Skip Ribbon Commands
Skip to main content

Quick Launch

Todd Klindt's home page > Todd Klindt's Office 365 Admin Blog > Posts > Creating a PnP.PowerShell App Registration with PowerShell
August 22
Creating a PnP.PowerShell App Registration with PowerShell

The PnP team recently announced they were making changes to how the PnP.PowerShell and M365 CLI authenticate. The short story is that if you want to use the PnP.PowerShell module or the M365 CLI after September 9th, 2024, you’ll need to create your own Application Registration, also known as an App Reg. I know, I know, that sounds confusing and scary. Fortunately there’s nothing to it. I’ve got all the steps for you to follow along. You’ll be ready to go in no time.

If you’re reading this, I assume you already have the PnP.PowerShell module installed. Good, because you’ll need that. The steps I’m going to show you will probably work with any version 2.0.0 or later, but I recommend updating to at least 2.9.0, which is the latest version as of this blog post. It’s got some extra sauce in it to make this go more smoothly.

After you’ve got the PnP.PowerShell module installed, open up PowerShell. This module has supported using custom app regs for a while, so all of the plumbing is already there. We need to run the Register-PnPAzureADApp cmdlet (also aliases as Register-EntraIDApp, they’re the same thing) to create our own App Reg. Example #1 from the help is what I use. Here’s what it looks like:

Register-PnPAzureADApp -ApplicationName PnP.PowerShell -Tenant 1kgvf.onmicrosoft.com -Store CurrentUser –Interactive

The name of the App Reg we’re creating is “PnP.PowerShell.” My tenant is 1kgvf, but of course you’ll use your own. It’s going to create a certificate for us (we won’t need it) and store it in the CurrentUser Certificate Store. And finally, since I’m using MFA, like every good user does, I use the –Interactive switch to do browser based authentication. You’ll have to log in as a Global Admin, or a user the Global Admin has given permission to create App Regs to.

image

After I log in Azure gets to work doing what it does. Since I didn’t pass any scopes to Register-PnPAzureADApp it uses its default set. You’ll get prompted to authenticate a second time then asked to consent to them.

image

We’ll talk more about that in a bit.

Once it’s done, you’ll get a screen like this:

image

Here is where you’ll get the Client ID (also called AppID and AzureAppID, it’s all the same) you’ll need when you connect. In my example that’s 001ed5a0-be10-4bc3-a40c-a1cad0c987b7. You can also get that ID number by going into the Azure Portal and looking at the Enterprise applications.

image

Find your App Reg and click it.

image

Then you can copy it to your clipboard.

Now that you have your ClientID, let’s use that to connect to Microsoft 365. In my case I would use this connect statement:

Connect-PnPOnline -Url https://1kgvf.sharepoint.com/ -Interactive -ClientId 001ed5a0-be10-4bc3-a40c-a1cad0c987b7

Of course you’ll use your own tenant name and the ClientID that you created. The one I created isn’t visible to your tenant.

You’ll get prompted for a username and password, and hopefully some MFA. Then you’ll be connected to M365. Here’s how it all looks:

image

As you can see, I’m connected and a quick function check looks like everything is working fine. Success!!! Well, sort of…

We talked before about scopes, and how the Register-AzureADApp cmdlet used its default scopes since I didn’t specify any. Those scopes covered SharePoint, and Users, but not much else. For instance, if I try to get a list of the Teams in my tenant, I’m met with an authentication screen. After I authenticate (with a Global Admin) I get a page wanting more permission:

image

Now it wants access to Read all groups, and more User permissions. I clicked Consent and then Accept. It returned my Teams to me.

image

This adds some complication. If the user you normally use PnP.PowerShell with is a GA, then you’re golden. Every time you stumble onto something you can’t do, it’ll prompt you and you’ll consent. If you have a separate GA user, or someone else is doing the GA stuff for you, you’ll have to go into the Azure Portal and add the additional Scopes in there. That sounds like something that would fit really well in another blog post. Smile 

There’s another gotcha. By default, when Register-PnPAzureADApp creates the App Reg, it only gives the user that created it permission to use it. If anyone else needs to use it you’ll need to go into the Azure Portal, open the App Reg, go to the Users and Groups blade, and add the additional users. That won’t give them any additional permissions anywhere in M365, it simply gives them permission to use this App Reg when using PnP.PowerShell.

I mentioned at the top that version 2.9.0 had some extra sauce to help with this. It can get a bit tedious adding the –ClientID SomeUglyGUID part every time you connect. This is particularly painful if you’ve got scripts and the like with connect statements that don’t have the -ClientID parameter. In 2.9.0 and later Connect-PnPOnline supports an environment variable ENTRAID_APP_ID. If no –ClientID is specified, and that variable has a value, Connect-PnPOnline will use that. Here’s what it looks like:

image

That variable value will go away when you close PowerShell. If you put the $env:ENTRAID_APP_ID = "001ed5a0-be10-4bc3-a40c-a1cad0c987b7" line in your PowerShell profile it will get populated every time you open PowerShell. If you’re a local admin on your machine you can also set a persistent environment variable in an admin prompt with this line:

[System.Environment]::SetEnvironmentVariable('ENTRAID_APP_ID', '001ed5a0-be10-4bc3-a40c-a1cad0c987b7', 'User')

Or you can set it in the Control Panel. Again, you’ll want to use your Client ID, not mine.

I hope that helps. If you have any questions, leave me a comment.

tk

ShortURL: https://www.toddklindt.com/PoshMakeAppReg

Comments

Will this change affect app registrations created in the past?

Thank you for sharing this Todd.
I have a question for you.
I created a Microsoft Entra ID  app registration three years ago that we are using it for running automated scripts. FYI, this app registration is created with a single tenant configurations and working fine.
I’m, however, not sure if this app registration will continue to work after September 9th. From a session where Vessa has few days ago, I thought he said only registrations configured with multi tenant that might stop working.
Would you mind shading some  light on this?

Sincerely

 on 8/27/2024 8:43 PM

I've the same question as the previouus person's comment

We created the single tenant app back in 2021 and the runbook is using pnp powershell v1.2 and Powershell 5.1
 on 9/4/2024 6:37 AM

Just check the sign-in logs

In my experience other custom app registrations will continue working. It only affects connections using the -Interactive or -Credentials parameters. To be sure, best check the sign-in logs of the Enterprise Application "PnP Office 365 Management Shell".
 on 9/6/2024 5:13 AM

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Title


Body *


Today's date *

Select a date from the calendar.
Please enter today's date so I know you are a real person

Twitter


Want a message when I reply to your comment? Put your Twitter handle here.

Attachments

 

 SysKit