Connect-PnPOnline: Access denied/unauthorized operation

von Lachner, Matthias 0 Reputation points
2025-01-29T09:05:33.8533333+00:00

I am simply trying to manage an existing site by adding/removing folders and files, nothing special. I am new to the App Registration approach, but I read through lots of documentation and in the end I always see the requirement of having Sites.FullControl.All permissions to manage sites. Is that true?

What I'm trying to do:

  1. Connect to a site
  2. Create/Change/Delete Folders and/or files
  3. Grant permissions to those folders

So, nothing special at all. My code looks like:

Connect-PnPOnline "https://TenantName.sharepoint.com/MySiteName" -ClientId "MyClientID" -Tenant TenantName.onmicrosoft.com -Thumbprint "CertThumbprint" -Verbose

Get-PnPSite

My Output is like

User's image

The assigned rights to my Application are:

User's image

I am working in a bigger enterprise, that's why the set of applied permissions is limited to the ones in the figure above. Full Control won't get admin consent. My current user is not able to sign in with MFA, only with a certificate. Some help or guidance would be appreciated.


1 answer

  1. Xyza Xue_MSFT 27,966 Reputation points Microsoft Vendor
    2025-01-30T02:26:47.2366667+00:00

    Hi @von Lachner, Matthias ,

    Thank you for posting in this community.

    To perform actions such as connecting to a site, creating/changing/deleting folders and files, and granting permissions, the Sites.FullControl.All permission is indeed required. This permission allows your application to have full control over all SharePoint sites and lists.

    In order to be able to access any target site, you'll need a tenant global admin or an application with Sites.FullControl.All application permission to grant explicit permissions for the selected target sites.

    User's image

    The issue you're facing with admin consent is common in large enterprises. Without admin consent, your app won't be able to obtain these higher-level permissions, especially the Sites.FullControl.All permission. If admin consent isn't available, you might need to work with your admin team to get this permission granted to your application.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
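
The per-site grant mentioned in the answer's second paragraph, sketched as an added example that is not part of the original thread. It assumes the limited app registration holds the Sites.Selected application permission (the permissions screenshot is not reproduced here) and that the admin team runs step 1 with an app that has Sites.FullControl.All; all IDs, thumbprints, the second site URL and the folder names are placeholders.

```powershell
# Placeholders (assumptions), not values from the thread.
$SiteUrl         = 'https://TenantName.sharepoint.com/MySiteName'
$OtherSiteUrl    = 'https://TenantName.sharepoint.com/SomeOtherSite'  # must stay inaccessible
$Tenant          = 'TenantName.onmicrosoft.com'
$AppId           = '00000000-0000-0000-0000-000000000000'  # limited app (Sites.Selected)
$AppThumbprint   = '<CertThumbprint>'
$AdminAppId      = '11111111-1111-1111-1111-111111111111'  # app with Sites.FullControl.All
$AdminThumbprint = '<AdminCertThumbprint>'

# --- Step 1: run once by the admin team -------------------------------------
$admin = Connect-PnPOnline -Url $SiteUrl -ClientId $AdminAppId -Tenant $Tenant `
             -Thumbprint $AdminThumbprint -ReturnConnection

# Grant the limited app access to this one site only.
Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName 'Folder automation' `
    -Permissions Write -Site $SiteUrl -Connection $admin | Out-Null

# Write covers folders and files. Changing folder permissions needs a higher
# role, so raise this single grant instead of consenting tenant-wide.
$grant = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $AppId `
             -Connection $admin | Select-Object -First 1
Set-PnPAzureADAppSitePermission -PermissionId $grant.Id -Permissions FullControl `
    -Site $SiteUrl -Connection $admin | Out-Null

# --- Step 2: run by the limited app -----------------------------------------
$app = Connect-PnPOnline -Url $SiteUrl -ClientId $AppId -Tenant $Tenant `
           -Thumbprint $AppThumbprint -ReturnConnection
Get-PnPSite -Connection $app
Add-PnPFolder -Name 'Reports' -Folder 'Shared Documents' -Connection $app

# --- Step 3: confirm the grant is scoped to the one site --------------------
try {
    $other = Connect-PnPOnline -Url $OtherSiteUrl -ClientId $AppId -Tenant $Tenant `
                 -Thumbprint $AppThumbprint -ReturnConnection
    Get-PnPSite -Connection $other -ErrorAction Stop | Out-Null
    Write-Warning "App can read $OtherSiteUrl: its access is broader than intended."
}
catch {
    Write-Host "Access to $OtherSiteUrl denied, as expected for a per-site grant."
}
```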
