Comments (7)
I found that the customer had set up MFA via a conditional policy rather than directly against the user in the admin center. By removing the conditional access policy and setting MFA directly against the migration account, I was able to create an App password. Even though I didn't use the app password, I found that I could just use the username/password in a stored credential, thus bypassing the -SPOManagementShell option. When using the -SPOManagementShell option, often the next line of code runs before the authentication prompt is complete.
from pnp-powershell.
This is admittedly a very basic suggestion, but are you a Term Store Administrator in the client tenant, at least for the Term Set you want to update? (This catches me up all the time.)
from pnp-powershell.
The -SPOManagementShell does not have permission to the Term Store. It's expected, though still frustrating, that New-PnPTerm won't work if that's how you authenticate.
from pnp-powershell.
Yes, I am a term store administrator. In my own tenant (which doesn't have ADFS or MFA) I can switch to the normal -UseWebLogin and update the term store. It is only because I have to use the -SPOManagementShell option in the other tenant that does have ADFS/MFA that I am testing in my own tenant. I did also try using AppId/Secrets but writing to the term store using that also does not work. At the moment my only workaround is to effectively populate my own tenant term store, then use Sharegate to copy the terms across. It is interesting that Sharegate doesn't have an issue in that environment, which I suspect is because they are using old SharePoint API methods rather than MS Graph.
from pnp-powershell.
Have you tried using Initialize-PnPPowerShellAuthentication to create an app reg that has all the permissions you need? In this case it would look like Example 3 under `help Initialize-PnPPowerShellAuthentication -Examples` and add "TermStore.ReadWrite.All".
from pnp-powershell.
Hi Todd, no I haven't tried that.
In terms of -SPOManagementShell, I spoke to a tech support person at Microsoft and they said the following:
I have tried to do some tests and could reproduce the issue when using the -SPOManagementShell parameter.
Then I compared the authentication of these two methods and found:
- When using -UseWebLogin: just like accessing SharePoint Online via the browser directly, the subsequent requests sent by the PnP commands are under the current user context with the FedAuth cookie.
- When using -SPOManagementShell: it will use an Access Token under App context, and the permission scope doesn't include Term Store related permissions.
So, I think that's why it will return a 403 error when using -SPOManagementShell for authentication to manage the term store.
from pnp-powershell.
Yeah, that's what I said in this reply.
from pnp-powershell.
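
The support explanation above (a token whose permission scope lacks Term Store permissions produces the 403) can be checked by reading the token's claims before calling New-PnPTerm. The following is an added example, not code from this thread or from PnP PowerShell: `Test-TokenPermission` and `New-SampleToken` are hypothetical helpers, and the sample token, audience and scope values are constructed. It only decodes claims for diagnosis and does not validate the signature.

```powershell
# Decode a base64url segment (JWT encoding: '-' and '_' alphabet, no padding).
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# Report whether an access token carries a given permission.
# Delegated permissions appear in "scp" (space separated),
# app-only permissions appear in "roles" (array).
function Test-TokenPermission {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$Permission
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) {
        throw 'Not a compact JWT (expected header.payload.signature).'
    }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }
    if ($claims.roles) { $granted += $claims.roles }
    [pscustomobject]@{
        Audience      = $claims.aud
        Granted       = $granted
        HasPermission = $granted -contains $Permission
    }
}

# Build an unsigned token for the demonstration only (constructed data).
function New-SampleToken {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $enc = {
        param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.sig' -f (& $enc @{ alg = 'none' }), (& $enc $Claims)
}

# Constructed claims: one token without and one with the Term Store permission.
$aud     = 'https://contoso.sharepoint.com'
$without = New-SampleToken @{ aud = $aud; scp = 'AllSites.FullControl' }
$with    = New-SampleToken @{ aud = $aud; scp = 'AllSites.FullControl TermStore.ReadWrite.All' }

Test-TokenPermission -AccessToken $without -Permission 'TermStore.ReadWrite.All'
Test-TokenPermission -AccessToken $with    -Permission 'TermStore.ReadWrite.All'
```

A token that reports `HasPermission` as false will be rejected by the Term Store no matter which roles the signed-in user holds, which matches the behaviour described in the comments above.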