Using Managed Identity with PnP PowerShell instead of SharePoint App-Only Principal

2 minute read

Using Managed Identity with PnP PowerShell instead of SharePoint App-Only Principal

Introduction

SharePoint App-Only is one of the older models of setting up app-principals which works well for SharePoint Online as well as on-premises. This model is getting deprecated and should not be used in future implementations.

In this article, we will explore using managed identities with PnP PowerShell for any SharePoint related operations.

Grant access with SharePoint App-Only

In this model, we usually had the app registration done by creating an app at https://tenant.sharepoint.com/_layouts/15/appregnew.aspx and providing the needed permission. In most cases, FullControl permission on the tenant, I have seen. 😊

Please refer to Granting access using SharePoint App-Only for revisiting the concept.

Using Managed Identity in Azure Function with PnP PowerShell

Create Function app

Let us start with creating an Azure function.

From the Azure portal, create a Function app as follows:

In the Function app, let us create an HTTP trigger-based function with an Authorization level as a Function to perform SharePoint related operations.

Add PnP PowerShell module to Azure function app

Add the PnP PowerShell module to the Azure function app by following the below steps:

  1. In the function app, from the left navigation under Functions, click App files.
  2. Select the requirements.psd1 from the dropdown menu.
  3. Add PnP.PowerShell module.

Create system assigned managed identity for Azure function app

Follow the below steps to create system assigned managed identity for the Azure function app:

  1. In the Azure function app, from the left menu under Settings, click Identity.
  2. Under the system assigned tab, make sure the status is turned On.

Assign permissions to the managed identity

We will use a managed identity in Azure to allow your Azure Function to connect to Microsoft Graph and SharePoint Online using PnP PowerShell.

To create a SharePoint site, we will need to set up below permissions:

Permission Purpose
Sites.FullControl.All Create SharePoint site
Directory.ReadWrite.All Create Group connected SharePoint site (e.g., Team site)

Run the below cmdlets on PowerShell v7 to assign permissions to the managed identity.

Add-PnPAzureADServicePrincipalAppRole -Principal "2db56a6c-9e95-4a2a-991b-b688bd11df4b" -AppRole "Directory.ReadWrite.All" -BuiltInType MicrosoftGraph
Add-PnPAzureADServicePrincipalAppRole -Principal "2db56a6c-9e95-4a2a-991b-b688bd11df4b" -AppRole "Sites.FullControl.All" -BuiltInType SharePointOnline

The permissions can be seen from the corresponding Enterprise Application.

Azure function to create the SharePoint site

Use the below PnP PowerShell code to create the SharePoint site.

using namespace System.Net

param($Request, $TriggerMetadata)

Connect-PnPOnline contoso.sharepoint.com -ManagedIdentity
Write-Host "Connected"

# Create communication site
New-PnPSite -Type CommunicationSite -Title "Contoso Communications" -Url "https://contoso.sharepoint.com/sites/contoso-communications" -Owner "admin@tenant.onmicrosoft.com"

# Create group connected team site
New-PnPSite -Type TeamSite -Title "Team Contoso" -Alias "ContosoTeam"

Disconnect-PnPOnline

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
})

Summary

SharePoint App-Only model of setting up app-principals is getting deprecated and should not be used in future implementations. Instead, use managed identities with PnP PowerShell for any SharePoint related operations.

References

Leave a comment