Pnp-powershell: Set-PnPUserProfileProperty with Application Permission in Azure Function

Created on 17 Mar 2020 · 9 Comments · Source: pnp/PnP-PowerShell

Issue

When using Set-PnPUserProfileProperty in an Azure Function with PowerShell, with the permissions defined using Application Permissions: once connected to the admin site URL using client ID, tenant and certificate, trying to update the user profile property throws an error.

Expected behavior

The user profile property should be updated.

Actual behavior

2020-03-15T07:49:48.239 [Error] Set-PnPUserProfileProperty : Access denied. You do not have permission to perform this action or access this resource.
at run.ps1: line 50
+ Set-PnPUserProfileProperty
+ __________________________
    + CategoryInfo          : WriteError: (:) [Set-PnPUserProfileProperty], ServerUnauthorizedAccessException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.UserProfiles.SetUserProfileProperty
2020-03-15T07:49:48.411 [Error] Set-PnPUserProfileProperty : Access denied. You do not have permission to perform this action or access this resource.

Attached the screenshot for the reference

Below are the permissions given for the application in Azure API Permissions

Steps to reproduce behavior

$tenant = $env:Tenant
$clientid = $env:ClientID
$thumbprint = $env:Thumbprint
$targeturl = $env:TargetUrl   # placeholder: the admin site URL, e.g. https://<tenant>-admin.sharepoint.com
# Connect to the root site collections using cert
Connect-PnPOnline -Url $targeturl -ClientId $clientid -Thumbprint $thumbprint -Tenant $tenant
Set-PnPUserProfileProperty -Account '[email protected]' -Property 'Title' -Value 'Title Value'

Which version of the PnP-PowerShell Cmdlets are you using?

  • [ ] PnP PowerShell for SharePoint 2013
  • [ ] PnP PowerShell for SharePoint 2016
  • [x] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

Used both versions mentioned below. Both throw the error:
3.17.2001.2
3.19.2003.0

How did you install the PnP-PowerShell Cmdlets?

  • [ ] MSI Installed downloaded from GitHub
  • [ ] Installed through the PowerShell Gallery with Install-Module
  • [x] Other means

Followed the video by Paolo Pialorsi (PiaSys)
https://www.youtube.com/watch?v=plS_1BsQAto&list=PL-KKED6SsFo8TxDgQmvMO308p51AO1zln&index=2&t=0s

All 9 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

Have exactly same issue.

Hi, Is there any update on this issue? Any solution?

Hi @sudharsank, I just run into a similar issue (403 Forbidden) when I was trying to update user profile pictures using the app identity via Azure Automation and in my case, it helped to switch to _SharePoint App-Only principal_ instead of _Azure AD application_.

As stated on docs page https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only:

User Profile CSOM write operations do not work with Azure AD application - read operations work. Both read and write operations work through SharePoint App-Only principal

Might this help in resolving your issue too?

@machv , using SharePoint App-Only permissions would create duplicated app records (instances), which would create additional security risk and make maintenance of the solution more difficult.
Additionally, here is the purpose of using this principal :):

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online

@Forket I am aware of this and I fully agree that it would be great if Azure AD would have the same feature set as SharePoint App-Only model.

But currently, this is the only way that I am aware of to resolve this.

What scope and permissions level do you use in your SP App only?

Alex | Sen
IT Consultant | Office 365 Expert
Mobile: +48 532 292 764



I confirm that SP App ID / App Secret combo works with writing the User Profile Service. The docs say it won't work. It does, however.

In terms of permissions, it's full control on the UPS:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>

You may want/need full control at the tenancy level, in which case also add this:

<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />

Then to use this from PnP PowerShell, you can connect like this:

Connect-PnPOnline -Url https://[YOUR_TENANT_HERE]-admin.sharepoint.com -AppId "[Your Client ID]" -AppSecret "[Your Client Secret]"

Here's an actual working code snippet that will set an arbitrary User Profile property to a value for a specified user, presuming you have the variables set like me:

$adminConnection = Connect-PnPOnline -Url $adminUrl -ReturnConnection -AppId $appId -AppSecret $appSecret;
Set-PnPUserProfileProperty -Account $user -PropertyName $propertyName -Value $value -Connection $adminConnection;

The only real gotchas when setting this up are:

  • Use the https://[YOUR_TENANT_HERE]-admin.sharepoint.com URLs to create and approve these, and also when connecting with Connect-PnPOnline
  • Admin Site URL: "https://[YOUR_TENANT_HERE]-admin.sharepoint.com"
  • App Reg Page: https://[YOUR_TENANT_HERE]-admin.sharepoint.com/_layouts/15/appregnew.aspx
  • App Permissions Page: https://[YOUR_TENANT_HERE]-admin.sharepoint.com/_layouts/15/appinv.aspx

Enjoy!

Joel Jeffery
w:joelblogs.co.uk
t:@joelblogs
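As an added example (not code from the thread, nor from PnP PowerShell itself), here is an Azure Function run.ps1 body that applies the SharePoint App-Only approach from the comment above and reads the property back to verify the write. The $env:* setting names, the TargetAccount value and the timer trigger are assumptions; it presumes the principal was approved on the -admin site with both social/tenant and content/tenant FullControl.

```powershell
# Added example (not from the thread or from PnP PowerShell): Azure Function run.ps1 body
# using the SharePoint App-Only principal described above, with the write verified.
# Assumptions: the principal was registered/approved on the -admin site with BOTH
# social/tenant and content/tenant FullControl; the $env:* settings are placeholders
# (store the secret as a Key Vault reference, not in plain app settings).
param($Timer)   # assumed timer trigger; use whatever binding the function really has

$ErrorActionPreference = 'Stop'   # the cmdlet emits a WriteError; without Stop the
                                  # 'Access denied' is logged but the script carries on
Import-Module SharePointPnPPowerShellOnline

$adminUrl  = "https://$($env:TenantName)-admin.sharepoint.com"   # must be the -admin URL
$appId     = $env:SpAppOnlyClientId
$appSecret = $env:SpAppOnlyClientSecret

function Set-UserProfilePropertyVerified {
    param(
        [Parameter(Mandatory)] [string] $Account,       # e.g. user@contoso.onmicrosoft.com
        [Parameter(Mandatory)] [string] $PropertyName,  # e.g. 'Title' or 'SPS-Location'
        [Parameter(Mandatory)] [string] $Value
    )
    # -ReturnConnection keeps this tenant-wide FullControl session off the default
    # connection, so other steps in the function cannot reuse it by accident.
    $conn = Connect-PnPOnline -Url $adminUrl -AppId $appId -AppSecret $appSecret -ReturnConnection
    try {
        Set-PnPUserProfileProperty -Account $Account -PropertyName $PropertyName `
                                   -Value $Value -Connection $conn
        # Read back instead of trusting the call: with an Azure AD app the write is
        # rejected, and with only social/tenant granted it can fail as well.
        $props = (Get-PnPUserProfileProperty -Account $Account -Connection $conn).UserProfileProperties
        if ($props[$PropertyName] -ne $Value) {
            throw "Verification failed: '$PropertyName' for $Account is '$($props[$PropertyName])', expected '$Value'"
        }
        Write-Information "Updated '$PropertyName' for $Account"
    }
    catch {
        if ($_.Exception.Message -match 'Access denied') {
            throw ("Access denied writing the User Profile Service. Use a SharePoint App-Only principal " +
                   "registered on $adminUrl with social/tenant AND content/tenant FullControl. $_")
        }
        throw
    }
    finally {
        Disconnect-PnPOnline -Connection $conn
    }
}

Set-UserProfilePropertyVerified -Account $env:TargetAccount -PropertyName 'Title' -Value 'Title Value'
```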

Can confirm (SharePointPnPPowerShellOnline v3.26.2010), when I attempt to update User Profile properties:

Fail: <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Manage" />

Fail: <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />

Success (together):
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
