When using Set-PnPUserProfileProperty in an Azure Function with PowerShell, with the permissions defined using Application Permission: once connected to the admin site URL using the client ID, tenant and cert, trying to update the User Profile property throws an error.
The User Profile Properties must have been updated.
2020-03-15T07:49:48.239 [Error] Set-PnPUserProfileProperty : Access denied. You do not have permission to perform this action or access this resource.
at run.ps1: line 50
Attached the screenshot for the reference

Below are the permissions given for the application in Azure API Permissions

$tenant = $env:Tenant
$clientid = $env:ClientID
$thumbprint = $env:Thumbprint
# Connect to the root site collections using cert
Connect-PnPOnline -Url $targeturl -ClientId $clientid -Thumbprint $thumbprint -Tenant $tenant
Set-PnPUserProfileProperty -Account '[email protected]' -Property 'Title' -Value 'Title Value'
Used both the versions mentioned below. Both are throwing errors.
3.17.2001.2
3.19.2003.0
Followed the video by Paolo Pialorsi (PiaSys)
https://www.youtube.com/watch?v=plS_1BsQAto&list=PL-KKED6SsFo8TxDgQmvMO308p51AO1zln&index=2&t=0s
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
Have exactly the same issue.
Hi, is there any update on this issue? Any solution?
Hi @sudharsank, I just ran into a similar issue (403 Forbidden) when I was trying to update user profile pictures using the app identity via Azure Automation and in my case, it helped to switch to _SharePoint App-Only principal_ instead of _Azure AD application_.
As stated on docs page https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only:
User Profile CSOM write operations do not work with Azure AD application - read operations work. Both read and write operations work through SharePoint App-Only principal
Might this help in resolving your issue too?
@machv, using SharePoint App-Only permissions would create duplicated app records (instances), which would create additional security risk and more difficult maintenance of the solution.
Additionally, here is the purpose of using this principal :):
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online
@Forket I am aware of this and I fully agree that it would be great if Azure AD would have the same feature set as SharePoint App-Only model.
But currently, this is the only way that I am aware of, how to resolve this.
What scope and permissions level do you use in your SP App only?
Alex | Sen
IT Consultant | Office 365 Expert
Mobile: +48 532 292 764
I confirm that SP App ID / App Secret combo works with writing the User Profile Service. The docs say it won't work. It does, however.

In terms of permissions, it's full control on the UPS:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>
You may want/need full control at the tenancy level, in which case also add this:
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
Then to use this from PnP PowerShell, you can connect like this:
Connect-PnPOnline -Url https://[YOUR_TENANT_HERE]-admin.sharepoint.com -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"
Here's an actual working code snippet that will set an arbitrary User Profile property to a value for a specified user, presuming you have the variables set like me:
$adminConection = Connect-PnPOnline -Url $adminUrl -ReturnConnection -AppId $appId -AppSecret $appSecret;
Set-PnPUserProfileProperty -Account $user -PropertyName $propertyName -Value $value -Connection $adminConection;
The only real gotchas when setting this up are:
Enjoy!
Joel Jeffery
w:joelblogs.co.uk
t:@joelblogs
Can confirm (SharePointPnPPowerShellOnline v3.26.2010), when I attempt to update User Profile properties:
Fail: <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Manage" />
Fail: <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
Success (together):
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
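The manifests compared in the comments above, as an added example that is not part of the original thread or PnP's own code: a PowerShell check that parses an AppPermissionRequests manifest, reports whether it matches the combination reported here as working, and lists the tenant-wide FullControl grants it carries. The function name Test-UpsWriteManifest and the sample manifest are constructed for illustration.

```powershell
# Added example (hypothetical helper, not part of PnP PowerShell).
function Test-UpsWriteManifest {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ManifestXml)

    $root = ([xml]$ManifestXml).DocumentElement
    if ($root.LocalName -ne 'AppPermissionRequests') {
        throw "Expected <AppPermissionRequests> root, found <$($root.LocalName)>"
    }

    # Scope -> Right, exactly as requested in the manifest
    $granted = @{}
    foreach ($req in $root.SelectNodes("*[local-name()='AppPermissionRequest']")) {
        $granted[$req.GetAttribute('Scope')] = $req.GetAttribute('Right')
    }

    $social  = 'http://sharepoint/social/tenant'
    $content = 'http://sharepoint/content/tenant'

    [pscustomobject]@{
        AppOnly           = $root.GetAttribute('AllowAppOnlyPolicy') -eq 'true'
        Scopes            = $granted
        # Combination the thread reports as succeeding for Set-PnPUserProfileProperty
        MatchesWorkingSet = ($granted[$social] -eq 'FullControl') -and
                            ($granted[$content] -eq 'FullControl')
        # FullControl on a */tenant scope applies tenant-wide, so the
        # client secret for this principal needs matching protection.
        TenantFullControl = @($granted.Keys | Where-Object {
            $_ -like '*/tenant' -and $granted[$_] -eq 'FullControl'
        })
    }
}

# Constructed sample: the two-scope manifest quoted in the thread
$sample = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
'@

$result = Test-UpsWriteManifest -ManifestXml $sample
$result | Format-List AppOnly, MatchesWorkingSet, TenantFullControl
```

Running the same function on a manifest that requests only the social/tenant scope returns MatchesWorkingSet as False, which corresponds to the failing cases listed above.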