PnP Management Shell | Azure Consent

Hey All, another fun one. We had a client who was uploading files to a SharePoint collection via a script, and using the PnP Management Shell. Sometime last year a new version of the PnP Management Shell was released, and the local module needed to be updated. After the update, the following error was being generated:

Error Message
Connect-PnPOnline : AADSTS65001: The user or administrator has not consented to use the application with ID ‘31359c7f-bd7e-475c-86db-fdb8c937548e’ named ‘PnP Management Shell’. Send an interactive authorization request for this user and resource.

Basically the new module/application requires a global administrator's consent (admin consent) within Azure AD. There are a few ways to grant this consent; the method outlined below is what worked for us. If you run either of the following commands:

Connect-PnPOnline -Url https://<yoursite>.sharepoint.com/ -PnPManagementShell

or

Connect-PnPOnline -Url https://<yoursite>.sharepoint.com/ -Interactive

You will be presented with a user login screen. Sign in (an admin account is needed) and you will be met with a laundry list of permissions that would be granted to the app if approved. The length of this list may be alarming for most administrators:

full blanket permissions – Image from techpress.net

Even though these are 'delegated' permissions for the app (the app only ever acts as the signed-in user and cannot exceed that user's own rights), approving the whole list didn't sit well: once admin consent is granted for all of them, any user in the tenant who signs in through PnP Management Shell receives a token good for every scope on that list, not just the one our upload script needs. We decided to shorten the list to granting only write access to SharePoint. What worked for us was to craft a custom web link that specifies the exact permission we wanted. The link is built from the following template:

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=[Client ID]&scope=[Microsoft resource scope]/[rights]

For our purpose we want to grant only the 'AllSites.Write' permission for SharePoint Online, whose resource identifier is https://microsoft.sharepoint-df.com (this is the identifier URI of the SharePoint Online application, not your tenant's SharePoint host name), and the client ID is the one from the error message above, so the link becomes:

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=31359c7f-bd7e-475c-86db-fdb8c937548e&scope=https://microsoft.sharepoint-df.com/AllSites.Write

Microsoft's documentation for this endpoint also lists a redirect_uri parameter; we did not need to supply one.
It is important to note that 'organizations' in this link is a multi-tenant placeholder: make sure you or the administrator is signed in to Azure in the same browser session so that the request resolves to your tenant ID (or replace 'organizations' with your tenant ID directly). Before approving, check that the client ID in the link matches the one from the error message and that the consent page names the application you expect: an admin-consent prompt for an unfamiliar application is exactly what an illicit consent grant attack looks like, and the prompt itself cannot tell you who crafted the link. If it works you will be presented with a much smaller consent prompt:

simplified consent form

Once you have accepted this permission, head over to the Azure Active Directory admin center > Enterprise Applications > PnP Management Shell > Permissions, and you should see that SharePoint Online has been granted admin consent for AllSites.Write only:

Now when testing Connect-PnPOnline in PowerShell, you should be able to connect to your SharePoint site collection and upload files with Add-PnPFile successfully:

Connecting to SharePoint with PnPOnline
Successful upload to SharePoint with Add-PnPFile
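To tie the steps together, here is an added PowerShell example (not code from the original post or from the PnP project) that builds the scoped consent link from the client ID in the error message, opens it for the admin, then checks through Microsoft Graph what was actually consented before attempting the upload. The site URL, local file path and target folder are placeholders, and the script assumes the PnP.PowerShell and Microsoft.Graph modules are installed and that the account running the Graph check can read the directory.

```powershell
# Added example: scoped admin consent for PnP Management Shell, end to end.
# Assumes PnP.PowerShell and Microsoft.Graph are installed; site/file values
# below are placeholders, not values from the original post.

# Client ID of the multi-tenant "PnP Management Shell" app, copied from the
# AADSTS65001 error text. Approve consent only if the consent page shows this
# ID/app name; an unfamiliar client ID is the hallmark of an illicit consent grant.
$ClientId = '31359c7f-bd7e-475c-86db-fdb8c937548e'

# The single permission the upload script needs. The resource part is the
# identifier URI of the SharePoint Online application, not your SharePoint host.
$Resource   = 'https://microsoft.sharepoint-df.com'
$Permission = 'AllSites.Write'
$Scope      = "$Resource/$Permission"

# 'organizations' resolves to the tenant of whoever signs in; replace it with
# your tenant ID (GUID) to pin the consent to one tenant regardless of session.
$Tenant = 'organizations'

# Percent-encode the scope so the '/' and ':' in the resource URI survive the query string.
$ConsentUrl = 'https://login.microsoftonline.com/{0}/v2.0/adminconsent?client_id={1}&scope={2}' -f `
    $Tenant, $ClientId, [uri]::EscapeDataString($Scope)

Write-Host "Open this link as a tenant admin and approve only $Permission :"
Write-Host $ConsentUrl
Start-Process $ConsentUrl
Read-Host 'Press Enter once consent has been granted'

# Verify the grant from the directory rather than trusting the consent page.
# Directory.Read.All is enough to read service principals and permission grants.
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

# Consent is recorded against the app's service principal object ID, not its app ID.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) { throw "No service principal for $ClientId in this tenant; consent did not land here." }

# Each oauth2PermissionGrant row is one resource; ConsentType 'AllPrincipals'
# means admin consent for all users, and Scope lists the delegated permissions granted.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
foreach ($g in $grants) {
    $res = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    '{0,-14} {1,-32} {2}' -f $g.ConsentType, $res.DisplayName, $g.Scope
}

# Fail loudly if anything beyond AllSites.Write was consented tenant-wide.
$extra = $grants |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ -and $_ -ne $Permission }
if ($extra) { Write-Warning "Unexpected tenant-wide scopes granted: $($extra -join ', ')" }

# Finally, the original workload: connect and upload. If consent is still missing,
# Connect-PnPOnline throws AADSTS65001, which we surface with the consent link again.
try {
    Connect-PnPOnline -Url 'https://<yoursite>.sharepoint.com/sites/<site>' -Interactive
    Add-PnPFile -Path 'C:\data\report.csv' -Folder 'Shared Documents'
}
catch {
    if ($_.Exception.Message -match 'AADSTS65001') {
        Write-Error "Consent not granted for $ClientId. Re-run the consent link: $ConsentUrl"
    } else { throw }
}
```

The Graph check is the part worth keeping in your runbook: the consent page shows what you were asked for, while the oauth2PermissionGrant rows show what the tenant actually recorded. An AllPrincipals grant with Scope equal to AllSites.Write alone is the state the post describes; a Scope string that also contains Graph or Exchange permissions means someone accepted the full list at some point, and the extra scopes should be revoked from the Permissions blade of the enterprise application.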

There we go! I hope this was helpful. Our holdup was finding the correct scope for SharePoint to use in our custom link. There are a lot of other great ways to accomplish this, but this is what worked out for us. If you have any questions about this, leave a comment below! Thanks