pnp / PnP-PowerShell

SharePoint PnP PowerShell CmdLets
https://pnp.github.io/powershell

[BUG] Add-PnPTeamsTeam fails with missing refresh token #2926

Open heinrich-ulbricht opened 3 years ago

heinrich-ulbricht commented 3 years ago

Reporting an Issue or Missing Feature

It's not possible to teamify a modern team site using Add-PnPTeamsTeam.

Expected behavior

After creating a modern team site using New-PnPSite I expect Add-PnPTeamsTeam to teamify it.

Actual behavior

The actual behavior of Add-PnPTeamsTeam is this:

PS C:\Users\heu> Add-PnPTeamsTeam 
Add-PnPTeamsTeam : {"odata.error":{"code":"10001","message":{"lang":"en-US","value":"Missing refresh token."},"error.redirectUrl":"https://tenant.shar
epoint.com/sites/A-784143115?reauthid=2.MXwwfA.X-SNIP-kib4lag"}}
At line:1 char:1
+ Add-PnPTeamsTeam
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Add-PnPTeamsTeam], Exception
    + FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Site.AddTeamsTeam

PS C:\Users\heu> Get-PnPException

CorrelationId    : 60a87b9f-a036-2000-72d5-be1c8e24543f
TimeStampUtc     : 19.09.2020 21:50:51
Message          : {"odata.error":{"code":"10001","message":{"lang":"en-US","value":"Missing refresh token."},"error.redirectUrl":"https://tenant.shar
                   epoint.com/sites/A-784143115?reauthid=2.MXwwfA.X_j4-SNIP-EXzdCktOINBxevOAPgf1ZlNFkib4lag"}}
Stacktrace       :    at OfficeDevPnP.Core.Utilities.RESTUtilities.<ExecutePostAsync>d__2.MoveNext()
                   --- End of stack trace from previous location where exception was thrown ---
                      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                      at OfficeDevPnP.Core.Sites.SiteCollection.<TeamifySiteAsync>d__21.MoveNext()
                   --- End of stack trace from previous location where exception was thrown ---
                      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                      at PnP.PowerShell.Commands.Site.AddTeamsTeam.ExecuteCmdlet()
                      at PnP.PowerShell.Commands.PnPSharePointCmdlet.ProcessRecord()
ScriptLineNumber : 1

Steps to reproduce behavior

Connect-PnPOnline https://<tenant>-admin.sharepoint.com
$url = New-PnPSite -Type TeamSite -Title "title" -Alias alias -IsPublic -Wait
Connect-PnPOnline $url
Add-PnPTeamsTeam # <-- fails

Which version of the PnP-PowerShell Cmdlets are you using?

What is the version of the Cmdlet module you are running?

3.25.2009.1

How did you install the PnP-PowerShell Cmdlets?

cwcahill commented 3 years ago

This is happening to me too... seems like it's trying to use an auth token that has not been refreshed??

haupth1992 commented 3 years ago

I got the same problem. I tried it with the 'New-PnPTeamsTeam' and the office group could be created, but it could not be converted to a team. When I recreated the situation step by step, this error occurred. But if I try it often enough, then eventually a team is created, hence I guess it has something to do with the token.

heinrich-ulbricht commented 3 years ago

Additional note: the error does not appear consistently. Sometimes it works, sometimes not :-(

erwinvanhunen commented 3 years ago

Can you provide a Fiddler trace of the request? When you call Add-PnPTeamsTeam you'll notice a request to /sites/[yoursite]/_api/GroupSiteManager/EnsureTeamForGroup. We're interested in seeing that request. If you see an 'Authorization: Bearer ...' header, please remove the value after 'Bearer' before posting the trace here, as that's your actual access token. You can have a look at that token yourself by copying the value after 'Bearer' into https://jwt.ms. I'm interested in seeing what values there are for the "scp" property.

heinrich-ulbricht commented 3 years ago

@erwinvanhunen On my way :) (And feedback from the others is appreciated as well!)

heinrich-ulbricht commented 3 years ago

Hm I guess I might be using it wrong. There is no Authorization header when calling the EnsureTeamForGroup endpoint.

Connect-PnPOnline https://<tenant>-admin.sharepoint.com -Credentials <tenant>
$newSiteUrl = New-PnPSite -Type TeamSite -Alias "heu-test-pnp-2926" -Wait -Title "Heu Test PnP-2926"
Connect-PnPOnline $newSiteUrl -Credentials <tenant>
Add-PnPTeamsTeam

@erwinvanhunen The third line where I connect to the site. Should this be Connect-PnPOnline with Scopes instead? This is where I get the error message I originally reported.

Raw request to EnsureTeamForGroup from Fiddler:

POST https://<tenant>.sharepoint.com/sites/heu-test-pnp-2926/_api/groupsitemanager/EnsureTeamForGroup HTTP/1.1
accept: application/json; odata=nometadata
X-RequestDigest: 0x11AF0B135BCC127CDE5C853C21B36F9A734BF5F5EB72B5D05CEABFF59BC1334B372BC66C8EF0913C7CE73B351F57D58960AE11BBDAAD47369873C7BDAB5A3A73,25 Sep 2020 09:11:35 -0000
User-Agent: NONISV|SharePointPnP|PnPCore/3.25.2009.1
Host: <tenant>.sharepoint.com
Cookie: SPOIDCRL=<snip>=
Content-Length: 0

Response:

HTTP/1.1 400 Bad Request
Cache-Control: private, max-age=0
Transfer-Encoding: chunked
Content-Type: application/json;odata=nometadata;streaming=true;charset=utf-8
Expires: Thu, 10 Sep 2020 09:11:35 GMT
Last-Modified: Fri, 25 Sep 2020 09:11:35 GMT
Server: Microsoft-IIS/10.0
X-SharePointHealthScore: 2
X-SP-SERVERSTATE: ReadOnly=0
DATASERVICEVERSION: 3.0
SPClientServiceRequestDuration: 247
X-AspNet-Version: 4.0.30319
SPRequestGuid: 516b7d9f-d00c-2000-41ce-28b399f1fc16
request-id: 516b7d9f-d00c-2000-41ce-28b399f1fc16
MS-CV: n31rUQzQACBBziizmfH8Fg.0
X-RequestDigest: <snip>,25 Sep 2020 09:11:35 -0000
Strict-Transport-Security: max-age=31536000
X-FRAME-OPTIONS: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com;
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.20516
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Date: Fri, 25 Sep 2020 09:11:35 GMT

218
{"odata.error":{"code":"10001","message":{"lang":"en-US","value":"Missing refresh token."},"error.redirectUrl":"https://<tenant>.sharepoint.com/sites/heu-test-pnp-2926?reauthid=2.MXwwfA.X_j4N5HfjtlL<snip>b4lag"}}
0

erwinvanhunen commented 3 years ago

No, you're not using it wrong. That's exactly the info we were looking for. If there is an access token in the request then legacy auth has been turned off for the tenant. But in this case there is a cookie instead. We were interested, among other things, in seeing what type of auth your tenant was using, and now we know.
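
The checks from erwinvanhunen's two comments above (strip the bearer value before posting a trace, read the token's "scp" claim, tell token auth from cookie auth), as an added example that is not part of the thread or the PnP project; it decodes the token locally rather than in a website. `Protect-HttpTrace`, `ConvertFrom-Base64Url` and the sample request are hypothetical.

```powershell
# Added example, not from the thread. Function names and sample values are hypothetical.
function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Protect-HttpTrace {
    param([string[]]$Line)   # raw trace lines; blank lines are allowed
    $authType = 'None'
    $scopes = @()
    $secret = '^(Authorization|Cookie|Set-Cookie|X-RequestDigest)\s*:\s*(.*)$'
    $clean = foreach ($l in $Line) {
        if ($l -match $secret) {
            $name = $Matches[1]; $value = $Matches[2]
            if ($name -eq 'Authorization' -and $value -match '^Bearer\s+[\w-]+\.([\w-]+)\.') {
                # Bearer token present: per the thread, legacy auth is off for the tenant.
                $authType = 'Bearer'
                $claims = ConvertFrom-Base64Url $Matches[1] | ConvertFrom-Json
                if ($claims.scp) { $scopes = $claims.scp -split ' ' }
                "${name}: Bearer <redacted>"
            }
            else {
                # Cookie-based session (e.g. SPOIDCRL), as in the failing request above.
                if ($name -eq 'Cookie' -and $authType -eq 'None') { $authType = 'Cookie' }
                "${name}: <redacted>"
            }
        }
        else {
            # The error body's redirect URL carries a reauthid value; strip that too.
            $l -replace '(reauthid=)[^"&\s]+', '$1<redacted>'
        }
    }
    [pscustomobject]@{ AuthType = $authType; Scopes = $scopes; Trace = $clean }
}

# Constructed sample: an unsigned token whose payload holds only an "scp" claim.
$json = '{"scp":"AllSites.FullControl Group.ReadWrite.All"}'
$payload = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
$payload = $payload.TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sample = @(
    'POST https://<tenant>.sharepoint.com/sites/example/_api/GroupSiteManager/EnsureTeamForGroup HTTP/1.1'
    "Authorization: Bearer e30.$payload.c2ln"
    'X-RequestDigest: 0xCONSTRUCTED,25 Sep 2020 09:11:35 -0000'
    'Content-Length: 0'
)
$result = Protect-HttpTrace -Line $sample
$result.AuthType; $result.Scopes; $result.Trace
```

Only `$result.Trace` is meant for posting; the scope list is read from the token before the header value is replaced.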

heinrich-ulbricht commented 3 years ago

Ok good. Let me know if you need more info. PowerShell is open and ready :)

erwinvanhunen commented 3 years ago

Our initial idea right now is that this is something server-side or at the API level. We're monitoring this one right now. We analyzed the call and everything seems okay on the client side/your end, including the request being made to the server. Just checking: if you create the site and you navigate to the site, does clicking on the 'teamify' link in the bottom left work as expected?

heinrich-ulbricht commented 3 years ago

Yes, it seems so: creating the Team via the Teamify link in the site works. Here are screenshots from after clicking the Teamify link for a newly (via New-PnPSite) created site: [image] [image]

heinrich-ulbricht commented 3 years ago

If it helps, I created another Team via the Teamify link in the browser and this is the Fiddler capture from the successful call to EnsureTeamForGroup (from within the browser):

POST https://<tenant>.sharepoint.com/sites/heu-test-pnp-2926-teamify2/_api/GroupSiteManager/EnsureTeamForGroup HTTP/1.1
Host: <tenant>.sharepoint.com
Connection: keep-alive
Content-Length: 0
sec-ch-ua: "Google Chrome";v="87", "\"Not;A\\Brand";v="99", "Chromium";v="87"
accept: application/json;odata=verbose
x-requestdigest: <snip>,25 Sep 2020 12:02:43 -0000
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4273.0 Safari/537.36
Content-Type: application/json;odata=verbose
Origin: https://<tenant>.sharepoint.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<tenant>.sharepoint.com/sites/heu-test-pnp-2926-teamify2
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: <snip>

Answer:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Transfer-Encoding: chunked
Content-Type: application/json;odata=verbose;charset=utf-8
Content-Encoding: gzip
Expires: Thu, 10 Sep 2020 12:02:59 GMT
Last-Modified: Fri, 25 Sep 2020 12:02:59 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
Set-Cookie: rtFa=<snip>; domain=sharepoint.com; expires=Wed, 30-Sep-2020 11:57:18 GMT; path=/; SameSite=None; secure; HttpOnly
Set-Cookie: FedAuth=<snip>=; expires=Wed, 30-Sep-2020 11:57:18 GMT; path=/; SameSite=None; secure; HttpOnly
X-SharePointHealthScore: 2
X-SP-SERVERSTATE: ReadOnly=0
DATASERVICEVERSION: 3.0
SPClientServiceRequestDuration: 5498
X-AspNet-Version: 4.0.30319
SPRequestGuid: 1f757d9f-b097-2000-63fe-2d6d772de091
request-id: 1f757d9f-b097-2000-63fe-2d6d772de091
MS-CV: n311H5ewACBj/i1tdy3gkQ.0
X-RequestDigest: <snip>,25 Sep 2020 12:02:59 -0000
Strict-Transport-Security: max-age=31536000
X-FRAME-OPTIONS: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com;
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.20516
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Date: Fri, 25 Sep 2020 12:03:03 GMT

*** FIDDLER: RawDisplay truncated at 128 characters. Right-click to disable truncation. ***

markgort86 commented 3 years ago

I've also got an issue with the same commandlet, only the error is a bit different. Please have a look over here: https://github.com/pnp/PnP-PowerShell/issues/2963

markgort86 commented 3 years ago

@VesaJuvonen @erwinvanhunen any update on this issue?

I've also got an issue with the same commandlet, only the error is a bit different. Please have a look over here: #2963

waaromikniet commented 3 years ago

@erwinvanhunen We have a similar issue. We get the invalid refresh token error described by @markgort86. But when we use

Connect-PnpOnline -UseWebLogin

Add-PnPTeamsTeam works. But when using CredentialManager credentials or Get-Credential, we get this error.