SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

SharePoint Online API: Access denied creating Personal Site when passing Signed In User Bearer Token #4673

Open garrytrinder opened 5 years ago

garrytrinder commented 5 years ago

Category

Expected or Desired Behavior

The below HTTP call should create a new personal site for the user

POST /_vti_bin/client.svc/ProcessQuery HTTP/1.1
Host: tenant-admin.sharepoint.com
Content-Type: application/xml
Authorization: Bearer <token>

<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" LibraryVersion="16.0.0.0" ApplicationName="SharePoint PnP PowerShell Library" xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
    <Actions>
        <ObjectPath Id="5" ObjectPathId="4" />
        <Method Name="CreatePersonalSiteEnqueueBulk" Id="6" ObjectPathId="4">
            <Parameters>
                <Parameter Type="Array">
                    <Object Type="String">user@tenant.onmicrosoft.com</Object>
                </Parameter>
            </Parameters>
        </Method>
    </Actions>
    <ObjectPaths>
        <StaticMethod Id="4" Name="GetProfileLoader"  TypeId="{9c42543a-91b3-4902-b2fe-14ccdefb6e2b}" />
    </ObjectPaths>
</Request>

Observed Behavior

The above request results in a 200 OK response but returns the error below; no personal site is created for the user.

[
    {
        "SchemaVersion": "15.0.0.0",
        "LibraryVersion": "16.0.19318.12002",
        "ErrorInfo": {
            "ErrorMessage": "Access denied. You do not have permission to perform this action or access this resource.",
            "ErrorValue": null,
            "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67",
            "ErrorCode": -2147024891,
            "ErrorTypeName": "System.UnauthorizedAccessException"
        },
        "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67"
    }
]

Steps to Reproduce

Related Issues

https://github.com/SharePoint/PnP-PowerShell/issues/2267
https://github.com/OneDrive/onedrive-api-docs/issues/530
https://github.com/pnp/office365-cli/issues/929
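An added example, not code from the issue, from PnP PowerShell or from the Office 365 CLI: a small Python client that builds the exact ProcessQuery body shown above for any list of UPNs, sends it with a bearer token, and treats the response the way this thread shows SharePoint behaves, i.e. a 200 OK whose first element carries an `ErrorInfo` block. Function names, the `post` injection point and the offline run against a copy of the response from the issue are my constructions; the endpoint, XML body and error shape are taken from the issue as posted.

```python
"""CSOM ProcessQuery client for CreatePersonalSiteEnqueueBulk (example, not project code)."""
import json
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CSOM_NS = "http://schemas.microsoft.com/sharepoint/clientquery/2009"
# TypeId of the ProfileLoader static-method target, copied from the request in the issue
PROFILE_LOADER_TYPE_ID = "{9c42543a-91b3-4902-b2fe-14ccdefb6e2b}"

# Constructed sample input: the 200 OK body from the issue, used so the flow runs offline
SAMPLE_DENIED_RESPONSE = json.dumps([{
    "SchemaVersion": "15.0.0.0",
    "LibraryVersion": "16.0.19318.12002",
    "ErrorInfo": {
        "ErrorMessage": "Access denied. You do not have permission to perform this action or access this resource.",
        "ErrorValue": None,
        "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67",
        "ErrorCode": -2147024891,   # HRESULT 0x80070005, E_ACCESSDENIED
        "ErrorTypeName": "System.UnauthorizedAccessException",
    },
    "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67",
}])


class ProcessQueryError(Exception):
    """Raised when ProcessQuery returns an ErrorInfo block; keeps the TraceCorrelationId for support."""

    def __init__(self, info):
        super().__init__(
            f"{info.get('ErrorTypeName')}: {info.get('ErrorMessage')} "
            f"(ErrorCode={info.get('ErrorCode')}, TraceCorrelationId={info.get('TraceCorrelationId')})"
        )
        self.info = info


def build_request(user_emails, application_name="example-client"):
    """Return the ProcessQuery XML from the issue with one <Object> per UPN, XML-escaped."""
    if not user_emails:
        raise ValueError("at least one user principal name is required")
    objects = "".join(f'<Object Type="String">{escape(u)}</Object>' for u in user_emails)
    return (
        f'<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" '
        f'LibraryVersion="16.0.0.0" ApplicationName="{escape(application_name)}" xmlns="{CSOM_NS}">'
        '<Actions><ObjectPath Id="5" ObjectPathId="4" />'
        '<Method Name="CreatePersonalSiteEnqueueBulk" Id="6" ObjectPathId="4">'
        f'<Parameters><Parameter Type="Array">{objects}</Parameter></Parameters></Method></Actions>'
        f'<ObjectPaths><StaticMethod Id="4" Name="GetProfileLoader" TypeId="{PROFILE_LOADER_TYPE_ID}" /></ObjectPaths>'
        '</Request>'
    )


def users_in_request(xml_body):
    """Parse a request body back and return the UPNs it carries (proves the body is well-formed XML)."""
    root = ET.fromstring(xml_body)
    ns = {"q": CSOM_NS}
    return [o.text for o in root.findall("q:Actions/q:Method/q:Parameters/q:Parameter/q:Object", ns)]


def error_info(body):
    """Return the ErrorInfo dict from a ProcessQuery response, or None when the call succeeded.

    ProcessQuery answers 200 OK even when the action failed, so the HTTP status
    cannot be used; the first array element's ErrorInfo is the real verdict.
    """
    payload = json.loads(body)
    if not isinstance(payload, list) or not payload:
        raise ValueError("unexpected ProcessQuery response shape")
    return payload[0].get("ErrorInfo") or None


def is_access_denied(info):
    """True for the UnauthorizedAccessException / E_ACCESSDENIED pair seen in this issue."""
    return info.get("ErrorTypeName") == "System.UnauthorizedAccessException" or info.get("ErrorCode") == -2147024891


def request_personal_sites(admin_host, bearer_token, user_emails, post=None):
    """POST the request to the tenant-admin ProcessQuery endpoint and raise on ErrorInfo.

    `post(url, body, headers) -> str` is injectable so the flow can be exercised offline;
    the default uses urllib against the real tenant-admin host.
    """
    url = f"https://{admin_host}/_vti_bin/client.svc/ProcessQuery"
    body = build_request(user_emails).encode("utf-8")
    headers = {"Content-Type": "application/xml", "Authorization": f"Bearer {bearer_token}"}
    if post is None:
        def post(url, body, headers):
            req = urllib.request.Request(url, data=body, headers=headers, method="POST")
            with urllib.request.urlopen(req) as resp:
                return resp.read().decode("utf-8")
    raw = post(url, body, headers)
    info = error_info(raw)
    if info:
        raise ProcessQueryError(info)
    return json.loads(raw)


def demo():
    """Offline run against the constructed sample; returns the ErrorTypeName that was surfaced."""
    fake_post = lambda url, body, headers: SAMPLE_DENIED_RESPONSE  # stands in for the tenant
    try:
        request_personal_sites("tenant-admin.sharepoint.com", "<token>",
                               ["user@tenant.onmicrosoft.com"], post=fake_post)
    except ProcessQueryError as exc:
        return exc.info["ErrorTypeName"]
    return None


if __name__ == "__main__":
    print(demo())
```

Keying the failure check on `ErrorInfo` rather than the HTTP status is the practical point: a client that only checks for 200 would report the bulk enqueue as successful while no site is created, and the `TraceCorrelationId` is what Microsoft support needs when the denial is escalated.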

msft-github-bot commented 5 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

andrewconnell commented 5 years ago

Context please... where is the method CreatePersonalSiteEnqueueBulk coming from (ie: what API are you using), what's the environment, etc...

msft-github-bot commented 5 years ago

The more context details you can provide, the easier it is to help assist on issues. Any code you can provide and/or screenshots of the issue also help. The easier you can make it to reproduce the issue, the easier and quicker it is for someone to help you. Things that always help posting with every issue include (1) SharePoint environment(s) (on-prem / SP 2016 / SP 2019 / SharePoint Online), (2) if SharePoint Online, is the tenant configured for standard / targeted release, (3) if SharePoint Framework, list the versions of installed tools (Node.js, NPM, Yeoman, Gulp, SPFx generator, etc... use npm list -g --depth=0), (4) if applicable, browser(s) tested, (5) if applicable, version of Office UI Fabric React & (6) anything else you can provide.

andrewconnell commented 5 years ago

Furthermore, you say “create personal site” which I think implies SharePoint, but you reference OneDrive. Hence the confusion on what you are trying to do.

Regardless of the API, you need to ensure the API supports application permissions. It may only support delegated (app+user) permissions for auditing requirements & not app-only.

garrytrinder commented 5 years ago

@andrewconnell appreciate your commenting on this issue and apologies for the lack of clarity...

I am working on replicating the New-PnPPersonalSite cmdlet functionality from PnP PowerShell, which creates "Creates a personal / OneDrive For Business site", into the Office 365 CLI.

POST /_vti_bin/client.svc/ProcessQuery HTTP/1.1
Host: tenant-admin.sharepoint.com
Content-Type: application/xml
Authorization: Bearer <token>

<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" LibraryVersion="16.0.0.0" ApplicationName="SharePoint PnP PowerShell Library" xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
    <Actions>
        <ObjectPath Id="5" ObjectPathId="4" />
        <Method Name="CreatePersonalSiteEnqueueBulk" Id="6" ObjectPathId="4">
            <Parameters>
                <Parameter Type="Array">
                    <Object Type="String">user@tenant.onmicrosoft.com</Object>
                </Parameter>
            </Parameters>
        </Method>
    </Actions>
    <ObjectPaths>
        <StaticMethod Id="4" Name="GetProfileLoader"  TypeId="{9c42543a-91b3-4902-b2fe-14ccdefb6e2b}" />
    </ObjectPaths>
</Request>

However this returns the below 200 OK response

[
    {
        "SchemaVersion": "15.0.0.0",
        "LibraryVersion": "16.0.19318.12002",
        "ErrorInfo": {
            "ErrorMessage": "Access denied. You do not have permission to perform this action or access this resource.",
            "ErrorValue": null,
            "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67",
            "ErrorCode": -2147024891,
            "ErrorTypeName": "System.UnauthorizedAccessException"
        },
        "TraceCorrelationId": "7c05089f-70d6-1000-af48-5aaa8564ad67"
    }
]

The app used to generate the bearer token only uses delegated permissions for SharePoint Online (the common Office 365 CLI app identity), so no app-only calls here to SharePoint.

Further investigation into the PnP-PowerShell cmdlet also showed that the cmdlet only worked when authenticating with SharePoint Online by passing username and password (Forms Based Auth) as the same error is thrown when using a Bearer Token.

andrewconnell commented 5 years ago

@garrytrinder said

I am working on replicating the New-PnPPersonalSite cmdlet functionality from PnP PowerShell, which creates "Creates a personal / OneDrive For Business site", into the Office 365 CLI.

That's not correct... the PnP cmdlets do not interact with the O365 CLI. The O365 CLI is an alternative to the POSH cmdlets. Both are using public REST APIs in SharePoint / Office 365 to do their work. I think what you wrote is a typo.

If you have specific questions about the PNP cmdlets, you should post those to the github project for the PnP POSH project, not here, as that's the more relevant place.

The underlying question I'm tracking down with SP engineering is "is app only supported for this task"... will follow up if I get an answer.

garrytrinder commented 5 years ago

That's not correct... the PnP cmdlets do not interact with the O365 CLI. The O365 CLI is an alternative to the POSH cmdlets. Both are using public REST APIs in SharePoint / Office 365 to do their work. I think what you wrote is a typo.

This is not a typo, I am well aware of the difference between the two libraries and I am not trying to make them interact.

I am contributing to the Office 365 CLI project, not PnP PowerShell. The contribution refers to replicating the "functionality" of the New-PnPPersonalSite cmdlet.

A new command, spo personalsite add has been designed and proposed for this, it is using the public REST API to create a new personal site. (Ref: https://github.com/pnp/office365-cli/issues/929).

If you have specific questions about the PNP cmdlets, you should post those to the github project for the PnP POSH project, not here, as that's the more relevant place.

I already have and raised this as an issue, which I have referenced (Ref: https://github.com/SharePoint/PnP-PowerShell/issues/2267)

The point I am trying to raise is that the same underlying API call is reacting in the same way when passing a bearer token in the authorisation header, whether that is using delegated (the signed in user) or application permissions (without signed in user).

I have updated the issue title, description and steps to reproduce to make this clearer, as I think I caused the confusion by getting my terminology wrong in the first place 🤦🏻‍♂️.

I appreciate you responding to this issue 👍🏻

andrewconnell commented 5 years ago

@garrytrinder Gotcha... my bad as I didn't read your comment about the CLI correctly. I thought you were saying POSH was using the CLI... I didn't get you were trying to replicate functionality from POSH cmdlet => CLI.

At any rate, I've pinged someone in engineering who's looking into it. I can't answer it so I'm waiting on what they find out & when there's something to report, I'll do that.

garrytrinder commented 4 years ago

Hey @andrewconnell any update from engineering on this?

waldekmastykarz commented 4 years ago

Ping @andrewconnell, any update on this issue?

garrytrinder commented 4 years ago

Ah apologies, I meant to raise this with the team directly after speaking with @andrewconnell but didn't get around to it. It's with me @waldekmastykarz

RyanSmith-00 commented 4 years ago

Hi, can you use a Bearer Token with SharePoint Online? https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

FAQ: Can I use other means besides certificates for realizing app-only access for my Azure AD app? No, all other options are blocked by SharePoint Online and will result in an Access Denied message.

RyanSmith-00 commented 4 years ago

Turns out my issue with Access Denied was the API permissions. For SharePoint Online Lists I needed to add Application permissions to the Microsoft Graph | Sites.Read.All

mbuergi commented 3 years ago

@garrytrinder, is there an update on this issue?

clientbala commented 3 years ago

Is there any update on this? We want to automate PersonalSite creation using the Azure AD app within Automation Runbook and currently looking into workaround solution.

emi662002 commented 3 years ago

Any updates on this? Or workaround?

emi662002 commented 3 years ago

Is there any update on this? We want to automate PersonalSite creation using the Azure AD app within Automation Runbook and currently looking into workaround solution.

@clientbala did you find a workaround for this ?

garrytrinder commented 3 years ago

Apologies for the delay on updating, unfortunately I have been unable to ascertain whether this is supported through the REST API using a Bearer token with delegated permissions.

klennan commented 3 years ago

I landed here after having the same issue when using Request-PnPPersonalSite and New-PnPPersonalSite, both returning 403 Access Denied. I had been connecting with:

Connect-PnPOnline -Url <mysite> -Credentials <mycreds>

But just now I connected with:

Connect-PnPOnline -Url <mysite> -UseWebLogin

And this time around, Request-PnPPersonalSite worked with no error! Though I've yet to verify the site is being created.