Apply-PnPProvisioningTemplate fails with error {"error_description":"Invalid issuer or signature."} when connected w/App Identity for plain SPO-Site

Open balle3201 opened this issue 4 years ago • 16 comments

Reporting an Issue or Missing Feature

Issue

Expected behavior

Expected behavior would be that the PnPProvisioningTemplate should be applied with no significant problems when applied to a vanilla (standard) Modern Groupless SharePoint Site (STS#3)

Actual behavior

After the latest release the commandlet fails around 60-70% progress, with the following error(s):

When connected by App: Apply-PnPProvisioningTemplate : {"error_description":"Invalid issuer or signature."}

When connected by PSCredentials/WebLogin etc. Apply-PnPProvisioningTemplate : Your template contains artifacts that require an access token. Please provide consent to the PnP Management Shell application first by executing: Connect-PnPOnline -Graph -LaunchBrowser

This behaviour occurs now on the latest version of PnP-Powershell, by running the exact same operations as with previous versions of PnP-Powershell. Even with a brand new and clean Modern Groupless Site (STS#3) without any modifications, generating a standard PnP-Template, and then reapplying to the same site fails.

From what I've experienced the issue might be two-fold:

After looking at the release-notes, and comparing the code for Apply-PnPProvisioningTemplate, it seems like it throws an error (when connected with credentials) stating that "Your template contains artifacts that require an access token", even though I cannot really see any validation of such (?). The template itself should not contain any Team-specific artefacts, given the fact that it is a plain STS#3 template.

When connected by App, it fails with the error stating "Invalid issuer or signature", and graphAccessToken is not acquired correctly (although it would be unnecessary to retrieve anyway, given it is not Teams-related?)

Downgrading to "July 2020 Intermediate Release 1" (3.23.2007.1), the commandlet works as expected again.

Steps to reproduce behavior

An example to reproduce the problem:

  • Install latest version of PnP-Powershell
  • Generate a standard PnP-Template for a Modern Groupless TeamSite (STS#3)
  • Reapply the generated template to the same site

Which version of the PnP-PowerShell Cmdlets are you using?

  • [ ] PnP PowerShell for SharePoint 2013
  • [ ] PnP PowerShell for SharePoint 2016
  • [ ] PnP PowerShell for SharePoint 20
  • [x] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

3.24.2008.1

How did you install the PnP-PowerShell Cmdlets?

  • [ ] MSI Installed downloaded from GitHub
  • [x] Installed through the PowerShell Gallery with Install-Module
  • [ ] Other means

balle3201 avatar Aug 20 '20 19:08 balle3201

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

ghost avatar Aug 20 '20 19:08 ghost

Same issue here with error message: {"error_description":"Invalid issuer or signature."} The issue occurs when I try to apply header or footer in my PnP template. It works only with maximum version 3.23.2007.1. Version 3.24.2008.1 does not fix the issue.

valpvt avatar Aug 26 '20 13:08 valpvt

I have the same issue when applying a template to a Communications site via App auth, the template works when removing the header and footer components.

aribakker avatar Aug 27 '20 10:08 aribakker

I can concur I get:

With PnP version 3.24.2008.1 I get:

Apply-PnPProvisioningTemplate : {"error_description":"Invalid issuer or signature."}
ServerErrorTraceCorrelationId: b824749f-60e4-b000-18dd-8b98ea4e96d0

With PnP version 3.23.2007.1 Apply-PnPProvisioningTemplate completes

sebastianrogers avatar Aug 27 '20 15:08 sebastianrogers

I have the same issue when Running Apply-PnPTenantTemplate -Path .\starterkit.pnp

  • Connect-PnPOnline -Graph -LaunchBrowser
  • Connect-PnPOnline -PnPManagementShell -Url https://....-admin.sharepoint.com/
  • Apply-PnPTenantTemplate -Path .\starterkit.pnp

error : Apply-PnPTenantTemplate : Your template contains artifacts that require an access token. Please provide consent to the PnP Management Shell application first by executing: Connect-PnPOnline -Graph -LaunchBrowser Au caractère Ligne:1 : 1

  • Apply-PnPTenantTemplate -Path .\starterkit.pnp ...
    • CategoryInfo : WriteError: (:) [Apply-PnPTenantTemplate], PSInvalidOperationException
    • FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate

Microsoft.Online.SharePoint.PowerShell version 16.0.20414.0 SharePointPnPPowerShellOnline version 3.25.2009.1

jribi-mgen avatar Sep 16 '20 15:09 jribi-mgen

> It works only with maximum version 3.23.2007.1. Version 3.24.2008.1 does not fix the issue

What's the easiest way to remove a current ~3.25 version and get a 3.23 version?

PittsburghSharePointPro avatar Oct 08 '20 14:10 PittsburghSharePointPro

Do you have an update on this issue? It's a bit annoying to not be able to upgrade since I'm dependent on this feature. Any status update would be really appreciated.

ktownpete avatar Nov 25 '20 08:11 ktownpete

Still an issue in version 3.26.2010.0 I'm afraid :-(

Would greatly appreciate if this could be fixed, as we're stuck on 3.23.2007.1 until this is resolved...

balle3201 avatar Nov 25 '20 13:11 balle3201

Reading through a zillion threads today, I found a workaround. Many were saying that it ran successfully when they removed the Header and Footer from their template. I'm now building the templates on the fly and applying the instance to the new site. The load time takes longer but the Get-ProvisioningTemplate allows you to exclude handlers. Using -ExcludeHandlers SiteHeader, SiteFooter it ignores those tags and builds without errors on the latest version of pnp.

Harveztr avatar Nov 26 '20 04:11 Harveztr

I can confirm this is happening on 3.26.2010.0. If I remove the navigation and sitefooter, then it is working. Please fix.

TheInvoker avatar Nov 26 '20 23:11 TheInvoker

I can confirm this is happening on 3.28.2012.0.

Any progress or workaround without the need to remove SiteHeader or Footer?

Thanks for looking into this.

boxwood avatar Dec 08 '20 21:12 boxwood

I'm also seeing this in Azure Automation. The Automation gallery currently has 3.26.2010.0.

As noted, removing the header and footer elements is a workaround to the error, though not desired.

ghost avatar Dec 09 '20 18:12 ghost

With the new module https://pnp.github.io/powershell/ getting out in January 2021, I feel that this bug will never be fixed. It's also very annoying that I cannot find ANY of the *-PnPProvisioningTemplate cmdlets in the new module. Is that by design?

AndreasMarshall avatar Jan 07 '21 14:01 AndreasMarshall

> With the new module https://pnp.github.io/powershell/ getting out in January 2021, I feel that this bug will never be fixed. It's also very annoying that I cannot find ANY of the *-PnPProvisioningTemplate cmdlets in the new module. Is that by design?

Those cmdlets are now Invoke-PnPSiteTemplate, etc. in PnP.PowerShell.

jimmywim avatar Jan 13 '21 15:01 jimmywim

@tseward I had this same issue and was able to resolve it for now by manually installing 3.23 into Automation account.

jimmywim avatar Jan 13 '21 18:01 jimmywim

I had the same error message and could resolve it by deleting the following line from the template:

<pnp:SiteSettings AllowDesigner="true" AllowCreateDeclarativeWorkflow="true" AllowSaveDeclarativeWorkflowAsTemplate="true" AllowSavePublishDeclarativeWorkflow="true" SearchBoxInNavBar="Inherit" SearchCenterUrl="" />

bernd-spieth avatar Jan 16 '21 17:01 bernd-spieth
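
The workarounds reported in this thread (excluding the SiteHeader and SiteFooter handlers, or deleting the `pnp:SiteSettings` element) can be checked for before an app-only run. The following is an added example, not code from the thread or from the PnP project: the function name `Find-ReportedTriggerElement`, the sample template, and the `Header`/`Footer` element names (assumed from the PnP provisioning schema) are illustrative assumptions.

```powershell
# Added example: pre-flight scan of a PnP template for the elements that
# commenters in this thread had to remove or exclude under app-only auth.
# The sample XML below is constructed for illustration.
$sample = @'
<pnp:Provisioning xmlns:pnp="http://schemas.dev.office.com/PnP/2020/02/ProvisioningSchema">
  <pnp:Templates ID="CONTAINER-SAMPLE">
    <pnp:ProvisioningTemplate ID="SAMPLE-STS3" Version="1">
      <pnp:SiteSettings AllowDesigner="true" SearchBoxInNavBar="Inherit" SearchCenterUrl="" />
      <pnp:Header />
      <pnp:Footer />
      <pnp:Lists />
    </pnp:ProvisioningTemplate>
  </pnp:Templates>
</pnp:Provisioning>
'@

# Element name -> workaround as reported in the thread (not an official fix).
$ReportedWorkaround = [ordered]@{
    Header       = '-ExcludeHandlers SiteHeader'
    Footer       = '-ExcludeHandlers SiteFooter'
    SiteSettings = 'delete the element from the template'
}

function Find-ReportedTriggerElement {
    param(
        [Parameter(Mandatory)] [xml] $Template
    )
    foreach ($name in $ReportedWorkaround.Keys) {
        # local-name() keeps the match independent of the schema-version namespace.
        foreach ($node in $Template.SelectNodes("//*[local-name()='$name']")) {
            [pscustomobject]@{
                Element    = $node.Name
                TemplateId = $node.ParentNode.GetAttribute('ID')
                Workaround = $ReportedWorkaround[$name]
            }
        }
    }
}

$hits = @(Find-ReportedTriggerElement -Template ([xml]$sample))
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning "$($hits.Count) element(s) match those reported in this thread to fail with app-only auth after 3.23.2007.1."
}
```

To scan a real export, pass `([xml](Get-Content -Raw .\template.xml))` instead of the constructed sample; a `.pnp` package has to be unpacked to its XML first.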