What are we doing?
We are developing a solution that can make changes on multiple customer tenants. So far the solution is able to, for example, manipulate Azure AD and Azure subscriptions on all customers. We now want to add SharePoint Online to the set of things we can manipulate.
Explanation of the authentication logic
By adding a user (service user) from our tenant to the Azure AD group "AdminAgents", this user can reach all the customers that are connected to our CSP Partner Center.
Using the service user, we log in interactively with an Azure AD application in our own Azure AD tenant using the "auth code flow", so that we get a set of tokens (access and refresh).
The refresh tokens are placed in an Azure Key Vault so that we can use them to create new access tokens for any customer tenant whenever we need them. Typically, we have APIs referencing the secrets in the Key Vault and later using them to create their own tokens.
What is failing?
When we try the same procedure for SharePoint Online, we cannot get through and receive 401 Unauthorized (access denied) errors.
Test if login is working
```powershell
Get-PnPSite   # <---- This is failing with: The remote server returned an error: (401) Unauthorized.
```
Other information
Access token authentication works fine when first connecting to PnP using a tenant-native user and then fetching the access token with the Get-PnPAppAuthAccessToken command. However, we want to do this without a native user.
Creating tokens as described above works perfectly fine when connecting to a CSP customer's Graph or Azure API (just using a different scope).
Authenticating with our CSP credentials directly to the customer's SharePoint site through a browser works without any issues.
Is this something that can be done with the current PnP module, or are there improvements that can be done to achieve this? Are we perhaps missing something regarding our setup? Or could there perhaps be limitations within SharePoint regarding this problem?
Edit:
We ended up doing a workaround here. Using our DAP (AOBO) access to create an application/service principal, add the required permissions to it, add a certificate, and then save the appID and certEncoding in our own Key Vault, we are able to use this when authenticating to the customer through PnP.
We also had a discussion with Microsoft about this, more or less saying that it won't work using the DAP access directly.
Example URL which we navigate to and log in with the service user to create the auth code that is later exchanged for the tokens (client_id left blank here):
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_mode=form_post&response_type=code id_token&scope=openid profile offline_access https://management.azure.com/.default https://graph.microsoft.com/.default https://app.vssps.visualstudio.com/.default https://vault.azure.net/.default https://api.manage.microsoft.com/.default https://manage.office.com/.default https://analysis.windows.net/powerbi/api/.default https://microsoft.sharepoint-df.com/.default https://print.print.microsoft.com/.default&state=1234&nonce=1

PowerShell example of exchanging the stored refresh token for a customer-tenant SharePoint access token and connecting with it:
```powershell
# $TenantId is the customer's tenant id; $AOBOAppRegistration is a PSCredential holding
# our app registration's client id (UserName) and client secret (Password)
$customerAccessTokenUri = ('https://login.microsoftonline.com/{0}/oauth2/v2.0/token' -f $TenantId)
$params = @{
    grant_type    = 'refresh_token'
    client_secret = $AOBOAppRegistration.GetNetworkCredential().Password
    client_id     = $AOBOAppRegistration.UserName
    refresh_token = $AOBORefreshToken   # refresh token retrieved from our Key Vault
    scope         = 'https://CSPCustomerTenant.sharepoint.com/.default'   # https://microsoft.sharepoint-df.com/.default - we have tried both
}
$MsgToken = Invoke-RestMethod -Uri $customerAccessTokenUri -Method POST -Body $params

# This one connects without any errors
Connect-PnPOnline -Url "https://CSPCustomerTenant.sharepoint.com" -AccessToken $MsgToken.access_token

# Test if login is working
Get-PnPSite   # <---- This is failing with: The remote server returned an error: (401) Unauthorized.
```
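Added diagnostic example (not part of the original issue or of PnP PowerShell): before handing the token from the refresh_token grant to Connect-PnPOnline, decode its payload and check that the aud and tid claims actually name the SharePoint host and the customer tenant. Connect-PnPOnline does not validate the token, so a token minted for another resource or tenant only surfaces as the 401 on the first request. The sample token below is constructed and unsigned; the accepted SharePoint audience values and the claim names are assumptions based on how Azure AD v2.0 tokens are normally shaped.

```powershell
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Value is not a compact JWS (header.payload.signature)' }
    # base64url -> base64: restore the standard alphabet and padding before decoding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-SharePointAccessToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$SiteUrl,          # e.g. https://CSPCustomerTenant.sharepoint.com
        [Parameter(Mandatory)][string]$ExpectedTenantId  # the customer's tenant id used in the token request
    )
    $claims    = ConvertFrom-JwtPayload -Token $Token
    $authority = ([Uri]$SiteUrl).GetLeftPart([UriPartial]::Authority)
    $problems  = @()
    # Assumption: SharePoint Online accepts the site host or its first-party app id as audience
    if ($claims.aud -ne $authority -and $claims.aud -ne '00000003-0000-0ff1-ce00-000000000000') {
        $problems += "aud is '$($claims.aud)', expected '$authority' (token minted for another resource)"
    }
    if ($claims.tid -ne $ExpectedTenantId) {
        $problems += "tid is '$($claims.tid)', expected '$ExpectedTenantId' (token minted for the wrong tenant)"
    }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $expires" }
    [pscustomobject]@{
        Audience = $claims.aud; TenantId = $claims.tid; Scopes = $claims.scp; Roles = $claims.roles
        Expires  = $expires;    Ok = ($problems.Count -eq 0); Problems = $problems
    }
}

# Constructed sample (unsigned JWT, demonstration only): a token that was issued for Graph,
# not for the SharePoint host, which is one way to end up with a 401 from Get-PnPSite
$hdr = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}')).TrimEnd('=')
$pl  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
         '{"aud":"https://graph.microsoft.com","tid":"11111111-1111-1111-1111-111111111111","exp":4102444800,"scp":"Sites.Read.All"}')).TrimEnd('=')
$sample = '{0}.{1}.signature' -f $hdr, $pl
Test-SharePointAccessToken -Token $sample -SiteUrl 'https://CSPCustomerTenant.sharepoint.com' `
    -ExpectedTenantId '11111111-1111-1111-1111-111111111111'
```

In the real flow, replace `$sample` with `$MsgToken.access_token` and only call Connect-PnPOnline when the result's Ok is true; the Problems field tells you whether the scope or the tenant id in the token request was wrong.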