[BUG] Term Store PnP functions fail when using Connect-PnPOnline -SPOManagementShell #3020
Comments
This is admittedly a very basic suggestion, but are you a Term Store Administrator in the client tenant, at least for the Term Set you want to update? (This catches me up all the time.)
The -SPOManagementShell does not have permission to the Term Store. It's expected, though still frustrating, that New-PnPTerm won't work if that's how you authenticate.
Yes I am a term store administrator. In my own tenant (which doesn't have ADFS or MFA) I can switch to the normal -UseWebLogin and update the term store. It is only because I have to use the -SPOManagementShell option in the other tenant that does have ADFS/MFA that I am testing in my own tenant. I did also try using AppId/Secrets but writing to the term store using that also does not work. At the moment my only workaround is to effectively populate my own tenant term store, then use Sharegate to copy the terms across. It is interesting that Sharegate doesn't have an issue in that environment, which I suspect is because they are using old SharePoint API methods rather than MS Graph.
Have you tried using Initialize-PnPPowerShellAuthentication to create an app reg that has all the permissions you need? In this case it would look like Example 3 under help Initialize-PnPPowerShellAuthentication -Examples and add "TermStore.ReadWrite.All"
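As an added illustration of the approach suggested above (example code, not from the thread or the PnP project): register an app with a certificate once, then connect app-only so the script is non-interactive, stores no user password, and cannot run past an unfinished auth prompt. Tenant name, paths, term group/set names, the client id placeholder and the exact -Scopes strings are assumptions; check `Get-Help Initialize-PnPPowerShellAuthentication -Examples` for your module version.

```powershell
# Added example, not code from the issue thread. Assumed values are marked.
$tenant  = 'contoso.onmicrosoft.com'          # assumption: your tenant
$siteUrl = 'https://contoso.sharepoint.com'   # assumption: any site in that tenant
$pfxPath = 'C:\certs\pnp-termstore.pfx'       # assumption: where the cert will live
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'   # never hard-code it

# One-time registration (the help's Example 3 with TermStore.ReadWrite.All added).
# The scope strings are an assumption about the module's naming convention;
# use whatever the -Examples output shows for your version.
# Initialize-PnPPowerShellAuthentication -ApplicationName 'PnP-TermStore-Script' `
#     -Tenant $tenant -OutPath (Split-Path $pfxPath) -CertificatePassword $pfxPass `
#     -Scopes 'MSGraph.TermStore.ReadWrite.All','SPO.Sites.FullControl.All'
$clientId = '<application (client) id from the registration>'   # placeholder

# Runtime: certificate-based app-only connection instead of -SPOManagementShell
# or a username/password kept in a stored credential.
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
    -CertificatePath $pfxPath -CertificatePassword $pfxPass

$group = 'Migration'    # assumption: term group name
$set   = 'Departments'  # assumption: term set name

# A successful read proves nothing about write access: in the report above
# Get-PnPTerm works while New-PnPTerm is denied, so list terms only as a sanity check.
Get-PnPTerm -TermSet $set -TermGroup $group | Select-Object -ExpandProperty Name

# The write is the real permission check; stop on a 403 rather than letting
# later lines of the script run as if the term had been created.
try {
    New-PnPTerm -Name 'Finance' -TermSet $set -TermGroup $group -ErrorAction Stop
} catch {
    if ($_.Exception.Message -match 'Access denied|403') {
        Write-Error 'Term store write denied: app lacks TermStore.ReadWrite.All or the account is not a Term Store Administrator.'
    } else {
        throw
    }
}
```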
Hi Todd, no I haven't tried that. I have tried to do some tests and could reproduce the issue when using -SPOManagementShell parameter.
So, I think that's why it will return a 403 error when using -SPOManagementShell for authentication to manage the term store.
Yeah, that's what I said in this reply.
I found that the customer had set up MFA via a conditional policy rather than directly against the user in the admin center. By removing the conditional access policy and setting MFA directly against the migration account, I was able to create an App password. Even though I didn't use the app password I found that I could just use the username/password in a stored credential, thus bypassing the -SPOManagementShell option. When using the -SPOManagementShell option, often the next line of code runs before the authentication prompt is complete.
I have a client environment that is using ADFS and MFA. In my own dev tenant I have neither, but for testing purposes I used Connect-PnPOnline -Url -ClearTokenCache -SPOManagementShell (note that when using -WebLogin option in the customer's tenant you just get a blank popup screen).
When using that authentication option, although Get-PnPTerm works, New-PnPTerm does not and results in Access denied.
If I switch to using the -WebLogin option in my tenant, the above command works fine (but unfortunately as I stated above, this option does not work in my client's ADFS/MFA environment).
I need a way to reliably script against the term store. I am using version 3.25.2009.1 of SharePointPnPPowerShellOnline (I had to uninstall the latest and install this version because of #2983).
Is the issue related to the cmdlet itself, its parameters, the syntax, or do you suspect it is the code of the cmdlet that is causing the issue? Then please continue reporting the issue in this repo.
I suspect the code of the cmdlet.
If you think that the functionality might be related to the underlying libraries that the cmdlet is calling (We realize that might be difficult to determine), please first double check the code of the cmdlet, which can be found here: https://github.com/pnp/PnP-PowerShell/tree/master/Commands. If related to the cmdlet, continue reporting the issue here, otherwise report the issue at https://github.com/pnp/PnP-Sites-Core/issues
I assume the issue has something to do with the underlying authentication code.
Reporting an Issue or Missing Feature
New-PnPTerm failing with Access Denied when using Connect-PnPOnline -SPOManagementShell
Expected behavior
New-PnPTerm should work.
Actual behavior
New-PnPTerm : Access denied. You do not have permission to perform this action or access this resource.
At line:1 char:1
Steps to reproduce behavior
Log in to any tenant using the SPOManagementShell option, then try to create a term using Add-PnPTerm.
Which version of the PnP-PowerShell Cmdlets are you using?
What is the version of the Cmdlet module you are running? (you can retrieve this by executing Get-Module -Name sharepointpnppowershell* -ListAvailable)
3.25.2009.1
How did you install the PnP-PowerShell Cmdlets?