pnp / PnP-PowerShell

SharePoint PnP PowerShell CmdLets
https://pnp.github.io/powershell

Set-PnPUserProfileProperty with Application Permission in Azure Function #2582

Open sudharsank opened 4 years ago

sudharsank commented 4 years ago

Issue

When using Set-PnPUserProfileProperty in an Azure Function with PowerShell, with the permissions defined using Application Permission: once connected to the admin site URL using client ID, tenant and cert, trying to update the user profile property throws an error.

Expected behavior

The User Profile Property should have been updated.

Actual behavior

2020-03-15T07:49:48.239 [Error] Set-PnPUserProfileProperty : Access denied. You do not have permission to perform this action or access this resource. at run.ps1: line 50

Attached a screenshot for reference.

Below are the permissions given for the application in Azure API Permissions (screenshot).

Steps to reproduce behavior

$tenant = $env:Tenant
$clientid = $env:ClientID
$thumbprint = $env:Thumbprint

Connect to the root site collection using the cert:

Connect-PnPOnline -Url $targeturl -ClientId $clientid -Thumbprint $thumbprint -Tenant $tenant
Set-PnPUserProfileProperty -Account 'UserID@tenant.onmicrosoft.com' -PropertyName 'Title' -Value 'Title Value'

Which version of the PnP-PowerShell Cmdlets are you using?

What is the version of the Cmdlet module you are running?

Used both of the versions mentioned below; both throw the error:

3.17.2001.2
3.19.2003.0

How did you install the PnP-PowerShell Cmdlets?

Followed the video by Paolo Pialorsi (PiaSys) https://www.youtube.com/watch?v=plS_1BsQAto&list=PL-KKED6SsFo8TxDgQmvMO308p51AO1zln&index=2&t=0s

ghost commented 4 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

AlexSen commented 4 years ago

Have exactly same issue.

sudharsank commented 4 years ago

Hi, Is there any update on this issue? Any solution?

machv commented 4 years ago

Hi @sudharsank, I just ran into a similar issue (403 Forbidden) when I was trying to update user profile pictures using the app identity via Azure Automation, and in my case it helped to switch to a SharePoint App-Only principal instead of an Azure AD application.

As stated on docs page https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only:

User Profile CSOM write operations do not work with Azure AD application - read operations work. Both read and write operations work through SharePoint App-Only principal

Might this help in resolving your issue too?

AlexSen commented 4 years ago

@machv, using SharePoint App-Only permissions would create duplicate app records (instances), which would create additional security risk and make maintenance of the solution more difficult. Additionally, here is the purpose of using this principal :):

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online

machv commented 4 years ago

@Forket I am aware of this and I fully agree that it would be great if Azure AD would have the same feature set as SharePoint App-Only model.

But currently, this is the only way that I am aware of, how to resolve this.

AlexSen commented 4 years ago

What scope and permissions level do you use in your SP App only?


joeljeffery commented 4 years ago

I confirm that SP App ID / App Secret combo works with writing the User Profile Service. The docs say it won't work. It does, however.


In terms of permissions, it's full control on the UPS:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>

You may want/need full control at the tenancy level, in which case also add this:

<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />

Then to use this from PnP PowerShell, you can connect like this:

Connect-PnPOnline -Url https://[YOUR_TENANT_HERE]-admin.sharepoint.com -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"

Here's an actual working code snippet that will set an arbitrary User Profile property to a value for a specified user, presuming you have the variables set like me:

$adminConnection = Connect-PnPOnline -Url $adminUrl -ReturnConnection -AppId $appId -AppSecret $appSecret;
Set-PnPUserProfileProperty -Account $user -PropertyName $propertyName -Value $value -Connection $adminConnection;

The only real gotchas when setting this up are:

Enjoy!

Joel Jeffery w:joelblogs.co.uk t:@joelblogs

vaderj commented 3 years ago

Can confirm (SharePointPnPPowerShellOnline v3.26.2010), when I attempt to update User Profile properties:

Fail:
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Manage" />

Fail:
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />

Success (together):
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
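The procedure described in the original report (certificate-based Azure AD app in an Azure Function), in joeljeffery's comment (SharePoint App-Only principal with FullControl on social/tenant plus content/tenant, connected with -AppId/-AppSecret) and confirmed by vaderj above, put together as one runnable script. This is an added example, not code from the thread or from the PnP project. It assumes the legacy SharePointPnPPowerShellOnline module (the one that has -AppId/-AppSecret), an ACS principal already registered with both FullControl scopes, and environment variable names SPO_ADMIN_URL, SPO_APP_ID and SPO_APP_SECRET, which are invented here (in an Azure Function or Automation account they would be fed from Key Vault rather than stored in code). The read-back via Get-PnPUserProfileProperty and its UserProfileProperties dictionary is the verification step a practitioner would add; the exception-type check on ServerUnauthorizedAccessException matches the error record shown later in this thread.

```powershell
# Added example (not the thread's code): write a user profile property through a
# SharePoint App-Only (ACS) principal, map the "Access denied" failure back to its
# known causes, and verify the write by reading the property back.
#
# Assumptions (not taken from the thread):
#  - SharePointPnPPowerShellOnline (legacy module) is installed.
#  - The ACS principal has FullControl on http://sharepoint/social/tenant AND
#    http://sharepoint/content/tenant (the combination vaderj reports as working).
#  - Secrets come from environment variables named below; never hard-code them.
param(
    [Parameter(Mandatory)] [string] $Account,       # e.g. user@tenant.onmicrosoft.com
    [Parameter(Mandatory)] [string] $PropertyName,  # e.g. Title
    [Parameter(Mandatory)] [string] $Value
)

$adminUrl  = $env:SPO_ADMIN_URL    # https://<tenant>-admin.sharepoint.com  (assumed variable name)
$appId     = $env:SPO_APP_ID       # client id of the ACS principal          (assumed variable name)
$appSecret = $env:SPO_APP_SECRET   # client secret of the ACS principal      (assumed variable name)

foreach ($name in 'SPO_ADMIN_URL', 'SPO_APP_ID', 'SPO_APP_SECRET') {
    if ([string]::IsNullOrWhiteSpace((Get-Item "env:$name" -ErrorAction SilentlyContinue).Value)) {
        throw "Environment variable $name is not set"
    }
}

Import-Module SharePointPnPPowerShellOnline -ErrorAction Stop

# Connect against the tenant *admin* site with the ACS principal. -ReturnConnection
# keeps the connection in a variable instead of the module's global state, which
# matters when one function host runs several invocations.
$conn = Connect-PnPOnline -Url $adminUrl -AppId $appId -AppSecret $appSecret -ReturnConnection

try {
    Set-PnPUserProfileProperty -Account $Account -PropertyName $PropertyName -Value $Value `
        -Connection $conn -ErrorAction Stop
}
catch {
    $ex = $_.Exception
    $denied = ($ex.GetType().Name -eq 'ServerUnauthorizedAccessException') -or
              ($ex.Message -like '*Access denied*')
    if ($denied) {
        # The failure mode discussed in this thread. Causes seen above:
        #  - the identity is an Azure AD app (client id + certificate): CSOM user profile
        #    writes are not supported for it, only reads;
        #  - the ACS principal has social/tenant FullControl but not content/tenant FullControl.
        throw ("User profile write denied for {0}. Use a SharePoint App-Only principal with " +
               "FullControl on http://sharepoint/social/tenant and http://sharepoint/content/tenant. " +
               "Inner error: {1}") -f $Account, $ex.Message
    }
    throw
}

# Verify the write. User profile updates can take a moment to become readable,
# so poll a few times before declaring failure. UserProfileProperties is assumed
# to be the key/value dictionary on the PersonProperties object the cmdlet returns.
$actual = $null
for ($attempt = 0; $attempt -lt 5 -and $actual -ne $Value; $attempt++) {
    Start-Sleep -Seconds 2
    $profile = Get-PnPUserProfileProperty -Account $Account -Connection $conn
    $actual  = $profile.UserProfileProperties[$PropertyName]
}

if ($actual -ne $Value) {
    throw "Verification failed: $PropertyName for $Account is '$actual', expected '$Value'"
}
Write-Output "Set $PropertyName='$Value' for $Account"
```

The FullControl-on-content/tenant requirement is exactly the concern AlexSen raises: the principal that can write one profile field can also touch every site in the tenant. Treat its client secret accordingly (Key Vault reference in the Function App settings, short rotation interval, and a single principal shared by the solution rather than one per script), and keep this script as the only consumer of that secret.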

MatthewSammut commented 3 years ago

Is this open issue still active?

I am trying with the latest PnP.PowerShell libraries (0.3.36) and still faced this issue when trying to update a user profile property using this command:

Set-PnPUserProfileProperty -Account "name.onmicrosoft.com" -PropertyName "NameOfProperty" -Value "1" 

I'm connecting using the TenantAdminUrl and Global Admin credentials:

Connect-PnPOnline -Url $tenantAdminUrl -Credentials $mycredentials

This is the Access Denied error:

Set-PnPUserProfileProperty : Access denied. You do not have permission to perform this action or access this resource.
At C:\Code\CP - ATLAS - Extensibility Framework\09 PowerShell\ClearPeople.Atlas.PowerShell\01 Scripts (Development)\test.ps1:17 char:1
+ Set-PnPUserProfileProperty -Account "estark@tenantname.onmicrosoft.com" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Set-PnPUserProfileProperty], ServerUnauthorizedAccessException
    + FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.SetUserProfileProperty

Are there plans for making this work using the new PnP.PowerShell without needing workarounds or additional steps on the Tenant?

Is there an approach to get this to work without having to create a new SharePoint App Principal on the SharePoint Tenant and/or without assigning 'FullControl' over the tenant (content and social)? For example, it is possible to add the permissions to the existing SP App Principal which is already created by the PnP.PowerShell App when you register it; but then was wondering, is there a way to find the ClientSecret for that existing SP App Principal?