pnp / PnP-Sites-Core

Microsoft 365 Dev PnP Core component (.NET) targeted for increasing developer productivity with CSOM based solutions.

Apply-PnPTenantTemplate authentication issue #2480

Open jonathanhotono opened 4 years ago

jonathanhotono commented 4 years ago

Category

[x] Bug [ ] Enhancement

Environment

[x] Office 365 / SharePoint Online [ ] SharePoint 2016 [ ] SharePoint 2013

Apply-PnPTenantTemplate does not work when LegacyAuth is disabled and MFA is enabled. It always returns Apply-PnPTenantTemplate : The remote server returned an error: (401) Unauthorized.

What I observed so far:

  1. It does not work when I'm using -useWebLogin
  2. It does not work when I'm using Azure AD Application Permissions (https://github.com/SharePoint/PnP-PowerShell/tree/master/Samples/SharePoint.ConnectUsingAppPermissions)
  3. It does not work when I'm using PnPO365ManagementShell

I know the easiest option is for us to enable legacyAuth and disable MFA, but I think at some point legacyAuth will be turned off soon, so a permanent solution is needed.

ghost commented 4 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

mjarmstrong commented 4 years ago

Running into the same issue.

Disable MFA on my tenant, and Apply-PnPTenantTemplate works fine. Enable MFA, and 403.

Any update? @VesaJuvonen

VesaJuvonen commented 4 years ago

Can someone please share details on their template content as by default this certainly works with MFA enabled... but we would need to understand the exact scenario to be able to build a repro.

mjarmstrong commented 4 years ago

@VesaJuvonen - in my case, the tenant template is defining themes (pnp:themes), site scripts and designs, and a sequence with site collections, and a couple of termsets (I am term store admin, so it isn't that). One of the premier support engineers was also able to reproduce (case 19181236 if this helps any).

VesaJuvonen commented 4 years ago

Have you tried removing different sections until things work? Just reduce the sections to detect which handler is the one which throws the exception? Also can you run Get-PnPException right after you have this exception to get the full exception details. That's a critical piece of information to understand which piece of code actually failed. Thx.

jonathanhotono commented 4 years ago

For me @VesaJuvonen it always fails when uploading an app into the tenant app catalog <pnp:AppCatalog> and ApplicationLifeCycleManagement when using webLogin. The only bits working when using webLogin are uploading siteScript/site designs, site collection and themes.

Updated error message:

CorrelationId    : f9ec4f9f-401a-b000-0454-c6b9ea8c743e
TimeStampUtc     : 07-May-20 12:56:59 AM
Message          : Object reference not set to an instance of an object.
Stacktrace       :    at OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.SiteToTemplateConversion.ApplyTenantTemplate(Tenant tenant,
                   ProvisioningHierarchy hierarchy, String sequenceId, ApplyConfiguration configuration)
                      at SharePointPnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate.ExecuteCmdlet()
                      at SharePointPnP.PowerShell.Commands.PnPCmdlet.ProcessRecord()
ScriptLineNumber : 189

Apply-PnPTenantTemplate : Object reference not set to an instance of an object.
At D:\Documents\full_site_provisioning.ps1:189 char:5
+     Apply-PnPTenantTemplate -ResourceFolder .\ -Path '.\tenant-provis ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Apply-PnPTenantTemplate], NullReferenceException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate

However, running using a normal Connect-PnPOnline without useWebLogin works just fine. I also tested using a .pfx certificate file against an Azure AD enterprise app, and it also works fine.