[BUG] Get-PnPAzureACSPrincipal not returning all SharePoint Site level AppPrincipals
Hi,
I'm finding that the "Get-PnPAzureACSPrincipal" cmdlet does not consistently return the app-only registered site level apps that are shown in "[SiteURL]/_layouts/15/AppPrincipals.aspx" for a site. For example, I have a site that shows 2 registered apps in the "AppPrincipals.aspx" list, yet "Get-PnPAzureACSPrincipal" returns an empty result set. This is not always the case. In many cases it "does" return the correct list of apps for a site.
I'm doing the typical "Connect-PnPOnline https://siteurl/ -ClientId zzzzz" to set the "context", and then calling "Get-PnPAzureACSPrincipal". My Azure App has the "Application" level SharePoint "Sites.FullControl.All" and my login running the script has the SharePoint Admin role.
Expected behavior
All Site level App Principals would be returned in the result set
Actual behavior
In some cases an empty result set is returned when there are App Principals shown in "[SiteURL]/_layouts/15/AppPrincipals.aspx"
Steps to reproduce behavior
```powershell
Connect-PnPOnline $site.Url -ClientId "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzz" -Tenant "ZZZZ.onmicrosoft.com" -Thumbprint "zzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
$apps = Get-PnPAzureACSPrincipal -IncludeSubsites
```
What is the version of the Cmdlet module you are running?
2.2.0
Which operating system/environment are you running PnP PowerShell on?
- [x] Windows
- [ ] Linux
- [ ] MacOS
- [ ] Azure Cloud Shell
- [ ] Azure Functions
- [ ] Other : please specify
@jansenbe - can you take a look into this? We are consuming the PnP Core SDK methods, so maybe something is missing?
@MikeGitUser, @gautamdsheth: are the listed principals granted actual permissions and still valid? If not they're not listed.
Hi @jansenbe and @gautamdsheth,
Thanks for the quick response!
That's a good question! However, in this case I have a site where the users "claim" they are using the Site level App Principal to migrate data to the site. Do you know if there is a way to check the app to see if it's valid?
UPDATE: This is actually what we were hoping that Get-PnPAzureACSPrincipal would help us with. What we are trying to do is inventory all old legacy SharePoint App Principals in order to eventually disable the feature and require users to create modern Azure App Registrations. :) I guess what would be ideal would be if the cmdlet still returned the invalid app, but had an active/inactive status attribute or something. We are looking to determine the impact of disabling the legacy app token generation.
Thanks!
Hi @jansenbe and @gautamdsheth,
I confirmed with the site owner in one specific example where they are actively using the app to complete a data migration and uploading files to the site.
Thanks!
@MikeGitUser, the tool has been updated in the meantime. Could you take the latest version and try and see if you still run into missing results?
I am using 2.3.0 and can confirm I now see all my valid ACS apps.
Is there a way to get all principals even when no longer valid? To be able to report all ACS apps needed to be migrated because of deprecation of ACS.
> @MikeGitUser, the tool has been updated in the meantime. Could you take the latest version and try and see if you still run into missing results?
Thanks @KoenZomers! I will do some testing.
@waaromikniet You were seeing the same issue previously?
@MikeGitUser I was seeing this behaviour sometimes. But I could not reproduce always. Haven't seen it happen with latest version.
Closing this as fixed with latest versions, please reopen this issue if it still exists.
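
The inventory discussed in this thread, as an added example that is not part of the original issue or the PnP PowerShell project: it runs the two cmdlets from the reproduction steps against every site collection and records sites that return nothing separately from sites that failed, so empty results can be cross-checked against "[SiteURL]/_layouts/15/AppPrincipals.aspx". The admin URL, credential values and output path are placeholders; it assumes the app registration can enumerate sites through `Get-PnPTenantSite`.

```powershell
# Added example (not from the thread): per-site inventory of ACS principals.
# All values below are placeholders to replace with your own.
$adminUrl = 'https://<tenant>-admin.sharepoint.com'
$auth = @{
    ClientId   = '<app-client-id>'
    Tenant     = '<tenant>.onmicrosoft.com'
    Thumbprint = '<certificate-thumbprint>'
}
$outFile = '.\acs-principals.csv'   # hypothetical output path

# Enumerate site collections from the admin site.
Connect-PnPOnline -Url $adminUrl @auth
$sites = Get-PnPTenantSite

$rows = foreach ($site in $sites) {
    try {
        Connect-PnPOnline -Url $site.Url @auth -ErrorAction Stop
        # @() keeps a single result or no result as an array.
        $apps = @(Get-PnPAzureACSPrincipal -IncludeSubsites -ErrorAction Stop)
    }
    catch {
        # A failed connection or call is not the same as "no principals".
        [pscustomobject]@{ SiteUrl = $site.Url; Status = 'Error'; Detail = $_.Exception.Message }
        continue
    }

    if ($apps.Count -eq 0) {
        # Keep a row so the site can be checked by hand against
        # [SiteURL]/_layouts/15/AppPrincipals.aspx.
        [pscustomobject]@{ SiteUrl = $site.Url; Status = 'NoneReturned'; Detail = '' }
        continue
    }

    foreach ($app in $apps) {
        # Serialize the whole object rather than assuming property names.
        [pscustomobject]@{
            SiteUrl = $site.Url
            Status  = 'Principal'
            Detail  = ($app | ConvertTo-Json -Depth 4 -Compress)
        }
    }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation
$rows | Group-Object Status | Select-Object Name, Count
```

As noted earlier in the thread, principals that are not granted permissions or are no longer valid are not listed, so a `NoneReturned` row means only that the cmdlet returned nothing for that site.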