401 error when connecting with AccessToken generated through CSP

[magnusjak]

Hi,

We are trying to replicate the AccessToken you get when using 'Connect-PnPOnline -Interactive; Get-PnPAppAuthAccessToken' through a separate application. We manage to create the AccessToken with 'https://yourTenantSite.sharepoint.com' as the resource for the token and O365 SharePoint Online AllSites.FullControl scope, but we are still getting 401 after connecting successfully and trying to run Get-PnPSite or Get-PnPWeb etc.
Are these things possible with application permissions, or does it have to be delegated permissions?
If this works with app permissions, how would you go about creating the token?

This is what we are using as of now.

$params = @{
resource = "https://yourTenantSite.sharepoint.com/";
grant_type = "refresh_token";
client_secret = $AOBOAppRegistration.GetNetworkCredential().password
client_id = $AOBOAppRegistration.'UserName'
refresh_token = $AOBORefreshToken
}

$customerAccessTokenUri = ('https://login.microsoftonline.com/YourTenantID/oauth2/v2.0/token')
$AccessToken = (Invoke-RestMethod -Uri $customerAccessTokenUri -Method POST -Body $params).access_token

Connect-PnPOnline -Url $RootURL -AccessToken $AccessToken
Get-PnPSite

When decoding the token we receive, the scope shows the following:
"scp": "AllSites.FullControl User.ReadWrite.All TermStore.ReadWrite.All". We have added a lot of graph permissions to our app as well, but these don't seem to get applied to the token when the resource is specified as sharepoint. Could this be the issue, or something else we are missing?
The reason we are trying to do it like this is to use Admin on behalf of (AOBO) through our CSP tenant to all our customers without having to create specific servicePrincipals in each tenant.

[martinlingstuyl]

Hi @magnusjak,

If you are retrieving a token with the audience (aud) "https://yourtenantsite.sharepoint.com/", you'll not be seeing the Microsoft Graph scopes, you'd need to request a token for the microsoft graph to do that. (The resource value being https://graph.microsoft.com in that case)

Further more: AllSites.FullControl is a delegated scope. The scp property also means you have an user access token.

If you like to communicate using App only permissions, you'd need to apply for the Sites.FullControl.All app only scope.
Also you'd need to authenticate using a Client ID and Certificate, SP does not support the Client Credentials flow.
check this link here to see how to set up the connection.

[magnusjak]

Hi @martinlingstuyl,

We ended up doing a workaround here. Using our DAP(AOBO) access to create an application/ServicePrincipal and add the required permissions to it, add a certificate and then save the appID and certEncoding in our own keyvault, we are able to use this when authentication to the customer through PNP.

We also had a discussion with Microsoft about this, more or less saying that it won't work using the DAP access directly.

[martinlingstuyl]

Nice @magnusjak, awesome that you found a solution. Good day to you!