Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] PnP Framework still using PnP Management Shell for authentication #1059

Open
NishkalankBezawada opened this issue Sep 6, 2024 · 8 comments
Open

[Bug] PnP Framework still using PnP Management Shell for authentication #1059

NishkalankBezawada opened this issue Sep 6, 2024 · 8 comments

Comments

@NishkalankBezawada
Copy link

NishkalankBezawada commented Sep 6, 2024
edited
Loading

Hello Team,

As we know that PnP Management Shell is getting deprecated on 9th September, Does it only affect the PnP PowerShell alone?
Have noticed in one of the Authentication methods,

var authManager = new PnP.Framework.AuthenticationManager(_Username, securePassword);

And this internally uses PnP Management Shell multi-tenant Azure AD application ID to authenticate.

image

##Findings

pnpframework/src/lib/PnP.Framework/AuthenticationManager.cs

Line 94 in e18fad1

public const string CLIENTID_PNPMANAGEMENTSHELL = "31359c7f-bd7e-475c-86db-fdb8c937548e";

Above line might be using PnP PowerShell Client ID,

pnpframework/src/lib/PnP.Framework/AuthenticationManager.cs

Line 389 in e18fad1

/// Creates a new instance of the Authentication Manager to acquire authenticated ClientContexts. It uses the PnP Management Shell multi-tenant Azure AD application ID to authenticate. By default tokens will be cached in memory.

Clearly says "Creates a new instance of the Authentication Manager to acquire authenticated ClientContexts. It uses the PnP Management Shell multi-tenant Azure AD application ID to authenticate. By default tokens will be cached in memory."

This was not addressed so far, does it mean that, this authentication methods should not be used anymore?

Thanks,
Nishkalank Bezawada
@NishkalankBezawada NishkalankBezawada changed the title [Bug] Deprecated PnP Powershell client id used in PnP Framework [Bug] PnP Framework still using PnP Management Shell for authentication Sep 6, 2024
@siimav
Copy link

siimav commented Sep 10, 2024

Can confirm, authentication is now broken with the following error:
Microsoft.Identity.Client.MsalServiceException: AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e' was not found in the directory '[Redacted]'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

@pkbullock
Copy link
Collaborator

Hi, you will need to provide an alternative service principal since the app PnP Management Shell has been removed: https://pnp.github.io/powershell/articles/registerapplication.html

@Ramo-Y
Copy link

Ramo-Y commented Sep 11, 2024

We had the same problem as @siimav mentioned and solved it as follows:

  1. Create an app registration: https://pnp.github.io/powershell/articles/registerapplication.html
  2. Use this constructor overload with the clientId
    var authManager = new AuthenticationManager(clientId, clientUser, secureStringPassword);

As the PnP Management Shell Client ID '31359c7f-bd7e-475c-86db-fdb8c937548e' has been removed, it should no longer be used and this approach wit the fallback should be changed.

@jmconnell2000
Copy link

We had the same problem as @siimav mentioned and solved it as follows:

  1. Create an app registration: https://pnp.github.io/powershell/articles/registerapplication.html
  2. Use this constructor overload with the clientId
    var authManager = new AuthenticationManager(clientId, clientUser, secureStringPassword);

As the PnP Management Shell Client ID '31359c7f-bd7e-475c-86db-fdb8c937548e' has been removed, it should no longer be used and this approach wit the fallback should be changed.

Did you grant SharePoint using Delegated or Application permissions? I followed the steps in the reference link for setting up the App Registration for Delegated but got this error message:

Microsoft.Identity.Client.MsalServiceException: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

@Ramo-Y
Copy link

Ramo-Y commented Sep 16, 2024

I was not involved in the granting of the rights myself, but I know that the permissions are as follows:
image

At the beginning we had forgotten the upper red marked rights and had the following error message:

Connecting to https://tenant.sharepoint.com/sites/blabla . Getting site owners based on template type of the site . Exception ProvisionSiteExtensions: AADSTS65001: The user or administrator has not consented to use the application with ID 'UUID' named 'PnP PowerShell'. Send an interactive authorization request for this user and resource. Trace ID: 'TRACE_ID' Correlation ID: 'CORRELATION_ID' Timestamp: 2024-09-12 06:58:21Z .

@jmconnell2000
Copy link

I was not involved in the granting of the rights myself, but I know that the permissions are as follows: image

At the beginning we had forgotten the upper red marked rights and had the following error message:

Connecting to https://tenant.sharepoint.com/sites/blabla . Getting site owners based on template type of the site . Exception ProvisionSiteExtensions: AADSTS65001: The user or administrator has not consented to use the application with ID 'UUID' named 'PnP PowerShell'. Send an interactive authorization request for this user and resource. Trace ID: 'TRACE_ID' Correlation ID: 'CORRELATION_ID' Timestamp: 2024-09-12 06:58:21Z .

Thanks! I assume you are using this code in background processes (like an Azure Function, etc). Based on the link you previously reference... This is all I have configured in my App Registration. Do I need some of the other items shown in your App Registration along with what is in the Red Box to make that AuthenticationManager method work?
image

@Ramo-Y
Copy link

Ramo-Y commented Sep 16, 2024

You are welcome! Yes exactly, we have various Azure Functions in use that use the app registration. We have assigned all the permissions that are in the screenshot, including those outside the red box (I only have this screenshot and don't have access to it myself).

@LynxxHub
Copy link

I was not involved in the granting of the rights myself, but I know that the permissions are as follows: image
At the beginning we had forgotten the upper red marked rights and had the following error message:

Connecting to https://tenant.sharepoint.com/sites/blabla . Getting site owners based on template type of the site . Exception ProvisionSiteExtensions: AADSTS65001: The user or administrator has not consented to use the application with ID 'UUID' named 'PnP PowerShell'. Send an interactive authorization request for this user and resource. Trace ID: 'TRACE_ID' Correlation ID: 'CORRELATION_ID' Timestamp: 2024-09-12 06:58:21Z .

Thanks! I assume you are using this code in background processes (like an Azure Function, etc). Based on the link you previously reference... This is all I have configured in my App Registration. Do I need some of the other items shown in your App Registration along with what is in the Red Box to make that AuthenticationManager method work? image

Hi, I just had the same issue, make sure that this check is turned on:
-> App Registration -> Authentication:
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@siimav @pkbullock @jmconnell2000 @Ramo-Y @NishkalankBezawada @LynxxHub