Setting up Access
PnP PowerShell allows you to authenticate with credentials to your tenant. However, due to changes in the underlying SDKs we require you first to register a Azure AD Application which will allow you to authenticate.
The easiest way to do this by using a built-in cmdlet:
You'll notice that the cmdlet is not called
Register-PnPPowerShellAccess. This is because both PnP PowerShell and the CLI for Microsoft 365 make use of this Azure AD application.
You need to run this cmdlet with an identity that has write access to the Azure AD. You are not creating a new application in the sense of something that runs in your Azure AD tenant. You're only adding a registration to your Azure AD, a so called 'consent' for people in your tenant to use that application. The access rights the application requires are delegate only, so you will always have to provide credentials or another way of identifying the user actually using that application.
During execution of the cmdlet you will be talked through the consent flow. This means that a browser window will open, you will be asked to authenticate, and you will be asked to consent to a number of permissions. After this permissions has been granted a new entry will show up if you navigate to
Enterprise Applications in your Azure AD. If you want to revoke the consent you can simply remove the entry from the Enterprise Applications.
Setting up access to your own Azure AD App
PnP PowerShell has a cmdlet that allows you to register a new Azure AD App, and optionally generate the certificates for you to use to login with that app.
Register-PnPAzureADApp -ApplicationName PnPRocks -Tenant mytenant.onmicrosoft.com -OutPath c:\mycertificates -DeviceLogin
When you run the cmdlet above you will be asked to navigate to the shown url and enter the code shown. After that a new app will be registerd in the Azure AD (make sure you have the rights to do this), and a certificate will be generated and uploaded to that app. After this a URL will be shown which you have to navigate to to provide consent for this application. By default a limited set of permissions scopes is added, but you can provide the -Scopes parameter to provide your own permission scopes.
The cmdlet will save both the CER and PFX files to the specified location with the -Outpath parameter. The names of the files will be matching the -ApplicationName parameter, e.g. in the example above the files will be called PnPRocks.cer and PnPRocks.pfx. The output of the cmdlet will show the clientid. After all is set up and consent has been provided you can login using:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -ClientId [clientid] -Tenant [yourtenant.onmicrosoft.com] -CertificatePath certificate.pfx
Authenticating with Credentials
Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials (Get-Credential)
and you will be prompted for credentials.
Authenticating with pre-stored credentials using the Windows Credential Manager (Windows only)
Add-PnPStoredCredential -Name "yourlabel" -Username firstname.lastname@example.org
You will be prompted to provide a password. After that you can login using:
Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials "yourlabel"
Authenticating with pre-stored credentials using the Secrets Management Module from Microsoft (Multi-Platform)
Install-Module -Name Microsoft.PowerShell.SecretManagement -AllowPrerelease Install-Module -Name Microsoft.PowerShell.SecretStore -AllowPrerelease Set-SecretStoreConfiguration Set-Secret -Name "yourlabel" -Secret (Get-Credential)
This creates a new secret vault on your computer. You will be asked to provide a password to access the vault. If you access the vault you will be prompted for that password. In case you want to want to write automated scripts you will have to turn off this password prompt as follows:
Set-SecretStoreConfiguration -Authentication None
After you set up the vault and you added a credential
Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials (Get-Secret -Name "yourlabel")