
PnP PowerShell
https://pnp.github.io/powershell
MIT License

[BUG] New-PnPSite is not working after PNP Management shell tenant app was discontinued. #4261

Closed prachigoyal90 closed 5 days ago

prachigoyal90 commented 6 days ago

After PNP Management shell tenant app was discontinued on 9/9, the script that we had for site provisioning stopped working. We have created Entra App registration and added below permissions to the app:

Permission | Type
ChannelMember.ReadWrite.All | Delegated
Directory.AccessAsUser.All | Delegated
Directory.ReadWrite.All | Delegated
Group.ReadWrite.All | Delegated
Team.Create | Delegated
TeamMember.ReadWrite.All | Delegated
TeamsAppInstallation.ReadWriteForUser | Delegated
TeamSettings.ReadWrite.All | Delegated
TeamsTab.ReadWrite.All | Delegated
User.Read | Delegated
AllSites.FullControl | Delegated
Sites.FullControl.All | Application
Sites.Search.All | Delegated
TermStore.ReadWrite.All | Delegated
User.ReadWrite.All | Delegated

We were able to use the commands:

Connect-PnPOnline -Url $TenantUrl -ClientId "" -ClientSecret ""
Connect-PnPOnline -Url "" -ClientId "" -ClientSecret ""

but for New-PnPSite -Title $Title -Type TeamSite -Alias $Alias, we are receiving the error:

New-PnPSite : Creating a new teamsite requires an underlying Microsoft 365 group. In order to create this we need to acquire an access token for the Microsoft Graph. This is not possible using ACS App Only connections.

What is the version of the Cmdlet module you are running?

New-PnPSite -Title $Title -Type TeamSite -Alias $Alias

Which operating system/environment are you running PnP PowerShell on?

jackpoz commented 6 days ago

As you are connecting with ClientSecret, your connection is of type "ACS App Only". As the error message says, this doesn't support all cmdlets, with New-PnPSite -Type TeamSite apparently being one of them due to the interaction with Microsoft Graph.

The solution would be to use a certificate instead of a secret.

Please note that ACS will be retired in April 2026, announcement at https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/azure-acs-retirement-in-microsoft-365/ba-p/3982039 , documentation at https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs . This means that you should replace the use of a client secret in PnP PowerShell with a certificate by that date.

Your app registration has many Delegated permissions, which are unused when using a client secret. Are you using the same app registration with -Interactive authentication with an account, or could that be an oversight?

gautamdsheth commented 6 days ago

You can create an EntraID app with certificates as mentioned here:

https://pnp.github.io/powershell/articles/registerapplication.html#setting-up-access-to-your-own-entra-id-app-for-app-only-access

gautamdsheth commented 5 days ago

Moving this to a discussion as it is a configuration issue and not an issue with the cmdlet itself. As suggested above, please create a certificate and upload it to your EntraID app and use that to authenticate.
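The switch the maintainers recommend, as an added example that is not code from this issue or from the PnP PowerShell project: register an Entra ID app with a certificate and only Application permissions, connect with the certificate instead of -ClientSecret, and refuse to provision on an ACS connection so the failure is explicit. The tenant name, URLs, paths, client ID, permission scopes, the PFX file name and the ConnectionMethod property/value checked in the guard are all assumptions.

```powershell
# Added example, not code from the issue or from the PnP PowerShell project.
# Every tenant, URL, path, client ID and permission name below is an assumption.

$Tenant    = "contoso.onmicrosoft.com"          # assumption: your tenant
$TenantUrl = "https://contoso.sharepoint.com"   # assumption: your SharePoint root
$CertDir   = "C:\certs"                         # assumption: where the PFX/CER are written
$AppName   = "PnP Site Provisioning"            # assumption: app registration name
$CertPass  = Read-Host -AsSecureString -Prompt "Password for the PFX that will be created"

# --- One-time setup (run interactively as an administrator who can grant consent) ---------
# Register-PnPEntraIDApp creates a self-signed certificate, an Entra ID app registration that
# uses it as a credential, and asks for admin consent. Request only Application permissions:
# an app-only connection never uses Delegated permissions, and creating a team site needs a
# Graph permission for the underlying Microsoft 365 group plus SharePoint control over sites
# (the two scopes below are assumed; scope them down to what your provisioning really needs).
Register-PnPEntraIDApp -ApplicationName $AppName -Tenant $Tenant `
    -OutPath $CertDir -CertificatePassword $CertPass `
    -GraphApplicationPermissions "Group.ReadWrite.All" `
    -SharePointApplicationPermissions "Sites.FullControl.All" `
    -Interactive
# Record the client ID the cmdlet prints and the PFX it writes into $CertDir.
$ClientId = "00000000-0000-0000-0000-000000000000"   # assumption: replace with the app's ID
$CertPath = Join-Path $CertDir "$AppName.pfx"         # assumption: file name chosen by the cmdlet

# --- Every run of the provisioning script ---------------------------------------------------
# Before (fails): -ClientSecret yields an ACS app-only connection, which cannot obtain a
# Microsoft Graph token, so New-PnPSite -Type TeamSite throws the error quoted in the issue.
#   Connect-PnPOnline -Url $TenantUrl -ClientId $ClientId -ClientSecret $Secret
#
# After: the certificate authenticates the Entra ID app directly, so a Graph token can be
# acquired alongside the SharePoint token.
Connect-PnPOnline -Url $TenantUrl -ClientId $ClientId -Tenant $Tenant `
    -CertificatePath $CertPath -CertificatePassword $CertPass

function New-ProvisionedTeamSite {
    param(
        [Parameter(Mandatory)] [string] $Title,
        [Parameter(Mandatory)] [string] $Alias
    )
    # Guard: stop early and loudly if someone reintroduces a client-secret connection.
    # Assumption: Get-PnPConnection exposes ConnectionMethod and reports ACSAppOnly for
    # secret-based connections.
    $conn = Get-PnPConnection
    if ($conn.ConnectionMethod -eq 'ACSAppOnly') {
        throw "Connected with a client secret (ACS app-only); New-PnPSite -Type TeamSite needs a certificate-based Entra ID app-only connection."
    }
    # -Wait blocks until the site and its Microsoft 365 group exist; the result is the site URL.
    return New-PnPSite -Type TeamSite -Title $Title -Alias $Alias -Wait
}

New-ProvisionedTeamSite -Title "Project Falcon" -Alias "projectfalcon"   # assumption: sample values
```

On a Windows host you can import the PFX into the user or machine certificate store and connect with -Thumbprint instead of -CertificatePath/-CertificatePassword, which keeps the private key out of a file next to the script. Either way, the -ClientSecret path stops working when ACS is retired in April 2026, so the certificate connection is the one to keep.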