Open matsla opened 4 years ago
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
@matsla Recommended option of connecting is by creating an AAD app registration. Simply create one in your tenant and do not assign it any rights in AAD. Take the application/client id AAD generated for it, go to your SharePoint site, add to the URL /_layouts/appinv.aspx, paste in the client Id from AAD and you can give it fine tuned permissions, just for that list/document library/web/site collection.
Let me know if you require more detailed steps to get this done.
@KoenZomers this is a option if you have to support one SharePoint site. In my scenario we need to support > 1000 SharePoint site. We have a backgroud job to ensure correct metadata on all documents for each SharePoint site.
This options seems to work better in my scenario: Create an Azure AD App with Delegated permission for all SP Sites using a deamon account (Dedicated Azure AD Account). This will also work when LegacyAuthProtocolsEnabled = $False
@matsla, correct, that could work, but it would require you to request permission for the app registration to all of their SharePoint Online sites. If that's fine by the ones who own the tenants, then you're good to go indeed. Likely needless to say, but be very careful with the PFX you connect to that app registration. You definitely don't want that to fall into the wrong hands.
@KoenZomers yes, thanks for the advice.
But is it possible for PnP Powershell/PnP Core to support Connect-PnPOnline with username and password when LegacyAuthProtocolsEnabled = $False ?
We have a lot of customizations that use this approch and when customers use LegacyAuthProtocolsEnabled = $False this will be an issue.
@matsla, no, that will not be possible. Connecting with just a username and password relies on SharePointOnlineAuthentication, which is effectively a legacy authentication protocol and considered very insecure and therefore highly recommended against to enable this on any tenant.
@KoenZomers thanks for the input. I instead to use a dedicated Azure AD service account to acquire tokens for both Graph API /Sharepoint with an Azure AD App with delegated permissions.
If this is considered very insecure it's intresting when you create a new M365 tenant why LegacyAuthProtocolsEnabled is set to $True.
@matsla Good question. Not sure why it's still enabled by default. Perhaps to allow for clients not capable of using modern authentication to connect as well? I heard a rumor recently that the standard mail client on iOS still uses legacy authentication and is still very popular amongst users of that platform.
@KoenZomers I am having trouble reconciling this issue #1725 with your explanation in this issue. In my understanding:
LegacyAuthProtocolsEnabled = $True
-> legacy authentication is used (NOT GOOD IN CLOUD SITUATION!!)LegacyAuthProtocolsEnabled = $False
-> modern oauth authentication flow is usedusing the second option does allow all Conditional Access possibilities for the account to be triggered (and monitored) and as long as MFA is not being forced, you can use this account in unattended solutions. I have no issues with this manner of connecting and also prevent (among others) the issue that is being proposed here: #2618
Also I have a Block Legacy Authentication CA policy configured which also works just fine allowing the PowerShell connection when modern auth is being used.
Would be great if you could comment on this, maybe I am doing or interpreting something not in the right way. Thanks!
When using Connect-PnPOnline with username and password and LegacyAuthProtocolsEnabled = $False we get following error, below. As we are using this in a deamon process we cant use the UseWebLogin switch. We are not able to connect using an Azure AD App due to Application Permission can only be assined to all sites in tenant.
Can this issue be corrected? Any work arounds to get this working with username & password and LegacyAuthProtocolsEnabled = $False?
Connect-PnPOnline -url https://xxxx.sharepoint.com/ Connect-PnPOnline : Exception has been thrown by the target of an invocation.
Exception has been thrown by the target of an invocation.
Stacktrace : at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) at OfficeDevPnP.Core.PnPClientContext.<>c__DisplayClass12_0.b0(Object oSender,
WebRequestEventArgs webRequestEventArgs)
at System.EventHandler`1.Invoke(Object sender, TEventArgs e)
at Microsoft.SharePoint.Client.ClientRuntimeContext.OnExecutingWebRequest(WebRequestEventArgs
args)
at Microsoft.SharePoint.Client.ClientContext.GetWebRequestExecutor()
at Microsoft.SharePoint.Client.ClientContext.d b.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContext.d8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContext.d 4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at
Microsoft.SharePoint.Client.ClientContextExtensions.d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryRetry(ClientRuntimeContext
clientContext, Int32 retryCount, Int32 delay, String userAgent)
at
SharePointPnP.PowerShell.Commands.Base.SPOnlineConnectionHelper.InstantiateSPOnlineConnection(Uri
url, PSCredential credentials, PSHost host, Boolean currentCredentials, Int32 minimalHealthScore,
Int32 retryCount, Int32 retryWait, Int32 requestTimeout, String tenantAdminUrl, Boolean
disableTelemetry, Boolean skipAdminCheck, ClientAuthenticationMode authenticationMode)
at SharePointPnP.PowerShell.Commands.Base.ConnectOnline.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
ScriptLineNumber : 1
Which version of the PnP-PowerShell Cmdlets are you using?