[BUG] Sites.Selected permission in App Only context not working properly

[eprach]

Reporting an Issue or Missing Feature

I have an app registration with Sites.Selected permission for Graph and SharePoint Online

On a specific SharePoint site, I have assigned full control using the "Grant-PnPAzureADAppSitePermission" to my app registration.
Checking with Get-PnPAzureADServicePrincipalAssignedAppRole and Get-MgSitePermission, all good the permission is set.

Now I try to run the following commands, all of them result with "Attempted to perform an unauthorized operation":

• Invoke-PnPSiteTemplate
• Rename-PnPTenantSite
• New-PnPList
• Set-PnPList
• Set-PnPListPermission
• Add-PnPFolder

Expected behavior

Once connected with Connect-PnPOnline -Url "siteUrl" -ClientId xxxx -Tenant xxx.onmicrosoft.com -CertificatePath 'C:\TEMP\xxx.pfx'
The commands should work because my app registration has full control through the Sites.Selected.

Running my script with my App registration having "Sites.FullControl.All" on Graph and SharePoint Online works well so it is not an issue in my script.

Actual behavior

See description above

Steps to reproduce behavior

See description above

What is the version of the Cmdlet module you are running?

3.1.0

Which operating system/environment are you running PnP PowerShell on?

• [ X] Windows
• Linux
• MacOS
• Azure Cloud Shell
• [ X] Azure Functions
• Other : please specify

[reshmee011]

There's a related bug to it , #5139. I could reproduce it. I feel the issue is from Microsoft. @gautamdsheth , @NishkalankBezawada , any ideas how to deal with this issue.

[kachihro]

Need to provide access to the site - for the AppId
https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html

_Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive

Grant the app access to a specific site

Grant-PnPAzureADAppSitePermission -AppId "YOUR-APP-ID" -DisplayName "Your App Name"
-Site "https://yourtenant.sharepoint.com/sites/yoursite" `
-Permissions Write # or Read, FullControl_

[eprach]

Hi @kachihro,
Thanks for your message but, as written in my description, all these steps have been already done (and it is not the first time I do this so I know the process for using Sites.Selected with App Only permissions quite well :) )

[reshmee011]

Is it an issue you started experiencing? There are a couple of issues related to it and as you mentioned the PnP cmdlets are doing the right thing, not sure how to escalate to Microsoft for them to confirm what's happening. They introduced list and item level selected permissions, not sure if it affected that functionality.

[eprach]

@reshmee011 beginning of last week it worked well but, since this week, it doesn't work anymore yes.

[reshmee011]

Thanks for sharing @eprach .Is it possible if you have postman to use the token generated using Get-PnPAccessToken -ResourceTypeName SharePoint (or Graph) and see any errors you are getting. Potentially you can use it as a medium to raise an incident with Microsoft as Ms won't support any PnP PowerShell related issues.

[eprach]

Just to confirm @reshmee011, I did a test this morning with postman and got an access denied when simply trying to create a new list with Graph in my site specified in the Sites.selected (full control).

I will create a ticket to MS and will let you know :)

[reshmee011]

Thanks so much , it will help many others facing the same issue.