Calling Connect-PnPOnline several times with -UseWebLogin causes delay

[MartijnOnGithub]

I tried to create a script that is processing all sites in an collection while:

• you need to authenticatie once
• the script is MFA compatible (in case the "admin account" uses MFA)

So I created a script that used an connection call like in the attached script: it uses the -UseWebLogin parameter, in combination with Connect-PnPOnline. Often running the script for a first time cause no delay. But running it for example again, causes a delay at each Connect-PnPOnline. The delay is about 5 mins for each new connect. So if you want to loop throught 13 sites it will take 13x 5 minutes. I tried to change so parameters related to the retry and time out but it did not solve the problem.

Steps to reproduce behavior Please check try attached script

PnP-SiteCollection-demo-SSO-weblogon.zip

Example output below. Beware of the long time between the authentication actions. Also strange that the script did not write the $SiteCollections data to screen at the moment of testing...

Please logon to connect to the administration site https://ORGANISATIONNAME-admin.sharepoint.com with ORGANISATIONNAME Enter the name of your Office 365 organization (ORGANISATIONNAME): xyzdemo Logging on at 10/05/2018 17:41:32 ... Retrieving site collection data at 10/05/2018 17:41:34 ... Retrieved collection of 13 items

Processing collection at 10/05/2018 17:41:35 Connecting to subsite at 10/05/2018 17:41:35 - ICT Services - https://xyzdemo.sharepoint.com/ Connecting to subsite at 10/05/2018 17:46:36 - Community - https://xyzdemo.sharepoint.com/portals/Community Connecting to subsite at 10/05/2018 17:51:39 - PointPublishing Hub Site - https://xyzdemo.sharepoint.com/portals/hub (etc)

Which version of the PnP-PowerShell Cmdlets are you using?

• [ ] PnP PowerShell for SharePoint 2013
• [ ] PnP PowerShell for SharePoint 2016
• [X] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

Module version: 3.1.1809.0

How did you install the PnP-PowerShell Cmdlets?

• [ ] MSI Installed downloaded from GitHub
• [X] Installed through the PowerShell Gallery with Install-Module
• [ ] Other means

[annigam01]

I agree, i have a need to extract all the features, when i do foreach and connect to new site, there is no way to "pass" cred, or reuse a previous client context

[HeKr09]

Same problem. I am able to solve this when I close the PowerShell-Session but it is not a good approach. Is there a chance to get a solution? I tried to log on with AppId and AppSecret but I am using Microsoft Cloud Germany and I guess the MS Graph endpoint is not implemented correctly. So my only chance is the UseWebLogin.

[RyanFromIT]

I'm trying to do the same thing as you (do something for all site collections) and we have MFA turned on. I keep running in to the same problem no matter how I go about doing it and the same thing when I run your code snippet, it asks me to log in for every site collection.... We have over 1700 site collections (and only been on Office 365 for 4 months). So having to log in each time, is a big problem :|

[Il00Il0I]

I thought it was fixed this morning it ran through about 30 sites so fast then it all came back to a crawl. My colleague suggested it may be a web protection from DDOS attacks. Based on the behavior this seems the best theory why the dial seems to be turned down after a few calls to Connect-PnPOnline.

[svest79]

Any update on this? I run into a similar problem where I am running through all the sites to apply a template, but it gets through one or two and actually "times out". At least I assume this is what happens, I am receiving a 404 rejection from the server. This is very frustrating.

[AbhishekGarg]

This is still an issue.. now 10 months from when it was raised, and counting. Is there any workaround for this?

I thought this might be due to too many "Connect" requests and not cleaning up with a "Disconnect" after the work is done, or before making a new connection. But, even using Disconnect-PnPOnline before another Connect-PnPOnlne does not help.

[MartijnOnGithub]

This is still an issue.. now 10 months from when it was raised, and counting. Is there any workaround for this? The fact this issue is still not assigned to a member of the team that maintains 'PnP-PowerShell', is very disappointing.

[ToddKlindt]

The contributions to this project are made by volunteers who do this in their spare time out of love for the community. Please don't shame them.

[MartijnOnGithub]

The contributions to this project are made by volunteers who do this in their spare time out of love for the community. Please don't shame them.

I do understand there is a limited capacity to solve problems, and did not want to offend.

[codejunky-uk]

I experienced this problem today whilst working on a SharePoint file upload script. To get around it I've just used the credentials switch with a Windows Credential Manager entry. This is shown in example 4 on the docs page: https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/connect-pnponline?view=sharepoint-ps

[AbhishekGarg]

The contributions to this project are made by volunteers who do this in their spare time out of love for the community. Please don't shame them.

Are all contributors volunteers? We were under the impression that Microsoft is primarily maintaining the repo, along with support from volunteers from the community, of course. Does not look like a great direction to take, from MS standpoint, if they are trying to increase their product's adoption among the dev community, when nothing has a fixed timeline for resolution.

[AbhishekGarg]

I experienced this problem today whilst working on a SharePoint file upload script. To get around it I've just used the credentials switch with a Windows Credential Manager entry. This is shown in example 4 on the docs page: https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/connect-pnponline?view=sharepoint-ps

Unfortunately, the credentials switch does not work with the MFA accounts, and that is where we need to use -UseWebLogin.

[syd-git]

Hello everyone, This is my first post here. I have the same problem. Firstly I retrieve get-pnpsubwebs -recurse and then foreach loop and connecting to sites using -useweblogin. For the first 25 sites the process is very fast and then slowed down to 5 min for each to connect. Any fix or workaround is really appreciated.

[tmoii]

Hi there. Any updates on this issue? So i noticed the following:

Im running my scripts on a Windows Server 2008. I was on PowerShell version 4 and PnP-Module 2.xx and did not have this issue.

Now i upgraded to PowerShell version 5 and PnP-Module 3.12.xx and experience these delays. Any help would be greatly appreciated.

[felixbohnacker]

Are there any updates regarding this issue already? I can still reproduce it unfortunately.

[Rafaelki]

Running Connect-PnPOnline in a different thread worked for me:

Function DoSomething($SiteUrl){
  Connect-PnPOnline -Url $SiteUrl -UseWebLogin
  ...
}

$sites | ForEach-Object {
  $site = $_
  Start-Job -ScriptBlock ${Function:DoSomething} -ArgumentList $site.Url | Wait-Job | Receive-Job
}

[AbhishekGarg]

@KoenZomers any possibility you could help with this issue, or maybe a comment to point in the right direction?

[KoenZomers]

Weird one guys. I have personally never seen this behavior before and from the code I wouldn't be able to think of something that could be causing this. For me doing a Connect-PnPOnline -UseWebLogin takes less than a second, no matter how often I do it again.

Can any of you experiencing this run a Fiddler capture when you try this and share it privately with me? Don't share it in here as it may contain authentication tokens.

[KoenZomers]

The contributions to this project are made by volunteers who do this in their spare time out of love for the community. Please don't shame them.

Are all contributors volunteers? We were under the impression that Microsoft is primarily maintaining the repo, along with support from volunteers from the community, of course. Does not look like a great direction to take, from MS standpoint, if they are trying to increase their product's adoption among the dev community, when nothing has a fixed timeline for resolution.

It currently still is 100% a community driven effort in which anyone is free and welcomed to contribute. There happen to be quite a few people from Microsoft, myself included, in the group to lovingly spend their spare time on this, but this is in no way supported by Microsoft. Going through a single issue typically takes a few hours or more to fully understand the issue, have some discussions on how to best fix it, build a scenario to reproduce it, dive into the issue, figure out if it's an error in code or an error in the API and circle back. I understand it may be frustrating that we can't get to every single issue being reported, but we're trying to do our best to make this a great community effort. I would very much welcome you to help out. Even if you don't have dev skills, going through the issues would already be something that can help. Sometimes they are just relatively simple "how do I do this?" questions. Or update the documentation on how to make use of PnP PowerShell. Together we can make great things!

[tmoii]

Can any of you experiencing this run a Fiddler capture when you try this and share it privately with me? Don't share it in here as it may contain authentication tokens.

Thanks for looking into this. I ran Fiddler while experiencing this. As I am not an expert with Fiddler, how can i export the capture and share it with you? Fiddler would let me save the session in a ".saz" format, is that what you need? How can i send it to you?

[KoenZomers]

@tmoii save as SAZ will work. E-mail me the file at koen@zomers.eu and I'll have a look if I can find out why it takes so long.

Did you enable HTTPS decryption in Fiddler? Otherwise I won't have the insight I need to troubleshoot it.

[tmoii]

@tmoii save as SAZ will work. E-mail me the file at koen@zomers.eu and I'll have a look if I can find out why it takes so long.

Did you enable HTTPS decryption in Fiddler? Otherwise I won't have the insight I need to troubleshoot it.

I did enable the HTTPS decryption after doing the capture. I guess that is too late then? Should i create another capture? I guess you treat this file confidential as it will contain company urls.

[KoenZomers]

@tmoii, yes it needs to be done before capturing. It will indeed contain PII which I will treat it confidentially. I will delete the information directly after the research for the cause of the issue.

[tmoii]

Ok, I sent you the newly created capture. Lets hope you can find out what is going on there. Thank you.

[KoenZomers]

Thanks for sharing the Fiddler trace @tmoii! It allowed me to fairly easy get an understanding of what's going on in your scenario and even be able to reproduce it on my own environment now.

If you connect using Connect-PnPOnline -UseWebLogin -Url https://yourtenant-admin.sharepoint.com, it will retrieve the homepage and even follow the 302 redirect it returns by default. In the scenario where you are still using the classic SharePoint Online Admin Center, it will wait until this entire extremely slow page has been loaded before it continues.

The easy solution here would be to switch your SharePoint Online Admin Center to make use of the new admin center. You can do this by going to https://yourtenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/settings/NewPortalAsDefault and setting it to New SharePoint admin center:

If you now connect with PnP PowerShell, the login should take less than a second to complete.

I will have a look if we can change the login procedure to not have to fetch the homepage anymore. Use this as an easy workaround. Switching to the new SharePoint admin center is highly recommended anyway, regardless whether or not you are using PnP PowerShell.

[KoenZomers]

Had a look at the code behind this. In the current way it has been implemented, we unfortunately have no way of fixing this behavior in code. We may be able to fix it in PnP PowerShell version 4 which will become available cross platform. For now, please follow the recommendation I described above to switch to the new modern SharePoint Online Admin center on your tenant.

Closing this issue as there's nothing else we can do about it from our side at this point. Feel free to reopen or comment if you are still experiencing the issue after having switched to the new modern admin experience.

[KoenZomers]

I have found an option to fix this in the code anyway. I have submitted a PR for it. Still would recommend to update your SharePoint Online Admin Center experience to new/modern.

[gredionprajena]

I experienced this problem today whilst working on a SharePoint file upload script. To get around it I've just used the credentials switch with a Windows Credential Manager entry. This is shown in example 4 on the docs page: https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/connect-pnponline?view=sharepoint-ps

Thank you @codejunky-uk I use the Example 11 and it much faster than UseWebLogin Here the code: Connect-PnPOnline -Url $Row.SiteURL -SPOManagementShell

[SjoerdV]

If you use an account with MFA enabled AND do not have an App account available AND do not have SharePoint Admin permissions then using the UseWebLogin parameter is still your only option as I see it right now (please correct me if I am wrong!)

Not working: I was able to 'alleviate' the issue by using a Start-Sleep -Seconds 10 command before switching to a different site context.

Reconnecting any faster than with 10 second intervals seems to trigger the 5 minute 'hang'.