    
   
# .........


    $result = ConvertTo-PnPPage -Identity $page.ItemName -Library Pages -PublishingPage -PageLayoutMapping "Y:\MappingFileForPageLayout.xml" -PublishingTargetPageName $page.ItemName -TargetConnection $spoConn -Connection $onPremConn -LogVerbose -LogType File -LogFolder Y:\pageLogs -LogSkipFlush:$flushLog -KeepPageCreationModificationInformation -UserMappingFile 'Y:\Accounts.csv' -SkipTermStoreMapping:$false -CopyPageMetadata -SkipUserMapping:$false -ClearCache -Overwrite 

# .........
   

}

[gautamdsheth]

@Brian85300 - there's no change for OnPrem side of things for page conversions. On the SPO side though, you will need to create EntraID app and use that app to connect to SPO.

[gopaltiwari]

@gautamdsheth @pkbullock I am trying to connect to SharePoint on-premise (2013) to generate Page layout mapping to migrate classic publishing pages to SPO modern pages. I am trying to use below command to connect to on-premise SharePoint does not seem to work.

I have been trying use this command with various versions of "PnP.PowerShell". I also tried older version PnP.PowerShell 1.9.0, Also tried with 'SharePointPnPPowerShell2013' but still no luck.

$onPremConn = Connect-PnPOnline -Url $currentOnPremSiteURL -TransformationOnPrem -CurrentCredentials -ReturnConnection

I am following the code sample provided in the below artile
Modernizing classic pages from publishing sites

Would like to know if 'Connect-PnPOnline' stil works to connect to On-Premise SharePoint to generate Page Layout mapping? If yes, do I need to use any specific version of "PnP.PowerShell" ?

Appreciate a response.

[manlamcheng]

We changed to use an app registration to log in with a certificate. It works on other commands (such as new-pnpsite), but when running the command Add-PnPMicrosoft365GroupToSite, it returns "An error occurred while processing this request." PLEASE HELP !!! this is urgent

[manlamcheng]

this is the permission set on the app

[manlamcheng]

We also upgraded to use PnP.PowerShell 2.12, no luck

[kama0806]

Hello.
Regarding this change, we have added the application to EntraID and granted the necessary permissions.
However, both Get-PnPTeamsTeam and Get-PnPTeamsUser did not work properly.
When executing the commands, a message dialog appeared stating that “Administrator approval is required.”
According to the documentation, the following permissions are required:
—
Required Permissions
Microsoft Graph API: One of Group.Read.All, Group.ReadWrite.All
Microsoft Graph API: Directory.Read.All
—

We have granted Group.ReadWrite.All and Directory.Read.All.
In addition, we have granted the following permissions:

•	User.Read.All
•	TeamMember.Read.All
•	TeamSettings.Read.All

Despite this, it seems we are still missing some necessary permissions.

Could you please let us know the permissions required for Get-PnPTeamsTeam and Get-PnPTeamsUser to function properly?
We are in serious trouble.
Please help us.

Thank you.

[kama0806]

I started a new PowerShell session, connected using ”Connect-PnPOnline”, and tried again.
However, it still did not work properly.
I have granted all the necessary permissions.
Please take a look at the screenshot.
What permissions might be missing?

[gautamdsheth]

How are using connect-PnPonline ? Using interactive ? What is the error message?

[kama0806]

Yes, I am using the Interactive option.
The message displays “Administrator approval is required.”

Could it be that ”GroupMember.ReadWrite.All" is necessary?
I won’t be able to get administrator approval today or tomorrow.
I plan to add this permission and try again on Tuesday.
If you have any other advice, please let me know.

[gautamdsheth]

Permission wise looks ok , don’t need more permissions on the app.

For the error message, it seems like your Entra ID policy is not allowing you to execute the code.

Whenever your admin is back , ask them to exclude the EntraID app that you have created and grant admin consent , maybe the link mentioned below helps .

https://stackoverflow.com/a/78025010

[kama0806]

Thank you for the advice.
I will try it once the administrator is back.

[konrman]

Hi!

We have various Sharepoint scripts running for reporting. Since the change, for example, the following part no longer works:

ForEach($Library in $DocumentLibraries)
{ $PermissionCollection = @()
#Get all users and groups who has access
$RoleAssignments = $Library.RoleAssignments
Foreach ($RoleAssignment in $RoleAssignments)
{
#Get the Permission Levels assigned and Member
Get-PnPProperty -ClientObject $roleAssignment -Property RoleDefinitionBindings, Member
.....

The last command (with ", Member") simply returns nothing, no error, no result. Without the ", Member" (what i need of course) i get the output below. The AppReg rights are already set to Directory.Read.All.

The output for one roleAssignment ist just the following:

Member : Microsoft.SharePoint.Client.User
PrincipalId : 53
RoleDefinitionBindings : {Read}
Context : PnP.Framework.PnPClientContext
Tag :
Path : Microsoft.SharePoint.Client.ObjectPathIdentity
ObjectVersion :
ServerObjectIsNull : False
TypedObject : Microsoft.SharePoint.Client.RoleAssignment

Does anyone have any ideas please?

Manuel

[zaphod4254]

Well, took me 4 weeks to get this fixed, but finally did. I had 2 problems that complicated things.

In a large enterprise organization, getting someone to do the Admin Consent took 3 weeks. First finding out who was even the correct people to ask, then going through the rigamarole to get them to actually do it after they asked a ton of questions, and they aren't the most responsive so it several days between their responses.

It was also confusing because we're only using Delegate permissions (no "Application" permissions) and everywhere I read said that admin consent wasn't needed for Delegate permissions, but apparently in our tenant, admin consent is still needed even for Delegate permissions.

Lastly, we authenticate with a user account and kept getting error messages about a missing "client_assertion" or something like that. Finally discovered that in the App Registration config, under Authentication, Advanced Settings, we needed to set "Allow public client flows" to Yes.

[kama0806]

Hello,
We experienced the same situation in our organization.
Fortunately, we were able to contact the administrator early and received urgent approval.
However, we are still unable to execute the following two commands:
・Get-PnPTeamsTeam
・Get-PnPTeamsMember

The permissions granted are correct.
However, the message dialog indicating that administrator approval is required continues to appear.

We have inquired through this link, but it has not led to a solution:
#4249 (reply in thread)

Do you have any helpful tips or advice?

[Jammon9525]

What is the alternative if registering an app is not an option due to security restrictions?

[gautamdsheth]

@Jammon9525 - You will we able to use the same non-service account with -Interactive. This time instead of the PnP multi-tenant app , you will have to use your own Entra ID app with minimal permissions which are needed for your scripts. The app will be in your tenant and controlled by your IT/security team.

[Jammon9525]

gautamdsheth

You answered the question, there isn't a way around it and -interactive is broken, so it is what it is. It just means PnP has limited use, if any, now, unfortunately.

[Barbarur]

PnP is as useful as before. Previously Global Admin had to grant permissions to the PnP multi-tenant Client ID. It was a one time action which people usually forgets.

This change is forcing people to actually learn what App registration, Client ID and API permissions actually means and what's their value in MS365.

You can ask the security team for Delegated permissions. This is a useful kb that drives you through this: https://learn.microsoft.com/en-us/entra/identity-platform/delegated-access-primer

[LutzD-pkb]

gautamdsheth

You answered the question, there isn't a way around it and -interactive is broken, so it is what it is. It just means PnP has limited use, if any, now, unfortunately.

This is not accurate. -Interactive is not broken, it simply requires an additional setup step that's of similar nature to the initial setup that was performed when your organization first started using PnP. I am not happy about this change either, but let's not mischaracterize the scope of the change.

[zaphod4254]

@Jammon9525 - how did you add PnP Management Shell app initially? It is the same process.

I can answer this for my situation. It "just worked". I never did anything with regard to registering an app. I didn't even know it used an Entra registered app until this issue came up.

I can only guess that somebody somewhere in our organization approved the original cross-tenant app sometime in the past, but it must have been before I ever became aware of and started using the PnP shell, which was 3 years ago.

[shun0210]

Two week ago, I registered New App in Entra ID to access SPO by using PnP Powershell.
So, PnP comandlet in batch file I made become able to access SPO.
In Entra ID have New App and PnP Management shell now.
Can I detele PnP Management shell from Entra ID?

And, from now on, When I want to check the imformation about the Update of PnP Powershell,
Should I open "Microsoft 365 and Power Platform Community Blog" and check the category "PnP Powershell"?

[patchie]

1 month ago approx. i could make a new app registration and connect via the following command to set the "Read" permissions to a specific site. Now i am not able anymore.

Connect-PnPOnline -Url https://xxxx.sharepoint.com/sites/xxxx -Interactive -ClientId xxxx-xxxx-xxxx-xxxx

Error i now get: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration.

Can anyone help?

[Barbarur]

You get the error while using Connect-PnPOnline or while running another command?

[patchie]

When running the connect command above.

[Barbarur]

Which API permissions did you grant to the app in Entra ID?

[patchie]

Sites.selected(sharepoint), but that dont really matter, as its not possible to even connect.

(Btw, i can via rest get the access token successfully)