pnp / PnP-PowerShell

SharePoint PnP PowerShell CmdLets
https://pnp.github.io/powershell

[BUG] Term Store PnP functions fail when using Connect-PnPOnline -SPOManagementShell #3020

Open acou1304 opened 3 years ago

acou1304 commented 3 years ago

I have a client environment that is using ADFS and MFA. In my own dev tenant I have neither, but for testing purposes I used Connect-PnPOnline -Url -ClearTokenCache -SPOManagementShell (note that when using -WebLogin option in the customer's tenant you just get a blank popup screen).

When using that authentication option, although Get-PnPTerm works, New-PnPTerm does not and results in Access denied.

If I switch to using the -WebLogin option in my tenant, the above command works fine (but unfortunately as I stated above, this option does not work in my client's ADFS/MFA environment).

I need a way to reliably script against the term store. I am using version 3.25.2009.1 of SharePointPnPPowerShellOnline (I had to uninstall the latest and install this version because of https://github.com/pnp/PnP-PowerShell/issues/2983).

  1. Is the issue related to the cmdlet itself, its parameters, the syntax, or do you suspect it is the code of the cmdlet that is causing the issue? Then please continue reporting the issue in this repo. I suspect the code of the cmdlet.

  2. If you think that the functionality might be related to the underlying libraries that the cmdlet is calling (We realize that might be difficult to determine), please first double check the code of the cmdlet, which can be found here: https://github.com/pnp/PnP-PowerShell/tree/master/Commands. If related to the cmdlet, continue reporting the issue here, otherwise report the issue at https://github.com/pnp/PnP-Sites-Core/issues I assume the issue has something to do with the underlying authentication code.

Reporting an Issue or Missing Feature

New-PnPTerm failing with Access Denied when using Connect-PnPOnline -SPOManagementShell

Expected behavior

New-PnPTerm should work.

Actual behavior

New-PnPTerm : Access denied. You do not have permission to perform this action or access this resource. At line:1 char:1

Steps to reproduce behavior

Login to any tenant using the SPOManagementShell option, then try to create a term using Add-PnPTerm.

Which version of the PnP-PowerShell Cmdlets are you using?

What is the version of the Cmdlet module you are running?

(you can retrieve this by executing Get-Module -Name sharepointpnppowershell* -ListAvailable) 3.25.2009.1

How did you install the PnP-PowerShell Cmdlets?

sympmarc commented 3 years ago

This is admittedly a very basic suggestion, but are you a Term Store Administrator in the client tenant, at least for the Term Set you want to update? (This catches me up all the time.)

ToddKlindt commented 3 years ago

The -SPOManagementShell does not have permission to the Term Store. It's expected, though still frustrating, that New-PnPTerm won't work if that's how you authenticate.

acou1304 commented 3 years ago

Yes, I am a term store administrator. In my own tenant (which doesn't have ADFS or MFA) I can switch to the normal -UseWebLogin and update the term store. It is only because I have to use the -SPOManagementShell option in the other tenant that does have ADFS/MFA that I am testing in my own tenant. I did also try using AppId/Secrets, but writing to the term store using that also does not work. At the moment my only workaround is to effectively populate my own tenant term store, then use Sharegate to copy the terms across. It is interesting that Sharegate doesn't have an issue in that environment, which I suspect is because they are using old SharePoint API methods rather than MS Graph.

ToddKlindt commented 3 years ago

Have you tried using Initialize-PnPPowerShellAuthentication to create an app reg that has all the permissions you need? In this case it would look like Example 3 under help Initialize-PnPPowerShellAuthentication -Examples and add "TermStore.ReadWrite.All"

acou1304 commented 3 years ago

Hi Todd, no I haven't tried that. In terms of -SPOManagementShell, I spoke to a tech support person at Microsoft and they said the following:

I have tried to do some tests and could reproduce the issue when using -SPOManagementShell parameter. Then I compared the authentication of these two methods, found:

(two screenshots comparing the authentication of the two methods, not reproduced here)

So, I think that’s why it will return 403 error when using -SPOManagementShell for authentication to manage term store.

ToddKlindt commented 3 years ago

Yeah, that's what I said in this reply.

acou1304 commented 3 years ago

I found that the customer had set up MFA via a conditional access policy rather than directly against the user in the admin center. By removing the conditional access policy and setting MFA directly against the migration account, I was able to create an app password. Even though I didn't use the app password, I found that I could just use the username/password in a stored credential, thus bypassing the -SPOManagementShell option. When using the -SPOManagementShell option, often the next line of code runs before the authentication prompt is complete.
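Putting Todd's app-registration suggestion and the sequencing problem from the last comment together, the following is an added example (not code from this thread or from the PnP project) of a term-store script that uses a certificate-backed app registration limited to TermStore.ReadWrite.All instead of a stored user password, and that checks the connection before touching the term store. It assumes the Initialize-PnPPowerShellAuthentication parameters of the 3.x module; the tenant name, site URL, app name, term group and set names, client id and thumbprint are all placeholders.

```powershell
# Added example, not from the issue thread. All tenant-specific values are placeholders.
$tenant  = "contoso.onmicrosoft.com"          # placeholder tenant
$siteUrl = "https://contoso.sharepoint.com"   # placeholder site
$appName = "PnP-TermStore-Writer"             # placeholder app registration name

# --- One-time setup, run interactively by an admin ------------------------------
# Creates an Azure AD app registration plus a self-signed certificate in the
# CurrentUser store and requests only the Graph permission the term store needs
# (TermStore.ReadWrite.All, as suggested in the thread). Admin consent is granted
# in the browser prompt this opens. Record the app id and thumbprint it reports.
Initialize-PnPPowerShellAuthentication -ApplicationName $appName -Tenant $tenant `
    -Store CurrentUser -GraphApplicationPermissions "TermStore.ReadWrite.All"

# --- Unattended run --------------------------------------------------------------
$clientId   = "<app id reported by the setup step>"           # placeholder
$thumbprint = "<certificate thumbprint from the setup step>"  # placeholder

# Certificate auth: no user password is stored and no interactive prompt is involved,
# so the next line cannot run ahead of an unfinished login the way it can with
# -SPOManagementShell.
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant -Thumbprint $thumbprint

# Fail fast if the connection did not come up rather than finding out at New-PnPTerm.
if (-not (Get-PnPConnection)) { throw "Connect-PnPOnline did not establish a connection." }

# Resolve the target group and set first: a missing object here is a configuration
# error, while an 'Access denied' later is a permissions error. Separating the two
# shortens triage.
$group = Get-PnPTermGroup -Identity "Migration"                      # placeholder group
$set   = Get-PnPTermSet   -Identity "Departments" -TermGroup $group  # placeholder set

try {
    New-PnPTerm -Name "Security Engineering" -TermSet $set -TermGroup $group -ErrorAction Stop
}
catch {
    if ($_.Exception.Message -match 'Access denied') {
        Write-Warning ("Term store write refused: confirm the app has TermStore.ReadWrite.All " +
                       "with admin consent and is listed as a term store administrator.")
    }
    throw
}
```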