How to connect Sharepoint site without human interaction

[Gorthog]

What I'm trying to do is have the admin enter their credentials on the web page (client side), then transfer the token to the backend and execute powershell commands to query their sharepoint site state. Specifically Get-PnPTenant

I tried running:

Connect-PnPOnline -Url "https://$tenant.sharepoint.com" -AccessToken $token
Get-PnPTenant

but i get Get-PnPTenant: The remote server returned an error: (401) Unauthorized.

So I tried a different approach, I have setup all the needed access for a single tenant, let's call it tenant1, and generated certificate for that tenant. Now I can connect perfectly fine for tenant1:

Connect-PnPOnline -Url "https://tenant1.sharepoint.com" -ClientId "xxxxxxxx-xxxx-...." -Tenant "tenant1.onmicrosoft.com" -CertificatePath cert.pfx -CertificatePassword (ConvertTo-SecureString -String "pass" -AsPlainText -Force)

However, it required running this command:
Register-PnPAzureADApp -ApplicationName appname -Tenant=tenant1.onmicrosoft.com -DeviceLogin

But this command is interactive, and I require unattended approach that works on Linux - because I run on the server side.

This is where I hit a dead end. Any help would be appreciated, specifically - Explanation how I can connect an app without user interaction. We can assume I have the admin token, or even the actual username and password of the admin.

[Gorthog]

@erwinvanhunen maybe you can help with this?

After reading a bit more, I think using access tokens would be the perfect solution for me.

But I can't make it work.

Here is what I tried:

• Call Connect-PnPOnline -Url "https://tenant1.sharepoint.com" -ClientId "xxxxxxxx-xxxx-...." -Tenant "tenant1.onmicrosoft.com" -CertificatePath cert.pfx -CertificatePassword (ConvertTo-SecureString -String "pass" -AsPlainText -Force)
• Call Get-PnPTenant works perfectly fine
• Copy value of Request-PnPAccessToken
• On a new shell:
• Connect-PnPOnline -AccessToken -Url "https://tenant1.sharepoint.com"
• Call Get-PnPTenant: The remote server returned an error: (401) Unauthorized.

What am I doing wrong?

[Gorthog]

So I've found that using office 365 cli to get token, and it's working very well

m365 login
# interactively login with the browser
m365 spo tenant settings list --debug

Then it outputs the token in debug logs. i stored it as $accessToken. then it this code works perfectly fine

Connect-PnPOnline -Url "https://$tenant.sharepoint.com" -AccessToken $token
Get-PnPTenant

now all that i need to understand is how the oauth2 flow works with m365 cli so i can use it on my app to get the same token.

[Gorthog]

after a lot of thorough digging, finally cracked it.

the flow is to get a refresh token and then exchange it for sharepoint token but for scope add -admin suffix to tenant.

like this:

http -f https://login.microsoftonline.com/common/oauth2/v2.0/token client_id=... refresh_token=$refreshToken grant_type=refresh_token scope="https://${tenantName}-admin.sharepoint.com/.default openid profile offline_access"

now

Connect-PnPOnline -Url "https://$tenant.sharepoint.com" -AccessToken $token
Get-PnPTenant

finally works!

[wfi-jonas]

Get-PnPTenant only worked for me when I'm connected to the admin url.
https://${tenantName}-admin.sharepoint.com instead of https://${tenantName}.sharepoint.com