Tag Archives: SPO

PNP Connect to SharePoint Online with 3 DEMOS – Classic, Certificate, and Runbook

Wanted to share step-by-step procedures for how to connect PNP.PowerShell console to SharePoint Online. Three major methods are outlined below, each slightly more advanced than the previous. Drop any questions or comments at bottom of post. Cheers.

VIDEO 1 – Client ID and Client Secret plain text

Demo how to connect with Client ID and Client Secret plain text running PNP.PowerShell.

Steps are included for

  1. Register application with SharePoint Online (SPO) by opening “appregnew.aspx”
  2. Grant permission with SharePoint Online (SPO) by opening “appinv.aspx”
  3. Connect-PNPOnline using Client ID and Client Secret plain text Cheers

CODE

# PNP Client Secret
# https://medium.com/ng-sp/sharepoint-add-in-permission-xml-cheat-sheet-64b87d8d7600
# https://www.koskila.net/fastest-way-to-verify-your-client-id-and-client-secret-are-valid-with-powershell/
<#
The app identifier has been successfully created.
Client Id:  	12306f98-2d2f-49b8-88b3-0eddd71ec25f
Client Secret:  OhYnQV2Hq888LoZOz7C8QSKr81VCNyOWQG9XEjQP111=
Title:  	PNP-PowerShell
App Domain:  	localhost
Redirect URI:  	https://localhost
#>
# Scope
$tenant = "spjeff"
$clientId = "1236f98-2d2f-49b8-88b3-0eddd71ec25f"
$clientSecret = "OhYnQV2Hq888LoZOz7C8QSKr81VCNyOWQG9XEjQP111="
# Connect
Connect-PnPOnline -Url "https://$tenant.sharepoint.com/" -ClientId $clientId -ClientSecret $clientSecret
Get-PnPWeb | Format-Table -AutoSize

VIDEO 2 – PFX Certificate running PNP.PowerShell locally

Demo how to connect with PFX Certificate running PNP.PowerShell locally given PFX input file.

Steps are included for

  1. Register Application with Azure AD
  2. Generate certificate (PFX and CER) with private key saved locally
  3. Connect-PNPOnline using local PFX input file and private key password

PNP-Register.ps1

# PNP Register
# https://pnp.github.io/powershell/articles/connecting.html
# https://pnp.github.io/powershell/articles/authentication.html
# https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/register-pnpazureadapp?view=sharepoint-ps
# https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
# https://mmsharepoint.wordpress.com/2018/12/19/modern-sharepoint-authentication-in-azure-automation-runbook-with-pnp-powershell/
# Scope
$tenant = "spjeff"
$clientFile = "PnP-PowerShell-$tenant.txt"
# Register
$password = ConvertTo-SecureString -String "password" -AsPlainText -Force
$reg = Register-PnPAzureADApp -ApplicationName "PnP-PowerShell-$tenant" -Tenant "$tenant.onmicrosoft.com" -CertificatePassword $password -Interactive
$reg."AzureAppId/ClientId" | Out-File $clientFile -Force

PNP-Connect.ps1

# PNP Connect
# https://pnp.github.io/powershell/articles/connecting.html
# https://pnp.github.io/powershell/articles/authentication.html
# https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/register-pnpazureadapp?view=sharepoint-ps
# https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
# https://mmsharepoint.wordpress.com/2018/12/19/modern-sharepoint-authentication-in-azure-automation-runbook-with-pnp-powershell/
# Scope
$tenant = "spjeff"
$clientFile = "PnP-PowerShell-$tenant.txt"
# Connect
$clientId = Get-Content $clientFile
$password = "password"
$secPassword = $password | ConvertTo-SecureString -AsPlainText -Force
Connect-PnPOnline -ClientId $clientId -Url "https://$tenant.sharepoint.com" -Tenant "$tenant.onmicrosoft.com" -CertificatePath '.\PnP-PowerShell-$tenant.pfx' -CertificatePassword $secPassword
Get-PnPTenantSite | Format-Table -AutoSize

VIDEO 3 – PFX Certificate in Azure Automation Runbook

Demo how to connect with PFX Certificate running PNP.PowerShell in Azure Automation Runbook given PFX input file.

Steps are included for

  1. Register Application with Azure AD
  2. Generate certificate (PFX and CER) with private key saved locally
  3. Upload PFX into Azure Automation with [Exportable=Yes] and password
  4. Runbook code to download PFX at runtime (Get-AutomationCertificate)
  5. Connect-PNPOnline using Azure temp PFX file and private key password

CODE

# PNP Connect
# https://pnp.github.io/powershell/articles/connecting.html
# https://pnp.github.io/powershell/articles/authentication.html
# https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/register-pnpazureadapp?view=sharepoint-ps
# https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
# https://mmsharepoint.wordpress.com/2018/12/19/modern-sharepoint-authentication-in-azure-automation-runbook-with-pnp-powershell/
# Scope
$tenant = "spjeff"
# Azure Certificate
$password = "password"
$secPassword = $password | ConvertTo-SecureString -AsPlainText -Force
$cert = Get-AutomationCertificate -Name 'PNP-PowerShell-$tenant'
$pfxCert = $cert.Export("pfx" , $password ) # 3=Pfx
$certPath = "PNP-PowerShell-$tenant.pfx"
Set-Content -Value $pfxCert -Path $certPath -Force -Encoding Byte 
# Connect
$clientId = Get-Content $clientFile
$password = "password"
$secPassword = $password | ConvertTo-SecureString -AsPlainText -Force
Connect-PnPOnline -ClientId $clientId -Url "https://$tenant.sharepoint.com" -Tenant "$tenant.onmicrosoft.com" -CertificatePath '.\PnP-PowerShell.pfx' -CertificatePassword $secPassword
# Display
Get-PnPTenantSite | Format-Table -AutoSize

VIDEO – Disable Legacy Auth & Connect PNP

Even with Legacy auth disabled, you can successfully run Connect-PNPOnline. Video demo shows changing SPO tenant security, then how to register new AppId for Connect-PNPOnline access to all site collections in tenant.   The “AppRegNew” and “AppInv” ASPX pages can be used to establish authentication channel for PowerShell work in PNP on Office 365 tenants where Legacy Auth is disabled. Cheers!  shades_smile

Video

Code

# Check SPO
Connect-SPOService "https://spjeff-admin.sharepoint.com"
Get-SPOTenant | Select *legacy* | ft
# 2) Disable Legacy
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
Get-SPOTenant | Select *legacy* | ft
# 3) Register App
# https://spjeff-admin.sharepoint.com/_layouts/15/appregnew.aspx
# 4) Invite App
# https://spjeff-admin.sharepoint.com/_layouts/15/appinv.aspx
# 5) PNP Login
Connect-PNPOnline -AppId "e419e703-5293-402c-bb70-3aff593b850b" -AppSecret "secret-here"
$w = Get-PNPWeb
Get-PNPList -Web $w

References

-LegacyAuthProtocolsEnabled

By default this value is set to $True. Setting this parameter prevents Office clients using non-modern authentication protocols from accessing SharePoint Online resources. A value of True- Enables Office clients using non-modern authentication protocols (such as, Forms-Based Authentication (FBA) or Identity Client Runtime Library (IDCRL)) to access SharePoint resources. A value of False-Prevents Office clients using non-modern authentication protocols from accessing SharePoint Online resources. Note This may also prevent third-party apps from accessing SharePoint Online resources. Also, this will also block apps using the SharePointOnlineCredentials class to access SharePoint Online resources. For additional information about SharePointOnlineCredentials, see SharePointOnlineCredentials class.

Tenant Full Control


  

Site Collection


  

FIXED – 403 ExecuteQuery CSOM from a SharePoint Server

I came across this error when running CSOM requests to Office 365.   While troubleshooting the CSOM call worked beautifully from “powershell_ise” but not regular “powershell.”  Fiddler monitoring showed the cmdlet making HTTP traffic correctly with login handshake from ISE.    However, the regular “powershell” window did not attempt any login handshake.

Strange?   Definitely.

The root cause was “$profile” loading the Server Object Model (SOM) cmdlets before CSOM DLL were loaded.   Why would that matter?  How could it cause a CSOM issue?   There seems to be a DLL namespace overlap internally between these plugins (SOM, CSOM, SPO) so loading sequence matters.  A lot.

By proactively loading the CSOM DLL in $profile before SOM, everything worked correctly from both ISE and the regular PowerShell console.

Hope this helps!  shades_smile

 

Symptom

  1. Run CSOM request in PowerShell
  2. From a SharePoint Server on premise (2013 here)
  3. Which also has Microsoft SharePoint Online (SPO) cmdlets installed (https://www.microsoft.com/en-us/download/details.aspx?id=35588)
  4. See this error
  5. Exception calling “ExecuteQuery” with “0” argument(s):  “The remote server returned an error:  (403) Forbidden.

 

Screenshot

image

2016-08-07_11-33-34

Resolution

  1. Open PowerShell and type “notepad $profile”
  2. Ensure below code is present.
  3. NOTE – CSOM must load before SOM (Server Object Model) for requests to execute correctly.   Workaround for an internal Microsoft naming overlap.  Both are probably using the same object somewhere.  Loading CSOM first allows CSOM to reserve the namespace first.

 

Code [$profile]

#CSOM first
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime") | Out-Null
#SOM
Add-PSSnapIn Microsoft.SharePoint.PowerShell

 

 

Code [csom-only-test.ps1]

#dll
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime") | Out-Null
#scope
$url = "https://tenant.sharepoint.com/sites/team"
$user = "admin@tenant.onmicrosoft.com"
$pass = "password"
$secpw = $pass | ConvertTo-SecureString -AsPlainText -Force
#connect
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($url)
$cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($user, $secpw)
$ctx.Credentials = $cred
#site
$site = $ctx.Site
$ctx.Load($site) 
#update
if (!$site.TrimAuditLog) {
    $site.TrimAuditLog = $true
    $site.AuditLogTrimmingRetention = 180
}
#save
$ctx.ExecuteQuery()
$ctx.Dispose()
Return to Top ▲Return to Top ▲