Connect-PnPOnline Fails w/ PS 7.2 & PnP 2.1.1 in Azure Runbook #3779

dremillard · 2023-05-05T11:31:02Z

dremillard
May 5, 2023

Discussed in #3088

Hi all,

I'm moving this to from discussions to issues since it's something that used to work that now doesn't. This is all about running in an Azure Runbook. I can successfully connect using Connect-PnPOnline with a cert and thumbprint in Azure Runbooks with PowerShell 5.1 and 7.1 using PnP.Powershell 1.12. This is the typical move:

$AdminURL = "https://mytenant-admin.sharepoint.com"
$TenantID = "b3asdf75-cca6-4bbf-9eb6-b01asdf8e5cf"
$ThumbPrint = "FA6738420527962ASDF3F3FE79B0CE68410F610FC"
$ClientID = "59sdfedf-6aa0-4d28-a2d9-1b3dsssd3115"

$Conn = Connect-PnPOnline -Url $AdminURL -ClientId $ClientID -Tenant $TenantID -Thumbprint $ThumbPrint -ReturnConnection

Get-PnPTeamsTeam -Connection $Conn

But now I need some of the new capabilities in PnP.PowerShell 2.1.1 and the above no longer works. Now, when I do the above move in an Azure Runbook using PowerShell 7.2 and PnP.PowerShell 2.1.1, it gives an error saying that it can't find a certificate with that thumbprint. And this runbook is in the same Automation Account using the same Shared Resources (certificate) as the PnP 1.12 that is working.

The actual error is: "Cannot find certificate with this thumbprint in the certificate store".

Any thoughts on what could be causing this? Did the methodology for using a certificate in Shared Resources change with 2.1.1?

Thanks in advance for your help!

Dave

BlazeOfFeathers · 2023-05-13T08:42:07Z

BlazeOfFeathers
May 13, 2023

The same issue here. Any updates yet?

0 replies

MrDrSushi · 2023-05-17T01:10:26Z

MrDrSushi
May 17, 2023

Same here - Azure runtime version 7.2 (preview), it can't find the certificate - in my case the certificate is tied to an Azure App for the authentication - I assume @BlazeOfFeathers and @dremillard are using the same model like me to connect to SharePoint Online through an Azure App - is this still the model or should I use something else?

"Cannot find certificate with this thumbprint in the certificate store."

0 replies

ollimenzel · 2023-06-28T12:40:01Z

ollimenzel
Jun 28, 2023

Have a similar problem, only the error message is slightly different "ERROR! Keyset does not exist".

0 replies

BlazeOfFeathers · 2023-06-30T11:11:10Z

BlazeOfFeathers
Jun 30, 2023

I have found a solution for this issue. You need to migrate your runbooks to managed identities.
The updated documentation of PnP outlines the necessary steps.

https://pnp.github.io/powershell/articles/azureautomationrunbook.html?q=ManagedIdentity

Instead of using an App Registration, you need to grant permissions to your Runbook through a managed identity.

0 replies

bckrma · 2023-07-31T09:12:48Z

bckrma
Jul 31, 2023

Has anyone found a way to authenticate using a certificate in an azure automation runbook (powershell 7.2)?
Unfortunately I cant use a managed identity since its not working with the 'Sites.Selected' permission

0 replies

KoenZomers · 2023-07-31T09:34:43Z

KoenZomers
Jul 31, 2023
Maintainer

I'm pretty sure I've had this working with PnP Posh 2.x in Azure Runbooks with certs as well as a managed identity using sites.selected. Would need to see if I still have the examples as I've lost quite a bit of Azure components recently, but it was pretty straightforward from what I remember. What's the issue you're running into trying to use sites.selected @bckrma ?

0 replies

bckrma · 2023-07-31T10:35:09Z

bckrma
Jul 31, 2023

Ah okay, i thought it was a general problem with the Sites.Selected permission.
My problem is that my request fail with a 401 error. If its helpful I can also create a separate issue for this.

My steps

I have created a new Azure Automation Account and enabled the system assigned managed identity.
After that I assigned the Sites.Selected permission, for 'Microsoft Graph' and 'Office 365 SharePoint Online'. Both permissions are visible in the Managed Identity object in the azure portal
I have used the Grant-PnPAzureADAppSitePermission cmdlet to grant write permission for the managed identity on the target site. The permission is listed when i run get-pnpazureADAppSitePermission on the target site.

The results of my testing runbook:

PnP.PowerShell - Managed Identity

$Connection = Connect-PnPOnline -Url $SiteURL -ManagedIdentity -ReturnConnection
$Lists = Get-PnPList -Connection $Connection
$Lists

Output

Get-PnPList: 
Line |
   9 |  $Lists = Get-PnPList -Connection $Connection
     |           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Attempted to perform an unauthorized operation.

PnP.Powershell - Access Token

Connect-AzAccount -Identity
$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/.default").Token
$Connection = Connect-PnPOnline -Url $SiteURL -Accesstoken $token -ReturnConnection
$Lists = Get-PnPList -Connection $Connection
$Lists
$Connection = $null
$Lists = $null

Output

Get-PnPList: 
Line |
  19 |  $Lists = Get-PnPList -Connection $Connection
     |           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The remote server returned an error: (401) Unauthorized.

Graph - SDK

Connect-AzAccount -Identity
$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/.default").Token
Connect-MgGraph -Accesstoken $token
$SiteID = "tenantname.sharepoint.com,xxxxxx-3343-4199-xxxxxxx-c894104f62c0,7f53ac34-xxxxxx-4995-8871-xxxxxx"
$ListID = "xxxxxx-3a26-xxxxx-af55-xxxxxxxx"
Get-MgSiteListItem -ListId $ListID -SiteId $SiteID

Output

Get-MgSiteListItem_List: 
Line |
  38 |  Get-MgSiteListItem -ListId $ListID -SiteId $SiteID
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Access denied

Graph - Invoke-RestMethod

$Header = @{
    "Authorization" = "Bearer $token"
    "Content-Type" = "application/json"
}
$URI = "https://graph.microsoft.com/v1.0/sites/tenantname.sharepoint.com:/sites/sitename:/lists/listname/items"
$Response = Invoke-RestMethod -URI $URI -Header $Header -Method GET
$Response

Output

Invoke-RestMethod: 
Line |
  31 |  $Response = Invoke-RestMethod -URI $URI -Header $Header -Method GET
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"error":{"code":"accessDenied","message":"Access denied","innerError":{"date":"2023-07-31T10:22:07","request-id":"xxxxxx-xxxx-xxxx-xxxx-xxxxxxx","client-request-id":"xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"}}}

I have also used a jwt encoder to look at the access token returned by $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/.default").Token
'Sites.Selected' is listed under roles, so the token looks valid for me

Greetings

0 replies

nicole-ge · 2024-02-20T20:33:25Z

nicole-ge
Feb 20, 2024

@bckrma I have done the same procedure as you and got the same error. Are there any News how it works?

0 replies

vdias · 2024-06-21T08:46:17Z

vdias
Jun 21, 2024

Having a similiar problem using user credentials... do not want to give managed identity full write on all sites...

# Get user credentials
$user = Get-AutomationPSCredential -Name "USER1"

# Conect to sharepoint
$SiteURL = "https://XXXXXXXXXXXXXXX.sharepoint.com"
$PnpConnection = Connect-PnPOnline -Url $SiteURL -Credentials $user -ReturnConnection

any solution to use Connect-PnPOnline with user credentials using a 7.2 powershell runbbok?

0 replies

Connect-PnPOnline Fails w/ PS 7.2 & PnP 2.1.1 in Azure Runbook #3779

Uh oh!

Discussed in #3088

Replies: 9 comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

KoenZomers Jul 31, 2023 Maintainer

Uh oh!

Uh oh!

Uh oh!

KoenZomers
Jul 31, 2023
Maintainer