PnP PowerShell - app permissions

[samveilleux]

My customer has the following questions that I'm trying to get to the bottom of:

• 1st issue – when we attempt to sign in via interactive sign in with the new PnP module, it prompts us to submit for basically every graph API permission available.
o I did that, so the first thing we need to know is where that went. The documentation references a PnP Management Shell Multi-Tenant Azure AD Application, but I have checked the test tenant where I submitted the request and that application does not currently exist there. There is not a new enterprise app that was created for those permissions so I need to know what app those permissions went to for consent so I know whom from SF to reach out to and where to direct them in order to move this forward. Also, is this per user that attempts to sign in or just done once?
o Secondly, we have absolutely no path to getting all of the permissions it requests by default. We will never get user read/write or group read/write, among many others, and we shouldn’t need them either for just using PnP for the administration of SharePoint Online but we need to know for certain that if they only consent to the SPO permissions that it wont automatically keep preventing us from signing in and telling us that we need to request additional permissions.

• Second issue, and probably the biggest, is that connecting with an app id, as we would for all automation we might build, connects with legacy ACS authentication, which is clearly documented in the PnP documentation. While for now, this does not appear to impact most of the SP cmdlets such as the set-pnpsite or get-pnpsite as those likely still use CSOM behind the scenes, it very clearly states that when you connect with it you can not use that connection context for anything that uses the graph API, which is the error I get when attempting to run the new cmdlet for scoping the permissions of an enterprise app. The issues this presents are:
o Currently using that app id is the only method we have for connecting with PnP until we sort out how we can be able to connect with our user account via that enterprise app wrapper. It works for most the ‘legacy’ SharePoint cmdlets outside of the newer ones mentioned above
o Longer term, given that it appears the direction with PnP is going to be using the graph API for everything, this could pose issues to any of our automation where we use a service principle should the SharePoint pieces ever transition to that. We are looking to understand if currently there is any way to authenticate with a service principle that does not use the legacy ACS authentication. There are around 8 different ways the documentation show to connect via a service principle via different certificates and Azure AD things you can do, but it doesn’t document or state their authentication method. We are currently just using a generated client secret.

[AndersRask]

Note that the permissions given are delegate permissions, not application permissions. It is not the first time we have a post here on this subject, but it is important to note the difference: Application permissions allows an application in AAD to act as it's own entity, rather than on behalf of a specific user, where delegate permissions allows an application in AAD to perform actions on behalf of a particular user.

From the Authentication documentation
_

You need to run this cmdlet with an identity that has write access to the Azure AD. You are not creating a new application in the sense of something that runs in your Azure AD tenant. You're only adding a registration to your Azure AD, a so called 'consent' for people in your tenant to use that application. The access rights the application requires are delegate only, so you will always have to provide credentials or another way of identifying the user actually using that application.

_

If you go to AAD > Enterprise applications and search for PnP Management Shell (or just pnp) the application should be there. If it isn't, try again following the guide linked above, you might have missed a step.
Once this is set up on the tenant, you don't really need to do anything more with it. It is just a prerequisite to do authentication on that tenant using PnP.

While it is right that the old PnP module (SharePointPnPPowerShellOnline) used app-only service principals, the way forward for your automation needs will be app registrations (client id) with certificates. Unless you have something very custom set up, all you should need to do is replace the app-only service principals with client id's and certificates (preferably stored in Key Vault) and then changing connect-pnponline to match. There can be some border cases where graph permissions still doesn't quite get you there (still having issues updating user profile properties with anything but app-reg's last i checked).

My advice to you would be to install your automation code on your dev tenant and test it out with the pnp.powershell module and see where the code might break, fix it there and then upload to your customers tenant with a clear RfC guide on what are required etc.

Hope this helps, but else @erwinvanhunen maybe can pipe on on some of the specific questions.

[LeHailender]

A stupid and possibly often asked question. Is it somehow possible to connect (Connect-PnPOnline...) with certificates and use then delegated permission (AllSites.FullControl )?
At a large customer, we need to connect to various SharePoint sites in an Azure Fuction. A connection with service account credentials is unfortunately not possible because MFA cannot be deactivated. And the IT department does not want to grant application permission (
Sites.FullControl.All), because otherwise the registered app would have access to all SharePoint sites of the company.

Is there a solution for such a scenario? Maybe the new introduced Sites.Selected permission? And is it possible to use the Get-PnPSiteTemplate command with the Sites.Selected permission?

[AndersRask]

Yes it is possible to grant access to selected sites, not just a blanket Sites.FullControl.All when using Windows Graph or PnP. SharePoint The sample below shows how to do this (I don't think there is a UI way to do this yet). • Create a Client ID and assign a secret/cert• Grant Sites.Selected under Microsoft Graph or SharePoint depending on what you want to do • Using an admin account grant specific site permissions• Grant-PnPAzureADAppSitePermission -AppId $appRegClientId -DisplayName $appRegName -Site "https://yourtenant.sharepoint.com/sites/yoursite" -Permissions Write• Permission can also be Read and you can see permissions using Get-PnPAzureADAppSitePermission -Site $siteUrl• Connect to the site with the client id either using PnP.PowerShell or Rest More info:https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/Kind regards Anders Rask On 5 Apr 2022 19.09, Jens Haile @.***> wrote:
A stupid and possibly often asked question. Is it somehow possible to connect (Connect-PnPOnline...) with certificates and use then delegated permission (AllSites.FullControl )?
At a large customer, we need to connect to various SharePoint sites in an Azure Fuction. A connection with service account credentials is unfortunately not possible because MFA cannot be deactivated. And the IT department does not want to grant application permission (
Sites.FullControl.All), because otherwise the registered app would have access to all SharePoint sites of the company.
Is there a solution for such a scenario? Maybe the new introduced Sites.Selected permission? And is it possible to use the Get-PnPSiteTemplate command with the Sites.Selected permission?

[LeHailender]

Thanks...

But I'm still not sure if the Site.Selected Write permission is enough to use/work with PnP site templates ( Get-PnPSiteTemplate and Invoke-PnPSiteTemplate).

The scenario is:

1. we create TeamSites with a customer API and set our service account as the owner.
2. on the created sites we want to apply PnP templates to make some specific customizations.
3. The idea was to use delegated AllSites.FullControl permissions with our service account to connect to these sites, but unfortunately this does not work as we are not allowed to disable MFA for security reasons.

[LeHailender]

FYI: You can set beside Read and Write permissions also Manage and FullControl permissions in combination with Site.Selected. But you need two calls:
First call set Read or Write permissions.
Second call to update with FullControl permissions.

Found this in the slightly hidden documentation ;-)
https://pnp.github.io/powershell/cmdlets/Set-PnPAzureADAppSitePermission.html