Joannagowska-3550 asked WendyLi-MSFT edited

PowerShell: PnPOnline: OneDrive usage report | Authentication with App - access denied

Hello community!


I have to prepare a report about OneDrive usage, in which I collect information about ItemCount. I have to do it for over 3000 users.

Problem: PnPOnline requires a connection to every site collection separately (unlike SPOService, which connects to the tenant). Because of the large number of sites that I have to check, I don't want to log in separately for every user. To avoid this, I wanted to use an app with specific permissions. Currently my app has the following access:

144358-image.png




I can connect with the ClientID and ClientSecret to the Site (there is no error).

When I try to run a simple script (Get-PnPList), I get the following error:

Get-PnPList
Get-PnPList : Exception has been thrown by the target of an invocation.
At line:1 char:1
+ Get-PnPList
+ ~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Get-PnPList], TargetInvocationException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Lists.GetList


As far as I found out - it is caused by missing permissions.


Question: Which permissions is the app missing?


sharepoint-dev

@Joannagowska-3550
To better help you, I would add a tag "sharepoint-dev". Thanks for your understanding.


1 Answer

RaytheonXie-MSFT answered Joannagowska-3550 commented

Hi @Joannagowska-3550 ,
Per my test, this issue might not involve permissions, since an Azure app is different from a SharePoint app. An Azure app is unable to use a client secret to connect to SharePoint; a certificate file is necessary. We need to log in with the following cmdlet:

 Connect-PnPOnline -ClientId <$application client id as copied over from the AAD app registration above> -CertificatePath '<$path to the PFX file generated by the PowerShell script above>' -CertificatePassword (ConvertTo-SecureString -AsPlainText "<$password assigned to the generated certificate pair above>" -Force) -Url https://<$yourtenant>.sharepoint.com -Tenant "<$tenantname>.onmicrosoft.com"

Per my test, 'Site.Read.All' is enough for GetPnPList.
If you want to use an Azure app, you can refer to the following link:
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
If you want to use a SharePoint app, please refer to the following link:
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs




I found the same reason yesterday; with the certificate it is working.

Thank you for your time!

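The per-site loop the question describes, combined with the certificate-based app-only sign-in from the answer, as an added example (not code from either poster). It swaps the PFX file and plaintext password for Connect-PnPOnline's -Thumbprint parameter, which reads the certificate from the Windows certificate store; the client ID, tenant, thumbprint, site URLs and output file name are placeholders.

```powershell
# Added example; every identifier below is a placeholder, not a value from the thread.
$ClientId   = '00000000-0000-0000-0000-000000000000'   # AAD app registration (placeholder)
$Tenant     = 'contoso.onmicrosoft.com'                # placeholder tenant
$Thumbprint = '<thumbprint of the certificate in Cert:\CurrentUser\My>'

# Constructed sample input: one OneDrive site URL per user.
$OneDriveUrls = @(
    'https://contoso-my.sharepoint.com/personal/user1_contoso_com',
    'https://contoso-my.sharepoint.com/personal/user2_contoso_com'
)

$report = foreach ($url in $OneDriveUrls) {
    try {
        # App-only sign-in; the private key stays in the certificate store,
        # so no PFX password has to be written into the script.
        $conn = Connect-PnPOnline -Url $url -ClientId $ClientId -Tenant $Tenant `
                    -Thumbprint $Thumbprint -ReturnConnection -ErrorAction Stop

        # Visible document libraries only; hidden system lists are skipped.
        $libraries = Get-PnPList -Connection $conn -ErrorAction Stop |
            Where-Object { -not $_.Hidden -and $_.BaseType -eq 'DocumentLibrary' }

        [pscustomobject]@{
            Url       = $url
            ItemCount = ($libraries | Measure-Object -Property ItemCount -Sum).Sum
            Error     = $null
        }
    }
    catch {
        # Record the failure and continue, so one denied or missing site
        # does not abort a run over thousands of sites.
        [pscustomobject]@{ Url = $url; ItemCount = $null; Error = $_.Exception.Message }
    }
}

$report | Export-Csv -Path .\OneDriveItemCount.csv -NoTypeInformation
```

Rows with a non-empty Error column show which sites the app could not read, which separates a tenant-wide authentication problem from a per-site permission gap.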