Replies: 2 comments
The cmdlet https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html uses Microsoft Graph behind the scenes. It sounds like you've used the SharePoint permission. If so, that won't fly. You need to give it the Graph permission instead:
I thought best practice should be to register the app with the least amount of access, and register a higher level at the individual site.
The Grant-PnPAzureADAppSitePermission is indeed the easiest way to assign permissions to the app for the desired SharePoint site. This ensures the app is granted the necessary access at the site level; in some cases you will want to give it -FullControl for the site, i.e. /sites/marketing. You are also required to have a certificate, since SharePoint CSOM or REST API with the client credentials OAuth flow only works with client id and certificate and will not work with client id and secret, and that is something most have issues with or miss.
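Added example (not part of the thread and not PnP PowerShell's own code): a diagnostic that decodes a token's payload to show whether it is a Microsoft Graph token and whether it carries the Sites.FullControl.All permission the issue below says the cmdlet asks for, in either delegated (`scp`) or application (`roles`) form. The function names and the sample tokens are constructed for illustration; the payload is decoded without signature verification, so this is for inspection only.

```powershell
# Decode (without validating) the payload segment of a JWT.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64, restoring the padding that JWTs strip
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } 1 { throw 'Invalid base64url length' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-SitePermissionToken {
    param([Parameter(Mandatory)][string]$Token, [string]$Required = 'Sites.FullControl.All')
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Graph tokens carry either the Graph URL or the Graph application id as audience
    $aud = ([string]$claims.aud).TrimEnd('/')
    $graphAudiences = 'https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'
    # Delegated permissions are space-separated in 'scp'; application permissions are an array in 'roles'
    $delegated = @(); if ($claims.scp) { $delegated = @($claims.scp -split ' ') }
    $appOnly = @(); if ($claims.roles) { $appOnly = @($claims.roles) }
    [pscustomobject]@{
        Audience     = $aud
        IsGraphToken = $aud -in $graphAudiences
        Delegated    = $delegated
        Application  = $appOnly
        HasRequired  = ($Required -in $delegated) -or ($Required -in $appOnly)
    }
}

# Constructed sample tokens (unsigned, illustration only)
function New-SampleToken([hashtable]$Claims) {
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.sig' -f (& $enc '{"alg":"none"}'), (& $enc ($Claims | ConvertTo-Json -Compress))
}
$spo   = New-SampleToken @{ aud = 'https://blah.sharepoint.com'; scp = 'AllSites.FullControl' }
$graph = New-SampleToken @{ aud = 'https://graph.microsoft.com'; scp = 'Sites.FullControl.All User.Read' }
$spo, $graph | ForEach-Object { Test-SitePermissionToken -Token $_ } | Format-Table Audience, IsGraphToken, HasRequired
```

The SharePoint-audience token with AllSites.FullControl reports neither a Graph audience nor the required permission, which matches the unauthorized error described in the issue.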
Notice
Many bugs reported are actually related to the PnP Framework which is used behind the scenes. Consider carefully where to report an issue:
Invoke-PnPSiteTemplate or Get-PnPSiteTemplate? The issue is most likely related to the Provisioning Engine. The Provisioning engine is not located in the PowerShell repo. Please report the issue here: https://github.com/pnp/pnpframework/issues.
Reporting an Issue or Missing Feature
When attempting to assign Sites.Selected permissions to a site using PnP and the new app registration, it throws an unauthorized error. If I run the command while elevated with App Admin role, it wants to update the app registration with Sites.FullControl.All, instead of respecting/using the documented configuration of delegated AllSites.FullControl.
Expected behavior
For the Sites.Selected applying process to function with the delegated permissions assigned in the new PnP app registration.
Actual behavior
The command as documented and in behavior wants to use Sites.FullControl.All Graph permissions and will error out when using the new PnP app registration with delegation.
Steps to reproduce behavior
Use the new PnP app registration with delegated AllSites.FullControl permissions.
Grant-PnPAzureADAppSitePermission -AppID XXXXXXX -DisplayName "TestName" -Permissions Read -Site https://blah.sharepoint.com/teams/site
What is the version of the Cmdlet module you are running?
2.12.0
Which operating system/environment are you running PnP PowerShell on?