Requirement: Connect to SharePoint Online using PnP PowerShell Connect-PnPOnline with AppID and AppSecret.
How to Connect to SharePoint Online using PnP PowerShell AppID and AppSecret?
PnP PowerShell is a PowerShell module that provides a set of cmdlets for working with SharePoint and SharePoint Online. I have a PnP PowerShell script scheduled in the Windows Task scheduler that runs every 5 minutes. I need the script to connect to SharePoint Online unattended. Although I can store user names and passwords in the script, I don’t want to do that as passwords are regularly changed as per the security policy.
The app-only method of authenticating lets us run scripts without prompting for a username and password. Here are the steps to create a new app principal in SharePoint Online:
Step 1: Register a SharePoint Client ID
Register a new app in the app registry. Say you need to connect to the SharePoint Online site “https://tenant.sharepoint.com/sites/marketing”. Navigate to the URL https://tenant.sharepoint.com/Sites/Marketing/_layouts/15/AppRegNew.aspx and register a new app principal. Here is how to generate a client id and client secret in SharePoint Online:
- Click on the “Generate” button for both the “Client Id” and “Client Secret” fields.
- Provide a name for the principal. I’ve entered “Task Scheduler Script”.
- For the App Domain, use “localhost”, and for the Redirect URL, use “https://localhost”.
- Copy the Client ID and Client Secret fields and click on the “Create” button to register the app principal. You should get a confirmation message, “The app identifier has been successfully created.”
Step 2: Assign Permission to the App Principal
Once the app principal is registered, the next step is to grant permission to the app principal on SharePoint Online. We can scope it to the tenant, site collection, or web levels. Let’s grant this app principal “Full Access” rights on the site collection.
- Navigate to https://tenant.sharepoint.com/sites/marketing/_layouts/15/appinv.aspx
- In the “App Id” field, enter the “Client Id” you copied in the previous step and click on the “Lookup” button. This loads the “Title”, “App Domain” and “Redirect URL” values matching the entered App Id and lets us set the app’s permissions. In the “Permission Request XML” box, enter the following and click on the “Create” button:
- <AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" /></AppPermissionRequests>
- Similarly, to grant tenant-level permissions, use the following:
<AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /></AppPermissionRequests>
- Click on the “Trust it” button to grant the app permission to access the SharePoint site collection with full access rights.
Here I’ve granted “Full Control” on this site collection. You can also use Read, Write, or Full Control rights scoped to a list, web, site collection, or the whole tenant. Refer to https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint for the available scopes and rights.
Connect to SharePoint Online using Connect-PnPOnline ClientId and ClientSecret
Now, you can connect to SharePoint Online with AppId and AppSecret (technically from any application!)
```powershell
#Site collection URL
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/"

#Connect to SharePoint Online with ClientId and ClientSecret
Connect-PnPOnline -Url $SiteURL -ClientId "3c85uc19-f1b9-41ba-8c16-c3281x09b82" -ClientSecret "1KLekxb775bhs/C3*aqqWE6Gs13u4="

#Verify the connection by retrieving the client context
Get-PnPContext
```
If you get the “Connect-PnPOnline : Token request failed.” error, check that your AppId and AppSecret are correct. The secret may also have expired; by default it expires after one year. Alternatively, you can register an AppID from the Azure AD management portal’s App registrations section, set the secret duration to “Never Expire”, and then grant that AppId access from SharePoint as in Step 2.
If you get “Exception has been thrown by the target of an invocation.”, that means either your Client ID or Client Secret is wrong, or the app principal has not been granted permissions.
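The hard-coded secret above is fine for a quick test, but a scheduled script should not carry the Client Secret in plain text. The following is an added example (not code from the original post or from the PnP project) showing one way to do that for a Task Scheduler run: the secret is stored once with Export-Clixml, which protects it with DPAPI for the Windows account that created the file, and the scheduled script reads it back and connects with error handling for the two failures described above. The site URL, the Client ID placeholder and the file path are assumptions for the example.

```powershell
# Added example, not from the original post. Keeps the Client Secret out of the script file by
# storing it DPAPI-protected with Export-Clixml and reading it back on each scheduled run.
# Assumed/placeholder values: $SiteURL, $ClientId and $SecretFile.

$SiteURL    = "https://crescent.sharepoint.com/sites/marketing/"
$ClientId   = "<client-id-from-AppRegNew.aspx>"              # placeholder, paste your Client Id
$SecretFile = "C:\Scripts\marketing-app-secret.xml"          # hypothetical path; limit its NTFS ACL to the task account

# One-time setup: run this interactively as the SAME Windows account the scheduled task runs under.
# Export-Clixml wraps the password with DPAPI, so the file decrypts only for that user on that machine.
if (-not (Test-Path -Path $SecretFile)) {
    $setupCred = Get-Credential -UserName $ClientId -Message "Paste the Client Secret as the password"
    $setupCred | Export-Clixml -Path $SecretFile
    Write-Host "Secret stored in $SecretFile"
}

# Scheduled run: recover the secret and connect app-only.
$cred         = Import-Clixml -Path $SecretFile
$ClientSecret = $cred.GetNetworkCredential().Password
$connected    = $false

try {
    Connect-PnPOnline -Url $SiteURL -ClientId $ClientId -ClientSecret $ClientSecret -ErrorAction Stop
    $connected = $true

    # Prove the app-only context works before doing any real work.
    $web = Get-PnPWeb -ErrorAction Stop
    Write-Host "Connected to '$($web.Title)' at $($web.Url)"

    # ... the scheduled work goes here ...
}
catch {
    # "Token request failed": wrong or expired Client Id / Client Secret.
    # "Exception has been thrown by the target of an invocation": wrong Id/Secret, or permission not granted on appinv.aspx.
    Write-Error "Connect-PnPOnline failed for ${SiteURL}: $($_.Exception.Message)"
}
finally {
    # Drop the plaintext secret from the session and close the connection.
    $ClientSecret = $null
    if ($connected) { Disconnect-PnPOnline }
}
```

Because DPAPI ties the encrypted file to the user and machine that wrote it, the one-time setup must be run under the account configured in Task Scheduler; a file exported by another user, or copied to another server, will not decrypt.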
In conclusion, connecting to a SharePoint site using a Client ID and Client Secret is a secure and efficient way to authenticate PowerShell scripts. By registering a client ID, creating a client secret, and granting permissions, you can use the Connect-PnPOnline cmdlet to connect to a SharePoint site and perform various operations using PnP PowerShell. It’s important to keep the client secret secure and make sure to test the connection before using it in the production environment.