Question

I want to automate SharePoint admin tasks with Azure Automation. I don't want to use user/password but a Service Principal. (We have MFA enforced.)

I set up a new "Azure Automation" account, including an "Azure Run As" account. I added PnP modules. I assigned the following rights via https://mytenant-admin.sharepoint.com/_layouts/15/AppInv.aspx

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/Tenant" Right="Manage"/>
</AppPermissionRequests>

In my scripts I can now Connect-PnPOnline or do some random other stuff, but whenever I want to do privileged things, like Get-PnPTenantSite, I'm running into errors:

Get-PnPTenantSite : Current user is not a tenant administrator.
At line:5 char:1
+ Get-PnPTenantSite
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Get-PnPTenantSite], ServerException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.GetTenantSite

How do I give the scripts in Azure Automation full SPO admin rights?


Solution

Here is a good cheat sheet for app permissions. To grant full access (tenant admin) you would use the following:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
</AppPermissionRequests>
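As an added example (not part of the question or answer above), here is a small reviewer for AppInv.aspx permission XML: it parses the AppPermissionRequests document, normalises the scope (the question writes `Tenant`, the answer `tenant`), and reports whether the request amounts to app-only tenant admin (tenant scope plus FullControl) or only the weaker Manage right that produced the "not a tenant administrator" error. The two sample documents are the ones quoted on this page; the classification rule follows the answer.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Tenant-wide scope as written in AppInv.aspx permission XML (compared case-insensitively).
TENANT_SCOPE = "http://sharepoint/content/tenant"
KNOWN_RIGHTS = {"Guest", "Read", "Write", "Manage", "FullControl"}

# The two documents quoted on this page: the question's grant and the answer's grant.
QUESTION_XML = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/Tenant" Right="Manage"/>
</AppPermissionRequests>"""
ANSWER_XML = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
</AppPermissionRequests>"""


@dataclass(frozen=True)
class PermissionRequest:
    scope: str   # lower-cased scope URI
    right: str   # one of KNOWN_RIGHTS


def parse_requests(xml_text: str) -> tuple[bool, list[PermissionRequest]]:
    """Return (app_only_enabled, requests) or raise ValueError on a malformed document."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        raise ValueError(f"unexpected root element {root.tag!r}")
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests = []
    for node in root.findall("AppPermissionRequest"):
        scope, right = node.get("Scope"), node.get("Right")
        if not scope or right not in KNOWN_RIGHTS:
            raise ValueError(f"malformed request: Scope={scope!r} Right={right!r}")
        requests.append(PermissionRequest(scope.lower(), right))
    return app_only, requests


def grants_tenant_admin(xml_text: str) -> bool:
    """True only for app-only FullControl at tenant scope; Manage at tenant scope is not enough."""
    app_only, requests = parse_requests(xml_text)
    return app_only and any(r.scope == TENANT_SCOPE and r.right == "FullControl" for r in requests)


def review(xml_text: str) -> list[str]:
    """Findings a reviewer should read before trusting the add-in in AppInv.aspx."""
    app_only, requests = parse_requests(xml_text)
    findings = ["app-only policy enabled: rights apply without a signed-in user"] if app_only else []
    for r in requests:
        if r.scope == TENANT_SCOPE and r.right == "FullControl":
            findings.append("tenant-wide FullControl: equivalent to SPO tenant admin on every site")
        elif r.scope == TENANT_SCOPE:
            findings.append(f"tenant-wide {r.right}: broad, but not tenant admin (Get-PnPTenantSite fails)")
        else:
            findings.append(f"{r.right} on {r.scope}")
    return findings
```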
Licensed under: CC-BY-SA with attribution