This is a fantastic video for setting up the App. I was able to setup the app using the MS docs and information but watching this video helped me understand it even better.
Great to hear! 🧡
Thanks, very useful as in few minutes I managed to create the app registration and to connect!
Glad it helped!
Thanks for your explanations. How is it possible to register an app granting full control only for a specified site collection?
The provided information is not accurate and the command (Register-PnPEntraIDAppForInteractiveLogin) does not generate any certificate! (min 7:48)
The Register-PnPEntraIDAppForInteractiveLogin does *not* generate a certificate, however, the cmdlet that I talk about during the time you specified, is Register-PnPEntraIDApp which *does* generate a certificate.
Register-PnPEntraIDApp is basically there to help you set up an Entra ID App registration that you can use for unattended (certificate-based) logins. Register-PnPEntraIDAppForInteractiveLogin is there to set up a registration for you to use with interactive login (e.g. username/password with multi-factor in place).
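The distinction in the reply above, shown as an added PowerShell example (not code from the video or from the PnP PowerShell project). The tenant name, application names, output path and certificate password are placeholders; the permission scopes passed to the two cmdlets are assumptions chosen to illustrate the parameters and should be replaced by the minimum your scripts actually need.

```powershell
# Added example: the two registration paths described in the reply.
# Assumes PnP.PowerShell is installed and the account running this can
# create app registrations in the tenant (placeholder: contoso.onmicrosoft.com).
$tenant = 'contoso.onmicrosoft.com'

# 1) Unattended (certificate-based) registration.
#    Register-PnPEntraIDApp creates the app AND generates a self-signed
#    certificate, writing the .pfx/.cer files to -OutPath. Application
#    permissions here are illustrative assumptions, not a recommendation.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Register-PnPEntraIDApp `
    -ApplicationName 'PnP-Unattended-Example' `
    -Tenant $tenant `
    -OutPath 'C:\certs' `
    -CertificatePassword $pfxPassword `
    -SharePointApplicationPermissions 'Sites.Read.All' `
    -GraphApplicationPermissions 'User.Read.All' `
    -Interactive

# Connect later, from a scheduled job, with the generated certificate.
# Replace <CLIENT-ID> with the AppId printed by the registration cmdlet.
Connect-PnPOnline `
    -Url 'https://contoso.sharepoint.com' `
    -ClientId '<CLIENT-ID>' `
    -Tenant $tenant `
    -CertificatePath 'C:\certs\PnP-Unattended-Example.pfx' `
    -CertificatePassword $pfxPassword

# 2) Interactive registration.
#    Register-PnPEntraIDAppForInteractiveLogin creates an app for delegated
#    (user-context) sign-in and does NOT generate a certificate; the user
#    signs in with their own credentials and MFA.
Register-PnPEntraIDAppForInteractiveLogin `
    -ApplicationName 'PnP-Interactive-Example' `
    -Tenant $tenant `
    -SharePointDelegatePermissions 'AllSites.Read' `
    -GraphDelegatePermissions 'User.Read' `
    -Interactive
```

The certificate flow is the one to use for scheduled or service jobs, because no human is present to complete MFA; keep the exported .pfx and its password out of the script itself (a secret store or the machine certificate store) and grant the application permissions only as broad as the job requires.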
As non-admin, can we register Entra App and add permissions manually in UI and then ask GA to consent instead of using cmdlet?
I am trying to understand the purpose of the -SharePointApplicationPermissions and -GraphApplicationPermissions parameters in the Register-PnPEntraIDAppForInteractiveLogin command. If the sole purpose of using the app is for interactive login (i.e., user context with user permissions), why are these parameters needed?
And I would like to know if using the -GraphDelegatePermissions and -SharePointDelegatePermissions parameters with the required permissions will help exclude the default 4 delegated permissions (AllSites.FullControl, Group.ReadWrite.All, User.ReadWrite.All, TermStore.ReadWrite.All) that are automatically added when provisioning the app.
Without a secret or certificate, can we connect to SharePoint using an app registration?
Hello, thanks Erwin, and I wonder if a non-admin can register an Entra App and add permissions manually and ask a GA to consent once this app is created.
You will still need admin permissions to create the app before the consent. It is possible, manually, to create the app in Entra ID, set the permissions from there, and provide consent. So it's something a GA can do without needing to run cmdlets. They can then provide you with the ID of app to use for authentication
@ErwinvanHunen after we register our app, during authentication I receive "AADSTS500113: No reply address is registered for the application." error. What am I missing?
Hello, thank you for the video. I am working on a GCC High environment and the above registration (unattended) doesn't work. It's unable to get the token using the -Interactive method. Any suggestions?
As I don't have access to a GCC high environment (I'm located in Sweden) it will be a bit of a challenge to figure out where this potentially goes wrong. But I will contact people on the other side of the ocean at MS and check if they can help me debug this issue. You should however be able to manually register the application in your Entra ID, with the right permissions, add localhost as the redirect URL for the app (that is required for interactive login) and then use the ID of that app to authenticate.
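An added PowerShell example (not from the video or the PnP PowerShell project) for the manual-registration route described in the reply above, also covering the AADSTS500113 error reported earlier in the thread. It assumes the app was created by hand in Entra ID with `http://localhost` as a redirect URI on a public client/mobile-and-desktop platform, and that the client ID and tenant name below are placeholders you replace with your own.

```powershell
# Added example: interactive login against a manually registered app.
# Assumes the registration already exists; this script only connects and
# reports the most common misconfiguration in a readable way.
$clientId = '<CLIENT-ID>'                 # placeholder: AppId of the manual registration
$tenant   = 'contoso.onmicrosoft.com'     # placeholder tenant
$siteUrl  = 'https://contoso.sharepoint.com/sites/example'

try {
    # Interactive login opens the browser; the token is returned to the
    # http://localhost redirect URI, which is why that URI must be registered.
    Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant -Interactive
    $ctx = Get-PnPConnection
    Write-Host "Connected to $($ctx.Url) as app $clientId"
}
catch {
    $msg = $_.Exception.Message
    if ($msg -match 'AADSTS500113') {
        # No reply address registered: add http://localhost under
        # Authentication > Mobile and desktop applications on the app, then retry.
        Write-Warning 'AADSTS500113: the app has no redirect URI. Add http://localhost to the registration.'
    }
    elseif ($msg -match 'AADSTS700016') {
        # Application not found in the directory: wrong tenant or wrong client ID.
        Write-Warning 'AADSTS700016: app not found. Check -Tenant and -ClientId match the registration.'
    }
    else {
        throw
    }
}
```

Matching on the AADSTS code rather than the full message text keeps the check stable across localized error strings; the code for a missing reply address is the one quoted in the thread, and the "application not found" code is an assumption added here for the wrong-tenant symptom described below.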
@ErwinvanHunen - Thank you! I will try to manually register and check.
@vivekm75murali Were you able to manually register the application? I'm able to create the registration fine, but when I try to connect using PowerShell, it's unable to reach the registered application and suggests I may be using the wrong tenant....
Jeez ended up here after all my scripts stopped working while I was off sick. My admins are going crazy.
This whole breaking change sucks
That's great and all, but we were using credential manager with a service account where we specified which sites it had access to.
But the permissions you're showing are tenant wide, whether it's write or read or full control. We would rather have site by site access, how can we achieve this?
Please use the GitHub discussions for any questions with the PnP PowerShell crew - they are happy to help for sure - github.com/pnp/powershell/discussions. Required permissions are always 100% dependent on what you are trying to achieve. You can also grant site-specific permissions in SharePoint Online, but it all depends on your exact objectives and which APIs you are planning to use, so please provide that detail also in the discussion.
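An added PowerShell example (not from the video or the PnP PowerShell project) of the site-specific grant the reply above mentions. It assumes the unattended app was registered with the `Sites.Selected` application permission instead of a tenant-wide scope, that the grant is issued by an administrator connection that holds `Sites.FullControl.All`, and that the cmdlet name `Grant-PnPAzureADAppSitePermission` is current in your installed module version (confirm with `Get-Command -Module PnP.PowerShell -Name '*SitePermission*'`). Client ID, tenant and site URLs are placeholders.

```powershell
# Added example: scope an unattended app to individual sites with Sites.Selected.
# Step 1 (one-time, admin): register the app with Sites.Selected only, so it has
# no access anywhere until a site is explicitly granted.
$tenant = 'contoso.onmicrosoft.com'          # placeholder tenant
$appId  = '<CLIENT-ID>'                      # placeholder AppId of the scoped app

# Step 2 (admin): connect with an identity allowed to manage site permissions
# and grant the app access to each site it should work on, at the lowest level
# that does the job (Read, Write, Manage or FullControl).
Connect-PnPOnline -Url 'https://contoso.sharepoint.com' -Interactive -ClientId '<ADMIN-APP-CLIENT-ID>'

$sites = @(
    @{ Url = 'https://contoso.sharepoint.com/sites/finance'; Permission = 'Write' },
    @{ Url = 'https://contoso.sharepoint.com/sites/hr';      Permission = 'Read'  }
)

foreach ($s in $sites) {
    # Assumed cmdlet name; the grant is recorded on the site, not on the app registration.
    Grant-PnPAzureADAppSitePermission `
        -AppId $appId `
        -DisplayName 'PnP-Scoped-Job' `
        -Site $s.Url `
        -Permissions $s.Permission
    Write-Host "Granted $($s.Permission) on $($s.Url) to $appId"
}

# Step 3 (job): the scoped app connects with its certificate as before and can
# only reach the sites granted above; any other site URL fails with 403.
```

Because the grant lives on the site rather than in the app registration, it is the site list you audit and revoke when the job's scope changes; tenant-wide application permissions such as Sites.FullControl.All are the setting to avoid when the service account previously only ever needed a handful of sites.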
Thanks Erwin and no wonder why you are called father of PnP Powershell but you rarely say it in your introduction :)
After trying to run the Register-PnPEntraIDApp, I get the 'is not recognized as the name of a cmdlet, function...' error... What is required to run this?
Please use the GitHub repository as the primary location to ask questions - please see the following issue for guidance - github.com/pnp/powershell/issues/4250
Most likely you are running an older version of PnP PowerShell and an update is required.
**swallows loudly**