SPO System.Net.WebException: The remote server returned an error: (403) Unauthorized
Description of the issue
I have been trying to export the SharePoint tenant settings and it has been failing despite all the required permissions provided to the app registration that is being used for this. I am trying the below cmdlet:
Export-M365DSCConfiguration -Components @("SPOSharingSettings") -ApplicationId 'xxxxxxx' -ApplicationSecret 'xxxxxxx' -TenantId xxxxx.onmicrosoft.com
I have provided the error from the log file in the below section.
Permissions provided to the application registration:
Microsoft 365 DSC Version
1.24.731.1
Which workloads are affected
SharePoint Online
The DSC configuration
No response
Verbose logs showing the problem
System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.SPWebRequestExecutor.<ExecuteAsync>d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContext.<GetFormDigestInfoPrivateAsync>d__37.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContext.<EnsureFormDigestAsync>d__36.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContext.<ExecuteQueryAsync>d__28.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.SharePoint.Client.ClientContextExtensions.<ExecuteQueryImplementation>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.SharePoint.Client.ClientContextExtensions.<ExecuteQueryImplementation>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryRetry(ClientRuntimeContext clientContext, Int32 retryCount, String userAgent)
at PnP.PowerShell.Commands.Admin.GetTenant.ExecuteCmdlet()
at PnP.PowerShell.Commands.Base.PnPConnectedCmdlet.ProcessRecord()
"Error retrieving data:"
at Get-TargetResource, C:\Users\XXXX\Documents\WindowsPowerShell\Modules\Microsoft365DSC\1.24.731.1\DSCResources\MSFT_SPOSharingSettings\MSFT_SPOSharingSettings.psm1: line 175
at Export-TargetResource, C:\Users\XXXX\Documents\WindowsPowerShell\Modules\Microsoft365DSC\1.24.731.1\DSCResources\MSFT_SPOSharingSettings\MSFT_SPOSharingSettings.psm1: line 868
at Start-M365DSCConfigurationExtract, C:\Users\XXXX\Documents\WindowsPowerShell\Modules\Microsoft365DSC\1.24.731.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Users\XXXX\Documents\WindowsPowerShell\Modules\Microsoft365DSC\1.24.731.1\Modules\M365DSCUtil.psm1: line 1394
at <ScriptBlock>, <No file>: line 10
Environment Information + PowerShell Version
OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-US
OsMuiLanguages : {en-US}
Key : PSVersion
Value : 5.1.22621.3958
Name : PSVersion
Key : PSEdition
Value : Desktop
Name : PSEdition
Key : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name : PSCompatibleVersions
Key : BuildVersion
Value : 10.0.22621.3958
Name : BuildVersion
Key : CLRVersion
Value : 4.0.30319.42000
Name : CLRVersion
Key : WSManStackVersion
Value : 3.0
Name : WSManStackVersion
Key : PSRemotingProtocolVersion
Value : 2.3
Name : PSRemotingProtocolVersion
Key : SerializationVersion
Value : 1.1.0.1
Name : SerializationVersion
Have you configured the "Allow public client flow" setting for the app? This should be set to Yes for SharePoint to work:
Thank you so much @ykuijs. Above configuration change did result in some progress but it still fails. Now the error is:
{WriteError} Microsoft.SharePoint.Client.ClientRequestException: Cannot contact site at the specified URL https://XXXXX-admin.sharepoint.com/. The app principal does not exist.
at Microsoft.SharePoint.Client.ClientContext.<GetFormDigestInfoPrivateAsync>d__37.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContext.<EnsureFormDigestAsync>d__36.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContext.<ExecuteQueryAsync>d__28.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.SharePoint.Client.ClientContextExtensions.<ExecuteQueryImplementation>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryRetry(ClientRuntimeContext clientContext, Int32 retryCount, String userAgent)
at PnP.PowerShell.Commands.Admin.GetTenant.ExecuteCmdlet()
at PnP.PowerShell.Commands.Base.PnPConnectedCmdlet.ProcessRecord()
"Error retrieving data:"
I know the app required for SharePoint can be quite sensitive. Therefore the PnP team has created a cmdlet for it, so it is created correctly all the time:
- https://pnp.github.io/powershell/articles/authentication.html#setting-up-access-to-your-own-entra-id-app-for-app-only-access
- https://pnp.github.io/powershell/cmdlets/Register-PnPAzureADApp.html
Thank you so much @ykuijs for the above. So, I did create a new app with the Register-PnPAzureADApp cmdlet. I even changed the authentication method from App ID secret to certificate based, but I am still getting the last error that I shared. I may be doing it wrong but not sure.
Registration: Register-PnPAzureADApp -ApplicationName xxxxx -Tenant xxxxx.onmicrosoft.com -Store CurrentUser -SharePointApplicationPermissions "Sites.FullControl.All" -Interactive
Exporting the configuration: Export-M365DSCConfiguration -Components @("SPOSharingSettings") -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId
Let's try to walk down the authentication stack. Are you getting any errors running the following?
Connect-M365Tenant -Workload PnP -ApplicationID <appID> -TenantId <TenantId> -CertificateThumbprint <thumbprint>
Get-PnpTenant
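The steps discussed in this thread (register the app with Register-PnPAzureADApp, connect with a certificate, confirm Get-PnPTenant works, then run the export) can be checked one layer at a time. The script below is an added example written for this page, not code from the Microsoft365DSC or PnP projects. It assumes the app was created with Register-PnPAzureADApp -Store CurrentUser as shown above, that $ApplicationId, $TenantId (in the form xxxxx.onmicrosoft.com) and $CertificateThumbprint hold that app's values, that the PnP.PowerShell and Microsoft365DSC modules are installed, and that the admin site URL follows the usual https://<tenant>-admin.sharepoint.com pattern seen in the error message.

```powershell
# Added diagnostic walk-through for app-only certificate authentication to
# SharePoint Online; not part of the original issue thread.
# Assumed inputs: the app registration created with Register-PnPAzureADApp
# (-Store CurrentUser) and its certificate thumbprint.
param(
    [Parameter(Mandatory)] [string] $ApplicationId,
    [Parameter(Mandatory)] [string] $TenantId,              # e.g. xxxxx.onmicrosoft.com (assumed format)
    [Parameter(Mandatory)] [string] $CertificateThumbprint
)

$ErrorActionPreference = 'Stop'

# Layer 1: the certificate must be in the store Register-PnPAzureADApp wrote to,
# and it must carry the private key, otherwise the token request cannot be signed.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
if (-not $cert) {
    throw "Certificate $CertificateThumbprint not found in Cert:\CurrentUser\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $CertificateThumbprint has no private key; app-only auth cannot sign the assertion"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $CertificateThumbprint expired on $($cert.NotAfter)"
}
Write-Host "Layer 1 OK: certificate '$($cert.Subject)' present with private key, valid until $($cert.NotAfter)"

# Layer 2: connect with PnP PowerShell directly against the tenant admin site.
# The admin URL is derived from the tenant name (assumption: standard naming).
$tenantName = ($TenantId -split '\.')[0]
$adminUrl   = "https://$tenantName-admin.sharepoint.com"
Connect-PnPOnline -Url $adminUrl -ClientId $ApplicationId -Tenant $TenantId -Thumbprint $CertificateThumbprint
$tenant = Get-PnPTenant
Write-Host "Layer 2 OK: PnP app-only connection to $adminUrl, SharingCapability = $($tenant.SharingCapability)"
Disconnect-PnPOnline

# Layer 3: the same connection through the Microsoft365DSC wrapper used in the thread.
Connect-M365Tenant -Workload PnP -ApplicationId $ApplicationId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint
$null = Get-PnPTenant
Write-Host "Layer 3 OK: Connect-M365Tenant PnP workload can read tenant settings"

# Layer 4: only now run the export for the single component that was failing.
Export-M365DSCConfiguration -Components @('SPOSharingSettings') `
    -ApplicationId $ApplicationId `
    -CertificateThumbprint $CertificateThumbprint `
    -TenantId $TenantId
Write-Host "Layer 4 OK: SPOSharingSettings exported"
```

Run it from the same user session that ran Register-PnPAzureADApp, since the certificate was placed in that user's personal store. Each layer stops the script with a specific message, so a failure points at the certificate store, the PnP connection, the DSC connection wrapper or the export itself rather than surfacing only as a 403 or "app principal does not exist" at the end.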
Thank you for your response @NikCharlebois. The above runs fine and is coming up with all the tenant details.
@arnabdeb-lilly Did you already try with the latest version? I know it has been some time.
Closing for now. If you require further assistance, let us know.