Problems with managed identity and sharepoint

Question

I have an azure function that creates sites in sharepoint.

The problem is that after giving Sites.FullControl.All permissions under Microsoft Graph on the Managed Identity that the Azure function authenticates with, it creates the site correctly but when it goes to add the newly created site to the Sites.Selected application record it fails authentication:

Instruction:

Grant-PnPAzureADAppSitePermission -AppId $envAppIdProvisioning -DisplayName $envAppNameNameProvisioning -Site $paramUrlSite -Permissions FullControl

Error message:

{“error”:{“code”: “AccessDenied”, “message”: “Either scp or roles claim need to be present in the token. “,”innerError“:{”date“:”2024-06-05T06:53:07“,”request-id“:”43e0cf99-c8b5-4cda-b783-de3fd1a241c8“,”client-request-id“:”43e0cf99-c8b5-4cda-b783-de3fd1a241c8"}}}

Answer 1

Hi @Azahara Cruz ,

Those are two different permissions. The AllSites.FullControl is delegated, running under the user context. The Sites.FullControl.All is an application type (app only) permission, that allows the app to access the resource without a user. I think you also need to include:

SharePointOnlineScope = "AllSites.FullControl"