具有应用程序权限的 PnP Powershell Sharepoint：远程服务器返回错误：（403）禁止

Question

I'd like to use PnP Powershell for provisioning modern Sharepoint Online sites by making a copy of an existing site in the tenant. I'm running the SharePointPnPPowerShellOnline module, version 3.22.2006.2.

If I connect using the -UseWebLogin option like this:

Connect-PnPOnline -Url https://<tenant>.sharepoint.com/sites/<sitename> -UseWebLogin

…and then run

Get-PnPProvisioningTemplate -Out file.xml

…then everything works fine, and I can then go on to provision a new site from the XML file that it creates.

What I'd like to do, however, is to use Application Permissions with a Registered App in Azure AD. I've registered an app, and given it every Sharepoint-related permission I can think of (with a view to cutting permissions back to the minimum once I've got it working). I connect like this:

connect-PnPOnline -ClientID "<ClientID>" -ClientSecret "<ClientSecret>" -url https://<tenant>.sharepoint.com/sites/<sitename>

... and it appears to make the connection with no issues. However, when I try to run the following:

Get-PnPProvisioningTemplate -Out file.xml

…it fails with the error:

Get-PnPProvisioningTemplate : The remote server returned an error: (403) Forbidden.
At line:1 char:1
+ Get-PnPProvisioningTemplate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Get-PnPProvisioningTemplate], WebException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Provisioning.Site.GetProvisioningTemplate

The permissions I gave my Azure AD Registered App are:

• Microsoft Graph: Directory.ReadWrite.All
• Microsoft Graph: Group.Create
• Microsoft Graph: Group.ReadWrite.All
• Microsoft Graph: Sites.FullControl.All
• Microsoft Graph: Sites.Manage.All
• Microsoft Graph: Sites.Read.All
• Microsoft Graph: Sites.ReadWrite.All
• Sharepoint: Sites.FullControl.All
• Sharepoint: Sites.Manage.All
• Sharepoint: Sites.Read.All
• Sharepoint: TermStore.Read.All
• Sharepoint: TermStore.ReadWrite.All
• Sharepoint: User.Read.All
• Sharepoint: User.ReadWrite.All

I also tried creating a Sharepoint App Principal according to this article: https://www.sharepointdiary.com/2019/03/connect-pnponline-with-appid-and-appsecret.html . If I use the Client ID and Client Secret from this in my connect-PnpOnline line, again I can connect with no issues. But again I get the same error when trying to run Get-PnPProvisioningTemplate .

I've also tried connecting to a different site within the same tenant, and I get the same error with all of them.

I'm starting to run out of ideas on this - can anyone shed some light, please?

Answer 1

Got it working.

When I created my Sharepoint App Principal, I'd granted it permissions with this XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
       <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

But what I needed was:

<AppPermissionRequests AllowAppOnlyPolicy="true">
       <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

...in other works FullControl for the whole tenant, not just SiteCollection.

Answer 2

You can also register the app on Azure AD. if in that case, you need to configure a Certificate and grant permission to SharePoint API instead of MS Graph.

Below is the tutorial:

• Setting up an Azure AD app for app-only access

BR