Send-PnPMail permissions using AAD App Registration

AlexSen commented 4 years ago

Reporting an Issue or Missing Feature

Reporting an Issue

Expected behavior

Email sent from SPO Site used in Connection

Actual behavior

Send-PnPMail : Object reference not set to an instance of an object.
At line:1 char:1
+ Send-PnPMail -To "user@contoso.com" -Subject $EmailSubj ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Send-PnPMail], NullReferenceException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Utilities.SendMail

Steps to reproduce behavior

AzApp has:

Sites.Read.All permission granted via Azure Ad
Scope="http://sharepoint/content/sitecollection" Right="FullControl" via SharePoint App-Only (Site Collection used to send email from)

$PSDefaultParameterValues["Connect-PnPOnline:Tenant"] = "$TenantName.onmicrosoft.com"
$PSDefaultParameterValues["Connect-PnPOnline:ClientId"] = $AzAppClientId
$PSDefaultParameterValues["Connect-PnPOnline:Thumbprint"] = (Get-AutomationCertificate -Name $CertificateAssetName).Thumbprint

$MailSendFromSitConnection = Connect-PnPOnline -Url $MailSendFromSiteUrl
Send-PnPMail -To "user@contoso.com" -Subject "MySubject" -Body "MyBody" -Connection $MailSendFromSitConnection

Which version of the PnP-PowerShell Cmdlets are you using?

[ ] PnP PowerShell for SharePoint 2013
[ ] PnP PowerShell for SharePoint 2016
[X] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

Name                          Version    
----                          -------
SharePointPnPPowerShellOnline 3.21.2005.1
SharePointPnPPowerShellOnline 3.20.2004.0
SharePointPnPPowerShellOnline 3.19.2003.0
SharePointPnPPowerShellOnline 3.18.2002.0

How did you install the PnP-PowerShell Cmdlets?

[ ] MSI Installed downloaded from GitHub
[X] Installed through the PowerShell Gallery with Install-Module
[ ] Other means

ghost commented 4 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

KoenZomers commented 4 years ago

I can't reproduce this issue. I tried to follow your steps and have thus created a new Azure App Registration with just these permissions:

I then went to /_layouts/appinv.aspx for the same Client ID and gave it these permissions:

  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  </AppPermissionRequests>

I just get an access denied, but not the object reference error you're seeing. I had a look at the code and in this way you are connecting, it will only use the permissions set on AAD and not the ones you set through appinv.aspx for executing Send-PnPMail. So you would need to raise the AAD permissions to at least Sites.ReadWrite.All and then Send-PnPMail should work.

There are some known issues with PowerShell sessions not getting cleaned up correctly, even when using Disconnect-PnPOnline. Could it be that your PowerShell session has gotten polluted because of that and that makes you get into the object reference error?

KoenZomers commented 4 years ago

Closing as no response received. Feel free to reopen in case you have further information to share.

pnp / PnP-PowerShell