Problems with managed identity and SharePoint

Azahara Cruz 20 Reputation points
2024-06-07T07:22:08.2966667+00:00

I have an Azure Function that creates sites in SharePoint.

The problem is that after granting Sites.FullControl.All permissions under Microsoft Graph to the managed identity that the Azure Function authenticates with, it creates the site correctly, but when it goes to add the newly created site to the Sites.Selected application record, it fails authentication:

Instruction:

Grant-PnPAzureADAppSitePermission -AppId $envAppIdProvisioning -DisplayName $envAppNameNameProvisioning -Site $paramUrlSite -Permissions FullControl

Error message:

{"error":{"code":"AccessDenied","message":"Either scp or roles claim need to be present in the token. ","innerError":{"date":"2024-06-05T06:53:07","request-id":"43e0cf99-c8b5-4cda-b783-de3fd1a241c8","client-request-id":"43e0cf99-c8b5-4cda-b783-de3fd1a241c8"}}}


Accepted answer
Marilee Turscak-MSFT 36,141 Reputation points Microsoft Employee
2024-06-10T23:58:58.2033333+00:00

Hi @Azahara Cruz,

Those are two different permissions. The AllSites.FullControl is delegated, running under the user context. The Sites.FullControl.All is an application-type (app-only) permission that allows the app to access the resource without a user. I think you also need to include:

SharePointOnlineScope = "AllSites.FullControl"
    
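The AccessDenied message in the question is Graph rejecting a token that carries neither a `roles` claim (app-only, what a managed identity with Sites.FullControl.All should present) nor an `scp` claim (delegated, what the AllSites.FullControl scope in the answer produces). The quickest way to tell which kind of token a PnP connection is actually sending is to decode it. The following is an added diagnostic, not code from the question, the answer, or PnP PowerShell: it base64url-decodes a JWT payload and reports the audience and whether `roles` or `scp` is present. It does not verify the signature, so it is for inspecting a token you already hold (for example the one `Get-PnPAccessToken` returns after `Connect-PnPOnline`), not for making authorization decisions. The two sample tokens at the bottom are constructed in the script with `alg: none`, and their `appid` values are placeholders.

```powershell
# Added example: inspect which permission claims a JWT carries.
# No signature verification is performed here; this is a diagnostic only.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments use the URL-safe alphabet and drop '=' padding; restore both.
    $t = $Text.Replace('-', '+').Replace('_', '/')
    switch ($t.Length % 4) {
        2 { $t += '==' }
        3 { $t += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t))
}

function Get-TokenPermissionSummary {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Graph accepts either its URL or its well-known application id as audience.
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    $hasRoles = $null -ne $claims.roles   # application (app-only) permissions
    $hasScp   = $null -ne $claims.scp     # delegated permissions (user context)

    [pscustomobject]@{
        Audience      = $claims.aud
        AppOnly       = $hasRoles
        Delegated     = $hasScp
        Roles         = @($claims.roles)
        Scopes        = if ($hasScp) { $claims.scp -split ' ' } else { @() }
        # This is the condition the "Either scp or roles claim need to be present" error checks.
        GraphAccepts  = ($claims.aud -in $graphAudiences) -and ($hasRoles -or $hasScp)
    }
}

function New-SampleJwt {
    # Builds an UNSIGNED token (alg none) purely so the summary can be demonstrated offline.
    param([Parameter(Mandatory)][hashtable]$Payload)
    $encode = {
        param($Object)
        $json  = ConvertTo-Json -InputObject $Object -Compress
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header = & $encode @{ alg = 'none'; typ = 'JWT' }
    $body   = & $encode $Payload
    "$header.$body."
}

# Constructed sample 1: what a managed identity holding Sites.FullControl.All should present.
$appOnlyToken = New-SampleJwt @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'   # placeholder
    roles = @('Sites.FullControl.All')
}

# Constructed sample 2: a Graph-audience token with no permission claims at all,
# the shape that triggers the AccessDenied response quoted in the question.
$noClaimsToken = New-SampleJwt @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'   # placeholder
}

Get-TokenPermissionSummary -Token $appOnlyToken  | Format-List
Get-TokenPermissionSummary -Token $noClaimsToken | Format-List
```

If `GraphAccepts` comes back `$false` for the token your function actually uses, the two things to look at are the audience (a token minted for the SharePoint resource will not satisfy a Graph endpoint) and whether the `roles` array contains the application permission you expect; an empty `roles` on a managed identity token usually means the app role was never assigned to that service principal, regardless of what the portal shows for a different app registration.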
