Add-PnPSiteCollectionAdmin: The remote server returned an error: (401) Unauthorized.

Question

Add-PnPSiteCollectionAdmin: The remote server returned an error: (401) Unauthorized.

Yesh Rajawat 115

I'm encountering an issue while using the Add-PnPSiteCollectionAdmin cmdlet in SharePoint PnP PowerShell. The error message I'm receiving is:

"Add-PnPSiteCollectionAdmin: The remote server returned an error: (401) Unauthorized."

Here's my scenario:

I'm connecting to SharePoint PnP PowerShell using client credentials (Client ID and Client Secret).
I've registered an enterprise application in Azure AD.
The application has been granted the "Site.FullControl" permission for SharePoint.
I've obtained the Client ID and Client Secret from the application's configuration.
The initial connection (Connect-PnPOnline) works with a warning
WARNING:

Connecting with Client Secret uses legacy authentication and provides limited functionality. We can for instance not

execute requests towards the Microsoft Graph, which limits cmdlets related to Microsoft Teams, Microsoft Planner,

Microsoft Flow and Microsoft 365 Groups. You can hide this warning by using Connect-PnPOnline [your parameters] -

WarningAction Ignore

However, when I run the Add-PnPSiteCollectionAdmin cmdlet or other similar commands, I face the 401 Unauthorized error.
# Connect to SharePoint using Azure AD enterprise application credentials $clientId = "your_client_id" $clientSecret = "your_client_secret" Connect-PnPOnline -ClientId $clientId -ClientSecret $clientSecret -Url "https://contoso.sharepoint.com/sites/yoursite" # Attempt to add site collection admin Add-PnPSiteCollectionAdmin -SiteUrl "https://contoso.sharepoint.com/sites/yoursite" -Owners "user@example.com"

1 answer

Your answer

Answer 1

RaytheonXie_MSFT 40,481 Microsoft External Staff

Hi @Yesh Rajawat ,

To connect pnponline, you should use following cmdlet

Connect-PnPOnline [yourtenant].sharepoint.com -ClientId [clientid] -Tenant [yourtenant].onmicrosoft.com -CertificateBase64Encoded [pfx base64 encoded]

Here is the documents for more details, please make a reference

https://pnp.github.io/powershell/articles/authentication.html

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Yesh Rajawat 115 Reputation points

2023-08-14T04:34:38.98+00:00
Hi @RaytheonXie_MSFT ,

I'm looking for some guidance on connecting to the PnP PowerShell module using a client ID and client secret for authentication, instead of the client ID and certificate approach. I've explored the documentation but failed to connect . For clarity, I'd like to achieve a connection similar to the approach discussed in this reference link: Connect Using ClientID and Client Secret.
While following the above step I have encountered no errors while connecting using client id and client secret but when I perform any other operation using any other command

Get-PnPTenantSite

An error is thrown as following

The remote server returned an error: (401) Unauthorized.

After doing my research I found out that I can remove this error using this command

Set-PnPTenant DisableCustomAuthenticationApp $false

But Still I am facing the same issue

remote server returned an error: (401) Unauthorized.

Here are some reference links that might help you
https://vladilen.com/sharepoint/testing-sites-selected-sharepoint-and-ms-graph-api/

https://techcommunity.microsoft.com/t5/windows-powershell/how-to-authenticate-multi-geo-sites-via-client-id-and-secret/m-p/3875178

I'm in need of urgent assistance regarding connecting to the If you have insights, suggestions, or can point me in the right direction to achieve this specific connection method, your prompt response would be immensely appreciated. Thank you for your understanding and support in helping me resolve this matter swiftly.
RaytheonXie_MSFT 40,481 Reputation points Microsoft External Staff

2023-08-16T01:44:46.04+00:00
Hi @Yesh Rajawat ,

The permission you grant is sitecollection level, and if you want to use **Add-PnPSiteCollectionAdmin **cmdlet, you will need tenant level permission. You could register app only in https://contoso.sharepoint.com/_layouts/15/appregnew.aspx. Then grant permissions to the newly created principal in https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx with following xml

<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>

Here is the document for more details

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

And here is the document for permission scope

https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint
Yesh Rajawat 115 Reputation points

2023-08-16T04:40:09.14+00:00

Hi @RaytheonXie_MSFT ,
I appreciate your guidance on the process of creating a SharePoint app by going on appregnew.aspx, obtaining the client ID and secret, and configuring app permissions via the appinv.aspx page. However, despite meticulously following these steps, I'm still grappling with the recurring unauthorized error.

To eliminate any potential oversights, I've revisited each stage of the process, ensured the correct permissions are granted, and cross-verified the accuracy of the client ID and secret. Despite these efforts, I'm unable to overcome the unauthorized issue.

At this juncture, I'm seeking more specific troubleshooting steps or insights that could help pinpoint the root cause.

Thank you for your continued assistance and support.

RaytheonXie_MSFT 40,481 Microsoft External Staff

Hi @Yesh Rajawat ,

Per my test, if you want to use Get-PnPTenantSite. You will need tenant scope permission. You can grant access by following xml

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

And you will need to connect to adminSiteUrl instead of SiteUrl which should be like following

#Parameters
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
   
#Connect to Admin Center
Connect-PnPOnline -Url $TenantAdminURL -ClientId "3c85uc19-f1b9-41ba-8c16-c3281x09b82" -ClientSecret "1KLekxb775bhs/C3*aqqWE6Gs13u4="

RaytheonXie_MSFT 40,481 Reputation points Microsoft External Staff

2023-08-31T06:26:03.69+00:00

Hi @Yesh Rajawat ,

I am checking to see if the problem has been resolved.
RaytheonXie_MSFT 40,481 Reputation points Microsoft External Staff

2023-09-04T01:56:32.17+00:00

Hi @Yesh Rajawat ,

Would you tell me whether your issue has been resolved or have any update?

I am looking forward to your reply.

Share via

Add-PnPSiteCollectionAdmin: The remote server returned an error: (401) Unauthorized.

1 answer

Your answer