Pnp-powershell: Add-PnpFile - Access denied

Created on 22 Dec 2017  Â·  23Comments  Â·  Source: pnp/PnP-PowerShell

Reporting an Issue or Missing Feature

Issue

Expected behavior

Add-PnpFile should successfully upload file to the specified folder

Actual behavior

Add-PnPFile : Access denied. You do not have permission to perform this action or access this resource.

Do note that I am able to upload files without issues with the same credential when doing it via a web browser.

Steps to reproduce behavior

$SPOCredential = Get-Credential
Connect-PnPOnline -Url $SharepointSiteUrl -Credentials $SPOCredential
$SharepointSiteUrl = 'https://tenant123.sharepoint.com/sites/Site1'
$DestinationFolderRelativePath = 'Shared Documents'
$XlsxPath = 'C:\temp\Report.xlsx'
Add-PnPFile -Path $XlsxPath -Folder $DestinationFolderRelativePath

Which version of the PnP-PowerShell Cmdlets are you using?

  • [ ] PnP PowerShell for SharePoint 2013
  • [ ] PnP PowerShell for SharePoint 2016
  • [X ] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

2.21.1712.2

How did you install the PnP-PowerShell Cmdlets?

  • [ ] MSI Installed downloaded from GitHub
  • [ X] Installed through the PowerShell Gallery with Install-Module
  • [ ] Other means

Most helpful comment

If anyone else finds this issue, this is by design and the resolution is the following:

Connect-SPOService -Url https://-admin.sharepoint.com/
Set-SPOSite -Identity https://.sharepoint.com/sites/ -DenyAddAndCustomizePages $false

All 23 comments

Are you a SharePoint Online global administrator in your tenant? Connect-PnPOnline is an alias for Connect-SPOnline, which in turn relies on Connect-SPOService to make the connection. You might be able to perform uploads through the UI successfully, but not via shell unless you are an admin.

Also, do you have two-factor authentication? If so... try creating a non two-factor account, giving it upload permission through the UI, then use that account with the Get-Credential... better yet, add it to the Credential Manager as a Generic Window Credential, and call the name with Connect-PnPOnline cmd.

No, no two-factor authentication is used.
The user is a Sharepoint Online global administrator in the tenant ("Sharepoint administrator" is checked under Roles for the user in the Office 365 Admin portal).

It turns out that the Sharepoint site we are trying to upload content to is not a "regular" Sharepoint site, as it is created as part of an Office 365 Group. Thus, it does not show in https://company-admin.sharepoint.com.

Not sure if this might be the problem, however, connecting to the site using Connect-PnPOnline works fine.

This is expected behavior. In order to upload a file the user needs to have the following access right:

image

By default, only Group owners have this, as members are have 'Edit' permissions which does not include this access right. If you set the correct permissions, it works.

@wobba Awesome, thanks!

If anyone else finds this issue, this is by design and the resolution is the following:

Connect-SPOService -Url https://-admin.sharepoint.com/
Set-SPOSite -Identity https://.sharepoint.com/sites/ -DenyAddAndCustomizePages $false

Hi,

I'm getting access denied error when I try to upload the file using Sharepoint add in app ID and secret ID (has full control over the site collection).
Connect-PnpOnline -Url $siteurl -appId $id -appsecret $sid
Add-PnPFile -Path $path -Folder $folderpath

"Add-PnPFile : Access denied. You do not have permission to perform this action or access this resource."

I'm using below PnP version
3.4.1812.2 SharePointPnPPowerShellOnline

It would be very great if you could give some suggestions to resolve the error.

If you try to upload an aspx file, you need to disable scripting on the site for modern sites. Is this the case? As the previous comment also states.

No. I'm trying to automate the uploading the documents to SPO classic site library using Share
point add in client ID and secret .. has anyone tested file upload with appid and app secret... why is not working..

On Mon 24 Dec, 2018, 8:50 PM Mikael Svenson, notifications@github.com
wrote:

If you try to upload an aspx file, you need to disable scripting on the
site for modern sites. Is this the case?

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/SharePoint/PnP-PowerShell/issues/1307#issuecomment-449745742,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AYbV5o2ZmUF21b6urgFQVTkSO8Oj1uyKks5u8PCvgaJpZM4RK7fQ
.

@vishwasdm Tested just now with an app which has full permissions, and had no issue uploading a docx file. If this is still an issue, create a new issue for it with exact steps and include your app permission manifest.

I have the same issue.
DenyAddAndCustomizePages is disabled and I have full control on the library and access to the rest of the site.
When i'm a SiteCollection Admin it works but I shouldn't have to be.
The weird thing is that I can add files via the GUI just fine.

Able to upload the file via web browser but getting ServerUnauthorizedAccessException when using SharePointPnPPowerShellOnline - 3.6.1902.2 in Powershell.

@stpfarms Equivalent Command for Set-SPOSite i.e. Set-PnPSite is not working for me. Also, installed the Microsoft.Online.SharePoint.PowerShell and used below:
<#Fetch credentials from local windows credential manager#>
$SpCredential = Get-StoredCredential -Target "SharepointUploadUser"
Connect-SPOService -url https://mycompany-admin.sharepoint.com/sites/mysubsite/ -Credential $SpCredential
Set-SPOSite -Identity https://mycompany-admin.sharepoint.com/sites/ -DenyAddAndCustomizePages $false

But getting Unauth. I don't know if the sub-sites can be added via this.
Can someone please help how to set DenyAddAndCustomizePages.
Also, @wobba how to navigate to permissions screen, can't find in Sharepoint Online.

@RSwarnkar Can you outline your scenario? What are you trying to upload to where? Also, it's better to log a new issue instead of commenting on a closed one. Permissions for a site in modern is available from cog wheel, site permissions, advanced link.

I am getting access denied error when I try to upload .aspx page file to site pages library on modern site. Is there a way I can copy modern page in the same library using CSOM?

@wobba any thoughts on workarounds you might recommend for site provisioning scenarios for modern Team Sites (w/ O365 Groups)?

For instance, I'm extending SharePoint Site Designs via an Azure Function and am using app permissions (appId and secret) to authenticate within the Azure Function and execute PnP PowerShell. If possible, I'd prefer to not store user credentials in this Azure Function and have to execute something like the following to make this work:

Connect-SPOService -Url https://-admin.sharepoint.com/
Set-SPOSite -Identity https://.sharepoint.com/sites/ -DenyAddAndCustomizePages $false

However, without this being executed, I can't add files to the site as the SharePoint app (i.e. Add-PnPFile). This is needed for things like provisioning header images on custom site pages.

Thanks!
Patrick

@patrickabel We use app-only (with certificate which is needed for SharePoint API) and CSOM azure functions via custom connector in Flow. Take a look at https://github.com/Puzzlepart/ProvisioningFunctions for what functions we have etc. Basically we allow scripting on the side, upload files/pages via PnP templates, and disallow scripting again.

By connecting PnP with a certificate you can do the same - and I'll be reworking the docs and functionality around this pretty soon.

@wobba thanks man, I'll give this a look!

@patrickabel I also updated the cert adal connection sample today https://github.com/SharePoint/PnP-PowerShell/blob/dev/Samples/SharePoint.ConnectUsingAppPermissions/ReadMe.md

This will make it's way into release in June.

add-pnpfile works for an owner of the site. Even though the owner's permission of 'Add and Customize pages' is denied.

add_file_ok

Another user who is not an owner of the site, but who has identical permissions on the document library, got permission denied when using add-pnpfile.

add_file_not_ok

So exactly what permission is needed for using add-pnpfile on a particular document library?

If a user has normal edit right, you can upload. Add Items should be the one. Add and Customize Pages is about uploading/creating classic .aspx pages manually or via SharePoint Designer - and it applies to some other settings as well.

I tested copying a test file 'test.txt' to a document library by:
`Connect-PnPOnline -Url 'the_sharepoint_url'

Add-PnPFile -Path test.txt -Folder 'the_document_library'`

Only if the user is an owner of the site, the 'add-pnpfile' line can go through. If the user is not an owner of the site, even if the user has the same permission level as the owner (as shown in my previous comment), 'add-pnpfile' will get permission denied.

I have the same issue. The same app credential can upload via the "long" way. Here is an example in PowerShell.

This fails:
Add-PnPFile -Path "C:\MyFiles\TheFile.txt" -folder "myLibrary"

This works:

Load web to get server URL

$ctx = Get-PnPContext
$ctx.load($ctx.web);$ctx.executequery()

Find the correct list

$lists = $ctx.web.lists;$ctx.load($lists);$ctx.executequery();$myList = $lists | Where-Object{$_.Title -match 'myLibrary'}

File creation information

$newFile = new-object Microsoft.SharePoint.Client.fileCreationInformation
$newFile.Url = $ctx.web.url + "/myLibrary/TheFile.txt"
$newFile.Content = [System.IO.File]::ReadAllBytes("C:\MyFiles\TheFile.txt")

Upload file

$addFile = $myList.RootFolder.Files.Add($newFile)
$ctx.load($addFile);$ctx.executequery()

@ChrisGz95 I think it's fixed by https://github.com/pnp/PnP-PowerShell/pull/2583. Also, it looks like the PR will be in production soon.

Was this page helpful?
0 / 5 - 0 ratings