Authentication

Setting up Access

PnP PowerShell allows you to authenticate with credentials to your tenant. However, due to changes in the underlying SDKs we require you first to register a Azure AD Application which will allow you to authenticate.

The easiest way to do this by using a built-in cmdlet:

Register-PnPManagementShellAccess

You'll notice that the cmdlet is not called Register-PnPPowerShellAccess. This is because both PnP PowerShell and the CLI for Microsoft 365 make use of this Azure AD application.

Important

You need to run this cmdlet with an identity that has write access to the Azure AD. You are not creating a new application in the sense of something that runs in your Azure AD tenant. You're only adding a registration to your Azure AD, a so called 'consent' for people in your tenant to use that application. The access rights the application requires are delegate only, so you will always have to provide credentials or another way of identifying the user actually using that application.

During execution of the cmdlet you will be talked through the consent flow. This means that a browser window will open, you will be asked to authenticate, and you will be asked to consent to a number of permissions. After this permissions has been granted a new entry will show up if you navigate to Enterprise Applications in your Azure AD. If you want to revoke the consent you can simply remove the entry from the Enterprise Applications.

Setting up access to your own Azure AD App

PnP PowerShell has a cmdlet that allows you to register a new Azure AD App, and optionally generate the certificates for you to use to login with that app.

Register-PnPAzureADApp -ApplicationName PnPRocks -Tenant mytenant.onmicrosoft.com -OutPath c:\mycertificates -DeviceLogin

When you run the cmdlet above you will be asked to navigate to the shown url and enter the code shown. After that a new app will be registerd in the Azure AD (make sure you have the rights to do this), and a certificate will be generated and uploaded to that app. After this a URL will be shown which you have to navigate to to provide consent for this application. By default a limited set of permissions scopes is added, but you can provide the -Scopes parameter to provide your own permission scopes.

The cmdlet will save both the CER and PFX files to the specified location with the -Outpath parameter. The names of the files will be matching the -ApplicationName parameter, e.g. in the example above the files will be called PnPRocks.cer and PnPRocks.pfx. The output of the cmdlet will show the clientid. After all is set up and consent has been provided you can login using:

Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -ClientId [clientid] -Tenant [yourtenant.onmicrosoft.com] -CertificatePath certificate.pfx

Authenticating with Credentials

Enter

Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials (Get-Credential)

and you will be prompted for credentials.

Authenticating with pre-stored credentials using the Windows Credential Manager (Windows only)

Add-PnPStoredCredential -Name "yourlabel" -Username youruser@domain.com

You will be prompted to provide a password. After that you can login using:

Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials "yourlabel"

Authenticating with pre-stored credentials using the Secrets Management Module from Microsoft (Multi-Platform)

Install-Module -Name Microsoft.PowerShell.SecretManagement -AllowPrerelease
Install-Module -Name Microsoft.PowerShell.SecretStore -AllowPrerelease
Set-SecretStoreConfiguration
Set-Secret -Name "yourlabel" -Secret (Get-Credential)

This creates a new secret vault on your computer. You will be asked to provide a password to access the vault. If you access the vault you will be prompted for that password. In case you want to want to write automated scripts you will have to turn off this password prompt as follows:

Set-SecretStoreConfiguration -Authentication None

For more information about these cmdlets, check out the github repositories: https://github.com/powershell/secretmanagement and https://github.com/powershell/secretstore.

After you set up the vault and you added a credential

Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials (Get-Secret -Name "yourlabel")