pnp / PnP-Sites-Core

Microsoft 365 Dev PnP Core component (.NET) targeted for increasing developer productivity with CSOM based solutions.

Apply PnP Provisioning template throwing error after update on August 2020 Release #2733

Closed tmaestrini closed 4 years ago

tmaestrini commented 4 years ago

Environment

[x] Office 365 / SharePoint Online
[ ] SharePoint 2016
[ ] SharePoint 2013

Expected or Desired Behavior

I am trying to apply the following template:

<pnp:Provisioning xmlns:pnp="http://schemas.dev.office.com/PnP/2020/02/ProvisioningSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://schemas.dev.office.com/PnP/2020/02/ProvisioningSchema https://raw.githubusercontent.com/OfficeDev/PnP-Provisioning-Schema/experimental/OfficeDevPnP.ProvisioningSchema/ProvisioningSchema-2020-02.xsd"
                  Author="bee365"
                  Generator="Human being"
                  Version="1.0">

  <pnp:Preferences Author="bee365.ch" Version="1.0" Generator="Human being">
    <pnp:Parameters>
      <pnp:Parameter Key="TeamTitle">Test bee365</pnp:Parameter>
      <pnp:Parameter Key="TeamAlias">testteam.bee365</pnp:Parameter>
      <pnp:Parameter Key="CompanyName">bee365</pnp:Parameter>
    </pnp:Parameters>
  </pnp:Preferences>

  <pnp:Templates ID="SAMPLE-TEMPLATES">
    <pnp:ProvisioningTemplate ID="SPO.SITE.01" Version="1.0"
      BaseSiteTemplate="GROUP#0"
      DisplayName="Test team site"
      Description="Test team site"
      Scope="RootSite"
      TemplateCultureInfo="2055">

    </pnp:ProvisioningTemplate>
  </pnp:Templates>

  <pnp:Sequence ID="SAMPLE-SEQUENCE">
    <pnp:SiteCollections>
      <pnp:SiteCollection xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="pnp:TeamSite"
                          ProvisioningId="TEAM.SITE.01"
                          Title="{parameter:CompanyName} Projects"
                          Alias="{parameter:TeamAlias}"
                          DisplayName="{parameter:CompanyName} Projects"
                          IsPublic="true"
                          IsHubSite="true"
                          Description="{parameter:CompanyName} Projects"
                          HideTeamify="true"
                          Language="2055">
        <pnp:Templates>
          <pnp:ProvisioningTemplateReference ID="SPO.SITE.01" />
        </pnp:Templates>
      </pnp:SiteCollection>
    </pnp:SiteCollections>
  </pnp:Sequence>

  <pnp:Teams>
    <pnp:Team GroupId="{sequencesitegroupid:TEAM.SITE.01}"
              DisplayName="{parameter:TeamTitle}" Description="This is a Team provisioned with PnP"
              Visibility="Private" Archived="false" MailNickname="{parameter:TeamAlias}">
      <pnp:FunSettings AllowGiphy="true" GiphyContentRating="Strict"
                       AllowStickersAndMemes="true" AllowCustomMemes="true"/>
      <pnp:GuestSettings AllowCreateUpdateChannels="true" AllowDeleteChannels="false"/>
      <pnp:MembersSettings AllowCreateUpdateChannels="true" AllowDeleteChannels="false"
                           AllowAddRemoveApps="true"
                           AllowCreateUpdateRemoveConnectors="true"
                           AllowCreateUpdateRemoveTabs="false" />
      <pnp:MessagingSettings AllowUserEditMessages="true" AllowUserDeleteMessages="true"
                             AllowOwnerDeleteMessages="false"
                             AllowTeamMentions="true"
                             AllowChannelMentions="true"/>
    </pnp:Team>
  </pnp:Teams>

</pnp:Provisioning>

Calling the provisioning engine for the script above using PnPPowerShell through Apply-PnPTenantTemplate:

$credentials = Get-Credential
Connect-PnPOnline "https://<tenant>.sharepoint.com/" -Credentials $credentials

Apply-PnPTenantTemplate -Path "path-to-script\Template.xml" -Parameters @{"TeamTitle"="Test Team by Toby";"TeamAlias"="bee365.demo01";"CompanyName"="bee365"}

I want to create a team in Microsoft Teams and provision the connected SharePoint Site Collection accordingly.

Observed Behavior

I am always getting this error:

Apply-PnPTenantTemplate : AADSTS500011: The resource principal named https://https://graph.microsoft.com// was not found in the tenant named <tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 8018c179-d013-41b2-b9f3-08392f0e3a00
Correlation ID: 63af9425-67f7-4246-aa8a-a457e3835eb3
Timestamp: 2020-08-16 21:09:12Z
In Zeile:1 Zeichen:1
+ Apply-PnPTenantTemplate -Path "C:\Users\toma\...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Apply-PnPTenantTemplate], MsalServiceException
    + FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate

Steps to Reproduce

I tried to run this and other scripts on different tenants with different global admin credentials. The error has been showing up since today, after I updated my SharePointPnPPowerShellOnline version to the August 2020 Release.

I'd like to mention @PaoloPia if he had any idea for a suitable solution. Thanks for your support!
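A triage helper for the error quoted in the report above, added here as an example and not part of the original issue or of PnP PowerShell: it extracts the resource identifier from an AADSTS500011 message and checks whether it is a well-formed URI, which separates a request built with a malformed resource from a missing-consent case. The function name `Test-AadResourceError` and its output fields are hypothetical; the sample text is abbreviated from the error in the report.

```powershell
# Added example, not PnP code. Names below are hypothetical.
function Test-AadResourceError {
    param([Parameter(Mandatory)][string]$Message)

    # Fields Azure AD includes in an AADSTS500011 message.
    $code     = if ($Message -match '(AADSTS\d+)') { $Matches[1] }
    $resource = if ($Message -match 'resource principal named (\S+) was not found') { $Matches[1] }
    $corr     = if ($Message -match 'Correlation ID:\s*([0-9a-f-]{36})') { $Matches[1] }

    $problems = @()
    if ($resource) {
        # A URI scheme ("https://") should appear exactly once.
        $schemes = [regex]::Matches($resource, '[A-Za-z][A-Za-z0-9+.-]*://').Count
        if ($schemes -gt 1) { $problems += 'scheme repeated' }
        # Once the scheme is stripped, "//" means an empty path segment.
        $rest = $resource -replace '^([A-Za-z][A-Za-z0-9+.-]*://)+', ''
        if ($rest -match '//') { $problems += 'empty path segment' }
    }

    $hint = if ($problems.Count -gt 0) {
        'Requested resource identifier is malformed; check the module version that built the request.'
    } elseif ($code -eq 'AADSTS500011') {
        'Resource identifier looks well formed; check consent and the tenant being targeted.'
    } else {
        'Not an AADSTS500011 message.'
    }

    [pscustomobject]@{
        Code          = $code
        Resource      = $resource
        CorrelationId = $corr
        Malformed     = ($problems.Count -gt 0)
        Problems      = $problems -join '; '
        Hint          = $hint
    }
}

# Sample input, abbreviated from the error quoted in the report.
$sample = @'
Apply-PnPTenantTemplate : AADSTS500011: The resource principal named https://https://graph.microsoft.com// was not found in the tenant named <tenant name>.
Correlation ID: 63af9425-67f7-4246-aa8a-a457e3835eb3
'@

Test-AadResourceError -Message $sample | Format-List
```

Inside a `catch` block the same function can be fed `$_.Exception.Message`; the correlation ID it returns is the value to look up in the Azure AD sign-in logs.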

ghost commented 4 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

erwinvanhunen commented 4 years ago

Hi! In order to create teams artifacts, we need to be able to authenticate you towards the Microsoft Graph. The only way we can do that is by the means of an access token, and the only way we can retrieve an access token is by means of you providing consent to an Azure application we created specifically for this reason. The way it works is as follows:

Connect-PnPOnline -PnPManagementShell -LaunchBrowser -Url https://<yoursite>.sharepoint.com

You only have to issue this command one time. You will see that a browser will pop up and you will be asked to provide consent to a certain number of rights we request. Notice that we -cannot- receive your credentials. They all stay on your end. Basically what happens is that a registration is added to the "Enterprise Applications" list in your Azure AD which states that users within your organization can use this application id to authenticate towards the Microsoft Graph and SharePoint.

Once this consent is in place you can connect as you used to do before with the -Credentials parameter as in your snippet above and things should start to work.

Additional info: what happens after you provided consent is the following:

  1. You authenticate with Connect-PnPOnline using normal credentials
  2. The provisioning engine will start doing its work towards SharePoint if any SharePoint artifacts are in place
  3. The moment the engine notices that a Teams artifact is to be provisioned it will ask PnP PowerShell to provide an access token. For that reason we need you to provide consent beforehand, as PnP PowerShell will then use your credentials to acquire an Access Token towards the Microsoft Graph. Once successfully acquired it will send this token to the provisioning engine code which will then include that token in all requests towards the Microsoft Graph to provision teams.

tmaestrini commented 4 years ago

Thank you, @erwinvanhunen. I also tried this before - without success. Even after your described way, the error is still the same: image

I also deleted the consented application in Azure AD and tried to authenticate again - no success. Please also have a look at the highlighted section in the screenshot above; is this correct?

tmaestrini commented 4 years ago

And just noticed the following fact: after having downgraded to the July 2020 Release (aka 3.23.2007.0), the provisioning sequence runs like a charm!

tmaestrini commented 4 years ago

@PaoloPia referring to the screenshot of the error warning above: could that be a bug?

acksoft commented 4 years ago

> The way it works is as follows:
>
> Connect-PnPOnline -PnPManagementShell -LaunchBrowser -Url https://<yoursite>.sharepoint.com
>
> You only have to issue this command one time. You will see that a browser will pop up and you will be asked to provide consent to a certain number of rights we request.

Erwin,

I have followed this instruction but after I enter the code and manually provide my credentials, the browser does NOT pop up, so I am not asked to provide consent to the required rights. Are there any limitations that I need to be aware of? I have made sure that I am using the August 2020 Point Release which was supposed to fix things. What am I missing here?

tmaestrini commented 4 years ago

@erwinvanhunen same behaviour for me as described by @acksoft since I've updated to the August 2020 release...

tmaestrini commented 4 years ago

@erwinvanhunen and @PaoloPia do you have any news or idea regarding this error?

PaoloPia commented 4 years ago

Hi, Thanks for your feedback. We're digging into this issue and we will update you as soon as possible.

PaoloPia commented 4 years ago

Hi, after digging into this issue, it looks like it is now fixed in DEV branch and with the upcoming monthly release of PnP Sites Core and PnP PowerShell, it should be fixed in the public release, too. Please, wait for the monthly release and try again. In case of any further problem, feel free to open another issue. Thanks for your comprehension.