pnp / PnP-PowerShell

SharePoint PnP PowerShell CmdLets
https://pnp.github.io/powershell

Connect-PnPOnline -AccessToken is not working #2631

Closed AlexSen closed 4 years ago

AlexSen commented 4 years ago

Reporting an Issue or Missing Feature

Issue

Expected behavior

Connect to the tenant using an Azure AD registered app. Need this connection to use:

Get-PnPUnifiedAuditLog -ContentType SharePoint -StartTime (Get-Date).AddDays(-2) -EndTime (Get-Date).AddDays(-1) | Select -First 1

Actual behavior

Error on connection

Connect-PnPOnline : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-PnPOnline -AccessToken (Get-PnPManagementApiAccessToken -Tena ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-PnPOnline], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,SharePointPnP.PowerShell.Commands.Base.ConnectOnline

Steps to reproduce behavior

Connect-PnPOnline -AccessToken (Get-PnPManagementApiAccessToken -TenantId $TenantId -ClientId $AzAppClientId -ClientSecret $AzAppClientSecret)

Which version of the PnP-PowerShell Cmdlets are you using?

What is the version of the Cmdlet module you are running?

Name                          Version    
----                          -------
SharePointPnPPowerShellOnline 3.20.2004.0

How did you install the PnP-PowerShell Cmdlets?

Azure App permission in AzureAD


ghost commented 4 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

KoenZomers commented 4 years ago

Confirmed. Working on a fix for the May 2020 release. For now, please revert to the March 2020 release to use this functionality.

KoenZomers commented 4 years ago

May 2020 has been released but it doesn't contain the fix yet due to personal circumstances of the repository owner. Please stick with March 2020 for now until the next PnP PowerShell release, which may still be in May. This is yet to be defined.

angelstephen commented 4 years ago

Hi @KoenZomers, was this issue fixed? When can we expect the release? Please let us know... we need to implement the same functionality.

KoenZomers commented 4 years ago

@angelstephen The fix for it is ready, but it didn't make it into the May 2020 release unfortunately. Erwin van Hunen is ultimately responsible for this GitHub project and is going through some really difficult times in his personal life at the moment. He needs to do the final approval and merge. Not sure yet when he will be able to focus on this project again. In the meantime please stay with the March 2020 release so as not to run into this issue. If you need something from the April 2020 release, I can give you a private build in the meantime to get the fix for this already on top of the May 2020 release. Just let me know in case you would like to have that. Once the official release gets out with the patch included, you can simply overwrite your files with the official release again and continue from there.

angelstephen commented 4 years ago

@KoenZomers ... thank you so much... we have worked out an alternate way... and wish and pray everything goes well for Erwin van Hunen...

levmel commented 4 years ago

What about the version from yesterday? Can we log in with AccessToken again? I'm getting a "401 Unauthorized" error message with my valid token.

KoenZomers commented 4 years ago

@leothereal that release still doesn't contain any PR unfortunately. Aim is to get the PRs included in the next release on June 8.

levmel commented 4 years ago

@KoenZomers is there any other possibility? I would like to connect with an access token or AppId and AppSecret. The goal is to run it via an Azure Automation Account, so "Connect-PnPOnline -Url $url -UseWebLogin" seems not to be an option. The access token response is positive, but when I try to use it with the "Connect-PnPOnline" method I can't use Get-PnPGroup. My error message is "401 unauthorized".

KoenZomers commented 4 years ago

@leothereal Get-PnPGroup or Get-PnPUnifiedGroup? I'm assuming it's the latter you're trying to use?

levmel commented 4 years ago

@KoenZomers is it not valid ? https://docs.microsoft.com/de-de/powershell/module/sharepoint-pnp/get-pnpgroup?view=sharepoint-ps

KoenZomers commented 4 years ago

@leothereal It is, but that's a SharePoint cmdlet, so then it would not make sense to try to connect with -AccessToken. I've filed PR #2657 which will make all of this A LOT clearer and easier for end users. Have a look at this PR. I put a table in there with the possible connect options. For using Get-PnPGroup you can use any of the options that have an X in the SPO column. You'll see you'll have many options to connect. Perhaps the best one for Azure Automation would be:

Connect-PnPOnline -Url https://contoso.sharepoint.com -ClientId '' -Tenant 'contoso.onmicrosoft.com' -Certificate ""

levmel commented 4 years ago

@KoenZomers Thank you for your help. My goal is to create groups and assign users to these groups automatically. Can you give me some advice? Which option would you recommend? And where can I get this certificate from?

fastlaneb commented 4 years ago

Hi @leothereal I second @KoenZomers recommendation that connecting via a certificate is the best way here. You will need to create the certificate yourself and register it with your Azure App Registration. Your best bet is to check many of the resources on the web that outline doing this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

levmel commented 4 years ago

@fastlaneb but the certificate is a file path. I can't use this parameter due to Azure Automation Runbook.

fastlaneb commented 4 years ago

@leothereal You can upload the certificate into the Azure Runbook and then use it.
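The runbook shape fastlaneb is describing, as an added example that is not code from this thread or from the PnP project: the certificate is stored as an Azure Automation certificate asset rather than a file path, pulled into the runbook as an X509Certificate2 object, and used for an app-only Azure AD connection. The asset names `PnPAppOnlyCert` and `PnPAppClientId`, the tenant and the site URL are placeholders, and passing the certificate object via `-Certificate` is an assumption based on the `Connect-PnPOnline -Certificate` form used elsewhere in this thread.

```powershell
# Added example, not code from the issue thread or the PnP project.
# Azure Automation runbook (Windows PowerShell 5.1, SharePointPnPPowerShellOnline imported
# as a module asset) that connects app-only with a certificate stored as an Automation
# certificate asset and runs a read-only probe before anything is written.
# Assumed names: asset names 'PnPAppOnlyCert' and 'PnPAppClientId', tenant and site URL.
param(
    [Parameter(Mandatory = $false)]
    [string]$SiteUrl = 'https://contoso.sharepoint.com/sites/yoursite',

    [Parameter(Mandatory = $false)]
    [string]$Tenant = 'contoso.onmicrosoft.com'
)

$ErrorActionPreference = 'Stop'

# The private key never touches disk or the script: Get-AutomationCertificate returns an
# X509Certificate2 straight from the encrypted asset store.
$cert = Get-AutomationCertificate -Name 'PnPAppOnlyCert'
if (-not $cert.HasPrivateKey) {
    throw "Certificate asset 'PnPAppOnlyCert' has no private key; upload the .pfx and mark it exportable."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); rotate it and update the app registration."
}

# The client id is not a secret, but a variable asset avoids hard-coding it per environment.
$clientId = Get-AutomationVariable -Name 'PnPAppClientId'

# App-only (Azure AD) connection. -Certificate taking the X509Certificate2 object is an
# assumption; if your module version only accepts a .pfx on disk, write the asset to
# $env:TEMP and use -CertificatePath/-CertificatePassword instead.
Connect-PnPOnline -Url $SiteUrl -ClientId $clientId -Tenant $Tenant -Certificate $cert

try {
    # Read-only probe: fails fast with 401/403 if the app registration lacks a SharePoint
    # application permission (e.g. Sites.FullControl.All) or admin consent was never given.
    $web = Get-PnPWeb
    Write-Output "Connected app-only to '$($web.Title)' ($($web.Url)) as client $clientId"
}
finally {
    Disconnect-PnPOnline
}
```

The thing to keep in mind with this connection type is that the grant lives on the Azure AD app registration, so it is tenant-wide: whatever SharePoint application permission the admin consents to applies to every site collection, which is exactly the constraint levmel runs into later in the thread.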

levmel commented 4 years ago

@fabianseither Alright.. thank you guys!

KoenZomers commented 4 years ago

@leothereal Also have a look at @erwinvanhunen's new magical PnP PowerShell command Initialize-PnPPowerShellAuthentication to generate the certificate for you and register it in AAD, all with a single cmdlet :)


haroldvandekamp commented 4 years ago

@leothereal, like @KoenZomers mentioned, I also used the PnP PowerShell Initialize-PnPPowerShellAuthentication command.

The following videos were of great inspiration for the solution I had to build based on App-Only and works in a tenant with Security Defaults on:

KoenZomers commented 4 years ago

Nice addition @haroldvandekamp! I've filed PR #2696 to include a link to the YouTube recording in the detailed description of the cmdlet.

haroldvandekamp commented 4 years ago

@leothereal @KoenZomers In my solution, as a workaround I switched from Azure Runbook to Azure Functions. I like Azure Runbooks more than Azure Functions because it's much easier to import PowerShell modules, e.g. the SharePointPnPPowerShellOnline module. However, when I used the Azure Runbook it returned the error mentioned in issue #2679

Unable to find an entry point named 'GetPerAdapterInfo' in DLL 'iphlpapi.dll'

When I switched to Azure Functions I had to extract all the DLLs and upload them using the KUDU tool. To extract the DLLs I used the following PowerShell command: Save-Module -Name SharePointPnPPowerShellOnline -Path C:\temp\SharePointPnPPowerShellOnline\binaries

levmel commented 4 years ago

@KoenZomers @haroldvandekamp The thing is that I'm not the administrator. The certificate should only be valid for one site collection on SharePoint Online. I should not have the permission to connect to all and everything. In the meanwhile I could register my App on the SharePoint site collection. I should only be able to control the group and user management in one site collection. As I understand it, only my admin can create this certificate and the admin portal can only grant API authorization to the whole SharePoint Online. Is it right?

KoenZomers commented 4 years ago

> @leothereal @KoenZomers In my solution, as a workaround I switched from Azure Runbook to Azure Functions. I like Azure Runbooks more than Azure Functions because it's much easier to import PowerShell modules, e.g. the SharePointPnPPowerShellOnline module. However, when I used the Azure Runbook it returned the error mentioned in issue #2679
>
> Unable to find an entry point named 'GetPerAdapterInfo' in DLL 'iphlpapi.dll'
>
> When I switched to Azure Functions I had to extract all the DLLs and upload them using the KUDU tool. To extract the DLLs I used the following PowerShell command: Save-Module -Name SharePointPnPPowerShellOnline -Path C:\temp\SharePointPnPPowerShellOnline\binaries

I have never used Runbooks yet and always use Azure Functions in the way you describe. You can nicely store the certificate in an Azure Vault. PnP PowerShell has built in functionality to support that.

KoenZomers commented 4 years ago

> @KoenZomers @haroldvandekamp The thing is that I'm not the administrator. The certificate should only be valid for one site collection on SharePoint Online. I should not have the permission to connect to all and everything. In the meanwhile I could register my App on the SharePoint site collection. I should only be able to control the group and user management in one site collection. As I understand it, only my admin can create this certificate and the admin portal can only grant API authorization to the whole SharePoint Online. Is it right?

Not entirely right. It depends on how the Azure Active Directory has been configured whether you can register new applications as a normal end user. Just go to https://aad.portal.azure.com and then to App registrations to see if it allows you to create a new registration. If not, you need an admin; if so, you can proceed yourself. Just register a new application without assigning it permissions. Go to https://yourtenant.sharepoint.com/sites/yoursite/_layouts/appinv.aspx, enter the Client Id from the Azure App Registration in the App Id field and provide it with the fine-grained permissions you need for only that site. The only requirement will be that you are a site collection admin on the site you wish to give it permissions to.
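The procedure Koen lays out above, carried through end to end as an added example (not code from this thread or from the PnP project): an app registration with no Azure AD API permissions at all, trusted on a single site collection through appinv.aspx with the `http://sharepoint/content/sitecollection` scope, then driven from an Azure Automation runbook with the legacy client id / client secret connection and plain SharePoint group cmdlets. The site URL, the credential asset name `PnPSiteApp`, and the group and user names are placeholders.

```powershell
# Added example, not code from the issue thread or the PnP project.
# Site-collection-scoped app-only access: an AAD app registration with NO API permissions,
# trusted on exactly one site collection via appinv.aspx, then used from an Azure Automation
# runbook with the legacy (ACS) client id / client secret connection.
# Assumed names: site URL, credential asset 'PnPSiteApp', group and user names.

# Step 1 (browser, one time, done by a site collection admin): open
#   https://contoso.sharepoint.com/sites/yoursite/_layouts/15/appinv.aspx
# enter the app registration's Client Id in "App Id", click Lookup, and paste this XML.
# Scope "http://sharepoint/content/sitecollection" confines the grant to this one site
# collection; Right is the least of Read / Write / Manage / FullControl the job needs.
# Creating groups and managing membership needs Manage; nothing here needs FullControl.
$permissionRequestXml = @"
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Manage" />
</AppPermissionRequests>
"@
Write-Output "Paste into appinv.aspx:`n$permissionRequestXml"

# Step 2 (runbook): the secret lives in an Automation credential asset
# (UserName = Client Id, Password = Client Secret), never in the script body.
$ErrorActionPreference = 'Stop'
$siteUrl = 'https://contoso.sharepoint.com/sites/yoursite'
$appCred = Get-AutomationPSCredential -Name 'PnPSiteApp'

Connect-PnPOnline -Url $siteUrl -AppId $appCred.UserName -AppSecret $appCred.GetNetworkCredential().Password

try {
    # These are SharePoint (CSOM) cmdlets, so the site-scoped grant is enough.
    # Get-PnPUnifiedGroup would go through Microsoft Graph and still be unauthorized.
    Get-PnPGroup | Select-Object Id, Title | Format-Table -AutoSize

    # Idempotent provisioning: create the group once, then only manage membership.
    $groupTitle = 'Project Contributors'
    $group = Get-PnPGroup -Identity $groupTitle -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-PnPGroup -Title $groupTitle -Description 'Provisioned by runbook'
        # Bind the group to a role on the site: Edit, not Full Control.
        Set-PnPGroupPermissions -Identity $groupTitle -AddRole 'Edit'
    }

    foreach ($login in @('alice@contoso.com', 'bob@contoso.com')) {
        Add-PnPUserToGroup -LoginName $login -Identity $groupTitle
    }
}
finally {
    Disconnect-PnPOnline
}
```

Two caveats a practitioner should weigh before copying this. The client secret is a bearer credential with the full Manage right on the site for as long as it is valid, so treat it like a password: keep it in the credential asset, rotate it before the one-year expiry that appinv.aspx assigns, and give the app only the Right the runbook actually exercises. And this is the legacy ACS path; Microsoft has since disabled "custom app authentication" by default on newly created tenants, so on a new tenant a SharePoint administrator has to re-enable it (Set-SPOTenant -DisableCustomAppAuthentication $false) before a client id / secret connection like this will work at all.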

levmel commented 4 years ago

@KoenZomers Perfect! We've got a SharePoint admin. He will grant permission to my app. I've got an additional question. When I use "Initialize-PnPPowerShellAuthentication", should the application name be the same as the one I've registered in the AAD, and can I create the certificate or should my admin do it?

levmel commented 4 years ago

@KoenZomers @haroldvandekamp @fastlaneb I did it with "Connect-PnPOnline -Url https://contoso.sharepoint.com -ClientId '' -Tenant 'contoso.onmicrosoft.com' -Certificate "" but after this I try to use "Get-PnPUnifiedGroup" and my message is:

My Context Authentication Mode is default by the way...

Get-PnPUnifiedGroup : Specify PowerShell Credentials or AppId and AppSecret At line:10 char:1

fastlaneb commented 4 years ago

Hi @leothereal Do any cmdlets work after connecting? Did you give your app reg the appropriate permissions in the AAD app reg? In this case the perms to read the groups?

levmel commented 4 years ago

@fastlaneb but @KoenZomers told me that I don't have to give any permission in AAD ... only in https://yourtenant.sharepoint.com/sites/yoursite/_layouts/appinv.aspx because my app needs to be permitted only on one site collection.

fastlaneb commented 4 years ago

@leothereal That would be if you are only executing cmdlets on that particular site collection. I'm pretty sure Get-PnPUnifiedGroup extends beyond that.

levmel commented 4 years ago

@fastlaneb so is there no other option than giving my app the permission on the whole SharePoint?

levmel commented 4 years ago

this is my Scope "http://sharepoint/content/sitecollection" but my error message still say that I'm not authorized.

fastlaneb commented 4 years ago

Get-PnPUnifiedGroup uses the Graph, so you need the graph perms: https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http

levmel commented 4 years ago

@fastlaneb okay are there any other possibilities to get and create groups with that what I've done before?

KoenZomers commented 4 years ago

> @fastlaneb but @KoenZomers told me that I don't have to give any permission in AAD ... only in https://yourtenant.sharepoint.com/sites/yoursite/_layouts/appinv.aspx because my app needs to be permitted only on one site collection.

That was in response to you confirming that you were trying to use Get-PnPGroup and not Get-PnPUnifiedGroup, which are technically two entirely different things. For Get-PnPUnifiedGroup you would at least need Group.Read.All permissions:

[screenshot of the app registration's API permissions omitted]

Please clarify what it is you're trying to accomplish.

levmel commented 4 years ago

@KoenZomers Thank you for your help. My only goal is to read and write groups on one site collection (I can't have access to any other site collection) and assign users to these groups from my Azure Automation Account. That's it. It sounds actually like a pretty easy job and I've already done more complicated things with the AAAccount. The main issue is that I can't have permission to anything else besides one special site collection. All the API permissions grant permission for the whole SharePoint.. but it is not my goal. Due to security it is not possible. In the meanwhile I could establish a connection with an authentication type default. The thing is that I can't read and write any groups on that specific site collection because I'm still not authorized.

KoenZomers commented 4 years ago

@leothereal The question then would be, do you want to assign permissions based on adding users to the Microsoft 365 Group behind the site collection or do you only want to give them direct rights to the SharePoint site collection only?

levmel commented 4 years ago

@KoenZomers @fastlaneb @haroldvandekamp Guys, I finally did it. It was the right way to use AppSecret and AppId as connection parameters. Thank you for your hint @KoenZomers with the AAD app registration and appinv.aspx. Now I can use the standard method Get-PnPGroup. It was not necessary to use a certificate. By the way, the connection with a certificate still doesn't work. Appreciate your time and help! You've helped me a lot. Thank you!!!

KoenZomers commented 4 years ago

The current released version indeed has some issues with some connect-pnponline options unfortunately. Good news is that the patch for them is ready and I'm doing everything I can to get it in the June 8th release.

KoenZomers commented 4 years ago

June release is expected on June 9th, 2020. It should be fixed in that release, therefore closing this issue. Feel free to reopen if the issue persists in the June 2020 release.