SharePoint PnP Management Shell - Permissions Consent

The SharePoint PnP Management Shell is a PowerShell module that is a part of the open-source Microsoft 365 Community projects led by Microsoft Engineers and Microsoft MVPs (e.g. https://github.com/waldekmastykarz, https://github.com/erwinvanhunen). It complements Microsoft Online SharePoint Management Shell by adding over 500 PowerShell commandlets to query and manage various elements of SharePoint Online, many of which have no equivalents in other tools or in the user interface (e.g. Export-PnPTaxonomy, Get-PnPAvailableClientSideComponents, Get-PnPCustomAction, Get-PnPEventReceiver, Get-PnPJavaScriptLink, Get-PnPSearchConfiguration, Get-PnPSiteTemplate).

However, before the module can be used, permission consent must be granted to the Azure Enterprise Application “PnP Management Shell”, which the module uses by default to access Microsoft Graph functionality in the tenant.


The following is an example of the types of permissions that are requested:

Such permissions are often met with skepticism by IT security administrators. The key point, however, is that the permission type is “Delegated”: the Microsoft Graph operations are authorized with the signed-in user's credentials, so the module can never do more than that user is already allowed to do. The set of permissions only defines the scopes that the management shell is allowed to request on behalf of the user.

If IT admins decide that the scopes must be limited or extended (e.g. to support Microsoft Project Online or to enable application-based Graph permissions for unattended accounts such as timer jobs, Azure functions, etc.), an alternative Azure Application registration can be created as described in the article https://pnp.github.io/powershell/articles/authentication.html.

In most cases, the easiest option is to grant consent to the default application “PnP Management Shell”. A tenant admin can do this by executing the following commands in PowerShell version 5.0 or greater:

Install-Module -Name "PnP.PowerShell"
Import-Module -Name "PnP.PowerShell"
Register-PnPManagementShellAccess

Note: To install the module at the machine level, PowerShell must be run as administrator. Alternatively, the module can be installed for the current user only by executing: Install-Module -Name "PnP.PowerShell" -Scope CurrentUser.

After logging in, the tenant admin will be prompted to accept the permissions.

You can check the consent status of the application at https://myapps.microsoft.com/managed-application/AzureADThirdParty%7Cc835d195-cab8-41b4-88c6-c75db300cb75 or under Azure Active Directory » Enterprise Applications at https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps.

If necessary, the permission grants can be revoked, or the Azure Enterprise Application “PnP Management Shell” can be removed altogether, to prevent unauthorized access.
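To audit the consent from PowerShell instead of the portal, and to revoke it in a controlled way, here is an added example (not from the original post or the PnP project) that uses the Microsoft Graph PowerShell SDK. The app id is the one from the myapps URL above; the function names, the Connect-MgGraph scopes and the assumption that the id matches your tenant's enterprise app entry are the example's own.

```powershell
# Added example (not from the original post): list, and optionally revoke, the
# delegated permission grants held by the "PnP Management Shell" enterprise app,
# using the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Assumption: this app id is the one in the post's myapps URL; verify it against
# the enterprise application entry in your own tenant before revoking anything.
$PnPAppId = 'c835d195-cab8-41b4-88c6-c75db300cb75'

# Read scopes cover the audit; DelegatedPermissionGrant.ReadWrite.All is only needed to revoke.
Connect-MgGraph -Scopes 'Application.Read.All', 'User.ReadBasic.All', 'DelegatedPermissionGrant.ReadWrite.All'

function Get-PnPShellConsent {
    param([string]$AppId = $PnPAppId)

    # The enterprise application is the service principal created for this app id in the tenant.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { Write-Warning "No service principal for $AppId; consent has not been granted."; return }

    # oauth2PermissionGrants hold the delegated consents. consentType shows whether an admin
    # consented for everyone ("AllPrincipals") or a single user consented for themselves ("Principal").
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | ForEach-Object {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        [pscustomobject]@{
            GrantId     = $_.Id
            Resource    = $resource.DisplayName      # e.g. Microsoft Graph
            ConsentType = $_.ConsentType
            Principal   = if ($_.PrincipalId) { (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName } else { '(all users)' }
            Scopes      = ($_.Scope.Trim() -split '\s+') -join ', '   # Scope is a space-separated string
        }
    }
}

function Revoke-PnPShellConsent {
    # Removes every delegated grant for the app. Supports -WhatIf so the effect can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$AppId = $PnPAppId)

    foreach ($g in Get-PnPShellConsent -AppId $AppId) {
        if ($PSCmdlet.ShouldProcess("$($g.Resource): $($g.Scopes) [$($g.Principal)]", 'Remove delegated grant')) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.GrantId
        }
    }
}

# Usage: review the grants, preview the revocation, then run it without -WhatIf if appropriate.
Get-PnPShellConsent | Format-Table -AutoSize
Revoke-PnPShellConsent -WhatIf
```

Revoking the grants removes the consent but keeps the service principal, so a later Register-PnPManagementShellAccess will simply prompt for consent again; deleting the enterprise application removes it entirely.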
