Unable to create Modern Team site using PnP powershell and AAD App only Authentication

Faisal 1 Reputation point
2022-11-22T09:19:30.21+00:00

Hi All,

I am trying to create a Modern Team site using PnP Powershell with AAD App only authentication.

Unfortunately, I am getting the below error.

New-PnPSite : Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

I have granted all required permissions and Admin Consent (SharePoint: Sites.FullControl.All , Microsoft Graph: Team.Create) etc.

I tried both Client Secret and Certificate credentials, but with no success. We got the above error when we tried with a Certificate, and another error when we tried with Client ID and Client Secret:

403 Forbidden Error

I am able to successfully create a Modern Communication Site and a Classic Team Site.

The only catch, and my suspicion, is that we don't have an active Azure subscription for this M365 Tenant, and we are using a Microsoft development Sandbox subscription for M365.

Does this cause the issue? Can anyone confirm, as I didn't find any proper info anywhere?

I will definitely appreciate any help.

Best Regards,

Faisal. N


2 answers

  1. RaytheonXie_MSFT 31,226 Reputation points Microsoft Vendor
    2022-11-23T07:38:33.07+00:00

    Hi @Faisal
    Per my test, I can reproduce your issue, as in the following picture.
    [screenshot: 263381-image.png]
    After doing some research, I found there are some limitations when using app-only:

    Creating modern team sites does not support app-only when you use the SharePoint API for it.

    Here is the document for details
    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only
    It says creating modern team sites is not supported with the SharePoint API. But per my test, the same limitation may also apply to New-PnPSite when creating a team site.

    I regret to inform you that it turns out to be by design. And I noticed that some end users have also proposed the same request; it is highly recommended that you vote for this ticket. Many features of our current products are designed and upgraded based on customers' feedback. As requirements like this increase, the problem may well be resolved in the future. Thanks for your understanding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


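The behaviour described in this answer, shown as an added PnP.PowerShell example (not code from the thread or from the PnP project). It connects app-only with a certificate, creates a communication site, attempts a group-connected team site and, on the Authorization_RequestDenied error the question reports, falls back to the classic team site the asker says does work. Tenant name, client ID, certificate path, owner and site URLs are placeholders.

```powershell
# Added example: app-only (Azure AD app + certificate) site creation with PnP.PowerShell.
# All tenant, app, certificate, owner and URL values are placeholders, not values from the thread.
Import-Module PnP.PowerShell

$tenant   = 'contoso.onmicrosoft.com'                        # placeholder
$adminUrl = 'https://contoso-admin.sharepoint.com'           # placeholder
$clientId = '00000000-0000-0000-0000-000000000000'           # AAD app registration (placeholder)
$certPath = 'C:\certs\pnp-apponly.pfx'                       # placeholder
$certPwd  = Read-Host -AsSecureString -Prompt 'PFX password'
$owner    = 'admin@contoso.onmicrosoft.com'                  # placeholder

# Certificate-based app-only connection (the thread reports certificate auth works for
# communication and classic team sites, while a client secret produced a 403 instead).
Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Tenant $tenant `
                  -CertificatePath $certPath -CertificatePassword $certPwd

# 1) Communication site: supported under app-only, succeeds per the question.
New-PnPSite -Type CommunicationSite -Title 'Comms Demo' `
            -Url 'https://contoso.sharepoint.com/sites/comms-demo' -Owner $owner

# 2) Modern (group-connected) team site: not supported under app-only, so expect
#    "Authorization_RequestDenied / Insufficient privileges" as quoted in the question.
try {
    New-PnPSite -Type TeamSite -Title 'Team Demo' -Alias 'team-demo' `
                -Owners $owner -ErrorAction Stop
}
catch {
    if ($_.Exception.Message -match 'Authorization_RequestDenied|Insufficient privileges') {
        Write-Warning 'Group-connected team site creation is blocked under app-only (by design).'
        # 3) Fallback the thread confirms works app-only: a classic team site (template STS#0).
        #    TimeZone 2 is the SharePoint time zone id for UTC (Dublin, Edinburgh, Lisbon, London).
        New-PnPTenantSite -Title 'Team Demo (classic)' `
                          -Url 'https://contoso.sharepoint.com/sites/team-demo-classic' `
                          -Owner $owner -TimeZone 2 -Template 'STS#0'
    }
    else {
        throw   # any other failure (e.g. the 403 seen with a client secret) is surfaced unchanged
    }
}

Disconnect-PnPOnline
```

The try/catch only classifies the error; a classic STS#0 site has no Microsoft 365 group behind it, which is exactly why it stays within what app-only is allowed to do.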

  2. Faisal 1 Reputation point
    2022-11-23T10:05:45.493+00:00

    Hi RaytheonXie,

    Thanks for doing some tests and sharing some meaningful insight. However, as I said, we are not using SharePoint App-Only authentication; we have tried with the preferred Azure AD Application Registration, granting the relevant permissions and Admin Consent.

    I do know about the App-only limitation, as a Modern Team site uses an AAD group for collaboration with Teams. As per my knowledge, there is no limitation for the Azure AD application, as mentioned in the link you shared and shown below, highlighted in bold:

    There are two approaches for doing app-only for SharePoint:

    • Using an Azure AD application: this is the preferred method when using SharePoint Online because you can also grant permissions to other Office 365 services (if needed) + you’ve a user interface (Azure portal) to maintain your app principals.
    • Using a SharePoint App-Only principal: this method is older and only works for SharePoint access, but is still relevant. This method is also the recommended model when you’re still working in SharePoint on-premises since this model works in both SharePoint on-premises as SharePoint Online.