Open sudharsank opened 4 years ago
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
Have exactly same issue.
Hi, Is there any update on this issue? Any solution?
Hi @sudharsank, I just ran into a similar issue (403 Forbidden) when I was trying to update user profile pictures using the app identity via Azure Automation, and in my case it helped to switch to a SharePoint App-Only principal instead of an Azure AD application.
As stated on docs page https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only:
User Profile CSOM write operations do not work with Azure AD application - read operations work. Both read and write operations work through SharePoint App-Only principal
Might this help in resolving your issue too?
@machv, using SharePoint App-Only permissions would create duplicated app records (instances), which would create additional security risk and make maintenance of the solution more difficult. Additionally, here is the purpose of using this principal :):
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online
@Forket I am aware of this and I fully agree that it would be great if Azure AD would have the same feature set as SharePoint App-Only model.
But currently, this is the only way that I am aware of, how to resolve this.
What scope and permissions level do you use in your SP App only?
Alex | Sen IT Consultant | Office 365 Expert
I confirm that SP App ID / App Secret combo works with writing the User Profile Service. The docs say it won't work. It does, however.
In terms of permissions, it's full control on the UPS:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>
You may want/need full control at the tenancy level, in which case also add this:
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
Then to use this from PnP PowerShell, you can connect like this:
Connect-PnPOnline -Url https://[YOUR_TENANT_HERE]-admin.sharepoint.com -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"
Here's an actual working code snippet that will set an arbitrary User Profile property to a value for a specified user, presuming you have the variables set like me:
$adminConnection = Connect-PnPOnline -Url $adminUrl -ReturnConnection -AppId $appId -AppSecret $appSecret;
Set-PnPUserProfileProperty -Account $user -PropertyName $propertyName -Value $value -Connection $adminConnection;
The only real gotchas when setting this up are:
Enjoy!
Joel Jeffery w:joelblogs.co.uk t:@joelblogs
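The procedure in the comment above, as an added, complete script that is not from the thread or from the PnP project: it connects to the tenant admin site with a SharePoint App-Only (ACS) principal, sets one user profile property, and reads it back to verify the write. It assumes the principal was registered through /_layouts/15/appregnew.aspx and granted both FullControl scopes on the admin site's /_layouts/15/appinv.aspx, that the client secret is supplied in an environment variable named SPO_APP_SECRET (a name chosen here, not from the thread), and that the current PnP.PowerShell module is installed (its -ClientId/-ClientSecret parameters correspond to -AppId/-AppSecret in the older SharePointPnPPowerShellOnline module).

```powershell
# Added example (not the thread's own code): write a user profile property
# with a SharePoint App-Only principal and verify it by reading it back.
# Assumptions: principal already registered and granted the scopes below;
# secret provided via $env:SPO_APP_SECRET (hypothetical variable name).
param(
    [Parameter(Mandatory)] [string] $Tenant,        # e.g. contoso (for contoso-admin.sharepoint.com)
    [Parameter(Mandatory)] [string] $ClientId,      # client ID from appregnew.aspx
    [Parameter(Mandatory)] [string] $Account,       # e.g. user@contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $PropertyName,  # e.g. Department
    [Parameter(Mandatory)] [string] $Value
)

$ErrorActionPreference = 'Stop'

# Permission request XML for appinv.aspx. The thread reports that
# social/tenant alone fails; both scopes together succeed.
$permissionXml = @"
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
"@

# Keep the secret out of the script and out of the command line history.
$secret = $env:SPO_APP_SECRET
if ([string]::IsNullOrEmpty($secret)) { throw 'Set SPO_APP_SECRET before running this script.' }

$adminUrl = "https://$Tenant-admin.sharepoint.com"

# User Profile writes must go through the tenant admin site, not a regular site.
$conn = Connect-PnPOnline -Url $adminUrl -ClientId $ClientId -ClientSecret $secret -ReturnConnection

try {
    Set-PnPUserProfileProperty -Account $Account -PropertyName $PropertyName -Value $Value -Connection $conn
}
catch {
    # The symptom from the thread: ServerUnauthorizedAccessException / "Access denied".
    if ($_.Exception.Message -like '*Access denied*') {
        throw ("Access denied for principal $ClientId. Grant the scopes below on " +
               "$adminUrl/_layouts/15/appinv.aspx (social/tenant alone is not enough):`n$permissionXml")
    }
    throw
}

# Read the profile back and confirm the property actually changed.
$props  = Get-PnPUserProfileProperty -Account $Account -Connection $conn
$actual = $props.UserProfileProperties[$PropertyName]
if ($actual -ne $Value) {
    throw "Verification failed: '$PropertyName' is '$actual', expected '$Value'."
}
Write-Host "Updated $PropertyName for $Account to '$Value'."
```

Run it as `.\Set-ProfileProperty.ps1 -Tenant contoso -ClientId <guid> -Account user@contoso.onmicrosoft.com -PropertyName Department -Value Security` after exporting the secret. The read-back step matters because Set-PnPUserProfileProperty can return without error on a principal that has read but not write rights in some configurations, so checking the stored value is the only reliable confirmation that the write landed.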
Can confirm (SharePointPnPPowerShellOnline v3.26.2010), when I attempt to update User Profile properties:
Fail: <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Manage" />
Fail: <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
Success (together):
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
Is this open issue still active?
I am trying with the latest PnP.PowerShell libraries (0.3.36) and still face this issue when trying to update a user profile property using this command:
Set-PnPUserProfileProperty -Account "name.onmicrosoft.com" -PropertyName "NameOfProperty" -Value "1"
I'm connecting using the TenantAdminUrl and Global Admin credentials:
Connect-PnPOnline -Url $tenantAdminUrl -Credentials $mycredentials
This is the Access Denied error:
Set-PnPUserProfileProperty : Access denied. You do not have permission to perform this action or access this resource.
At C:\Code\CP - ATLAS - Extensibility Framework\09 PowerShell\ClearPeople.Atlas.PowerShell\01 Scripts (Development)\test.ps1:17 char:1
+ Set-PnPUserProfileProperty -Account "estark@tenantname.onmicrosoft.com" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Set-PnPUserProfileProperty], ServerUnauthorizedAccessException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.SetUserProfileProperty
Are there plans for making this work using the new PnP.PowerShell without needing workarounds or additional steps on the Tenant?
Is there an approach to get this to work without having to create a new SharePoint App Principal on the SharePoint Tenant and/or without assigning 'FullControl' over the tenant (content and social)? For example, it is possible to add the permissions to the existing SP App Principal which is already created by the PnP.PowerShell App when you register it; but then was wondering, is there a way to find the ClientSecret for that existing SP App Principal?
Issue
When using Set-PnPUserProfileProperty in an Azure Function with PowerShell, with the permissions defined as Application Permissions: once connected to the admin site URL using client ID, tenant and certificate, trying to update the User Profile property throws an error.
Expected behavior
The User Profile Properties must have been updated.
Actual behavior
2020-03-15T07:49:48.239 [Error] Set-PnPUserProfileProperty : Access denied. You do not have permission to perform this action or access this resource. at run.ps1: line 50
Attached the screenshot for the reference
Below are the permissions given for the application in Azure API Permissions
Steps to reproduce behavior
Which version of the PnP-PowerShell Cmdlets are you using?
What is the version of the Cmdlet module you are running?
Used both of the versions below; both throw the error: 3.17.2001.2 and 3.19.2003.0
How did you install the PnP-PowerShell Cmdlets?
Followed the video by Paolo Pialorsi (PiaSys) https://www.youtube.com/watch?v=plS_1BsQAto&list=PL-KKED6SsFo8TxDgQmvMO308p51AO1zln&index=2&t=0s