Authentication change in PowerShell to connect to SharePoint site

Jyothsna Radha

In SharePoint, making changes or bulk updates through the UI can become cumbersome. PowerShell is the usual way around this. Microsoft's "SharePoint Online Management Shell" module is not deprecated, but the newer "PnP PowerShell" module (from the open-source PnP project) packages what used to be several standalone modules into a single module you import for administrative tasks.

Connect-PnPOnline is the cmdlet used to connect to a SharePoint site. This blog focuses on SharePoint Online.

Refer to the PnP documentation for the cmdlet:

PNP - Connect-PnPOnline

The command below is no longer supported. It was handy for scheduled scripts that ran under a stored service account's username and password:

Connect-PnPOnline -Url "https://contoso.sharepoint.com" -Credentials (Get-Credential)

The following command is also not supported with an Entra ID app registration, because -ClientSecret uses the legacy ACS (Azure Access Control Services) app-only authentication, which is being retired:

Connect-PnPOnline -Url $siteurl -ClientId 344b8aab-389c-4e4a-8fa1-4c1ae2c0a60d -ClientSecret $clientSecret

As part of this evolution of Microsoft 365 solutions we will be retiring the use of Azure ACS (Access Control Services) for SharePoint Online auth needs and believe Microsoft 365 customers will be better served by modern auth offered via Microsoft Entra ID. ACS will stop working for new tenants as of November 1st, 2024 and it will stop working for existing tenants and will be fully retired as of April 2nd, 2026. This applies to all environments including Government Clouds and Department of Defense.

ACS retirement announcement

The interactive command also fails now, with the following error:

Connect-PnPOnline -Url $siteurl -Interactive

AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e' was not found in the directory 'Scientific Games, LLC'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

The application ID in that error, 31359c7f-bd7e-475c-86db-fdb8c937548e, is the shared multi-tenant "PnP Management Shell" app that PnP PowerShell used by default; its registration was removed in September 2024, so the module now requires you to pass the -ClientId of your own app registration. The recommended path is therefore to register an app in Entra ID and give it Graph API access to only the specific site collection(s) it needs.

Give the app access to a specific SharePoint site using an Entra ID (Azure AD) API permission:

You can achieve this in two steps:

  1. Set up API Permission from App registration

  2. Grant app access to the specified site collection

    In Entra ID (Azure AD), select your app registration, go to API permissions and click Add a permission. Because this app will connect to individual site collections, give it the Microsoft Graph application permission Sites.Selected (and the SharePoint application permission Sites.Selected as well if it will use the SharePoint REST/CSOM API, which PnP cmdlets such as Get-PnPWeb do). Sites.Selected grants nothing by itself; access to each site collection is granted separately in step 2.

    Don't give Sites.FullControl.All: it gives the app full control over every SharePoint site in the tenant, which violates the principle of least privilege.

    Grant admin consent for the permission.

Now it's time to grant the app a permission level on the specific site collection.

$appId = "c54611f1-d8X0-4bef-9921-3000fa89b061"
$siteCollUrl = "https://sitecollectionURL"
$appDisplayName = "YourAppName"
Write-Host "Connecting to your site."
Connect-PnPOnline -Url $siteCollUrl -Interactive
Write-Host "Granting app $appDisplayName access"
# Look up the app's existing Sites.Selected grant on this site collection and change its level.
# Levels are Read, Write, Manage and FullControl; use the lowest level the script actually needs.
$appPermission = Get-PnPAzureADAppSitePermission -Site $siteCollUrl -AppIdentity $appId
Set-PnPAzureADAppSitePermission -Site $siteCollUrl -PermissionId $appPermission.Id -Permissions "FullControl"

Running these site-permission cmdlets against Microsoft Graph from that connection fails (the author hit it on Grant-PnPAzureADAppSitePermission) with:

"Grant-PnPAzureADAppSitePermission: AADSTS65002: Consent between first party application '9bc3ab49-b65d-410a-85ad-de819febfddc' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 9f0541a0-3e3a-4586-b289-39c61bda8b00 Correlation ID: 2beb91c8-d096-43cd-9e8c-961a4197bab4 Timestamp: 2025-07-28 15:53:11Z"

What it means:

The app the connection is using (9bc3ab49-b65d-410a-85ad-de819febfddc, the SharePoint Online Management Shell client, not an app you registered) is a first-party Microsoft app.

It is requesting a token for another first-party resource (00000003-0000-0000-c000-000000000000, Microsoft Graph) with a scope it has not been preauthorized for.

Microsoft does not allow its first-party apps to be consented to other first-party resources unless that combination is preauthorized by Microsoft.

This is by design: a tenant admin cannot grant permissions between Microsoft's own apps, so the Graph calls that manage site permissions have to come from an app registration of your own.

Steps to resolve: register a parent (admin) app of your own and use it to grant the first app access to a selected site collection.

Register an app in Entra ID (Azure AD) in the Azure portal:

Add API permissions:

Microsoft Graph → Sites.FullControl.All (application permission; granting or changing site permissions through Graph needs this, Sites.Read.All is not enough)

Grant admin consent.

Create and upload a certificate to the app.

# Create a self-signed certificate in the current user's store for app-only authentication.
$cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" `
    -Subject "CN=PnP PowerShell App Only Cert" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(2) `
    -KeyLength 2048

# Prompt for the PFX password instead of hard-coding it in the script.
$pfxPassword = Read-Host -Prompt "Password to protect the exported PFX" -AsSecureString

# The .pfx contains the private key (keep it secret); the .cer contains only the public key and is what you upload.
Export-PfxCertificate -Cert $cert -FilePath "C:\PnPCert.pfx" -Password $pfxPassword
Export-Certificate -Cert $cert -FilePath "C:\PnPCert.cer"

You'll use PnPCert.pfx (private key) to authenticate and upload PnPCert.cer (public key only) to Entra ID. To upload the certificate to the app: go to your app → Certificates & secrets

Click Upload certificate

Select PnPCert.cer → Click Add

Assign Graph API permissions:

In your app → API permissions → Add the following:

For Microsoft Graph:

  • Application permissions:

    Sites.FullControl.All (required to grant or change site permissions through Graph; Sites.Read.All alone is not enough for this parent app)

  • For SharePoint:

    Application permissions:

    Sites.FullControl.All

Click Add permissions.

Then click "Grant admin consent" for your tenant. These permissions make the parent app tenant-wide, so treat its certificate as a highly privileged secret and use this app only for granting access, never in the scheduled script itself.

Now connect to the site collection using the parent app's client ID and certificate:

# Same password you supplied when exporting the PFX; prompt for it rather than storing it in the script.
$certPassword = Read-Host -Prompt "Parent app PFX password" -AsSecureString

Connect-PnPOnline `
  -Url "https://sitecollectionURL" `
  -ClientId "<your-client-id>" `
  -Tenant "<yourtenant>.onmicrosoft.com" `
  -CertificatePath "C:\PnPCert.pfx" `
  -CertificatePassword $certPassword

From this connection, grant the initial (target) app, the one your scheduled script will use, a permission level on the site collection. The example below uses FullControl; pick the lowest level the script needs (Read, Write, Manage or FullControl):

Grant-PnPAzureADAppSitePermission `
  -AppId "<target-app-id>" `
  -DisplayName "MyTargetApp" `
  -Permissions FullControl
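The grant above fails if the target app already has a permission entry on that site, and it gives no feedback on what ended up being granted. The following script, added here as an example and not taken from the original post, does the same step idempotently: it connects as the parent app with its certificate, creates the grant if none exists, updates it if the level differs, and reads the result back. The tenant, client IDs, site URL, PFX path and the "Write" level are placeholders chosen for the example.

```powershell
# Added example (not from the original post): idempotent Sites.Selected grant.
# Connects as the parent (admin) app with its certificate, then either creates a
# grant for the target app on one site collection or updates the existing one.
# All identifiers, the site URL and the PFX path are placeholders (assumptions).

$tenant         = 'contoso.onmicrosoft.com'
$parentClientId = '<parent-app-client-id>'        # app holding Sites.FullControl.All
$targetAppId    = '<target-app-id>'               # app holding Sites.Selected
$targetAppName  = 'MyTargetApp'                   # display name stored on the grant
$siteUrl        = 'https://contoso.sharepoint.com/sites/Finance'
$level          = 'Write'                         # Read | Write | Manage | FullControl

# Prompt for the parent app's PFX password rather than storing it in the script.
$pfxPassword = Read-Host -Prompt 'Parent app PFX password' -AsSecureString

Connect-PnPOnline -Url $siteUrl -ClientId $parentClientId -Tenant $tenant `
    -CertificatePath 'C:\certs\ParentApp.pfx' -CertificatePassword $pfxPassword

# A Sites.Selected grant is per site collection, so check this site for an
# existing grant for the target app before creating another one.
$existing = Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $targetAppId

if ($null -eq $existing) {
    Write-Host "No grant for $targetAppName on $siteUrl; creating '$level'."
    Grant-PnPAzureADAppSitePermission -Site $siteUrl -AppId $targetAppId `
        -DisplayName $targetAppName -Permissions $level | Out-Null
}
elseif ($existing.Roles -contains $level) {
    Write-Host "$targetAppName already has '$level' on $siteUrl; nothing to do."
}
else {
    Write-Host "Changing $targetAppName from '$($existing.Roles -join ',')' to '$level'."
    Set-PnPAzureADAppSitePermission -Site $siteUrl -PermissionId $existing.Id `
        -Permissions $level | Out-Null
}

# Read the grant back so the change is verified rather than assumed.
Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $targetAppId |
    Select-Object Id, Roles, Apps | Format-List

Disconnect-PnPOnline
```

Run it once per site collection the scheduled script needs; because it checks before it grants, re-running it is safe and can double as a drift check that the app still has only the level you intended.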

Create a certificate for the initial (target) app, following the same process as for the parent app. Use a different subject and different file names so you don't overwrite the parent app's certificate, and keep the two private keys separate: the parent app's key can control every site in the tenant, the target app's key only the site collections it was granted.

$cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" `
    -Subject "CN=PnP Target App Cert" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(2) `
    -KeyLength 2048

# Prompt for the PFX password instead of hard-coding it.
$pfxPassword = Read-Host -Prompt "Password to protect the exported PFX" -AsSecureString

Export-PfxCertificate -Cert $cert -FilePath "C:\TargetAppCert.pfx" -Password $pfxPassword
Export-Certificate -Cert $cert -FilePath "C:\TargetAppCert.cer"

You'll use TargetAppCert.pfx (or the certificate in your store) to authenticate and upload TargetAppCert.cer to the target app. Upload the certificate to the Entra ID app: go to the target app → Certificates & secrets

Click Upload certificate

Select TargetAppCert.cer → Click Add

Now use the target app to connect to the SharePoint site from the scheduled script, using the certificate thumbprint:

Connect-PnPOnline -Url "https://sitecollectionURL" -ClientId 6c5c98c7-e05a-4a0f-bcfa-0cfc65aa1f28 -Tenant 'contoso.onmicrosoft.com' -Thumbprint 34CFAA860E5FB8C44335A38A097C1E41EEA206AA

On Windows, -Thumbprint looks the certificate up in the current user's certificate store (Cert:\CurrentUser\My), which is where New-SelfSignedCertificate created it, so the scheduled task must run as that user (or the certificate must be imported into that account's store). You can read the thumbprint from the store or from the exported .cer file:

# Option 1: from the certificate store, by the subject you used when creating it
$storeCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=PnP Target App Cert" }
Write-Output "Thumbprint (store): $($storeCert.Thumbprint)"

# Option 2: from the exported .cer file (replace with your actual path)
$certPath = "C:\Path\To\YourCertificate.cer"
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)

# Display the thumbprint (removes whitespace just in case)
$thumbprint = $cert.Thumbprint -replace '\s', ''
Write-Output "Thumbprint (file): $thumbprint"
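Once the scheduled script can connect, it is worth proving that the target app's access really is limited to the granted site collection. The script below is an added example, not part of the original post: it connects as the target app with its thumbprint and attempts a read on two sites, one that was granted and one that was not, and fails loudly if either result is not what least privilege requires. The tenant, app ID, thumbprint and site URLs are placeholders. It assumes the target app holds the SharePoint application permission Sites.Selected with admin consent, because Get-PnPWeb calls the SharePoint API rather than Graph.

```powershell
# Added example (not from the original post): check that the target app's access
# is scoped to the granted site collection only. Identifiers, URLs and the
# thumbprint are placeholders (assumptions). Assumes the target app holds the
# SharePoint application permission Sites.Selected, since Get-PnPWeb uses the
# SharePoint API.

$tenant      = 'contoso.onmicrosoft.com'
$targetAppId = '<target-app-id>'
$thumbprint  = '<target-app-cert-thumbprint>'   # certificate must be in Cert:\CurrentUser\My
$grantedSite = 'https://contoso.sharepoint.com/sites/Finance'
$otherSite   = 'https://contoso.sharepoint.com/sites/HR'   # no grant expected here

function Test-PnPSiteAccess {
    param([Parameter(Mandatory)][string]$Url)
    # Token issuance succeeds for any site URL; the Sites.Selected check happens
    # on the first request, so the read is what proves or disproves access.
    try {
        Connect-PnPOnline -Url $Url -ClientId $targetAppId -Tenant $tenant -Thumbprint $thumbprint
        $web = Get-PnPWeb -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Access = $true;  Detail = "Title: $($web.Title)" }
    }
    catch {
        # Expect a 401/403 'Access denied' here for sites without a grant.
        [pscustomobject]@{ Url = $Url; Access = $false; Detail = $_.Exception.Message }
    }
    finally {
        Disconnect-PnPOnline -ErrorAction SilentlyContinue
    }
}

$results = @(Test-PnPSiteAccess -Url $grantedSite; Test-PnPSiteAccess -Url $otherSite)
$results | Format-Table -AutoSize

# Fail loudly if the scoping is not what you expect, e.g. as a post-deployment check.
if (-not $results[0].Access) { throw "Target app cannot read $grantedSite; check the Sites.Selected grant." }
if ($results[1].Access)      { throw "Target app can read $otherSite; it has broader access than intended." }
```

If the second site is readable, the app registration is carrying a tenant-wide permission such as Sites.FullControl.All instead of Sites.Selected, or an unintended grant exists on that site; either way the script should not ship until that is fixed.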

Conclusion: with the shared PnP Management Shell app gone and ACS on its way out, unattended scripts against SharePoint Online should use app-only authentication with your own Entra ID app registration and a certificate, scoped with Sites.Selected to only the site collections they need. Interactive sign-in still works, but it too now requires the -ClientId of your own app registration.

Comment for any clarifications or issues. Happy to help!


Written by Jyothsna Radha

I'm a passionate problem-solver who thrives on coding and tackling complex challenges. With deep expertise as an Okta administrator, I specialize in Single Sign-On (SSO) and Multi-Factor Authentication (MFA). My experience spans numerous integration and deployment projects on Azure. I've also led successful digital transformation initiatives using Microsoft's low-code/no-code solutions, particularly the Power Platform.