pnp / PnP-PowerShell

SharePoint PnP PowerShell CmdLets
https://pnp.github.io/powershell

Connect-PnPOnline with AppId/AppSecret succeeds, but any operation using the connection returns (403) Forbidden #2683

Closed sathya-bhat closed 4 years ago

sathya-bhat commented 4 years ago

Notice: many issues / bugs reported are actually related to the PnP Core Library which is used behind the scenes. Consider carefully where to report an issue:

  1. Are you using Apply-SPOProvisioningTemplate or Get-SPOProvisioningTemplate? The issue is most likely related to the Provisioning Engine. The Provisioning engine is not located in the PowerShell repo. Please report the issue here: https://github.com/officedev/PnP-Sites-Core/issues.
     No
  2. Is the issue related to the cmdlet itself, its parameters, the syntax, or do you suspect it is the code of the cmdlet that is causing the issue? Then please continue reporting the issue in this repo.
     No
  3. If you think that the functionality might be related to the underlying libraries that the cmdlet is calling (We realize that might be difficult to determine), please first double check the code of the cmdlet, which can be found here: https://github.com/OfficeDev/PnP-PowerShell/tree/master/Commands. If related to the cmdlet, continue reporting the issue here, otherwise report the issue at https://github.com/officedev/PnP-Sites-Core/issues
     Looks like a code issue within PnP, or SharePoint Online does not support the AppId/AppSecret combination?

Reporting an Issue or Missing Feature

Please confirm what it is that you're reporting

The Connect-PnPOnline succeeds against my O365 site with AppId/AppSecret, but any subsequent call using the returned connection results in error '(403) Forbidden'.

The AppId has all the required permissions in SharePoint. MFA is not enabled on the tenant.

The same AppID works with a certificate-based connection. It's the AppId/AppSecret combination that does not work. Looking at the following documentation, it appears that PnP cmdlets using AppId can work only with a certificate (not with AppSecret). Could you please confirm?

https://github.com/pnp/PnP-PowerShell/tree/master/Samples/SharePoint.ConnectUsingAppPermissions

Expected behavior

Please describe what output you expect to see from PnP-PowerShell Cmdlets

The returned connection from Connect-PnPOnline cannot be used in any subsequent calls.

Actual behavior

Please describe what you see instead. Please provide samples of HTML output or screenshots

The Get-PnPList or any other call using the returned connection fails with '403 Forbidden' error

The PnP trace log shows

PowerShell_ISE.exe Error: 0 : 2020-05-18 13:32:38.6259 [OfficeDevPnP.Core] [0] [Error] ExecuteQuery threw following exception: System.Net.WebException: The remote server returned an error: (403) Forbidden.

Steps to reproduce behavior

Create an AppId/AppSecret combination, grant the App all SharePoint permissions with admin consent. Run the following simple cmdlet against an O365 SharePoint site. Connect-PnPOnline should succeed, but the next call Get-PnPList fails with 403 Forbidden.

Please include complete code samples in-line or linked from gists

    Import-Module Microsoft.Online.SharePoint.PowerShell -ea Stop
    Import-Module SharePointPnPPowerShellOnline -ea Stop

    # Splatted parameters for Connect-PnPOnline (AppId/AppSecret connection)
    $ConnectionOptions = @{
        AppId            = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
        AppSecret        = 'yyyyyyyyyyyyyyyyyyyyyyyyyyyy'
        Url              = 'https://tenant1.sharepoint.com/sites/mysite'
        ErrorAction      = 'Stop'
        Verbose          = $True
        ReturnConnection = $True
    };

    $SPOPnPConnection = Connect-PnPOnline @ConnectionOptions

    Write-Host 'Connection succeeded. Now trying an operation on the session.'

    # This is the call that fails with (403) Forbidden
    Get-PnPList -Connection $SPOPnPConnection -ea Stop -Verbose

Which version of the PnP-PowerShell Cmdlets are you using?

What is the version of the Cmdlet module you are running?

(you can retrieve this by executing Get-Module -Name *pnppowershell* -ListAvailable)

3.21.2005.1. Also tried with 3.20.2004.0.

How did you install the PnP-PowerShell Cmdlets?

ghost commented 4 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

ajhawkins110 commented 4 years ago

I am experiencing the same issue. I have a 20% success rate in connecting to a SharePoint site. However I am using Connect-PnpOnline -Site $site -credentials $Credentials.

KoenZomers commented 4 years ago

Please try this again with the June 2020 release which will come out next Tuesday on June 9th, 2020. There are some known issues with authentication in the April and May releases which have been fixed in the upcoming release.

Using a combination of an AppId and AppSecret is perfectly supported. For an overview of all supported connect options as of the June 2020 release, have a look at https://github.com/pnp/PnP-PowerShell/wiki/Connect-options. This wiki page will be updated in the future to contain more detailed information on each of the connect options.

Closing this issue for now as I'm pretty sure the June release will address it. If it turns out it doesn't, feel free to reopen.

sathya-bhat commented 4 years ago

Thanks! I think I found the root cause of this issue. I had to grant permissions using AppPermissionRequests XML. Then it worked with AppId and AppSecret. It's described here. I will test the June 9th release as well.

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
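
The permission grant named in the last comment, as an added example that is not part of the thread or of PnP-PowerShell: a pre-flight check of an AppPermissionRequests XML before it is submitted on the site's appinv.aspx page (the grant step in the linked Microsoft article). The helper name `Test-AppPermissionRequest` is hypothetical and the sample XML is constructed; it checks that the grant is app-only and flags a tenant-wide FullControl request.

```powershell
# Constructed sample: an app-only grant limited to Read on one web.
$sampleXml = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
</AppPermissionRequests>
'@

function Test-AppPermissionRequest {   # hypothetical helper, not a PnP cmdlet
    param([Parameter(Mandatory)][string]$Xml)

    $root = ([xml]$Xml).DocumentElement
    if ($root.LocalName -ne 'AppPermissionRequests') {
        throw "Root element is '$($root.LocalName)', expected 'AppPermissionRequests'."
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # An AppId/AppSecret connection has no user context, so the grant
    # must explicitly allow app-only access.
    $appOnly = $root.GetAttribute('AllowAppOnlyPolicy') -eq 'true'
    if (-not $appOnly) {
        $findings.Add('AllowAppOnlyPolicy is not "true": the app is not authorized for app-only calls.')
    }

    $requests = @($root.ChildNodes | Where-Object { $_.LocalName -eq 'AppPermissionRequest' })
    if ($requests.Count -eq 0) {
        $findings.Add('No AppPermissionRequest elements: nothing is granted.')
    }
    foreach ($r in $requests) {
        # Least privilege: tenant-wide FullControl is rarely what a script needs.
        if ($r.GetAttribute('Scope') -eq 'http://sharepoint/content/tenant' -and
            $r.GetAttribute('Right') -eq 'FullControl') {
            $findings.Add('Tenant-wide FullControl requested: narrow Scope and Right.')
        }
    }

    [pscustomobject]@{
        AppOnly  = $appOnly
        Grants   = $requests | ForEach-Object { "$($_.GetAttribute('Right')) on $($_.GetAttribute('Scope'))" }
        Findings = $findings
    }
}

Test-AppPermissionRequest -Xml $sampleXml | Format-List
```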