Authentication - PNP PowerShell
Authentication
Setting up Access
PnP PowerShell allows you to authenticate to your tenant with credentials. However, due to
changes in the underlying SDKs, you first have to register an Azure AD application that will
allow you to authenticate.
Register-PnPManagementShellAccess
You'll notice that the cmdlet is not called Register-PnPPowerShellAccess. This is because both
PnP PowerShell and the CLI for Microsoft 365 make use of the same Azure AD application.
IMPORTANT
You need to run this cmdlet with an identity that has write access to Azure AD. You are not
creating a new application in the sense of something that runs in your Azure AD tenant. You're
only adding a registration to your Azure AD, a so-called 'consent' that lets people in your tenant
use that application. The access rights the application requires are delegated only, so you will
always have to provide credentials or another way of identifying the user who is actually using that
application.
During execution of the cmdlet you will be talked through the consent flow. This means that a
browser window will open, you will be asked to authenticate, and you will be asked to consent to a
number of permissions. After these permissions have been granted, a new entry will show up if you
navigate to Enterprise Applications in your Azure AD. If you want to revoke the consent, you
can simply remove that entry from Enterprise Applications.
https://pnp.github.io/powershell/articles/authentication.html 1/6
11/02/2022 08:42 Authentication | PnP PowerShell
$result
When you run the cmdlet above you will be asked to navigate to the URL shown and enter the code
shown. After that, a new app will be registered in Azure AD (make sure you have the rights to do
this), and a certificate will be generated and uploaded to that app. Then a URL will be shown
which you have to navigate to in order to provide consent for this application. By default a limited set of
permission scopes is added, but you can provide one of the permission parameters
(-GraphApplicationPermissions, -GraphDelegatePermissions, -SharePointApplicationPermissions,
-SharePointDelegatePermissions) to specify your own permission scopes.
The cmdlet also returns the private key certificate, encoded in Base64. As it spans multiple lines, it
is recommended to assign the output of Register-PnPAzureADApp to a variable so you have
easier access to this value. The Base64-encoded private key certificate can be passed to
Connect-PnPOnline, avoiding the need to have access to the physical file:
The cmdlet will also save both the CER and PFX files to the location specified with the -OutPath
parameter. The file names match the -ApplicationName parameter, e.g. in the
example above the files will be called PnP Rocks.cer and PnP Rocks.pfx. The output of the
cmdlet will show the client id. After everything is set up and consent has been provided, you can log in using:
and you will be prompted for credentials. Using this method you are required to have granted the
PnP Management Shell multi-tenant application access rights. You can, however, register your own
application using Register-PnPAzureADApp and then provide the -ClientId parameter with the
client id/app id of your custom application.
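The registration and certificate-based connection described above, written out as an added example (this is not code from the PnP PowerShell documentation). The tenant name, application name and output folder are placeholders, and the property names used to read the client id and Base64 certificate from the returned object are an assumption to verify against the cmdlet's actual output with Get-Member:

```powershell
# Added example (not from the PnP PowerShell docs): register an app with an
# explicit, minimal permission set, keep the returned certificate material in a
# variable, and connect app-only with the Base64-encoded private key.
$tenant  = 'contoso.onmicrosoft.com'   # placeholder tenant
$appName = 'PnP Rocks'                 # same name as the docs' example
$outPath = 'C:\PnPCerts'               # placeholder; the CER and PFX land here
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Least privilege: name the scopes explicitly instead of accepting the defaults.
$result = Register-PnPAzureADApp `
    -ApplicationName $appName `
    -Tenant $tenant `
    -OutPath $outPath `
    -CertificatePassword $pfxPassword `
    -GraphApplicationPermissions 'Sites.Read.All' `
    -SharePointApplicationPermissions 'Sites.Read.All' `
    -DeviceLogin

# The cmdlet prints a consent URL; open it and grant consent before connecting.
$result   # client id, thumbprint, file paths and the Base64 private key

# Property names are an assumption; check with: $result | Get-Member
$clientId  = $result.'AzureAppId/ClientId'
$base64Pfx = $result.'Base64Encoded'

# App-only connection without needing the .pfx file on disk.
Connect-PnPOnline -Url 'https://contoso.sharepoint.com' `
    -ClientId $clientId -Tenant $tenant `
    -CertificateBase64Encoded $base64Pfx -CertificatePassword $pfxPassword

# Sanity check: which identity and URL the connection is bound to, plus one read.
Get-PnPConnection | Select-Object ConnectionType, Url
Get-PnPWeb | Select-Object Title, Url
```

The Base64 string is the password-protected PFX, so it is a credential: store it in a secret store or pipeline secret rather than in the script, and prefer -CertificatePath with a file ACL when the script runs on a single host.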
You will be prompted to provide a password. After that you can log in using:
When you create the stored credentials (with Add-PnPStoredCredential or any other tool), if the
name you give it is the URL of your tenant, you can omit the -Credentials parameter of Connect-
PnPOnline. Using the example above, create your stored credential with this command:
Connect-PnPOnline will look through the Windows Credential Manager for a credential matching
the URL. If it finds one it will use it. It will also match that credential with deeper connection URLs
like https://contoso.sharepoint.com/sites/IT. You can create additional stored credentials for deeper
sites if you routinely connect to them with different credentials. If you want to connect with a
different set of credentials, you can use the -Credentials parameter to specify them. A stored
credential can also be used for other URLs, like the admin site:
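The stored-credential flow above as an added example (not code from the PnP PowerShell documentation), using a placeholder contoso tenant and service account: one credential stored under the tenant URL, picked up implicitly for the tenant and a deeper site, then reused by name for the admin site.

```powershell
# Added example (not from the PnP docs): store one credential under the tenant
# URL so Connect-PnPOnline finds it by itself, then reuse it for the admin site.
$siteUrl  = 'https://contoso.sharepoint.com'         # placeholder tenant
$adminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder admin site

# Name == URL is what enables the implicit lookup. You are prompted for the
# password; it goes into the Windows Credential Manager, not into this script.
Add-PnPStoredCredential -Name $siteUrl -Username 'svc-pnp@contoso.onmicrosoft.com'

# Implicit: no -Credentials. The URL is matched against stored credential names,
# including deeper paths such as /sites/IT.
Connect-PnPOnline -Url "$siteUrl/sites/IT"
Get-PnPWeb | Select-Object Title, Url
Disconnect-PnPOnline

# Explicit reuse for a URL that does not match the stored name: pass the name.
Connect-PnPOnline -Url $adminUrl -Credentials $siteUrl
Get-PnPTenantSite | Select-Object -First 3 Url
Disconnect-PnPOnline

# Housekeeping when rotating the account: inspect, then remove the entry.
Get-PnPStoredCredential -Name $siteUrl
# Remove-PnPStoredCredential -Name $siteUrl -Force
```

A stored credential is a username and password, so it only works for accounts that are not subject to multi-factor authentication or a conditional access policy requiring it; for those accounts use the interactive login or an app registration with a certificate.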
Set-SecretStoreConfiguration
This creates a new secret vault on your computer. You will be asked to provide a password for
accessing the vault, and you will be prompted for that password whenever you access it. If you want
to write automated scripts, you will have to turn off this password prompt as follows:
For more information about these cmdlets, check out the GitHub
repositories: https://github.com/powershell/secretmanagement and
https://github.com/powershell/secretstore.
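The SecretManagement/SecretStore setup described above as an added example (not code from the PnP PowerShell documentation or the SecretStore project), with a placeholder contoso tenant and vault name: register the vault, switch it to unattended mode, store a PSCredential once, and read it back in a scheduled run.

```powershell
# Added example (not from the PnP docs): a local SecretStore vault holding a
# PSCredential, configured for unattended scripts, then used by Connect-PnPOnline.
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Scope CurrentUser

# One-time: register the local SecretStore as the default vault ('PnPVault' is a placeholder name).
Register-SecretVault -Name 'PnPVault' -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

# Unattended use: no vault password and no interactive prompts. Trade-off: the
# vault is then protected only by the user profile and its file ACLs, so run the
# job as a dedicated service account.
Set-SecretStoreConfiguration -Authentication None -Interaction None -Confirm:$false

# Store the credential once, interactively ...
$cred = Get-Credential -Message 'Service account used by PnP PowerShell'
Set-Secret -Name 'https://contoso.sharepoint.com' -Secret $cred

# ... and retrieve it in the automated run; Get-Secret returns the PSCredential.
$stored = Get-Secret -Name 'https://contoso.sharepoint.com'
Connect-PnPOnline -Url 'https://contoso.sharepoint.com' -Credentials $stored
Get-PnPWeb | Select-Object Title, Url
```

Keep the vault name and secret name in the script, never the password itself, and review `Get-SecretInfo` output periodically so stale credentials for decommissioned accounts are removed.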
This will show a popup window which will allow you to authenticate and step through the multi-factor
authentication flow.
You are required to register your own Azure AD App in order to authenticate
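The interactive, multi-factor-capable login as an added example (not code from the PnP PowerShell documentation), assuming the PnP Management Shell consent from the top of this page has already been granted in the tenant; the tenant URL is a placeholder:

```powershell
# Added example (not from the PnP docs): interactive login through the
# PnP Management Shell application, which supports MFA and conditional access.

# One-time, by someone with write access to Azure AD: consent to the
# PnP Management Shell multi-tenant application (delegated permissions only).
Register-PnPManagementShellAccess

# Per session: a browser popup handles sign-in and any MFA challenge.
Connect-PnPOnline -Url 'https://contoso.sharepoint.com' -Interactive

# Confirm who you are connected as before doing anything else.
Get-PnPConnection | Select-Object ConnectionType, Url
Get-PnPWeb | Select-Object Title, Url
```

Because the permissions are delegated, every call runs with the signed-in user's own rights; the application consent does not grant anything beyond what that user already has.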
The -AzureEnvironment parameter accepts only one value. Select the one that matches your
cloud deployment.
The above statement grants a few permission scopes. You might want to add more if you want to.
Alternatively, after registering the application, navigate to the Azure AD, locate the app registration,
and grant more permissions and consent to them.
There is a limitation in the Azure AD for national cloud environments where you cannot select
permission scopes for SharePoint Online. In order to add specific SharePoint rights you will have to
manually add them to the manifest that you can edit in Azure AD:
Locate the requiredResourceAccess section and add to or modify the existing entries. See the
example below (notice, this is an example, do not copy and paste this as is as it will limit the
permissions to only AllSites.FullControl):
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
                    "type": "Scope"
                }
            ]
        }
    ]
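Editing the manifest by hand is easy to get wrong, so here is an added example (not from the PnP PowerShell documentation) that reads a manifest's requiredResourceAccess section and reports the SharePoint Online permissions it requests, distinguishing delegated scopes from application roles and flagging FullControl. The SharePoint resource app id and the AllSites.FullControl id are the ones shown on this page; any other id is reported as unknown. The sample manifest embedded below is constructed for the example.

```powershell
# Added example (not from the PnP docs): review the SharePoint Online permissions
# requested in an Azure AD app manifest before granting consent.
$SharePointResourceAppId = '00000003-0000-0ff1-ce00-000000000000'   # SharePoint Online (from the page)
$KnownSharePointIds = @{
    '56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0' = 'AllSites.FullControl'   # the only id named on the page
}

function Get-SharePointManifestPermissions {
    param([Parameter(Mandatory)][string]$ManifestJson)

    $manifest = $ManifestJson | ConvertFrom-Json
    $spo = @($manifest.requiredResourceAccess | Where-Object resourceAppId -eq $SharePointResourceAppId)
    if ($spo.Count -eq 0) {
        Write-Warning 'Manifest requests no SharePoint Online permissions.'
        return @()
    }

    foreach ($entry in $spo) {
        foreach ($access in $entry.resourceAccess) {
            $name = if ($KnownSharePointIds.ContainsKey($access.id)) { $KnownSharePointIds[$access.id] }
                    else { '(unknown id: look it up on the SharePoint Online service principal)' }
            # "Scope" is a delegated permission (acts as the signed-in user);
            # "Role" is an application permission (acts without a user).
            $kind = switch ($access.type) {
                'Scope' { 'Delegated' }
                'Role'  { 'Application' }
                default { $access.type }
            }
            [pscustomobject]@{
                Id          = $access.id
                Kind        = $kind
                Name        = $name
                FullControl = $name -like '*FullControl*'
            }
        }
    }
}

# Constructed sample: the fragment from the page, wrapped in a minimal manifest.
$sampleManifest = @'
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
      "resourceAccess": [
        { "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", "type": "Scope" }
      ]
    }
  ]
}
'@

$perms = Get-SharePointManifestPermissions -ManifestJson $sampleManifest
$perms | Format-Table -AutoSize
if ($perms.FullControl -contains $true) {
    Write-Warning 'FullControl is requested: confirm this is intended before granting admin consent.'
}

# For a manifest exported from the portal:
# Get-SharePointManifestPermissions -ManifestJson (Get-Content .\manifest.json -Raw)
```

Run it on the manifest after every manual edit; the point the page makes about the example above (pasting it as-is limits the app to AllSites.FullControl) shows up here as a single FullControl row with nothing else beside it.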
Connect
The -AzureEnvironment parameter accepts only one value. Select the one that matches your
cloud deployment.
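Registering and connecting in a national cloud, as an added example covering both the registration and the Connect sections above (not code from the PnP PowerShell documentation). The environment value, tenant name, site URL and certificate path are placeholders, and the property name used to read the client id from the registration result is an assumption to verify with Get-Member.

```powershell
# Added example (not from the PnP docs): the same -AzureEnvironment value has to
# be given to both Register-PnPAzureADApp and Connect-PnPOnline.
$environment = 'USGovernmentHigh'              # one of: Production, PPE, China, Germany, USGovernment, USGovernmentHigh, USGovernmentDoD
$tenant      = 'contoso.onmicrosoft.us'        # placeholder tenant for that cloud
$siteUrl     = 'https://contoso.sharepoint.us' # placeholder site in that cloud
$certPath    = 'C:\PnPCerts\PnP GovApp.pfx'    # placeholder; named after -ApplicationName
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$result = Register-PnPAzureADApp -ApplicationName 'PnP GovApp' -Tenant $tenant `
    -OutPath 'C:\PnPCerts' -CertificatePassword $pfxPassword `
    -AzureEnvironment $environment -DeviceLogin
# Grant consent through the printed URL. In a national cloud, SharePoint scopes
# cannot be picked in the portal, so add them to the manifest as shown above.

# Property name is an assumption; check with: $result | Get-Member
$clientId = $result.'AzureAppId/ClientId'

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
    -CertificatePath $certPath -CertificatePassword $pfxPassword `
    -AzureEnvironment $environment
Get-PnPWeb | Select-Object Title, Url
```

If the two cmdlets disagree on the environment, the token is requested from the wrong login endpoint and the connection fails, so keep the value in one variable as done here.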