OAuth token scope for tenant template

[joelfmrodrigues]

Hi,

Working on a project with many environment limitations where we were forced by the client policies to handle OAuth2 refresh tokens when connecting with PnP PowerShell. The refresh token is initially generated outside of our Function.
In summary:

• When our Azure Function triggers, we have a refresh token to start with and we request an access token.
• We store the new refresh token that we also get back for future use
• We then use the access token with Connect-PnPOnline -Url $SiteUrl -AccessToken $AccessToken for operations.

I tried with two tokens where the scope was SharePoint and Graph and this is working well. I can use the access token for SharePoint to execute SharePoint operations and the Graph token for Graph operations.

But I am now facing a problem that I don't know how to address, but hope this is a simple question:
My script now needs to apply a tenant template with Invoke-PnPTenantTemplate -Path "$templateFilePath" -Parameters $templateParameters that will provision a SharePoint site and a Teams team. But I don't know what the scope of my access token needs to be in order to support SharePoint and Teams provisioning.

What should be the scope of my access token that I use with ConnectPnPOnline in order to provision SharePoint and Teams with a single tenant template?

[magnusjak]

Hi @joelfmrodrigues,
Did you ever figure this part out? And how did you create your SharePoint access token? I am having problems creating an access token for SharePoint, keep getting 401 errors when calling for example Get-PnPSite or Get-PnPWeb after connecting to the rootsite.

[joelfmrodrigues]

Hi @magnusjak, I never ended up resolving the issue with Invoke-PnPTenantTemplate as shortly after facing this issue, the project requirements changed and I no longer needed to use that command, but I can use the access tokens with the other commands and all works fine. I just need to ensure that I always use the access token with the right scope for the command I need to execute.
To get access and refresh tokens, I created a script that I run manually once and it uses an app registration and executes a request as per the info in documentation from MS using a client ID and Client secret from an Azure AD app registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Just make sure that you specify the right scope for the token. In my case, I get 3 access tokens for the different scopes that I need:

$SCOPE_SP = "offline_access https://$SPOTenantName.sharepoint.com/.default"
$SCOPE_SP_ADMIN = "offline_access https://$SPOTenantName-admin.sharepoint.com/.default"
$SCOPE_GRAPH = "offline_access https://graph.microsoft.com/.default"

URLs for the requests:

$authorizeRequestUri = "https://login.microsoftonline.com/$SPOTenantId/oauth2/v2.0/authorize"
$tokenRequestUri = "https://login.microsoftonline.com/$SPOTenantId/oauth2/v2.0/token"

[magnusjak]

Thanks! I will try this

[joelfmrodrigues]

Just reading this again and not sure if your scenario is as complex as mine...so I may be introducing more complexity that you may not need.
Have you tried https://pnp.github.io/powershell/cmdlets/Get-PnPAccessToken.html after connecting first to the relevant site?

In my case, I had an Azure Function that used refresh tokens to get access tokens without user interaction as it was a background process and had to authenticate that way due to security barriers on the client tenant.
If you are just executing commands manually,

[magnusjak]

I actually think our scenario might be even more complex. We have a CSP tenant and use AOBO (Admin on behalf of) and use our clientID, secret and refresh token created there to request tokens from our CSP customers. Creating tokens for Graph isn't a problem, but it doesn't seem to work for Sharepoint even though the tokens we create looks to have the correct audience and scope.

By testing manually through interactive logon and using the Get-PnPAppAuthAccessToken command we get a token that is working with the Connect-PnPOnline -AccessToken command. But when connecting this way using the token we create through our CSP AOBO app just gives us a 401 error when doing the get-site/get-web commands.
Our main goal is full automation without having to create any app/account in the customer tenant. As long as they gone through the CSP-customer agreement. Too bad Graph doesn't have the same capabilities as the PnP module does within SharePoint.