
[BUG] New-PnPSiteFileVersionExpirationReportJob does not work with managed identity

Open bansalanshuman opened this issue 5 months ago • 5 comments

Description

I am trying to create a SPO site file version expiration report job using an Azure Function that uses a managed identity.
The Connect-PnPOnline command works fine, but when I run New-PnPSiteFileVersionExpirationReportJob it fails.

Error Message

It throws the below error:

INFORMATION: System.Management.Automation.PSInvalidOperationException: Cannot call this API with an app-only principal.
   at PnP.PowerShell.Commands.Base.PnPConnectedCmdlet.ProcessRecord() in c:\build\src\Commands\Base\PnPConnectedCmdlet.cs:line 101
   at PnP.PowerShell.Commands.PnPSharePointCmdlet.ProcessRecord() in c:\build\src\Commands\Base\PnPSharePointCmdlet.cs:line 121
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()

Also, my requirements.psd1 has this entry:
'PnP.PowerShell' = '2.12.0'

Expected behavior

I should be able to generate the reports using managed identity if I am able to connect to the site.

Actual behavior

The command fails with the error above (Cannot call this API with an app-only principal.).

Steps to reproduce behaviour

Create an Azure function app, enable identity and then grant rights to the app (I have Sites.FullControl.All), then create a simple HTTP-triggered function, connect to the site using the command Connect-PnpOnline, and run the command New-PnPSiteFileVersionExpirationReportJob.

What is the version of the Cmdlet module you are running?

(you can retrieve this by executing Get-Module -Name "PnP.PowerShell" -ListAvailable)

Which operating system/environment are you running PnP PowerShell on?

  • [ ] Windows
  • [ ] Linux
  • [ ] MacOS
  • [ ] Azure Cloud Shell
  • [X] Azure Functions
  • [ ] Other : please specify

bansalanshuman avatar Oct 01 '25 12:10 bansalanshuman

Is it possible for you to try the same using the latest PnP PowerShell module, which is 3.1.0, or even better with the latest nightly version?

reshmee011 avatar Oct 10 '25 13:10 reshmee011

I have tried them. What I have understood is that the underlying commands do not support authentication via an app; if someone wants to use these commands, they have to authenticate via a username and pwd.

bansalanshuman avatar Oct 10 '25 13:10 bansalanshuman

The error specified the same; it will be up to Microsoft to update the behaviour to allow app-only authentication. Have you tried it outside of an Azure Function using a client ID?

reshmee011 avatar Oct 10 '25 13:10 reshmee011

Yes, I have tried it, and it works as expected there, but as part of an automation and cloud-only solution this was a huge setback.

bansalanshuman avatar Oct 10 '25 13:10 bansalanshuman

We probably need to update the documentation to reflect this limitation. Is it possible for you to raise it with Microsoft to enable it in the background through the CSOM endpoint? I can't see that it's possible to achieve this through the Graph API, which could have been a solution.

reshmee011 avatar Oct 19 '25 19:10 reshmee011