[BUG] New-PnPSite is not working after PNP Management shell tenant app was discontinued.

[prachigoyal90]

After PNP Management shell tenant app was discontinued on 9/9, the script that we had for site provisioning stopped working. We have created Entra App registration and added below permissions to the app:

ChannelMember.ReadWrite.All | Delegated
Directory.AccessAsUser.All | Delegated
Directory.ReadWrite.All | Delegated
Group.ReadWrite.All | Delegated
Team.Create | Delegated
TeamMember.ReadWrite.All | Delegated
TeamsAppInstallation.ReadWriteForUser | Delegated
TeamSettings.ReadWrite.All | Delegated  
TeamsTab.ReadWrite.All | Delegated
User.Read | Delegated
AllSites.FullControl | Delegated
Sites.FullControl.All | Application
Sites.Search.All | Delegated
TermStore.ReadWrite.All | Delegated
User.ReadWrite.All | Delegated

We were able to use the commands:
Connect-PnPOnline -url $TenantUrl -ClientId "" -ClientSecret ""
Connect-PnPOnline -Url "" -ClientId "" -ClientSecret ""

but for New-PnPSite -Title $Title -Type TeamSite -Alias $Alias, we are receiving the error:
New-PnPSite : Creating a new teamsite requires an underlying Microsoft 365 group. In order to create this we need to acquire an access token for the Microsoft Graph. This is not possible using ACS App Only connections.

What is the version of the Cmdlet module you are running?

New-PnPSite -Title $Title -Type TeamSite -Alias $Alias

Which operating system/environment are you running PnP PowerShell on?

• Windows

[jackpoz]

As you are connecting with ClientSecret , your connection is of type "ACS App Only". As the error message says, this doesn't support all cmdlets, with New-PnPSite -Type TeamSite apparently being one of them due to the interaction with Microsoft Graph.

The solution would be to use a certificate instead of a secret.

Please note that ACS will be retired on April 2026, announcement at https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/azure-acs-retirement-in-microsoft-365/ba-p/3982039 , documentation at https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs . This means that you should replace the usage of client secret with PnP PowerShell with a certificate by that date.

Your app registration has many Delegated permissions, which are unused when using a client secret. Are you using the same app registration with -Interactive authentication with an account or could that be an oversight ?

[gautamdsheth]

You can create an EntraID app with certificates as mentioned here:

https://pnp.github.io/powershell/articles/registerapplication.html#setting-up-access-to-your-own-entra-id-app-for-app-only-access

[gautamdsheth]

Moving this to a discussion as it is a configuration issue and not an issue with the cmdlet itself. As suggested above, please create a certificate and upload it to your EntraID app and use that to authenticate.