PowerShell / PowerShellGallery


Using in Azure Runbook #210

Open EA12 opened 2 years ago

EA12 commented 2 years ago

Question:

We have an Azure App Registration (with a Service Principal) and run a PowerShell script from an Azure Runbook to sync users from AAD to the SharePoint User Profile Store. The app has approved consent to read users from AAD via Graph and to read/write SharePoint user profiles. PnP Management Shell has the same approved consent.

We connect to PnP Online with ClientId and certificate:

```powershell
Connect-PnPOnline -Url "https://ourtenant-admin.sharepoint.com" -Tenant $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -Thumbprint $servicePrincipalConnection.CertificateThumbprint
```

If we call the cmdlet Get-PnPUserProfileProperty, we always get "Current user is not a tenant administrator".

We are not allowed to give the Service Principal the Global Administrator role. Does that mean that we cannot use this approach?

Thanks for clarification...
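The runbook pattern described in the issue, written out as an added example (not code from the issue author or from the PnP PowerShell project): the script reads the service principal details from an Azure Automation connection asset, connects app-only with the certificate thumbprint, and wraps Get-PnPUserProfileProperty so the "not a tenant administrator" failure is reported with the identity that hit it instead of aborting the job with a bare exception. The connection asset name "AzureRunAsConnection", the tenant "ourtenant", and the sample account are assumptions for the example.

```powershell
# Added example (not from the issue or the PnP project). Assumptions:
# the Automation connection asset is named "AzureRunAsConnection",
# the tenant admin URL is https://ourtenant-admin.sharepoint.com, and the
# account being looked up is someone@ourtenant.onmicrosoft.com (all hypothetical).
param(
    [string] $ConnectionName = 'AzureRunAsConnection',
    [string] $AdminUrl       = 'https://ourtenant-admin.sharepoint.com',
    [string] $Account        = 'someone@ourtenant.onmicrosoft.com'
)

# The connection asset carries TenantId, ApplicationId and CertificateThumbprint.
# The certificate's private key stays in the Automation certificate asset;
# the script only references it by thumbprint and holds no client secret.
$conn = Get-AutomationConnection -Name $ConnectionName

Connect-PnPOnline -Url $AdminUrl `
    -Tenant $conn.TenantId `
    -ClientId $conn.ApplicationId `
    -Thumbprint $conn.CertificateThumbprint

try {
    # This is the call that fails in the issue with
    # "Current user is not a tenant administrator" for the app-only identity.
    $props = Get-PnPUserProfileProperty -Account $Account -ErrorAction Stop
    Write-Output ("AccountName: {0}" -f $props.AccountName)
}
catch {
    if ($_.Exception.Message -like '*not a tenant administrator*') {
        # Record which application and admin site were rejected so the job
        # log shows the authorization problem, not just a stack trace.
        Write-Error ("App {0} cannot read user profiles on {1}: {2}" -f `
            $conn.ApplicationId, $AdminUrl, $_.Exception.Message)
    }
    else {
        throw
    }
}
finally {
    Disconnect-PnPOnline
}
```

Importing the script as a runbook and starting it from the Automation account exercises the same Connect-PnPOnline parameters the issue uses; the only additions are the connection-asset lookup and the explicit handling of the authorization error.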