Apply-PnPTenantTemplate 401

Open Laul0 opened this issue 5 years ago • 13 comments

Reporting an Issue or Missing Feature

A potential issue in relation with Authentication methods.

Expected behavior

Apply a PnP Template whatever the authentication method used

Actual behavior

After creating a PnPTenant Template, a script is launched to apply this one, but for several reasons, the authentication method cannot be the same for all of my customers.

If the script is launched with credential (Get-Credential), the Template works like a charm. Everything is created and done with no error.

If the authentication method is another one:

  • UseWebLogin
  • PnPO365ManagementShell
  • SPOManagementShell

The cmdlet Connect-PnPOnline works well, but once it gets to Apply-PnPTenantTemplate, some errors appear:

  • 401 unauthorized
  • 403 forbidden
  • Don't access to this resources

The log does not bring more details...

The Template is really simple - a sequence that creates a site collection with one library and 2 site columns (linked to an existing termstore).

Steps to reproduce behavior

Create a PnPTenantTemplate and try to apply it with an authentication method that fails, as mentioned above.

Which version of the PnP-PowerShell Cmdlets are you using?

  • [ ] PnP PowerShell for SharePoint 2013
  • [ ] PnP PowerShell for SharePoint 2016
  • [x] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

PnPPowerShellOnline version: 3.15.1911.0

How did you install the PnP-PowerShell Cmdlets?

  • [x] MSI Installed downloaded from GitHub
  • [ ] Installed through the PowerShell Gallery with Install-Module
  • [x] Other means: include dll directly from the script

Thanks in advance 🙏🏻

Laul0 avatar Nov 11 '19 22:11 Laul0

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

ghost avatar Nov 11 '19 22:11 ghost

I have the same issues. Running Azure Workbook with SharePointPnPPowerShellOnline 3.15.1911.0.

Connect-PnPOnline -AppId "xxxxx" -AppSecret "xxxxxx" -Url "https://tenant.sharepoint.com/sites/anysite"

Apply-PnPTenantTemplate then gives "Apply-PnPTenantTemplate : The remote server returned an error: (401) Unauthorized"

Apps API permissions given in Azure are: image

FredrikThorn avatar Nov 22 '19 13:11 FredrikThorn

Hi.

Have you tried with the Office 365 SharePoint Online permission (AllSites.FullControl) and Microsoft Graph (AllCatalog.ReadWrite.All)? Like this:

image

pcardosolei avatar Jan 09 '20 15:01 pcardosolei

Hi @pcardosolei,

Yes, in my case I granted access to my app with all permissions related to SharePoint to try... Nothing changed.

Screen Shot 2020-01-09 at 10 54 58

Laul0 avatar Jan 09 '20 15:01 Laul0

Edit: I forgot to mention that this command needs tenant permissions to work. I might be wrong but the sites permissions only reflect on the /sites level.

I took a brief look at the portal and the delegated permissions have more options than the application permissions. Take a look at that.

Especially on Microsoft.Graph -> AppCatalog and SharePoint, as the image follows.

image

pcardosolei avatar Jan 09 '20 16:01 pcardosolei

I checked and allowed everything:

Graph: Screen Shot 2020-01-09 at 14 06 56 Screen Shot 2020-01-09 at 14 07 11

Laul0 avatar Jan 09 '20 19:01 Laul0

Did you still try to use the AppId and Secret? Can you try with user credentials to see if it works?

pcardosolei avatar Jan 10 '20 10:01 pcardosolei

As I mentioned:

If the script is launched with credential (Get-Credential), the Template works like a charm. 

But the user credential does not work anymore with the modern authentication, you have to force the legacy; force legacy is not always possible.

Laul0 avatar Jan 10 '20 16:01 Laul0

I'm sorry. I looked at @FredrikThorn's comment and thought it was yours.

It works because it uses the delegated permissions that are less restrictive than the application ones (personal thought - I can be wrong). I would advise maybe using OAuth 2 as a way to access. Maybe the following link can help:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

pcardosolei avatar Jan 13 '20 11:01 pcardosolei
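
An added example, not part of the thread or of the PnP-PowerShell project: one way to check whether an Azure AD access token carries delegated permissions (the `scp` claim) or application permissions (the `roles` claim), the distinction raised in the comment above. The function names, the `contoso` tenant URL and the sample claims are constructed for illustration, and the sample tokens are unsigned.

```powershell
# Added example: classify a JWT access token as delegated or app-only by its claims.
# Function names are hypothetical; nothing here calls PnP-PowerShell.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop '=' padding
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenPermissionSummary {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # Claims are read for diagnosis only; the signature is not verified here
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $scopes = @(if ($claims.scp)   { $claims.scp -split ' ' })   # delegated permissions
    $roles  = @(if ($claims.roles) { $claims.roles })            # application permissions
    $kind = if ($scopes.Count -gt 0) { 'Delegated (user context)' } elseif ($roles.Count -gt 0) { 'Application (app-only)' } else { 'No scp or roles claim' }
    [pscustomobject]@{
        Audience   = $claims.aud
        Kind       = $kind
        Scopes     = $scopes -join ', '
        Roles      = $roles -join ', '
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed sample claims (not taken from the thread)
$toB64Url = {
    param($obj)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json -Compress))
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$samples = @(
    @{ aud = 'https://contoso.sharepoint.com'; scp = 'AllSites.FullControl'; exp = 1893456000 },
    @{ aud = 'https://contoso.sharepoint.com'; roles = @('Sites.FullControl.All'); exp = 1893456000 }
)
foreach ($c in $samples) {
    $jwt = '{0}.{1}.sig' -f (& $toB64Url @{ alg = 'none' }), (& $toB64Url $c)
    Get-TokenPermissionSummary -AccessToken $jwt
}
```

Comparing the `Audience` and `Kind` of the token from a working connection with one from a failing connection shows whether the two sessions hold the same kind of permission for the same resource.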

It may be a duplicate of this one #2214

Nathaire avatar Jan 21 '20 06:01 Nathaire

Hi @Nathaire, it looks like the same behavior, yes!

Laul0 avatar Jan 21 '20 16:01 Laul0

Any update on this? Running into the same issue.

When MFA is enabled, and the -UseWebLogin switch is used for Connect-PnpOnline, Apply-PnpTenantTemplate fails with a 403. MFA disabled, works fine.

mjarmstrong avatar Mar 17 '20 18:03 mjarmstrong

Same issue.

rachaelsingleton avatar Nov 19 '20 14:11 rachaelsingleton