
PnP PowerShell
https://pnp.github.io/powershell
MIT License

[BUG] Add-PnPAzureADServicePrincipalAppRole returns "Service principal not found" #4501

Closed: erobillard closed this 17 hours ago

erobillard commented 3 weeks ago

Add-PnPAzureADServicePrincipalAppRole always returns "Service principal not found"

Expected behavior

BEFORE Microsoft's restriction on interactive logins, a Global Admin was able to use Connect-PnPOnline in an interactive mode to connect to a tenant, and grant permissions for an Azure Automation Account to run PnP.PowerShell commands with the Add-PnPAzureADServicePrincipalAppRole cmdlet.

NOW, the following steps should succeed to grant API permissions to an Azure Automation Account:

1/ Created an App Registration for running PowerShell with the certificate option with:

Register-PnPAzureADApp -ApplicationName "Xyz.PnP.PowerShell" -Tenant [mytenant].onmicrosoft.com -CertificatePath "c:\certs\Xyz.PnP.PowerShell.pfx" -Interactive

The [PowerShell App ID] returned by the above is used in subsequent connections.

2/ In AAD/Entra, assign the above App Registration the following API permissions, and Grant admin consent for the org:

3/ Connect-PnPOnline using the -ClientId and -CertificatePath parameters from my App Registration:

Connect-PnPOnline [mytenant].sharepoint.com -ClientId [PowerShell App ID] -Tenant [mytenant].onmicrosoft.com -CertificatePath "c:\certs\Xyz.PnP.PowerShell.pfx"

ALSO TRIED (per Todd's article https://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=904):

Connect-PnPOnline [mytenant].sharepoint.com -ClientId [PowerShell App ID] -Tenant [mytenant].onmicrosoft.com -Interactive

4/ The following incantation should now succeed:

Add-PnPEntraIDServicePrincipalAppRole -Principal "[Azure Automation Account ID]" -AppRole "Group.Read.All" -BuiltInType MicrosoftGraph

Actual behavior

Step 4 fails with error: "Service principal not found"

Note that Get-PnPEntraIDServicePrincipal DOES list the Azure Automation Account, including the ID being used in step 4. However, the Add cmdlet continues to fail with the error above.

-verbose output:

VERBOSE: Making GET call to https://graph.microsoft.com/v1.0/servicePrincipals?$filter=id eq '[Azure Automation Account ID]'
VERBOSE: Evaluating application permissions in access token for audience Microsoft Graph
VERBOSE: Access token contains the following 4 application permission scopes for resource Microsoft Graph: Application.ReadWrite.All, Directory.Read.All, User.Read.All, AppRoleAssignment.ReadWrite.All
VERBOSE: Making GET call to https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appid eq '[Azure Automation Account ID]'
VERBOSE: Evaluating application permissions in access token for audience Microsoft Graph
VERBOSE: Access token contains the following 4 application permission scopes for resource Microsoft Graph: Application.ReadWrite.All, Directory.Read.All, User.Read.All, AppRoleAssignment.ReadWrite.All
Add-PnPAzureADServicePrincipalAppRole: Service principal not found

Similar output when the Azure Automation Account display name is used instead:

VERBOSE: Making GET call to https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq '[AutomationAccountName]'
VERBOSE: Evaluating application permissions in access token for audience Microsoft Graph
VERBOSE: Access token contains the following 4 application permission scopes for resource Microsoft Graph: Application.ReadWrite.All, Directory.Read.All, User.Read.All, AppRoleAssignment.ReadWrite.All
Add-PnPAzureADServicePrincipalAppRole: Service principal not found

Steps to reproduce behavior

The following articles describe the steps, though Denis's article is slightly more specific:

https://pnp.github.io/powershell/articles/azureautomationrunbook.html
https://spdenis.com/run-pnp-powershell-from-azure-automation/

The difference now is that it's also necessary to create an App Registration and cert in order to execute PnP.PowerShell cmdlets: https://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=904

What is the version of the Cmdlet module you are running?

2.99.18 - the nightly build is required to register PowerShell in the Application registry; the last official release contained a bug that prevented the Register-PnPAzureADApp step from working.

Which operating system/environment are you running PnP PowerShell on?
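The certificate-based sequence from the report, written out as an added PowerShell example that is not part of this issue or of the PnP PowerShell project: it connects app-only with the certificate, confirms that the Automation Account's managed identity actually resolves as a service principal (by object id, the value the report's verbose output shows the cmdlet filtering on) before attempting the grant, grants only the single Microsoft Graph app role the runbook needs, and reads the assignment back so the least-privilege result can be audited. Get-PnPEntraIDServicePrincipalAssignedAppRole and the Id/AppId/DisplayName property names are assumed from the module's documentation; every bracketed value is a placeholder.

```powershell
# Added example, not from the issue or the PnP project. Replace the [bracketed] placeholders.
$Tenant         = "[mytenant].onmicrosoft.com"
$SiteUrl        = "https://[mytenant].sharepoint.com"
$ClientId       = "[PowerShell App ID]"             # app registration created by Register-PnPAzureADApp
$CertPath       = "c:\certs\Xyz.PnP.PowerShell.pfx"
$AutomationSpId = "[Azure Automation Account ID]"   # object id of the managed identity's service principal
$AppRole        = "Group.Read.All"                  # grant only the permission the runbook needs

# 1. App-only connection with the certificate; no interactive login is involved.
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Tenant $Tenant -CertificatePath $CertPath

# 2. Confirm the principal resolves before attempting the grant. The report's verbose output
#    shows the Add cmdlet filtering on both id and appId, so make sure the value supplied is the
#    service principal's object id rather than the application (client) id.
$sp = Get-PnPEntraIDServicePrincipal | Where-Object { $_.Id -eq $AutomationSpId }
if (-not $sp) {
    throw "No service principal with object id $AutomationSpId; compare with Get-PnPEntraIDServicePrincipal output"
}
Write-Host "Resolved '$($sp.DisplayName)' (object id $($sp.Id), appId $($sp.AppId))"

# 3. Grant the single Microsoft Graph application permission (the cmdlet from step 4 of the report).
Add-PnPEntraIDServicePrincipalAppRole -Principal $sp.Id -AppRole $AppRole -BuiltInType MicrosoftGraph

# 4. Read the assignments back so the grant can be reviewed and audited (assumed cmdlet name).
Get-PnPEntraIDServicePrincipalAssignedAppRole -Principal $sp.Id | Format-List
```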

gautamdsheth commented 17 hours ago

Hi @erobillard, thanks for providing these detailed steps to reproduce the issue.

It has been fixed now and will be available in tomorrow's nightly build and the ones after that. Much appreciated.