Get-PnPProvisioningTemplate : {code;-2147024891, System.UnauthorizedAccessException;message:{value:Access denied. You do not have permission to perform this action or access this resource.}

b m 1 Reputation point
2020-10-23T08:30:00.457+00:00

I am getting an unauthorized (401) error when trying to execute Get-PnPProvisioningTemplate in an Azure function app PowerShell (runtime version ~1). I am passing appid and appsecret as parameters at tenant level and site collection level. I am getting the same errors when executing them in Windows PowerShell.

Connect-PnPOnline -AppId $appId -AppSecret $appsecret -Url $url
Get-PnPProvisioningTemplate -Out $dropPath

Thanks

Azure Functions

3 answers

  1. Ruben Andreassen 6 Reputation points
    2021-01-12T10:31:42.633+00:00

    I'm having the same problem, but have done a bit more debugging.

    At first I used my user's credentials and everything was fine.

    Then I switched to Client ID and Client Secret, and the error was:

    401 Client Error: Unauthorized for url: https://[tenant].sharepoint.com/_api/Web
    

    This command resolved that issue

    Set-SPOTenant -DisableCustomAppAuthentication $false
    

    After this everything was fine.

    Then I switched to certificate, and the error is:

     ('-2147024891, System.UnauthorizedAccessException', 'Access denied. You do not have permission to perform this action or access this resource.', '403 Client Error: Forbidden for url: https://[tenant].sharepoint.com/sites/MySite/_api/Web')
    

    But the weird thing is that the error only comes when accessing a specific site like:

    https://[tenant].sharepoint.com/sites/MySite
    

    If I change the URL to the root (or whatever its called), I have access:

    https://[tenant].sharepoint.com/
    

    But that does not help much when I can't access the sites.

    Relevant information from Get-SPOTenant:

    LegacyAuthProtocolsEnabled                    : True
    DisableCustomAppAuthentication                : False
    
    1 person found this answer helpful.

  2. Mike Urnun 9,786 Reputation points Microsoft Employee
    2020-10-25T22:55:34.227+00:00

    Hi @b m - Could you confirm that you added your Function App as Trusted App to your Tenant?

    Per the documentation, the following steps need to be taken:

    1. Go to https://[yourtenant]-admin.sharepoint.com/_layouts/appinv.aspx (notice the -admin in the URL).
    2. In the App Id field, paste the Client ID that you copied, and choose Lookup.
    3. In the Permission Request XML field, paste the following XML:

      <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
      </AppPermissionRequests>

    4. Choose Create.
    5. To confirm that you want to trust this app, choose Trust It.

  3. sadomovalex 3,631 Reputation points
    2020-10-26T15:20:19.387+00:00

    Just to make sure: when was your tenant created? In Aug 2020 MS introduced a new tenant-level property, DisableCustomAppAuthentication, which is true by default, which means app permissions based on clientId/clientSecret won't work. You can't set it to false by the following PowerShell (needs the latest SharePoint admin PowerShell):

    Set-SPOTenant -DisableCustomAppAuthentication $false
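
Added example, not part of any post in this thread: a read-only check that reports the tenant's DisableCustomAppAuthentication value and then tries the app-only connection from the question against several URLs, so the 401 and 403 cases described above can be told apart before any tenant setting is changed. The function name, parameter names and hint texts are hypothetical; the hints are heuristics drawn from the answers above.

```powershell
# Added example. Test-AppOnlyAccess and its parameter names are hypothetical.
# Assumes the SharePoint Online Management Shell and the PnP module used in the
# question (Connect-PnPOnline -AppId/-AppSecret) are installed.
function Test-AppOnlyAccess {
    param(
        [Parameter(Mandatory)] [string]   $AdminUrl,   # https://[tenant]-admin.sharepoint.com
        [Parameter(Mandatory)] [string[]] $Urls,       # root and site URLs to compare
        [Parameter(Mandatory)] [string]   $AppId,
        [Parameter(Mandatory)] [string]   $AppSecret
    )

    # Read the tenant-wide switch without changing it (prompts for an admin sign-in).
    Connect-SPOService -Url $AdminUrl
    $blocked = (Get-SPOTenant).DisableCustomAppAuthentication
    $tenantHint = 'client id/secret app-only auth is allowed'
    if ($blocked) { $tenantHint = 'client id/secret app-only auth is off tenant-wide; expect 401' }
    [pscustomobject]@{
        Target = 'tenant'
        Status = "DisableCustomAppAuthentication = $blocked"
        Hint   = $tenantHint
    }

    # Try the same app-only connection against each URL and classify the failure.
    foreach ($url in $Urls) {
        try {
            Connect-PnPOnline -Url $url -AppId $AppId -AppSecret $AppSecret -ErrorAction Stop
            $null = Get-PnPWeb -ErrorAction Stop   # read the web object to prove access
            $status = 'OK'
            $hint   = 'app-only token accepted and web readable'
        }
        catch {
            $status = $_.Exception.Message
            $hint = switch -Regex ($status) {
                '401|Unauthorized'            { 'token rejected: compare with the tenant switch above'; break }
                '403|Forbidden|Access denied' { 'token accepted, permission missing: review the appinv.aspx trust'; break }
                default                       { 'not one of the two errors discussed in this thread' }
            }
        }
        [pscustomobject]@{ Target = $url; Status = $status; Hint = $hint }
    }
}

# Usage with placeholder values:
# Test-AppOnlyAccess -AdminUrl 'https://[tenant]-admin.sharepoint.com' `
#     -Urls 'https://[tenant].sharepoint.com/', 'https://[tenant].sharepoint.com/sites/MySite' `
#     -AppId $appId -AppSecret $appsecret | Format-Table -Wrap
```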