
[BUG] Add-PnPTeamsChannel returning Insufficient privileges when using -ManagedIdentity

Open dappleby300 opened this issue 1 year ago • 1 comments

Reporting an Issue or Missing Feature

When using the PnP module within an Azure function managed identity (Connect-PnPOnline -ManagedIdentity -Url:'Contoso.microsoft.com'), the command Add-PnPTeamsChannel returns: Insufficient privileges to complete the operation.

This works fine under other connection methods but seems to fail when using -ManagedIdentity.

The managed identity has been granted permissions:

Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Channel.Create" -BuiltInType MicrosoftGraph
Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Group.ReadWrite.all" -BuiltInType MicrosoftGraph

Expected behavior

Add-PnPTeamsChannel should complete successfully if the required permissions are granted.

Actual behavior

It fails with error: "Insufficient privileges to complete the operation."

The verbose output is:

2024-06-05T04:48:47.237 [Trace] VERBOSE: Acquiring token for resource graph.microsoft.com using Managed Identity
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using scope https://graph.microsoft.com/ for managed identity token coming from the cmdlet permission attribute
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using identity endpoint: http://127.0.0.1:41131/msi/token/
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using identity header: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using the system assigned managed identity
2024-06-05T04:48:47.238 [Trace] VERBOSE: Sending token request to http://127.0.0.1:41131/msi/token/?resource=https://graph.microsoft.com/&api-version=2019-08-01
2024-06-05T04:48:47.238 [Trace] VERBOSE: Acquiring token for resource graph.microsoft.com using Managed Identity
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using scope https://graph.microsoft.com/ for managed identity token coming from the cmdlet permission attribute
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using identity endpoint: http://127.0.0.1:41131/msi/token/
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using identity header: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using the system assigned managed identity
2024-06-05T04:48:47.238 [Trace] VERBOSE: Sending token request to http://127.0.0.1:41131/msi/token/?resource=https://graph.microsoft.com/&api-version=2019-08-01

Steps to reproduce behavior

Create an Azure PowerShell function following this: https://pnp.github.io/powershell/articles/azurefunctions.html

Grant the following permissions to the managed identity:

Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Channel.Create" -BuiltInType MicrosoftGraph
Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Group.ReadWrite.all" -BuiltInType MicrosoftGraph

Run the following code in an Azure PowerShell function:

Connect-PnPOnline -ManagedIdentity -Url:'contoso.microsoft.com'
Add-PnPTeamsChannel -Team:'XXXXXXX-XXXX-XXX-XXXXXXX' -DisplayName:'Test Channel' -ChannelType Private -OwnerUPN:'[email protected]' -Verbose

What is the version of the Cmdlet module you are running?

2.4.0

Which operating system/environment are you running PnP PowerShell on?

  • [ ] Windows
  • [ ] Linux
  • [ ] MacOS
  • [ ] Azure Cloud Shell
  • [ X ] Azure Functions
  • [ ] Other : please specify

dappleby300 • Jun 05 '24 05:06

@dappleby300 - can you please try again with the latest nightly builds and let us know? There have been quite a few changes, maybe it can help with your issue.

Managed identity is sometimes slow and can take some time for permissions to be available, maybe it's the delay causing this. Sometimes, trying after 24 hours usually resolves this.

gautamdsheth • Aug 23 '24 19:08
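
One way to check whether the app roles granted above have actually reached the managed identity's Graph token is to decode the token and compare its `roles` claim with the roles you expect. This is an added example, not code from this thread or from PnP PowerShell; the function names are hypothetical and the sample token is constructed so the block runs offline.

```powershell
# Added example: hypothetical helpers, not part of PnP PowerShell.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop '=' padding; restore both.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url segment length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-MissingAppRole {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string[]]$RequiredRole
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three dot-separated segments).' }
    # Inspection only: the signature is not validated, so use this to diagnose
    # your own token, never to make an authorization decision.
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # App-only tokens carry granted application permissions in 'roles'; the claim
    # is absent when nothing is granted or the grant has not propagated yet.
    $granted = @($claims.roles | Where-Object { $_ })
    [pscustomobject]@{
        Audience = $claims.aud
        Granted  = $granted
        # -notin is case-insensitive, so 'Group.ReadWrite.all' matches 'Group.ReadWrite.All'.
        Missing  = @($RequiredRole | Where-Object { $_ -notin $granted })
    }
}

# Constructed sample token (unsigned, made-up claims) standing in for the real one.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com/","roles":["Group.ReadWrite.All"]}'
$sample  = "$header.$payload.constructed-signature"

Get-MissingAppRole -AccessToken $sample -RequiredRole 'Channel.Create', 'Group.ReadWrite.all' |
    Format-List
```

An empty `Missing` list means the token already carries every role you asked about, so a remaining "Insufficient privileges" error is not explained by propagation delay for those roles.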

Closing this due to lack of response. Please do reopen it if the issue still persists after updating to the latest version.

gautamdsheth • Sep 15 '24 14:09