Need Assistance to grant an Azure Service Principal permission to a Specific M365 SharePoint Site in our tenant

[Smileyville]

Hello. I had originally opened tickets with Microsoft support from Azure & M365 pointed me to this area instead of providing assistance so hope you can help.

We have created an Azure Service Principal and are planning to use the SP to connect to a specific M365 SharePoint site within our tenant.

We have followed the documentation that MS provides, https://learn.microsoft.com/en-us/powershell/module/sharepoint-server/set-spappprincipalpermission?view=sharepoint-server-ps and https://learn.microsoft.com/en-us/answers/questions/2116616/service-principal-access-to-sharepoint-online

The syntax however does not work properly and get errors indicating that that the Syntax is incorrect, not recognizing Get-SPSite, Get AppPrincipalPermission, etc. I have verified that the SPO modules are all installed.

One of the techs had me generate the SP from the SharePoint side, https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs which worked fine. However; once again, trying to connect via the SP provides errors indicating the syntax is not correct.

Please provide any assistance you can in the appropriate syntax via PowerShell to map the SP and SharePoint site regardless if created from SharePoint Online into Azure or starting in Azure and trying to grant permission to SharePoint online site.

Thanks in advance.

[Adam-it]

@Smileyville I think you might be mixing the PowerShell modules you want to use, or you are using and that could explain why you get syntax error as from what I understand you are trying to use SP (SharePoint Server PowerShell dedicated for OnPrem versions) cmdlets together with SPO (SharePoint Online Management Shell which is supposed to be used with SharePoint Online only).

At the beginning you mention using Set-SPAppPrincipalPermission.
This command is part of SharePoint Server PowerShell Snapin. This is a build in PowerShell Snapin which is preinstalled on the server on which you have some version of SharePoint on-prem installed (2016, 2019 or SE). In this case you may use those commands only on the SP server and using either SharePoint Management Shell which is a PowerShell terminal with the SharePoint Server Snapin already preloaded or you may use it in a regular Windows PowerShell also on server but then you will need to load this snapin your own using Add-PSSnapin Microsoft.SharePoint.PowerShell. All command that are [Verb]-SP{Command} are cmldets that are SharePoint Server

Then you reference this guide which actually is using SharePoint Online Management Shell. This is something totally different and this is a PowerShell module you may use on your local machine (outside of any SharePoint Server) to manage SharePoint Online. Aim of this module is to manage SharePoint Online not on Prem. You also may use this module only in windows PowerShell (the old blue terminal) not PowerShell 5 or 7 or higher versions. All command that are [Verb]-SPO{Command} are cmldets that are SharePoint Online Management Shell

Both of the above you may use only in windows PowerShell (old powershell) and the SharePoint Server should rather be used only within SharePoint Management Shell which is only present on SharePoint server machine.

what I think you are doing wrong is you are importing the SharePoint Online Management Shell and trying to use Set-SPAppPrincipalPermission which is a SharePoint Server PowerShell command. I hope my observation and comment will help you solve your problem and push you forward 👍

additional info (just to bring more clarity

You may also stumble upon a 3rd option which is PnP PowerShell. This is a modern and community driven PowerShell module also to manage SharePoint Online only. This may be used in modern PowerShell like v7 and its commands are [Verb]-PnP{Command}

and then last but not least (best option IMO 😜) you may find CLI for Microsoft 365 which is CLI tool you may run in any shell (not only PowerShell) and on any kind of machine (Windows, Mac, Linux etc.) that allows you to manage Microsoft 365 (and SharePoint Online along as well). It has totally different way of specifying commands and is totally different tech than the above.

Happy Coding!

[Smileyville]

Hello. Thank you for your response, you are probably right on mixing the syntax for the different modules. I am definitely just wanting to do this from the SharePoint Online perspective as that is where the site is in SharePoint Online (M365) and Azure where the Service Principal is. I do think the PowerShell version is an issue. I get errors when trying either flavor. I will try your last suggestion of the CLI and see if it gets me past the hurdle. I appreciate your help.

[Adam-it]

To use SPO management shell you need to use windows powershell,
Just hit start and write windows powershell and hit enter.
After that you need to install the module running

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

if you had already installed it the past you may first check if you have it running

Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

Then either in your script or in the terminal just import the module using

Import-Module Microsoft.Online.SharePoint.PowerShell

to login just run (with your SPO admin URL of course 😉)

Connect-SPOService -Url https://tenanttocheck-admin.sharepoint.com/

and that's it. It just works

TBH I am not sure if SPO allows to sign as an app for script cases. I never used it this way

[Smileyville]

I appreciate you hanging in there with me.

Interesting, My version

Name Version

---

Microsoft.Online.SharePoint.PowerShell 16.0.25912.12000
Microsoft.Online.SharePoint.PowerShell 16.0.23109.0

PS C:\Program Files\PowerShell\7> Connect-SPOService -URL https://Mytenant-admin.sharepoint.com/
Connect-SPOService: No valid OAuth 2.0 authentication session exists

[Smileyville]

Tried the same commands on a different system,

Microsoft.Online.SharePoint.PowerShell 16.0.25912.12000
Microsoft.Online.SharePoint.PowerShell 16.0.25814.12000

Powershell version 5.1.19041.5737 where I am able to connect to the Tenant Admin Site. So versions are definitely part of this.

I did try before within this other system (VM) to connect and got the syntax errors for the Grant access. So tried again, I am able to connect to tenant admin but fail with the following

$appId = "your-app-id"
$siteUrl = "https://[your-site-url]"
$permission = "Read"
$app = Get-SPOAppPrincipal -Site $siteUrl -AppId $appId
Set-SPOAppPrincipalPermission -Site $siteUrl -AppPrincipal $app -Scope Site -Right $permission

Result:
_et-SPOAppPrincipal : The term 'Get-SPOAppPrincipal' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:10

• $app = Get-SPOAppPrincipal -Site $siteUrl -AppId $appId

•      ~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Get-SPOAppPrincipal:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException_

[Adam-it]

first of all I see you have multiple versions of Microsoft.Online.SharePoint.PowerShell module. Try to uninstall all of them and install only single latest version. In future if you already have the SPO management shell module installed you should update it using Update-Module instead of installing a newer version.

as for the message you get it is correct. If you check the list of cmdlets there is no Get-SPOAppPrincipal command in SPO management shell.
why are you looking for an app principals? those were deprecated in SPO some time ago with the deprication of Add-in model for SharePoint Online
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-ins-and-azure-acs-retirements-faq#when-i-use-appregnewaspx-the-created-acs-principals-show-up-in-entra

Currently you should only based on modifying Application Registrations which you setup in Entra ID which I though you mentioned in the initial post in this discussion 🤔. If you wish to modify you app reg to update it's permissions like add additional scope or remove then unfortunately SPO management shell will not help you with that 🫤 as it only allows to manage SharePoint Online and your app reg is part of Entra Id. In that case you will need to use either PnP PowerShell or CLI for Microsoft 365 or Azure CLI

[Smileyville]

Following your recommendation to install the M365 shell, https://pnp.github.io/cli-microsoft365/, I am going to sound like a newbie but how exactly? Via PowerShell or Command Line they don't recognize the cmdlet, etc.

[Adam-it]

by 'M365 shell' you mean CLI for Microsoft 365, right? No need to apologize. everybody starts at some point.
To use CLI for Microsoft 365 you need to have Node.js installed v22 since CLI is a npm package.
After you have Node.js installed you may instal CLI for Microsoft 365 running

npm i -g @pnp/cli-microsoft365

Once you have it you need to create an app req on your tenant which CLI will use to authenticate towards your tenant. We made this quite easy sing the m365 setup command.
Also here you may find a recording how to setup CLI with the app at the very start (I did this recording sometime ago) -> https://www.youtube.com/watch?v=XFG8gVGvXpA

After you have CLI app req on your tenant you may sign in to your tenant using CLI in multiple ways, as an user for executing commands from any shell or as an app (for example the app reg you created) to run in scheduled scripts
the m365 login command docs has many examples how to go about each possible sign in option

[Smileyville]

Trying the syntax here, https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spoapplicationpermission?view=sharepoint-ps, Maybe we are not approaching correctly. Ultimately, Databricks is the one using the Service Principal to connect to SharePoint Online. So the developer trying to accomplish this is simply trying to call the Service Principal's information that was input into the Keyvault to connect to the SharePoint site to retrieve data. This is a sample of their code which they are using in a Databricks notebook to connect, which may help in getting us setup the next steps - as currently this always fails with a token access error which seems to imply the permission is not applied which circles back to what I'm trying to do with the syntax errors.

import msal
import requests

# Define your app registration details
client_id =  dbutils.secrets.get(scope = "key-vault", key = "Databricks-toSP-Test-client-id")
client_secret =  dbutils.secrets.get(scope = "key-vault", key = "Databricks-toSP-Test-secret")
tenant_id = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

# Get an authentication token using MSAL
authority = f"https://login.microsoftonline.com/{tenant_id}"
scope = ["https://graph.microsoft.com/.default"]

# Build the app object
app = msal.ConfidentialClientApplication(
    client_id, 
    authority=authority, 
    client_credential=client_secret
)

# Get token
token_response = app.acquire_token_for_client(scopes=scope)
access_token = token_response['access_token']

# Prepare headers for SharePoint API request
headers = {
    'Authorization': f'Bearer {access_token}',
    'Accept': 'application/json'
}

# Define the SharePoint URL (replace this with your SharePoint site and list)
#sharepoint_site_url = 'https://site.sharepoint.com/sites/SiteItself/Lists/Data/AllItems.aspx'
sharepoint_site_url = 'https://site.sharepoint.com/sites/SiteItself/Lists/Data/AllItems.aspx'

# Get the data (this could be list items, files, etc. based on the API used)
response = requests.get(sharepoint_site_url, headers=headers)

if response.status_code == 200:
    data = response.json()  # or handle raw file data
    print(data)
else:
    print("Error:", response.status_code, response.text)

Thanks for your help.

[Adam-it]

hmmm. ok thanks for the additional context. I am not sure how Databricks Workspace works but Service Princiapls in SPO and everything connected to ACS model was deprecated in December 2024 so this path of managing and handling permissions is a no go in SharePoint Online/Microsoft 365 world

What you only may do now which is a lot better is creating Application Registrations (app reg) in Entra ID and using either some CLI or Entra ID portal provide the (depending on how it will be used) needed Delegated or Applciation scopes. For your case most probably and Sites.ReadAll will be enough and even most probably too much but you may start with that. Then you may use Sites.Selected permission to trim this to a single SharePoint Site. Your Team should use this app reg cliend Id an tenant Id to perform auth towards your tenant and retrieve the data from this SharePoint Site. From the code you provided above I see they will need a client secret to perform sign in which you may generate using Entra ID in the app reg settings page as well.

So to sum up, I believe what you need is to:

1. Create an app reg in Entra ID
2. in the API permissions section of your app reg - Add the Sites.ReadAll (for start) application permission to it and do admin consent
3. in the Certificate & secrets section of your app reg - generate a new secret for your app
4. send over to the dev team the client ID, tenant ID (those you may find from the overview page) and the secret.

All of this you may do from the Entra ID UI (the web page) and you don't require to use any CLI or PowerShell module for that.
If you do want to use some CLI then (as mentioned in some other response) SPO management shell will not help you here as it is only to manage SharePoint Online and not Entra ID. You may use either CLI for Microsoft 365 or PnP PowerShell (both allow to manage Microsoft 365 not just SharePoint Online) or Azure CLI

[Adam-it]

Also I noticed just now in the code you shared above the add the msgraph default scope so most probably you will also need to add MSGraph Sites.Read.All permission as well to your app reg

[Smileyville]

Thanks, saw that as well. Good to know some of this is deprecated as I suspected, so with that we may need to look another way to authenticate as we have already applied the permissions.

So, I truly appreciate all your help. I'm starting to think I am digging into the wrong place, maybe my ultimate goal belongs in a Databricks Group?

[Adam-it]

and what error are you getting? is it when you try to auth or retrieve data from the SharePoint Site?

[Smileyville]

Good morning. Right now we cannot Authenticate and get the Getting : Error: 401 401 UNAUTHORIZED within Databricks or Error acquiring token: unauthorized_client AADSTS700016: . Ultimately we want the data, but we can't get connected thus far.