What type of accessToken scope/resourceType do I need when using Pnp-Powershell?
In the PnP docs (https://pnp.github.io/powershell/cmdlets/Connect-PnPOnline.html#example-13) it shows you can access the resource with an OAuth2 AccessToken:
```powershell
Connect-PnPOnline -Url https://contoso.sharepoint.com -AccessToken $token
```
When I try to get the access token via the Az CLI in PowerShell... https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
```powershell
$token=az account get-access-token --resource-type ms-graph --query accessToken
$token=$token.Trim('"')
Connect-PnPOnline -Url https://mysharepointdomain.com/sites/SiteINeedToAccess -AccessToken $token
Get-PnPSiteCollectionAdmin
Get-PnPSiteCollectionAdmin: The remote server returned an error: (401) Unauthorized.
```
When I use the alternate Connect-PnPOnline method using a pfx certificate with password, I can access the resources fine.
Is there another type of access-token I should be requesting?
Solution 1:[1]
As you mentioned, the "Connect-PnPOnline method using a pfx certificate with password" is working fine. Please check whether you have assigned the required permissions and scopes while generating the access token via Azure CLI.
To validate the scopes, make use of JSON Web Tokens - jwt.io website to decode the token.
If the `scp` attribute doesn't include SharePoint Online permissions like `Sites.FullControl.All`, `Sites.ReadWrite.All`, etc., then this might lead to a 401 unauthorized error.
Make sure to grant the permissions like below:
Go to Azure Portal -> Azure Active Directory -> Your app -> API permissions -> Add permissions -> SharePoint
For more information, please refer to the links below if helpful:
Azure app cannot access SharePoint v1 API - 401 unauthorized access error - Microsoft Q&A
UPDATE:
As mentioned by you in the comment, please note that `Get-PnPSiteCollectionAdmin` also uses legacy CSOM, which has a limitation that we can't change even if the `Sites.FullControl.All` permission is granted. To avoid that, continue using the pfx certificate with password for the `Connect-PnPOnline` method as a workaround!
Reference: https://github.com/pnp/powershell/issues/305
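The claim check described in the answer can be run locally, which keeps a live bearer token out of a third-party website. This is an added example, not code from the original post or from PnP PowerShell: the function names and the unsigned sample token are constructed, and reporting `aud`, `roles` and `exp` next to `scp` is an addition to the `scp` check the answer describes.

```powershell
# Added example: decode a JWT access token locally and report the claims
# relevant to a SharePoint 401. Decoding only; the signature is not validated.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {            # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Trim('"').Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-SharePointToken {
    param([Parameter(Mandatory)][string]$Token,
          [Parameter(Mandatory)][uri]$SiteUrl)
    $claims = Get-JwtClaims $Token
    # Delegated permissions arrive in 'scp' (space separated), app-only ones in 'roles'.
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }
    if ($claims.roles) { $granted += $claims.roles }
    [pscustomobject]@{
        Audience                = $claims.aud
        # Compares the URL form only; an audience can also be an application ID GUID.
        AudienceMatchesSiteHost = ([string]$claims.aud).TrimEnd('/') -eq "https://$($SiteUrl.Host)"
        Granted                 = $granted
        HasSitesPermission      = [bool]($granted -like 'Sites.*')
        ExpiresUtc              = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed sample token (unsigned, made-up values) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://graph.microsoft.com","scp":"User.Read Sites.ReadWrite.All","exp":1893456000}'
$sample  = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig' -join '.'

Test-SharePointToken -Token $sample -SiteUrl 'https://contoso.sharepoint.com/sites/demo'
```

To inspect a real token, pass the `$token` value from the question in place of `$sample` along with the site URL given to `Connect-PnPOnline`.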
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 |