Admin Console no longer works. New apps give access denied. Get-PnPAzureADAppSitePermission not working.

[ComputerHabit2]

I'm lost and now I have no idea how to get out of this mess.

First Admin Console stopped working.

Now I build an app and has all rights. I used Register-PnPEntraIDApp
I am enterprise admins.

I get app registered so I can 'admin' again.

I connect with certificate and clientid. I can list sites.

I run Get-PnPAzureADAppSitePermission

I get access denied.

[ComputerHabit2]

I keep getting stuck in a loop and trying to work through the hobbling of the admin console setup. I've spent about 10 hours now working through this mess and I'm just stuck.

Why don't permissions work? Do I have to connect a special way? Is there a switch I'm missing?

What is going on? This used to work and now I can't get anything to really work properly.

[sympmarc]

I'm not exactly sure what your issue is, but if you look at the documentation for Get-PnPAzureADAppSitePermission, you'll see you need:

Microsoft Graph API: Sites.FullControl.All

Check your app permissions and make sure you've consented to that under API permssions.

[ComputerHabit2]

Thanks for responding.

I had setup the app with default permissions using the command Register-PnPEntraIDApp

I'm sure it's something I'm doing wrong or backwards but I haven't figured it out yet.

[ComputerHabit2]

I was thinking this would give me control to login and perfom actions like create a new site. I can use Get-PnPSite and list things.
I'm trying to work my way through build an app when now I have to build an app to build the app.

So I'm a little lost.

Like I built the above 'app' so I could have admin console back. I can connect to my tenant admin using Connect-PnPOnline
Connect-PnPOnline -Url "https://tenant-admin.sharepoint.com" -Tenant 'tenant.onmicrosoft.com' -ClientId "" -Thumbprint ""

I can list sites.
$spSites = Get-PnPTenantSite
$spSites

My intention was to create an app for someone so they can write files to a sharepoint site with powershell.

I made an app using Register-PnPEntraIDApp but I want to limit it to specific site.

Register-PnPEntraIDApp -ApplicationName "$($nameOfApplication)" -Tenant "tenant.onmicrosoft.com" -Interactive -SharePointApplicationPermissions "Sites.Selected"

I'm trying to use:
Grant-PnPEntraIDAppSitePermission -AppId "$($appid)" -Site $siteUrl -DisplayName "test" -Permissions Write

But I get access denied.

I am tenant admin. I have admin rights on the site. I have all the rights.

[sympmarc]

The old shared app registration granted a LOT of consent - more than many of us needed. This article from fellow MVP Paul Bullock shows all the permissions the old app had: What permissions the PnP Management Shell app had in the past? | pkbullock.com

Now, when you want to use specific cmdlets, you need to just make sure you've consented to those permissions for the app registration you've set up. for Grant-PnPAzureADAppSitePermission you need: Microsoft Graph API: Sites.FullControl.All, just as you needed for Get-PnPAzureADAppSitePermission above.

Once you've granted consent for a specific API permission, it's available to anyone using that app registration. (In theory, you could have different app registrations for different needs, but that's a next level topic.) Because the permissions are delegated, the person running the script also has to have permissions on the objects which the cmdlet interacts with.

Right now, you can read information about sites with Get-PnPSite because you've consented to SharePoint: Sites.FullControl.All.

[ComputerHabit2]

Maybe I'm going crazy, but I swear that Sites.FullControll.All is in that permission set in my screenshot above. That's part of the issue I'm having is I think it looks right but things aren't working.

[ComputerHabit2]

Maybe I'm going crazy, but I swear that Sites.FullControll.All is in that permission set in my screenshot above. That's part of the issue I'm having is I think it looks right but things aren't working.

Oh GRAAAAAPH API.....

[ComputerHabit2]

I added the permissions. Maybe to the wrong app. I added it to my "Admin" app. But maybe that's wrong now. I'm lost between if I should be connecting to an admin console for 'anything' like making the applications. Or instead, should I be connecting to the the website I'm trying to apply changes too.

I'm confused how I'm supposed to admin now and create app registrations and use powershell. geeze.....

I had this well understood and now it seems each step is a master lesson in what not to do.

[sympmarc]

You should be consenting to the API permissions for the app registration you created for PnP.PowerShell. I'm not sure what you mean by the "admin console". You grant the permissions in Entra ID.

[ComputerHabit2]

Yes, I've definitely granted access.

There used to be -Interactive and -SPOManagementShell for Connect-PNPOnline. Those switches are now dead.

I've been stuck with Connect-PnPOnline $AdminCenterURL -UseWebLogin which works.

I was trying to: Grant-PnPEntraIDAppSitePermission -AppId "$($appid)" -Site $siteUrl -DisplayName "test" -Permissions Write

But I got an error saying I had to use the -SPOManagementShell switch. But like I mentioned it's dead.

So now I'm making the new "SPOManagementShell" using the Register-PnPEntraIDApp command. I didn't use permission switches because it seemed the defaults gave me 'all' the rights I needed but maybe that's not correct.

I'm making the new "SPOManagementShell" so then I can make a new App that is limited to it's specific URL.

aka... Back to the command Grant-PnPEntraIDAppSitePermission -AppId "$($appid)" -Site $siteUrl -DisplayName "test" -Permissions Write

[ComputerHabit2]

I have no clue how to get Grant-PnPEntraIDAppSitePermission to work.

[ComputerHabit2]

Something about Access tokens now....

[ComputerHabit2]

okay finally... jeeze I got it to add permissions now

[ComputerHabit2]

Synopsis of what to do:

Make a new azure app. Make sure it has all the correct permissions. These are the permissions I have set for my "SPOManagementShell" to replace the deprecated switch.

Connect to the app. In my case I created a PFX.

Connect-PnPOnline -Url "https://-admin.sharepoint.com" -Tenant '.onmicrosoft.com' -ClientId "" -Thumbprint ""

Then I could create a new app.

Then I could add permissions
Grant-PnPEntraIDAppSitePermission -AppId "" -Site "https://.sharepoint.com/teams/xxx" -DisplayName "test" -Permissions Write