
Comments (7)

acou1304 commented on July 4, 2024

I found that the customer had set up MFA via a conditional policy rather than directly against the user in the admin center. By removing the conditional access policy and setting MFA directly against the migration account, I was able to create an App password. Even though I didn't use the app password, I found that I could just use the username/password in a stored credential, thus bypassing the -SPOManagementShell option. When using the -SPOManagementShell option, often the next line of code runs before the authentication prompt is complete.


sympmarc commented on July 4, 2024

This is admittedly a very basic suggestion, but are you a Term Store Administrator in the client tenant, at least for the Term Set you want to update? (This catches me up all the time.)


ToddKlindt commented on July 4, 2024

The -SPOManagementShell does not have permission to the Term Store. It's expected, though still frustrating, that New-PnPTerm won't work if that's how you authenticate.


acou1304 commented on July 4, 2024

Yes, I am a term store administrator. In my own tenant (which doesn't have ADFS or MFA) I can switch to the normal -UseWebLogin and update the term store. It is only because I have to use the -SPOManagementShell option in the other tenant that does have ADFS/MFA that I am testing in my own tenant. I did also try using AppId/Secrets, but writing to the term store using that also does not work. At the moment my only workaround is to effectively populate my own tenant term store, then use Sharegate to copy the terms across. It is interesting that Sharegate doesn't have an issue in that environment, which I suspect is because they are using old SharePoint API methods rather than MS Graph.


ToddKlindt commented on July 4, 2024

Have you tried using Initialize-PnPPowerShellAuthentication to create an app reg that has all the permissions you need? In this case it would look like Example 3 under help Initialize-PnPPowerShellAuthentication -Examples and add "TermStore.ReadWrite.All"


acou1304 commented on July 4, 2024

Hi Todd, no I haven't tried that.
In terms of -SPOManagementShell, I spoke to a tech support person at Microsoft and they said the following:

I have tried to do some tests and could reproduce the issue when using the -SPOManagementShell parameter.
Then I compared the authentication of these two methods and found:

  • When using -UseWebLogin: just like accessing SharePoint Online via the browser directly, the subsequent requests sent by the PnP commands are under the current user context with the FedAuth cookie.


  • When using -SPOManagementShell: it will use Access Token under App context and the permission scope doesn’t include Term Store related permission.


So, I think that’s why it will return a 403 error when using -SPOManagementShell for authentication to manage the term store.

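The scope difference described in the comment above can be checked by decoding an access token's payload and listing the permissions it carries. This is an added example, not part of the thread and not PnP PowerShell code: the helper function names, the sample token and its claim values are constructed for illustration, and `TermStore.ReadWrite.All` is the permission named earlier in the thread.

```powershell
# Added example: helper names and the sample token are constructed, not from PnP PowerShell.
# Diagnostic only: the payload is read without verifying the token's signature.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
}

function Test-TokenPermission {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Permission
    )
    $claims  = Get-JwtClaims -Token $Token
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }  # delegated scopes (user context)
    if ($claims.roles) { $granted += $claims.roles }           # application permissions (app context)
    [pscustomobject]@{
        Audience      = $claims.aud
        Granted       = $granted
        HasPermission = $granted -contains $Permission
    }
}

# Constructed, unsigned sample token (not captured from any tenant).
function ConvertTo-Base64Url {
    param([string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url '{"aud":"https://contoso.sharepoint.com","scp":"AllSites.FullControl User.Read.All"}'
$sample  = "$header.$payload.constructed-signature"

Test-TokenPermission -Token $sample -Permission 'TermStore.ReadWrite.All' | Format-List
```

Running the same check against the token of a real connection shows whether a Term Store 403 comes from the token's granted permissions rather than from the user's Term Store role.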

ToddKlindt commented on July 4, 2024

Yeah, that's what I said in this reply.

