
[BUG] Sites.Selected permission in App Only context not working properly

Open eprach opened this issue 4 months ago • 8 comments

Reporting an Issue or Missing Feature

I have an app registration with Sites.Selected permission for Graph and SharePoint Online

[image attached]

On a specific SharePoint site, I have assigned full control to my app registration using Grant-PnPAzureADAppSitePermission. Checking with Get-PnPAzureADServicePrincipalAssignedAppRole and Get-MgSitePermission, all good: the permission is set.

Now I try to run the following commands; all of them result in "Attempted to perform an unauthorized operation":

  • Invoke-PnPSiteTemplate
  • Rename-PnPTenantSite
  • New-PnPList
  • Set-PnPList
  • Set-PnPListPermission
  • Add-PnPFolder

Expected behavior

Once connected with Connect-PnPOnline -Url "siteUrl" -ClientId xxxx -Tenant xxx.onmicrosoft.com -CertificatePath 'C:\TEMP\xxx.pfx', the commands should work because my app registration has full control through Sites.Selected.

Running my script with my app registration having "Sites.FullControl.All" on Graph and SharePoint Online works well, so it is not an issue in my script.

Actual behavior

See description above

Steps to reproduce behavior

See description above

What is the version of the Cmdlet module you are running?

3.1.0

Which operating system/environment are you running PnP PowerShell on?

  • [X] Windows
  • [ ] Linux
  • [ ] MacOS
  • [ ] Azure Cloud Shell
  • [X] Azure Functions
  • [ ] Other : please specify

eprach, Nov 24 '25 15:11
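As an added example (not code from the issue report or from the PnP PowerShell project), the script below walks through the procedure the report describes end to end: grant the app FullControl on one site, read the grant back from the site, connect app-only with the certificate exactly as in the report, and then probe the cmdlets listed as failing so that every result is collected in one table instead of stopping at the first error. Tenant name, URLs, app IDs, certificate path, user name and the "Shared Documents" library are placeholders. Invoke-PnPSiteTemplate is left out because it needs a template file, and Rename-PnPTenantSite because it is a tenant-level operation rather than something done inside the granted site.

```powershell
# Added example: grant, verify, then exercise a Sites.Selected app-only connection.
# All IDs, URLs and paths are placeholders.
$tenant        = "contoso.onmicrosoft.com"
$adminUrl      = "https://contoso-admin.sharepoint.com"
$siteUrl       = "https://contoso.sharepoint.com/sites/target"
$appId         = "00000000-0000-0000-0000-000000000000"   # app registration holding Sites.Selected
$certPath      = "C:\TEMP\app.pfx"
$adminClientId = "11111111-1111-1111-1111-111111111111"   # app used for the interactive admin login (PnP 3.x needs one)

# 1. Site-permission grants are written by a signed-in admin, not by the Sites.Selected app itself.
Connect-PnPOnline -Url $adminUrl -ClientId $adminClientId -Interactive

# 2. Grant the app FullControl on exactly one site collection.
Grant-PnPAzureADAppSitePermission -AppId $appId -DisplayName "Provisioning App" `
    -Site $siteUrl -Permissions FullControl

# 3. Read the grant back from the site. The entry should list the app with role FullControl;
#    this is the same data Get-MgSitePermission shows, because the grant lives on the site,
#    not on the app registration.
Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $appId | Format-List
Disconnect-PnPOnline

# 4. App-only connection, as in the report (add -CertificatePassword if the PFX is protected).
Connect-PnPOnline -Url $siteUrl -ClientId $appId -Tenant $tenant -CertificatePath $certPath

# 5. Probe the cmdlets one by one and keep going after a failure so every result is collected.
#    -ErrorAction Stop turns "Attempted to perform an unauthorized operation" into a catchable error.
$probes = [ordered]@{
    "New-PnPList"           = { New-PnPList -Title "SitesSelectedProbe" -Template GenericList -ErrorAction Stop }
    "Set-PnPList"           = { Set-PnPList -Identity "SitesSelectedProbe" -Description "probe" -ErrorAction Stop }
    "Set-PnPListPermission" = { Set-PnPListPermission -Identity "SitesSelectedProbe" -User "user@contoso.onmicrosoft.com" -AddRole "Read" -ErrorAction Stop }
    "Add-PnPFolder"         = { Add-PnPFolder -Name "SitesSelectedProbe" -Folder "Shared Documents" -ErrorAction Stop }
}
$results = foreach ($name in $probes.Keys) {
    try {
        & $probes[$name] | Out-Null
        [pscustomobject]@{ Cmdlet = $name; Result = "OK" }
    } catch {
        [pscustomobject]@{ Cmdlet = $name; Result = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# 6. Clean up the probe artefacts if the create calls succeeded.
Remove-PnPList   -Identity "SitesSelectedProbe" -Force -ErrorAction SilentlyContinue
Remove-PnPFolder -Name "SitesSelectedProbe" -Folder "Shared Documents" -Force -ErrorAction SilentlyContinue
```

Running step 5 twice, once with the app holding only Sites.Selected and once with Sites.FullControl.All as the reporter did, gives a side-by-side table that isolates the permission scope as the only variable.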

There's a related bug to it, https://github.com/pnp/powershell/issues/5139. I could reproduce it. I feel the issue is from Microsoft. @gautamdsheth, @NishkalankBezawada, any ideas how to deal with this issue?

reshmee011, Nov 25 '25 20:11

Need to provide access to the site for the AppId: https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html

```powershell
# Connect to the tenant admin site as an interactive user
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive

# Grant the app access to a specific site
Grant-PnPAzureADAppSitePermission -AppId "YOUR-APP-ID" -DisplayName "Your App Name" `
    -Site "https://yourtenant.sharepoint.com/sites/yoursite" `
    -Permissions Write   # or Read, FullControl
```

kachihro, Nov 25 '25 22:11

Hi @kachihro, Thanks for your message but, as written in my description, all these steps have been already done (and it is not the first time I do this so I know the process for using Sites.Selected with App Only permissions quite well :) )

eprach, Nov 26 '25 06:11

Is it an issue you started experiencing? There are a couple of issues related to it and as you mentioned the PnP cmdlets are doing the right thing, not sure how to escalate to Microsoft for them to confirm what's happening. They introduced list and item level selected permissions, not sure if it affected that functionality.

reshmee011, Nov 26 '25 06:11

@reshmee011 Beginning of last week it worked well, but since this week it doesn't work anymore, yes.

eprach, Nov 26 '25 10:11

Thanks for sharing @eprach. If you have Postman, is it possible to use the token generated using Get-PnPAccessToken -ResourceTypeName SharePoint (or Graph) and see what errors you are getting? Potentially you can use it as a medium to raise an incident with Microsoft, as MS won't support any PnP PowerShell related issues.

reshmee011, Nov 26 '25 15:11
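As an added example (not part of the thread and not PnP PowerShell's own code), the script below does from PowerShell what the Postman suggestion asks for: it takes the app-only tokens from Get-PnPAccessToken, shows which application roles each token actually carries, reads the site's permission entries back through Graph, then attempts the list creation directly against Graph and against the SharePoint REST API, printing the raw error bodies (Graph's error code and request-id are in there) that a Microsoft ticket will ask for. Tenant, site URL, app ID and certificate path are placeholders; the JWT decoder only inspects claims locally and does not validate the signature.

```powershell
# Added example: reproduce the Postman check from PowerShell with the app-only tokens.
# Placeholder values; replace with your own.
$tenant   = "contoso.onmicrosoft.com"
$siteUrl  = "https://contoso.sharepoint.com/sites/target"
$appId    = "00000000-0000-0000-0000-000000000000"
$certPath = "C:\TEMP\app.pfx"

Connect-PnPOnline -Url $siteUrl -ClientId $appId -Tenant $tenant -CertificatePath $certPath

# Decode a JWT payload (no signature check; only used to look at the claims locally).
function Get-JwtPayload([string]$jwt) {
    $part = $jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

# Run one REST call; print the status and the full error body on failure, return the result on success.
function Invoke-Probe {
    param([string]$Label, [string]$Method, [string]$Uri, [hashtable]$Headers,
          [string]$Body, [string]$ContentType = "application/json")
    $call = @{ Method = $Method; Uri = $Uri; Headers = $Headers; ContentType = $ContentType }
    if ($Body) { $call.Body = $Body }
    try {
        $r = Invoke-RestMethod @call
        Write-Host "[$Label] OK"
        return $r
    } catch {
        Write-Host "[$Label] HTTP $([int]$_.Exception.Response.StatusCode)"
        Write-Host $_.ErrorDetails.Message   # Graph: error.code + innerError.request-id; SPO: odata.error
        return $null
    }
}

# --- Microsoft Graph ---------------------------------------------------------
$graphToken = Get-PnPAccessToken -ResourceTypeName Graph
$graphHdr   = @{ Authorization = "Bearer $graphToken" }
Write-Host ("Graph token app roles: " + ((Get-JwtPayload $graphToken).roles -join ', '))   # expect Sites.Selected only

# Resolve the site ID from hostname + server-relative path; this works for a granted site.
$u    = [Uri]$siteUrl
$site = Invoke-Probe "graph site lookup" GET "https://graph.microsoft.com/v1.0/sites/$($u.Host):$($u.AbsolutePath)" $graphHdr
if ($site) {
    # What Graph reports as granted on this site. This read may itself be refused under
    # Sites.Selected; the remaining probes run regardless.
    $perms = Invoke-Probe "graph site permissions" GET "https://graph.microsoft.com/v1.0/sites/$($site.id)/permissions" $graphHdr
    $perms.value | ForEach-Object {
        "  app={0} roles={1}" -f ($_.grantedToIdentities.application.displayName -join ','), ($_.roles -join ',')
    }

    # The call the reporter tried in Postman: create a generic list on the granted site.
    $body = @{ displayName = "SitesSelectedProbe"; list = @{ template = "genericList" } } | ConvertTo-Json -Depth 3
    Invoke-Probe "graph create list" POST "https://graph.microsoft.com/v1.0/sites/$($site.id)/lists" $graphHdr $body | Out-Null
}

# --- SharePoint REST (second token, second resource) --------------------------
$spoToken = Get-PnPAccessToken -ResourceTypeName SharePoint
$spoHdr   = @{ Authorization = "Bearer $spoToken"; Accept = "application/json;odata=nometadata" }
Write-Host ("SPO token app roles: " + ((Get-JwtPayload $spoToken).roles -join ', '))

Invoke-Probe "spo list lists" GET "$siteUrl/_api/web/lists?`$select=Title&`$top=5" $spoHdr | Out-Null
$spoBody = @{ BaseTemplate = 100; Title = "SitesSelectedProbeRest" } | ConvertTo-Json
Invoke-Probe "spo create list" POST "$siteUrl/_api/web/lists" $spoHdr $spoBody "application/json;odata=nometadata" | Out-Null
```

If both raw calls return 403 with the same token that Get-PnPAzureADAppSitePermission says has FullControl on the site, the cmdlets are not the problem; the status line, the error body and the roles claim printed above are the evidence to attach to the Microsoft case. If the raw calls succeed while the cmdlets fail, the problem is in PnP PowerShell and belongs in this issue.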

Just to confirm @reshmee011, I did a test this morning with Postman and got an access denied when simply trying to create a new list with Graph in my site specified in the Sites.Selected (full control).

I will create a ticket to MS and will let you know :)

eprach, Nov 27 '25 09:11

Thanks so much, it will help many others facing the same issue.

reshmee011, Nov 27 '25 11:11