Connect-PnPOnline from Azure App and Runbook

We have an Azure App Registration and run a PowerShell script from an Azure Runbook to sync users from AAD to the SharePoint User Profile Store. The app has approved consent to read users from AAD via Graph and to read/write SharePoint user profiles:


The PowerShell script connects to Graph and PnP Online via the app, which is working fine.

# Name of the Automation connection asset holding the app's certificate
$serviePrincipalName = 'ZZZ-SPOScript'
$servicePrincipalConnection=Get-AutomationConnection -Name $serviePrincipalName
# App-only (certificate) sign-in to Microsoft Graph and to the SharePoint admin site
Connect-MgGraph -TenantId $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
Connect-PnPOnline -Url "https://ourtenant-admin.sharepoint.com" -Tenant $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -Thumbprint $servicePrincipalConnection.CertificateThumbprint

We can get all users from aad:

$users = Get-MgUser -All -Property "Id,mail,UserPrincipalName,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_townCode,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_costNumber,extension_b8fc35d8e8ec45e689d332303177957a_employeeID,extension_b8fc35d8e8ec45e689d332303177957a_employeeNumber,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_title,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_office,extension_b8fc35d8e8ec45e689d332303177957a_extensionAttribute6,extension_b8fc35d8e8ec45e689d332303177957a_extensionAttribute7"

We iterate over all users:

foreach($user in $users) {...

But when we try to get the user profile properties from SharePoint by calling

$fldValue = (Get-PnPUserProfileProperty -Account $user.UserPrincipalName).UserProfileProperties."ZZZ-CostNumber";

we get "Current user is not a tenant administrator."

Our Service Principal ZZZ-SPOScript which runs the Script within the RunBook is of course not a tenant admin (and will never be).

So, we added an App Permission entry for the Azure App Registration via /_layouts/15/AppInv.aspx


with the following permissions to elevate to FullControl:

<AppPermissionRequests>
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

But we still get "Current user is not a tenant administrator." when the script tries to call Get-PnPUserProfileProperty.

Are we missing something or can this be a bug in pnponline?

Additional finding: As stated here, we should add Full Control permissions for the social features. So, I updated the permissions to

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>

But still same error.
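The sync the question describes, written out as an added example that is not part of the original post: it resolves the Automation connection and fails immediately if the asset name does not exist (a wrong name otherwise only surfaces later as a confusing authentication or permission error), connects app-only with the certificate, and copies one AAD extension attribute into one user profile property. The connection name, admin URL, extension attribute and profile property are taken from the question; the $DryRun switch and the use of AdditionalProperties for extension attributes are my assumptions, and the app is assumed to hold the user-profile read/write consent the question describes.

```powershell
# Added example (not the original poster's code). Assumes the connection asset,
# extension attribute and profile property named in the question; $DryRun is hypothetical.
param(
    [string]$ConnectionName = 'ZZZ-SPOScript',
    [string]$AdminUrl       = 'https://ourtenant-admin.sharepoint.com',
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'

# A misspelled asset name returns nothing here; stop now rather than failing later with an auth error.
$conn = Get-AutomationConnection -Name $ConnectionName
if (-not $conn) { throw "Automation connection '$ConnectionName' not found." }

# App-only (certificate) sign-in to Graph and to the SharePoint admin site.
Connect-MgGraph -TenantId $conn.TenantId -ClientId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint
Connect-PnPOnline -Url $AdminUrl -Tenant $conn.TenantId -ClientId $conn.ApplicationId -Thumbprint $conn.CertificateThumbprint

# Source schema-extension attribute (from the question) and its target profile property.
$sourceAttr = 'extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_costNumber'
$targetProp = 'ZZZ-CostNumber'

$users = Get-MgUser -All -Property "Id,UserPrincipalName,$sourceAttr"

$updated = 0; $failed = 0
foreach ($user in $users) {
    # Extension attributes are exposed by the Graph SDK in AdditionalProperties (assumption).
    $newValue = $user.AdditionalProperties[$sourceAttr]
    if ([string]::IsNullOrEmpty($newValue)) { continue }
    try {
        $spProfile = Get-PnPUserProfileProperty -Account $user.UserPrincipalName
        $current   = $spProfile.UserProfileProperties[$targetProp]
        if ($current -eq $newValue) { continue }   # nothing to change
        if ($DryRun) {
            Write-Output "WOULD SET $($user.UserPrincipalName): '$current' -> '$newValue'"
        } else {
            Set-PnPUserProfileProperty -Account $user.UserPrincipalName -PropertyName $targetProp -Value $newValue
            $updated++
        }
    } catch {
        # A permission problem shows up here as "Current user is not a tenant administrator";
        # log it per user so one failure does not abort the whole sync.
        $failed++
        Write-Warning "$($user.UserPrincipalName): $($_.Exception.Message)"
    }
}
Write-Output "Done. Updated: $updated, failed: $failed, total: $($users.Count)"
```

Run once with -DryRun to confirm the app-only session can read profiles before letting it write anything.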

Solution 1:

Looks like there is simply a typo in the very first string:

$serviePrincipalName = 'ZZZ-SPOScript'

The correct one should be

$servicePrincipalName = 'ZZZ-SPOScript'

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 user18522804