Access and Modify SharePoint Online list using PnP.Powershell and AccessTokens / Registered App
With Microsoft's changes away from user/password authentication, I'm trying to update a script to use a registered app but having trouble accessing the SharePoint Online list and getting a 401 Unauthorized error even though I've followed everything I've found online, so I'm turning to the community for help. 🙂
This is my test code:
Import-Module MSAL.PS
Import-Module PnP.PowerShell
$TenantId = "REDACTED"
$siteUrl = "REDACTED"
$listName = "People Who Are In"
$Scope = "https://graph.microsoft.com/.default"
# Clear-MsalTokenCache
$Client = Get-PnPStoredCredential -Name IntranetAzureApp
$authResult = Get-MsalToken -TenantId $tenantId -ClientId $client.UserName -ClientSecret $client.Password -Scopes $scope
$AccessToken = $authResult.AccessToken
Connect-PnPOnline $siteUrl -AccessToken $AccessToken
Get-PnPList -Identity $listName
When I run it, I get the following error:
Line |
26 | Get-PnPList -Identity "People Who Are In"
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The remote server returned an error: (401)
| Unauthorized.
I've tried a whole handful of things but nothing seems to be working. I figure the issue is likely permissions however I've tried every API permission I could think of. With the code and result above, the API Permissions are set to Sites.FullControl.All, however I've also tried, Sites.Manage.All, Sites.ReadWrite.All, and Sites.Selected (and the followed the process to give read/write permission to the site via a POST request). Both via Microsoft Graph and Sharepoint.
I've also read some places that the scope should be the Sharepoint, however I get the same 401 error when setting the scope to https://REDACTED.sharepoint.com/.default, and get the error:
AADSTS500011: The resource principal named https://REDACTED.sharepoint.com/sites/Intranet
was not found in the tenant named REDACTED This can happen if the application has not been
installed by the administrator of the tenant or consented to by any user in the tenant.
You might have sent your authentication request to the wrong tenant.
I've looked at trying to do this through the Microsoft.Online.Sharepoint.Powershell module, however that doesn't seem to support the use of AccessTokens and I need the script to run unattended.
I've also tried running this in PostMan hitting the endpoint for https://graph.microsoft.com/v1.0/sites/{{IntranetSiteId}}/lists/{{PWAI List ID}} and that + /items and was able to get a proper 200 response with data, which tells me the issue may not be one of permissions since the raw GET requests are succeeding.
I've also confirmed in jwt.ms that my token does in fact contain the roles needed.
"roles": ["Sites.FullControl.All"],
Any insight into what may be going on or what I may be missing would be greatly appreciated.
The error "The remote server returned an error: (401) Unauthorized" usually occurs if the access token is not valid or do not have required permissions to perform the action.
Note that: To fetch the lists using PnP PowerShell, you need to fetch the access token using SharePoint scope not Microsoft Graph API scope.
- You need to generate access token using certificate not client secret.
- If you generate access token using client secret then you will get error while accessing SharePoint and while making use of app only access token.
- And make sure to pass scope as
https://YourTenant.sharepoint.com/.default
Hence, Grant Sites.FullControl.All SharePoint API permission to the Microsoft Entra ID application:
Upload the .cer certificate in the Certificates & secrets blade:
Modify the script to generate access token via Certificate:
$TenantId = "TenantID"
$ClientId = "ClientID"
$siteUrl = "https://YourTenant.sharepoint.com/sites/testrukk"
$listName = "ruklist"
$Scope = "https://YourTenant.sharepoint.com/.default"
# Replace with your certificate thumbprint and path to the private key if needed
$certThumbprint = "ThumbPrintFromAbove"
$cert = Get-Item "Cert:\CurrentUser\My\$certThumbprint"
# Authenticate using the certificate
$authResult = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -ClientCertificate $cert -Scopes $Scope
$AccessToken = $authResult.AccessToken
# Connect to the SharePoint site
Connect-PnPOnline $siteUrl -AccessToken $AccessToken
# Retrieve the list
$list = Get-PnPList -Identity $listName
Decoded token:
If still the issue persists, then Navigate to https://TenantDomain.sharepoint.com/sites/SiteName/_layouts/15/appinv.aspx . Pass the ClientID and give access by using the XML request. Refer this SO Thread by me.
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
And to create the .cer and .pfx certificates Refer this MsDoc
Reference:
[] Connect-PnPOnline AccessToken The remote server returned an error: (401) Unauthorized. · Issue #305 · pnp/powershell · GitHub by erwinvanhunen
- How to register your Azure resource as an Application in Azure Active Directory?
- Is it possible to add multiple audiences to AAD bearer token?
- Non-interactive way to authenticate to Azure AD using AADInternals?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Getting a token from Microsoft Intra ID with PostMan using MFA
- MSAL for non-SPA? Server side authentication?
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0
- You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Issue with Azure Automation Account and Key Vault Certificate Retrieval
- OpenAI remove key access while using AAD authentication
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Add tenant specific roles in Azure AD multitenant app
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- How to automatically refresh access token
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- How to get user's attributes from Identity in Blazor Server with organization authentication
- Correlation failed in net.core / asp.net identity / openid connect
- I'm unable to Login to VM with Azure AD user credentials
- I need to add co-organizer in teams meeting through graph api
- Entra ID - Adding actor claim to the token via client credential flow
- Roles for a SPA and API setup in Microsoft Intra ID
- Unable to patch businessPhones of Entra External ID user, Insufficient privileges to complete the operation
- How to create dynamic groups in AzureAD/EntraID from a csv import?
- Creating a user in Azure AD B2C through Microsoft SSO