PnP PowerShell: Connect-PnPOnline using ClientID and ClientSecret

Requirement: Connect to SharePoint Online using PnP PowerShell Connect-PnPOnline with AppID and AppSecret

I have a PnP PowerShell script scheduled in the Windows Task scheduler that runs every 5 minutes. I need the script to connect to SharePoint Online unattended. Although I can store user names and passwords in the script, I don’t want to do that as passwords are regularly changed as per the security policy.

How to Connect to SharePoint Online using PnP PowerShell AppID and AppSecret?

The App method of authenticating allows us to run scripts without prompting username and password. Here are the steps to create a new app in SharePoint Online:

Step 1: Register a SharePoint App Principal

Register a new app in the app registry. Say you need to connect to the SharePoint Online site “https://tenant.sharepoint.com/sites/marketing”. Navigate to the URL https://tenant.sharepoint.com/Sites/Marketing/_layouts/15/AppRegNew.aspx and register a new app principal. Here is how to generate the client ID and client secret in SharePoint Online:

  1. Click on the “Generate” button for both the “Client Id” and “Client Secret” fields. 
  2. Provide a name to the principal. I’ve entered “Task Scheduler Script”
  3. For “App Domain”, enter “localhost”, and for “Redirect URL”, enter “https://localhost”.
  4. Copy Client ID and Client Secret fields and click on the “Create” button to register app principal. You should get a confirmation message, “The app identifier has been successfully created.”
You can also register an App ID with a never-expiring app secret in Azure AD. Here is how: How to Register a Never Expiring App ID Secret with Azure AD?

Step 2: Assign Permission to the App Principal

Once the app principal is registered, the next step is to grant permission to the app principal on SharePoint Online. We can scope it to the tenant, site collection, or web levels. Let’s grant this app principal “Full Access” rights on the site collection.

  1. Navigate to https://tenant.sharepoint.com/sites/marketing/_layouts/15/appinv.aspx
  2. In the “App Id” field, enter the “Client Id” you copied in the previous step and click on the “Lookup” button. This loads the “Title”, “App Domain” and “Redirect URL” values matching the entered App Id and allows us to set the app’s permissions. In the “Permission Request XML:” field, enter the following and click on the “Create” button:

     <AppPermissionRequests AllowAppOnlyPolicy="true">
       <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
     </AppPermissionRequests>

     Similarly, to grant tenant-level permissions, use:

     <AppPermissionRequests AllowAppOnlyPolicy="true">
       <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
     </AppPermissionRequests>
  3. Click on the “Trust it” button to grant the app permission to access the SharePoint site collection with full access rights.

Here I’ve configured “Full Control” on this site collection. You can also use Read, Write, or Full Control at the list, web, site collection, or even tenant scope. Refer to https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint

Connect to SharePoint Online using Connect-PnPOnline ClientId and ClientSecret

Now, you can connect to SharePoint Online with AppId and AppSecret (technically from any application!)

#Site collection URL
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/"

#Connect to SharePoint Online with ClientId and ClientSecret
Connect-PnPOnline -Url $SiteURL -ClientId "3c85uc19-f1b9-41ba-8c16-c3281x09b82" -ClientSecret "1KLekxb775bhs/C3*aqqWE6Gs13u4="

Get-PnPContext

In case you get the “Connect-PnPOnline : Token request failed.” error, check your AppId and AppSecret. The secret may also have expired; by default, its lifetime is one year. You can register an AppID from the Azure AD management portal’s App registrations section and set the secret duration to “Never Expire”, and then grant access to that AppId from SharePoint.

If you get “Exception has been thrown by the target of an invocation.”, that simply means either your Client ID or Client Secret is wrong, or the app principal has not been granted permissions.
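The connection above embeds the client secret in the script as plain text. As an added example (not part of the original article or of PnP PowerShell itself), the following script keeps the secret out of the script file for a scheduled task: it is entered once interactively, saved with Export-Clixml (which encrypts the SecureString with Windows DPAPI for the current user and machine), and loaded at run time before calling Connect-PnPOnline. The site URL, client ID and file path are placeholders; the error-matching strings are the messages discussed in this article and in the comments.

```powershell
# Added example, not from the original article. Assumes PnP.PowerShell is installed,
# the app principal has been registered and granted permission as described above,
# and the scheduled task runs as the same Windows account that saved the secret
# (DPAPI-protected Export-Clixml output is only readable by that account on that machine).

$SiteURL    = "https://tenant.sharepoint.com/sites/marketing"        # assumed site URL
$ClientId   = "00000000-0000-0000-0000-000000000000"                   # placeholder Client Id
$SecretFile = Join-Path $env:ProgramData "PnPTask\appsecret.xml"       # assumed path

# One-time setup: run interactively as the task's service account.
function Save-AppSecret {
    param([string]$Path)
    $secret = Read-Host -Prompt "Client secret" -AsSecureString
    $dir = Split-Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # On Windows the SecureString is stored DPAPI-encrypted; on Linux/macOS it is not.
    $secret | Export-Clixml -Path $Path
}

# Scheduled-task path: load the secret, connect, and turn the errors discussed
# in the article into messages that say what to check.
function Connect-ScheduledPnP {
    param([string]$Url, [string]$Id, [string]$Path)

    if (-not (Test-Path $Path)) {
        throw "Secret file '$Path' not found. Run Save-AppSecret as the task account first."
    }
    $secureSecret = Import-Clixml -Path $Path
    # Connect-PnPOnline -ClientSecret takes a plain string, so unwrap it only here.
    $plain = [System.Net.NetworkCredential]::new("", $secureSecret).Password

    try {
        Connect-PnPOnline -Url $Url -ClientId $Id -ClientSecret $plain -ErrorAction Stop
    }
    catch {
        $msg = $_.Exception.Message
        if ($msg -match "Token request failed") {
            throw "Token request failed: verify the ClientId/ClientSecret pair and whether the secret has expired (default lifetime is one year)."
        }
        elseif ($msg -match "target of an invocation") {
            throw "Invocation error: the Client ID or secret is wrong, or the principal was not granted permission on $Url via appinv.aspx."
        }
        elseif ($msg -match "401") {
            throw "401 Unauthorized: app-only authentication may be disabled on the tenant (see Set-SPOTenant -DisableCustomAppAuthentication)."
        }
        throw
    }
    finally {
        # Do not keep the decrypted secret in the session longer than needed.
        $plain = $null
    }
}

Connect-ScheduledPnP -Url $SiteURL -Id $ClientId -Path $SecretFile
Get-PnPWeb | Select-Object Title, Url
Disconnect-PnPOnline
```

Run Save-AppSecret once while logged on as the account the task runs under; the task itself never sees the secret in clear text on disk. If the task account or machine changes, the file has to be recreated, which is the expected behaviour of DPAPI-bound storage.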

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with two decades of SharePoint experience. Love to share my knowledge and experience with the SharePoint community through real-time articles!

20 thoughts on “PnP PowerShell: Connect-PnPOnline using ClientID and ClientSecret”

  • For Scope, use “http://…” (as in image) instead of “https://…” (as in code snippet). Otherwise the app won’t have full control.

  • I see the following error after following these steps:

    The remote server returned an error: (401) Unauthorized.

    • Make sure DisableCustomAppAuthentication is set to False.

      Set-SPOTenant -DisableCustomAppAuthentication $false

  • Hi.
    I am not able to get List Items if I use client ID and secret.

    Here is my Xml

    I am able to get all list names but as I soon as I try to get items of list, no result will be shown.

    Any Idea?

    Regards Umer

  • Change it to ClientId and ClientSecret

  • other than using app password, can you use app id or secret id using CSOM?

  • Hi,

    When I try to connect I get following issue:

    Connect-PnPOnline : A parameter cannot be found that matches parameter name ‘AppId’.

  • Thank you Salaudeen, very useful!

  • How secure is this?

  • I am getting Token Request failed issue.

  • Hello, after following the above steps are you able to do Get-PnPList?? I am still getting 401 Unauthorized.. Shouldn’t that be the whole purpose of doing the above exercise.. can you pls. check at your end and confirm..

    Thanks!

  • Hey,

    it was necessary for the second part to use https://crescent-ADMIN.sharepoint.com/ in order not to get an access denied with SPO.

    • Yes! If you are granting tenant level access, It should be the SharePoint Admin center URL you have to visit and create the App ID and grant permission!

  • Is it safe to store the client ID and client secret in the file as plain text? Just curious.

    • My question was poorly worded. What’s the next step to using the secret securely?

    • Either use a credential manager (PnP has one I think, just unsure whether it can store app-regs). Then there is the possibility of using environment variables.

  • As you have mentioned, the apps can be created using the Azure portal. However, I am not able to authenticate using that app id and secret

  • Very useful ! works perfectly, thanks
