Cli-microsoft365: [v2.0.0] o365 spo app add results in Error: [object Object] when logged in with certificate

Created on 2 Sep 2019 · 13 Comments · Source: pnp/cli-microsoft365

When running the command o365 spo app add -p <filePath> --overwrite, I receive this error message:

Error: [object Object]
No more information is shown or available.

It only seems to occur when being logged in with a certificate, not with username/password.

The same command worked fine with the v1 CLI.

bug

All 13 comments

Thank you for reporting the issue and sorry that you're running into a problem @NickSevens. Could you please run the command with --debug to see if you can get more information about what is failing exactly? Are you using .pem or .pfx? Which OS are you running the CLI on?

Hi @waldekmastykarz thanks for the follow-up.
I'm using .pem (since that was required apparently 👍)
This is the output from the --debug. Hope it helps.

No SPO URL available. Retrieving from MS Graph...
Existing access token eyJ0eXAiOiJKV1QiLCJub25jZSI6IlhLL....... still valid. Returning...
REQUEST { headers:
   { 'user-agent': 'NONISV|SharePointPnP|Office365CLI/2.0.0',
     accept: 'application/json;odata.metadata=none',
     authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IlhLL.......' },
  gzip: true,
  url: 'https://graph.microsoft.com/v1.0/sites/root?$select=webUrl',
  json: true,
  method: 'GET',
  callback: [Function: RP$callback],
  transform: undefined,
  simple: true,
  resolveWithFullResponse: false,
  transform2xxOnly: false }
REQUEST make request https://graph.microsoft.com/v1.0/sites/root?$select=webUrl
REQUEST onRequestResponse https://graph.microsoft.com/v1.0/sites/root?$select=webUrl 403 { 'cache-control': 'private',
  'transfer-encoding': 'chunked',
  'content-type': 'application/json',
  'request-id': 'c33f1776-c8e1-4450-a47d-226e7e79fcd3',
  'client-request-id': 'c33f1776-c8e1-4450-a47d-226e7e79fcd3',
  'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceC","Ring":"3","ScaleUnit":"002","RoleInstance":"AGSFE_IN_21","ADSiteName":"NEU"}}',
  duration: '20.9415',
  'strict-transport-security': 'max-age=31536000',
  date: 'Tue, 03 Sep 2019 18:29:37 GMT',
  connection: 'close' }
REQUEST reading response's body
REQUEST finish init function https://graph.microsoft.com/v1.0/sites/root?$select=webUrl
REQUEST response end https://graph.microsoft.com/v1.0/sites/root?$select=webUrl 403 { 'cache-control': 'private',
  'transfer-encoding': 'chunked',
  'content-type': 'application/json',
  'request-id': 'c33f1776-c8e1-4450-a47d-226e7e79fcd3',
  'client-request-id': 'c33f1776-c8e1-4450-a47d-226e7e79fcd3',
  'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceC","Ring":"3","ScaleUnit":"002","RoleInstance":"AGSFE_IN_21","ADSiteName":"NEU"}}',
  duration: '20.9415',
  'strict-transport-security': 'max-age=31536000',
  date: 'Tue, 03 Sep 2019 18:29:37 GMT',
  connection: 'close' }
REQUEST end event https://graph.microsoft.com/v1.0/sites/root?$select=webUrl
REQUEST has body https://graph.microsoft.com/v1.0/sites/root?$select=webUrl 256
REQUEST emitting complete https://graph.microsoft.com/v1.0/sites/root?$select=webUrl
Error: [object Object]

Seems to me you are having authorization issues
REQUEST onRequestResponse https://graph.microsoft.com/v1.0/sites/root?$select=webUrl 403
That 403 at the end is, I suppose, the HTTP status code which indicates "forbidden". In other words, the application doesn't have any permissions to retrieve that resource.

I don't think this will be an issue with the O365 CLI application, however, improving the output from
Error: [object Object]
to something like
You don't have permissions to perform the requested action
would seem more user friendly.

Can you check the permissions of your app registration?
I think for the action above you need at least 'Microsoft Graph - Sites.ReadAll'

@stijnbrouwers indeed didn't have that permission.
Strange though that the same command worked with v1?

@NickSevens we've changed the authentication mechanism.

Before granting your app more permissions can you please execute
o365 spo set --url https://contoso.sharepoint.com where URL is the root site collection for your SharePoint Online tenant.
Please test again your command once that is set up and let me know if you still experience the same issue.

More info here: https://pnp.github.io/office365-cli/cmd/spo/set/

ah yes, I see...

Since v2 it is changed to automatically retrieve that url, hence the call to
https://graph.microsoft.com/v1.0/sites/root
which didn't occur in v1.

That's why it used to work in v1 and doesn't for v2, am I correct @VelinGeorgiev ?

Yes, that is correct. Previously o365 spo login was not using Graph. Now since we have single login we use the Graph to resolve the resources including the root site url. There is an option to set the root site url manually by calling o365 spo set --url https://contoso.sharepoint.com so the CLI will use it instead of having to call the MS Graph.

Makes sense :)
But, why exactly is the root site url needed in this case?

@NickSevens , the root site is needed to resolve the tenant app catalog url in your particular case because we have to call rootsite/_api/appcatalog.

Have you tried to execute:
o365 spo set --url https://contoso.sharepoint.com where URL is the root site collection of your SharePoint Online tenant.

Once that is set up, you should be able to run app add as normal.

Just granted the application permissions as well, so it'll probably work like that as well.
Thanks for the help guys.

You are welcome @NickSevens ! Thanks for the heads up @stijnbrouwers !

@VelinGeorgiev no problem!
I was thinking to create a ticket (enhancement) where the 403 message is caught and decent output is provided to prevent the
Error: [object Object]
message which could lead to confusion and possibly more tickets like this to be created...

Seems like a good idea?

Yes @stijnbrouwers . Please do create an issue so we make it useful for the user.
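
The enhancement proposed in this thread, sketched as an added example (not the CLI's own code): a formatter that turns a rejected request into a readable message instead of "[object Object]", which is what JavaScript produces when a plain object is coerced to a string. It assumes the rejection carries `statusCode` and the parsed JSON body on `error`, plus `options` and `response` properties that can hold the bearer token; the function names and the sample 403 object are constructed for illustration.

```javascript
// Added example, not CLI code. Hint for 403 uses the wording suggested in the thread.
const STATUS_HINTS = {
  401: 'The access token is missing, expired or was rejected',
  403: "You don't have permissions to perform the requested action",
};

// Serialize an unknown object without echoing request options or the raw
// response, since those can carry the Authorization header (assumed property names).
function safeStringify(value) {
  const dropSensitive = (k, v) => (k === 'options' || k === 'response' ? undefined : v);
  try {
    return JSON.stringify(value, dropSensitive);
  } catch (e) {
    return Object.prototype.toString.call(value); // e.g. circular structure
  }
}

function describeRequestError(err) {
  if (typeof err === 'string') return err;
  if (err === null || typeof err !== 'object') return String(err);

  // Parsed body is assumed on err.error; Graph-style bodies nest details under .error
  const body = err.error && typeof err.error === 'object' ? err.error : null;
  const detail = body && body.error && typeof body.error === 'object' ? body.error : body;

  const lines = [];
  if (err.statusCode) {
    const hint = STATUS_HINTS[err.statusCode];
    lines.push(hint ? `HTTP ${err.statusCode}: ${hint}` : `HTTP ${err.statusCode}`);
  }
  if (detail && (detail.code || detail.message)) {
    lines.push([detail.code, detail.message].filter(Boolean).join(' - '));
  }
  if (lines.length === 0 && typeof err.message === 'string' && err.message) {
    lines.push(err.message);
  }
  return lines.length ? lines.join(' | ') : safeStringify(err);
}

// Constructed sample shaped like the 403 in the debug output above.
const sample403 = {
  statusCode: 403,
  error: { error: { code: 'accessDenied', message: 'Constructed sample: access denied' } },
};

console.log(`Error: ${sample403}`);                       // the unhelpful form
console.log(`Error: ${describeRequestError(sample403)}`); // the readable form
```
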
