Question:
We have an Azure App Registration (with Service Principal) and run a PowerShell script from an Azure Runbook to sync users from AAD to the SharePoint User Profile Store. The App has approved consent to read users by Graph from AAD and read/write to SharePoint User Profiles. PnP Management Shell has the same approved consent.
We connect to PnP-Online with ClientId and certificate:

```powershell
Connect-PnPOnline -Url "https://ourtenant-admin.sharepoint.com" -Tenant $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -Thumbprint $servicePrincipalConnection.CertificateThumbprint
```
If we call the cmdlet Get-PnPUserProfileProperty, we always get "Current user is not a tenant administrator":

![image](https://user-images.githubusercontent.com/22025808/148393323-f6e2de46-2cd4-4c45-bdd6-45f133d4af4b.png)
We are not allowed to give the Service Principal the global admin role. Does that mean that we can not use this approach?
Thanks for clarification...
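For readers diagnosing the same "not a tenant administrator" result, the following runbook-style script is an added example (not code from the issue author or from the PnP project). It performs the same certificate-based app-only connection and, before calling `Get-PnPUserProfileProperty`, decodes the app-only SharePoint access token to list the application permissions (`roles` claim) it actually carries, so the granted consent can be compared with what the cmdlet needs rather than reaching for a tenant-wide admin role. It assumes Azure Automation's Run As connection named `AzureRunAsConnection`, the PnP.PowerShell module, and that `Get-PnPAccessToken -ResourceTypeName SharePoint` returns the raw JWT; the tenant URL and account name are placeholders.

```powershell
# Added example, not the issue author's script. Placeholders: TENANT, user@TENANT.onmicrosoft.com.
param(
    [string] $AdminUrl = "https://TENANT-admin.sharepoint.com",
    [string] $AccountToInspect = "i:0#.f|membership|user@TENANT.onmicrosoft.com"
)

# Assumption: the runbook uses Azure Automation's Run As connection (certificate-based).
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'

# Same app-only connection as in the issue: client id plus certificate thumbprint, no user identity.
Connect-PnPOnline -Url $AdminUrl `
    -Tenant $conn.TenantId `
    -ClientId $conn.ApplicationId `
    -Thumbprint $conn.CertificateThumbprint

# Decode the payload segment of a JWT (base64url) without validating it; this is only
# for reading the claims of a token we just obtained ourselves, not for trusting one.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string] $Jwt)
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) {
        2 { $segment += '==' }
        3 { $segment += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

# Assumption: Get-PnPAccessToken -ResourceTypeName SharePoint returns the raw SharePoint JWT.
$claims = Get-JwtPayload -Jwt (Get-PnPAccessToken -ResourceTypeName SharePoint)
$roles  = @($claims.roles) -join ', '
Write-Output "App-only token for appid $($claims.appid); application permissions (roles): $roles"

try {
    Get-PnPUserProfileProperty -Account $AccountToInspect -ErrorAction Stop
}
catch {
    # Surface the SharePoint error text next to the roles the token carried, so an operator
    # can see which application permission is missing instead of granting Global Admin.
    Write-Error ("Get-PnPUserProfileProperty failed: {0}`nToken roles: {1}" -f $_.Exception.Message, $roles)
    throw
}
```

The `roles` claim is the authoritative record of what the app registration was actually consented for at the time the token was issued; if it is empty or lacks the SharePoint application permission the cmdlet requires, the fix is to grant and admin-consent that specific permission on the app registration, which keeps the service principal at least privilege rather than a tenant-wide admin role.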