Closed prachigoyal90 closed 5 days ago
As you are connecting with ClientSecret, your connection is of type "ACS App Only". As the error message says, this doesn't support all cmdlets, with New-PnPSite -Type TeamSite apparently being one of them due to the interaction with Microsoft Graph.
The solution would be to use a certificate instead of a secret.
Please note that ACS will be retired in April 2026; announcement at https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/azure-acs-retirement-in-microsoft-365/ba-p/3982039, documentation at https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs. This means that you should replace the usage of client secret with PnP PowerShell with a certificate by that date.
Your app registration has many Delegated permissions, which are unused when using a client secret. Are you using the same app registration with -Interactive authentication with an account, or could that be an oversight?
You can create an EntraID app with certificates as mentioned here:
Moving this to a discussion as it is a configuration issue and not an issue with the cmdlet itself. As suggested above, please create a certificate and upload it to your EntraID app and use that to authenticate.
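The certificate-based connection suggested in the replies above, as an added example that is not part of the original thread or the PnP project's own code. It assumes Windows PowerShell with the built-in PKI module, an app registration holding Application (not Delegated) permissions, and placeholder values for the client ID, tenant name, site URL, title and alias.

```powershell
# Added example; every value below is a placeholder, not taken from the thread.
$TenantUrl = "https://contoso.sharepoint.com"          # placeholder
$Tenant    = "contoso.onmicrosoft.com"                 # placeholder
$ClientId  = "00000000-0000-0000-0000-000000000000"    # placeholder app (client) ID
$Title     = "Project Site"                            # placeholder
$Alias     = "projectsite"                             # placeholder

# 1. Create a self-signed certificate in the current user's store.
#    NonExportable keeps the private key from being copied off this machine.
$cert = New-SelfSignedCertificate `
    -Subject "CN=PnP-SiteProvisioning" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public part (.cer). Upload this file to the Entra ID
#    app registration under "Certificates & secrets" (manual portal step).
Export-Certificate -Cert $cert -FilePath ".\PnP-SiteProvisioning.cer" | Out-Null

# Before (from the thread): a client secret gives an "ACS App Only" connection,
# which cannot acquire a Microsoft Graph token:
#   Connect-PnPOnline -Url $TenantUrl -ClientId "" -ClientSecret ""

# 3. After: connect app-only with the certificate, referenced by thumbprint
#    so no key file or password has to be stored next to the script.
Connect-PnPOnline -Url $TenantUrl `
    -ClientId $ClientId `
    -Tenant $Tenant `
    -Thumbprint $cert.Thumbprint

# 4. The cmdlet that failed in the thread, now run on the certificate connection.
New-PnPSite -Type TeamSite -Title $Title -Alias $Alias
```

Because the private key is non-exportable, the script can only authenticate from the machine and user profile where the certificate was created; delete the old client secret from the app registration once the certificate connection works.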
After the PnP Management Shell tenant app was discontinued on 9/9, the script that we had for site provisioning stopped working. We have created an Entra app registration and added the below permissions to the app:
ChannelMember.ReadWrite.All | Delegated
Directory.AccessAsUser.All | Delegated
Directory.ReadWrite.All | Delegated
Group.ReadWrite.All | Delegated
Team.Create | Delegated
TeamMember.ReadWrite.All | Delegated
TeamsAppInstallation.ReadWriteForUser | Delegated
TeamSettings.ReadWrite.All | Delegated
TeamsTab.ReadWrite.All | Delegated
User.Read | Delegated
AllSites.FullControl | Delegated
Sites.FullControl.All | Application
Sites.Search.All | Delegated
TermStore.ReadWrite.All | Delegated
User.ReadWrite.All | Delegated
We were able to use the commands:
Connect-PnPOnline -url $TenantUrl -ClientId "" -ClientSecret ""
Connect-PnPOnline -Url "" -ClientId "" -ClientSecret ""
but for New-PnPSite -Title $Title -Type TeamSite -Alias $Alias, we are receiving the error:
New-PnPSite : Creating a new teamsite requires an underlying Microsoft 365 group. In order to create this we need to acquire an access token for the Microsoft Graph. This is not possible using ACS App Only connections.
What is the version of the Cmdlet module you are running?
New-PnPSite -Title $Title -Type TeamSite -Alias $Alias
Which operating system/environment are you running PnP PowerShell on?