
New-PnPTenantSite: The remote server returned an error: (401) Unauthorized.

Recently I was working on automating SharePoint site provisioning with a PnP PowerShell script. We wanted the script to run automatically every hour, so we scheduled it.

Because a scheduled script runs unattended, nobody can sign in interactively when it starts, so we registered a SharePoint Add-in (an app-only principal) to handle authentication.

Register SharePoint Add-ins

  1. Go to <site collection url>/_layouts/15/AppRegNew.aspx by using a web browser.

Figure: the AppRegNew.aspx form, with fields for client ID, client secret, title, add-in domain and redirect URI, Generate buttons beside the first two, and Create and Cancel buttons.

Enter values for the following form fields:
  • Add-in ID. Also known as the client ID; a GUID that can be generated (when you select Generate) or pasted into AppRegNew.aspx. The value must be unique for each add-in and must be lowercase.
  • Add-in Secret. Also known as the client secret, an opaque string. It is generated on the AppRegNew.aspx page by using the Generate button. Treat it as a password: it is the only credential the scheduled job will present, and secrets created here are valid for one year and then have to be replaced.
  • Title: A user-friendly title: for example, Contoso photo printing add-in. Users are prompted to grant or deny the permissions that the add-in is requesting, and this title appears as the name of the add-in on the consent prompt.
  • Add-in Domain: The host name of the remote component of the SharePoint Add-in. If the remote application isn't using port 443, the add-in domain must also include the port number. The add-in domain must match the URL bindings you use for your web application.
  • Redirect URI: The endpoint in your remote application or service to which ACS sends an authorization code. Strictly speaking, SharePoint Add-ins don't use this value. The redirect URI is required for web applications that are launched outside of SharePoint and that use the Authorization Code flow to get authorized access to SharePoint data.

 

Select Create on the form. The page reloads and shows a confirmation of the values that you entered. Record them somewhere you can copy and paste from later; the secret is not displayed again, so put it in a secret store the scheduler can read rather than in the script file.

Setting up an app-only principal with tenant permissions

 

The next step is granting permissions to the newly created principal. Since we're granting tenant-scoped permissions, this can only be done via the appinv.aspx page on the tenant administration site, at https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx. Once the page is loaded, enter your client ID and select Lookup to resolve the created principal:

Grant permissions to new principal

To grant permissions, you provide the permission XML that describes the rights the principal needs. Because this script creates site collections, it needs tenant-scoped FullControl with the app-only policy allowed (AllowAppOnlyPolicy="true"). This is the broadest grant ACS offers, so reserve the principal for this job rather than sharing it with other scripts:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

 

When you click on Create, you'll be presented with a permission consent dialog. Press Trust It to grant the permissions:


With the preparation work done, let's continue to the next part, which shows how to use the created app principal via its client ID and secret.

We connected with the new principal using

Connect-PnPOnline -Url <URL> -ClientId <ClientID> -ClientSecret <ClientSecret>

and then ran New-PnPTenantSite. On every newly created SharePoint tenant the call failed with New-PnPTenantSite: The remote server returned an error: (401) Unauthorized.

This looked odd, because the registration and the permission grant had succeeded. After a lot of research it turned out to be a tenant setting rather than a problem with the add-in: new tenants are created with DisableCustomAppAuthentication set to $true, which rejects app-only tokens obtained from ACS with a client ID and secret (the "custom", legacy app authentication used above). The 401 is that rejection; the connection itself is accepted, and the failure surfaces on the first tenant-level call, here New-PnPTenantSite.

To allow the legacy flow, a SharePoint administrator has to set the flag to $false from the SharePoint Online Management Shell. Note the value: the setting is named DisableCustomAppAuthentication, so it must be $false for client-ID/secret authentication to work.

Connect-SPOService -Url https://contoso-admin.sharepoint.com

Set-SPOTenant -DisableCustomAppAuthentication $false

Before flipping it, be aware of what it does: it re-enables ACS app-only authentication for every add-in principal in the tenant, and the secret generated by AppRegNew.aspx is a long-lived bearer credential that, with the grant above, carries tenant-wide FullControl. Microsoft's recommended direction is an Azure AD (now Microsoft Entra ID) app registration with certificate credentials (Connect-PnPOnline -ClientId <AppId> -Tenant <tenant>.onmicrosoft.com -CertificatePath <pfx>), which works with DisableCustomAppAuthentication left at $true. If you stay with the ACS principal, keep the secret out of the script, restrict who can read it on the scheduler host, and plan for its one-year expiry.
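Putting the pieces together, here is an added example of what the hourly job can look like once the principal is registered and the tenant setting is known. It is not code from the original post: it assumes PnP.PowerShell is installed, that the scheduler passes the client ID and secret through two hypothetical environment variables (PNP_CLIENT_ID and PNP_CLIENT_SECRET) instead of leaving them in the script file, and that the tenant is called contoso. It connects to the admin site (tenant-level cmdlets such as New-PnPTenantSite need that URL), skips sites that already exist so the hourly run is idempotent, and turns the bare 401 into a message that names the tenant setting to inspect.

```powershell
# Added example, not from the original post. Hourly provisioning job using the
# ACS app-only principal registered via AppRegNew.aspx / appinv.aspx above.
# Assumptions (hypothetical names): the scheduler sets PNP_CLIENT_ID and
# PNP_CLIENT_SECRET in the job's environment; the tenant is "contoso".
#Requires -Modules PnP.PowerShell

param(
    [string]$TenantName = 'contoso',
    [string]$SiteUrl    = 'https://contoso.sharepoint.com/sites/project-001',
    [string]$SiteTitle  = 'Project 001',
    [string]$Owner      = 'admin@contoso.onmicrosoft.com',
    [int]   $TimeZoneId = 13   # SharePoint time zone ID; list them with Get-PnPTimeZoneId
)

$clientId     = $env:PNP_CLIENT_ID
$clientSecret = $env:PNP_CLIENT_SECRET
if (-not $clientId -or -not $clientSecret) {
    throw 'PNP_CLIENT_ID / PNP_CLIENT_SECRET are not set for this job.'
}

# Tenant-scoped cmdlets (New-PnPTenantSite, Get-PnPTenantSite) must be issued
# against the admin site, not against an ordinary site collection.
$adminUrl = "https://$TenantName-admin.sharepoint.com"

try {
    Connect-PnPOnline -Url $adminUrl -ClientId $clientId -ClientSecret $clientSecret

    # The job runs every hour, so never try to create a site that already exists.
    $existing = $null
    try { $existing = Get-PnPTenantSite -Identity $SiteUrl } catch { }
    if ($existing) {
        Write-Output "$SiteUrl already exists; nothing to do."
        return
    }

    New-PnPTenantSite -Title $SiteTitle -Url $SiteUrl -Owner $Owner `
        -TimeZone $TimeZoneId -Template 'STS#3' -Wait
    Write-Output "Created $SiteUrl"
}
catch {
    if ($_.Exception.Message -match '\(401\) Unauthorized') {
        # On new tenants DisableCustomAppAuthentication defaults to $true and the
        # ACS (client ID + secret) token is rejected with exactly this error.
        # Say so, so the on-call engineer checks the tenant flag instead of
        # regenerating secrets or re-granting permissions.
        Write-Error ("401 from $adminUrl. Run 'Get-SPOTenant | Select-Object " +
                     "DisableCustomAppAuthentication'; if it is True the tenant " +
                     "blocks ACS app-only auth. Either set it to `$false (this " +
                     "re-enables legacy app auth tenant-wide) or move this job " +
                     "to an Azure AD app registration with certificate credentials.")
    }
    throw
}
finally {
    Disconnect-PnPOnline
}
```

Run it from the scheduler under a dedicated account whose profile is the only place the two environment variables are defined; that keeps the tenant-wide FullControl secret off disk in plaintext and out of the script repository.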

 

Happy development.

 

I came to a requirement wherein I was supposed to get data from an 3 rd party portal using API’s and then bring them to SharePoint server. The first approach that I finalized was just to make BDC solution that will get data from 3 rd party portal and will deploy it to SharePoint. How to Create BDC solution in SharePoint? I found below link that is having really great description about hot to create and deploy the BDC solution to SharePoint. http://www.c-sharpcorner.com/uploadfile/hung123/creating-business-data-connectivity-service-using-visual-studio-2010/ After creating an POC I came to know that BDC model cannot be deployed on Multi tenant farm. So what can be done next? After some amount of googling I came to know that we can create BDC solution using WCF services also. So I created a WCF service solution that acted as a wrapper that used to fetch data from the portal. We can them publish that service to IIS or Server and use the service referen