[FEATURE] Add ability to use Managed Identity with SharePoint Online
The documentation of PnP.PowerShell describes that ManagedIdentity cannot be used when executing commands against SharePoint:
https://pnp.github.io/powershell/cmdlets/Connect-PnPOnline.html?q=ManagedIdentity#-managedidentity
However: I wonder why this is, as I can access SharePoint just fine in my C# Functions, using a combination of Azure Identity and PnP Framework.
It would be awesome if we could add this, so that people can execute their scripts without having to register an Azure AD app with certificate authentication.
@martinlingstuyl Sadly, the limitation isn't with PnP.PowerShell but SharePoint Online itself not supporting Azure managed identity as an authentication method.
If you would like SharePoint Online to support Azure managed identity, I would recommend posting your feedback on the Microsoft Feedback Portal.
Hi @CallumCrowley, I don't believe that's correct. Just this morning I've created a C# Function using Azure Identity and PnP Framework and was able to connect to SharePoint just fine:
using Azure.Core;
using Azure.Identity;
//...
// The site to open and its tenant root; the root is the token audience (placeholder values)
var siteUrl = "https://contoso.sharepoint.com/sites/example";
var baseUrl = "https://contoso.sharepoint.com";
// Ask the Function's managed identity for a SharePoint-scoped token
var credentials = new ManagedIdentityCredential();
var accessToken = await credentials.GetTokenAsync(new TokenRequestContext(new[] { $"{baseUrl}/.default" }));
// Build a CSOM ClientContext that sends that token as the bearer credential
var authManager = new PnP.Framework.AuthenticationManager();
var clientContext = authManager.GetAccessTokenContext(siteUrl, accessToken.Token);
@martinlingstuyl That's interesting, I ran into access problems when I tried to use managed identity with SharePoint but it could be that I had not given the service principal access in the correct way. There's a conversation about framework using managed identity, which seems to suggest the same thing.
It would be awesome to use managed identity instead of app registration for most scenarios, though I needed app registrations recently for multitenant access.
You need to give the service principal permissions indeed! Check out my blog about how to do this using the CLI for Microsoft 365: https://www.blimped.nl/how-to-run-the-cli-for-microsoft365-on-an-azure-function/#2-adding-app-only-permissions
Yes, that makes sense. I had preemptively given up on using managed identity with SharePoint, since it's not documented much by Microsoft (though I also would not have been able to use it, since I needed to work across multiple tenants). The PnP documentation also suggested managed identity would be misguided for SharePoint.
Assuming there would be no issue with framework, it would certainly be nice for PnP.PowerShell to support this scenario.
Slightly off-topic, but at least in the authentication department:
Do any of you know if it is possible to generate an AccessToken using a CSP account and then use Connect-PnPOnline -AccessToken? I am able to do this after logging in with interactive logon, then fetch the accesstoken generated. But I wish to do this with multiple tenants without ever having to do an interactive login. I asked a question in discussions (https://github.com/pnp/powershell/discussions/2236) but haven't received any replies there.
Any help would be much appreciated
Hi @magnusjak, I would advise you to create a separate issue for this, or ask it in the discussion tab.
A quick thought: you would have to sign into all those tenants anyway. There's no way to use a single token for multiple tenants afaik. But have you looked into using the -ReturnConnection and -Connection options? Using those options you can at least sign in beforehand, and run a single script without interruptions against multiple tenants.
Thanks @martinlingstuyl, I'll create a separate issue and explain as best as I can =)
Managed Identity for all PNP cmdlets instead of "only" the ones using graph would really be a great addition.
Howdy guys, I managed to figure out a way of using a managed identity for PnP.PowerShell on PowerShell Azure Functions and Runbooks, using Connect-PnPOnline -AccessToken. As soon as I'm at the office I'll create the post.
would that be:
m365 login --authType identity
$token = m365 util accesstoken get --resource sharepoint --output text
Using the CLI for Microsoft 365 😂 that would be a fun option I now think. The only drawback is mashing different tools together 😅
I hope your solution is more elegant. I'm waiting for it!
@martinlingstuyl - have created a PR to add support for this. Fingers crossed, looks good to me at least. Will wait for reviewer to check it. Fingers crossed.
Very nice @gautamdsheth! Can't wait :)
@martinlingstuyl - if you have some time, no pressure 😊, could you also help us out by testing this from the feature branch? We are testing this and it seems to work, but would be curious to hear from you about this and the cmdlets that you would want to use via managed identity.
I'll check it out asap, @gautamdsheth. What are you guys doing here: building and uploading the entire folder with dlls to a function?
Thank you so much 😊
Yeah, just build the project using VS Code or Visual Studio. Upload the DLLs via Azure Storage Explorer.
If you know a different way of doing it, go for that.
Howdy @martinlingstuyl, just published what I'm using, take a peek: https://bit.ly/sctMngIdPnPPowerShell
Hope it helps!
Very nice @ScoutmanPt, interesting way to get the token!
@martinlingstuyl Yep, it was there already and PnP.PowerShell allows us to use the token. I have an Azure Function to get the token and other functions and AZ runbooks can use it. Even in local scenarios, :P
So an Azure Function also has the $env:IDENTITY_ENDPOINT filled?
Yup
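The approach the thread converges on, as an added example that is not code from the thread or from PnP.PowerShell: request a SharePoint-scoped token from the managed identity endpoint that Azure Functions / App Service expose through $env:IDENTITY_ENDPOINT and $env:IDENTITY_HEADER, check its audience and app roles before use, and hand it to Connect-PnPOnline -AccessToken. It assumes PnP.PowerShell is loaded, the identity has been granted SharePoint app-only permissions, and the site URL placeholder is replaced.

```powershell
# Added example (not from the thread): managed identity token -> Connect-PnPOnline -AccessToken.
param(
    [Parameter(Mandatory)] [string] $SiteUrl   # e.g. https://contoso.sharepoint.com/sites/example (placeholder)
)

function Get-ManagedIdentityToken {
    param([Parameter(Mandatory)] [string] $Resource)
    # Functions / App Service set both variables; the header value is a per-instance secret
    # that keeps other processes on the box from calling the endpoint.
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'IDENTITY_ENDPOINT/IDENTITY_HEADER not set: not running under a managed identity.'
    }
    $uri = '{0}?resource={1}&api-version=2019-08-01' -f $env:IDENTITY_ENDPOINT, [uri]::EscapeDataString($Resource)
    $response = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    return $response.access_token
}

function Get-JwtPayload {
    param([Parameter(Mandatory)] [string] $Token)
    # Decode the payload only (no signature check: SharePoint validates the token, we sanity-check claims).
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# The audience must be the tenant's SharePoint host, not Graph; a Graph token is rejected by SPO.
$resource = 'https://{0}' -f ([uri]$SiteUrl).Host
$token = Get-ManagedIdentityToken -Resource $resource

$claims = Get-JwtPayload -Token $token
if ($claims.aud.TrimEnd('/') -ne $resource) {
    throw "Unexpected audience '$($claims.aud)', expected '$resource'."
}
if (-not $claims.roles) {
    throw 'Token carries no app roles: grant the managed identity SharePoint app-only permissions first.'
}
Write-Verbose ('Token app roles: {0}' -f ($claims.roles -join ', '))

# PnP.PowerShell accepts the raw token; from here on any SharePoint cmdlet runs as the identity.
Connect-PnPOnline -Url $SiteUrl -AccessToken $token
Get-PnPWeb | Select-Object Title, Url
```

Tokens from this endpoint expire like any other access token, so long-running runbooks should re-request rather than cache one for the whole run.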
🚀 Fantastic @ScoutmanPt, I just used your blog as a pointer to get me a token for a custom Azure AD App with an exposed api.
Hello, have merged the code necessary to use the managed identity for SharePoint cmdlets. Should be available mostly in tomorrow's nightly build.
Closing the feature request.
Hi @gautamdsheth, I didn't forget it, but I did not find the time to test it last week. I hope to do so today though. Even if it's a bit late. 😀
Should be available mostly in tomorrow's nightly build.
As soon as it's available of course
Hi @gautamdsheth, I just tested it using a dev build. It works like a glove! 🤙🥳 fantastic! I can not wait for this to come out as I need it right now 😂 When is the release date? (aside from the nightly)
Hi @ScoutmanPt, indeed a very interesting way to retrieve a token. I was wondering how to implement it for my Azure Functions, but couldn't figure out a way to have this work as well when developing locally.
Did you simply create a separate HTTP endpoint for token retrieval? Do you secure it with an app / certificate or something similar?
Kind regards.
Hi @Studermarc,
For local development you'd need to create a separate app registration with the same permissions and a certificate.