Cli-microsoft365: spo login results with AADSTS900941 Need admin approval
When trying to log in with "spo login" I am getting the following error on https://microsoft.com/devicelogin
AADSTS900941: An administrator of $CUSTOMER has set a policy that prevents you from granting
PnP Office 365 Management Shell the permissions it is requesting.
Contact an administrator of $CUSTOMER who can grant permissions to this application
on your behalf.
Is there any wayto run the cli with somewhat limited rights?
saper
All 6 comments
Yes, you can. To do this, you would create a custom Azure AD application with the desired permissions and have the CLI use it instead of the standard one. You can find more information about this at https://pnp.github.io/office365-cli/concepts/authorization-tokens/#azure-ad-application-used-by-the-office-365-cli
waldekmastykarz
on 23 Jan 2019
Dzi臋kuj臋 bardzo! I don't have any serious Azure/Office365/whatever foo to understand what I need to do now to get this working and I hope I have enough permissions to create such an app. (I was hoping to be able to easily upload and download files to Sharepoint).
But I understand that the CLI is using the default app anyway, so it has its own collection of server-side grants.
saper
on 24 Jan 2019
Alternatively you could use the AAD app used by PowerShell: 9bc3ab49-b65d-410a-85ad-de819febfddc. That way you wouldn't need to create a new AAD app yourself.
waldekmastykarz
on 24 Jan 2019
Thank you, that worked very well!
saper
on 24 Jan 2019
Trying to access a guest account with this resulted in AADSTS50001 error. A "proper" tenant account worked. Go figure.
saper
on 24 Jan 2019
Thanks for sharing. I'm sure it will help others as well 馃憤
waldekmastykarz
on 26 Jan 2019
Related issues
thomyg
路
3Comments
OodapowUiPath
路
3Comments
andrewconnell
路
3Comments
aakashbhardwaj619
路
3Comments
VelinGeorgiev
路
3Comments