This repository has been archived by the owner on Jan 19, 2021. It is now read-only.

[BUG] Term Store PnP functions fail when using Connect-PnPOnline -SPOManagementShell #3020

Open
acou1304 opened this issue Dec 5, 2020 · 7 comments


acou1304 commented Dec 5, 2020

I have a client environment that is using ADFS and MFA. In my own dev tenant I have neither, but for testing purposes I used Connect-PnPOnline -Url -ClearTokenCache -SPOManagementShell (note that when using the -WebLogin option in the customer's tenant you just get a blank popup screen).

When using that authentication option, although Get-PnPTerm works, New-PnPTerm does not and results in Access denied.

If I switch to using the -WebLogin option in my tenant, the above command works fine (but unfortunately as I stated above, this option does not work in my client's ADFS/MFA environment).

I need a way to reliably script against the term store. I am using version 3.25.2009.1 of SharePointPnPPowerShellOnline (I had to uninstall the latest and install this version because of #2983).

  1. Is the issue related to the cmdlet itself, its parameters, the syntax, or do you suspect it is the code of the cmdlet that is causing the issue? Then please continue reporting the issue in this repo.
    I suspect the code of the cmdlet.

  2. If you think that the functionality might be related to the underlying libraries that the cmdlet is calling (We realize that might be difficult to determine), please first double check the code of the cmdlet, which can be found here: https://github.com/pnp/PnP-PowerShell/tree/master/Commands. If related to the cmdlet, continue reporting the issue here, otherwise report the issue at https://github.com/pnp/PnP-Sites-Core/issues
    I assume the issue has something to do with the underlying authentication code.

Reporting an Issue or Missing Feature

New-PnPTerm failing with Access Denied when using Connect-PnPOnline -SPOManagementShell

Expected behavior

New-PnPTerm should work.

Actual behavior

    New-PnPTerm : Access denied. You do not have permission to perform this action or access this resource.
    At line:1 char:1
    + New-PnPTerm -TermGroup "Fileshare Metadata" -TermSet "Topic" -Lcid 1 ...
        + CategoryInfo          : WriteError: (:) [New-PnPTerm], ServerUnauthorizedAccessException
        + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Taxonomy.NewTerm

Steps to reproduce behavior

Login to any tenant using the SPOManagementShell option, then try to create a term using Add-PnPTerm.

Which version of the PnP-PowerShell Cmdlets are you using?

  • [ ] PnP PowerShell for SharePoint 2013
  • [ ] PnP PowerShell for SharePoint 2016
  • [ ] PnP PowerShell for SharePoint 2019
  • [x] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

(you can retrieve this by executing Get-Module -Name sharepointpnppowershell* -ListAvailable)
3.25.2009.1

How did you install the PnP-PowerShell Cmdlets?

  • [ ] MSI Installer downloaded from GitHub
  • [x] Installed through the PowerShell Gallery with Install-Module
  • [ ] Other means
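A small pre-flight probe for the failure mode this issue reports (reads succeed, the first write throws ServerUnauthorizedAccessException). This is an added example, not code from the issue or from the PnP project. It assumes an existing PnP connection, the term group and term set names used in the report, an LCID of 1033 (the original command is truncated at -Lcid), and a made-up throwaway term name.

```powershell
# Added example: probe whether the current PnP connection can both read and
# write the term store before a long migration script depends on it.
# Assumptions: already connected with Connect-PnPOnline; LCID 1033 is assumed;
# the probe term name is generated here and removed again on success.

function Test-PnPTermStoreWrite {
    param(
        [Parameter(Mandatory)] [string] $TermGroup,
        [Parameter(Mandatory)] [string] $TermSet,
        [int] $Lcid = 1033,
        [string] $ProbeTerm = "zz-pnp-write-probe-" + [guid]::NewGuid().ToString('N').Substring(0, 8)
    )

    $result = [ordered]@{ CanRead = $false; CanWrite = $false; Error = $null }

    # Read check: listing terms works even with the -SPOManagementShell token,
    # so a failure here is a connection or naming problem, not the 403 in question.
    try {
        $null = Get-PnPTerm -TermGroup $TermGroup -TermSet $TermSet -ErrorAction Stop
        $result.CanRead = $true
    } catch {
        $result.Error = "Read failed: " + $_.Exception.Message
        return [pscustomobject]$result
    }

    # Write check: create a throwaway term, then delete it again.
    try {
        $null = New-PnPTerm -TermGroup $TermGroup -TermSet $TermSet -Name $ProbeTerm -Lcid $Lcid -ErrorAction Stop
        $result.CanWrite = $true
        Remove-PnPTaxonomyItem -TermPath "$TermGroup|$TermSet|$ProbeTerm" -Force -ErrorAction SilentlyContinue
    } catch {
        # Type is checked by name so the script parses even before the CSOM
        # assemblies are loaded.
        if ($_.Exception.GetType().Name -eq 'ServerUnauthorizedAccessException') {
            $result.Error = "Write denied (403): the token used by this connection has no term store write rights."
        } else {
            $result.Error = "Write failed: " + $_.Exception.Message
        }
    }

    [pscustomobject]$result
}

# Usage, e.g. after: Connect-PnPOnline -Url https://contoso.sharepoint.com -SPOManagementShell
Test-PnPTermStoreWrite -TermGroup "Fileshare Metadata" -TermSet "Topic" -Lcid 1033
```

Run it once per connection method (-SPOManagementShell, -UseWebLogin, app-only) and compare the CanWrite column; the probe term is removed immediately, so it leaves no trace in the term set on success.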
sympmarc (Contributor) commented Dec 5, 2020

This is admittedly a very basic suggestion, but are you a Term Store Administrator in the client tenant, at least for the Term Set you want to update? (This catches me up all the time.)

ToddKlindt (Contributor) commented:
The -SPOManagementShell does not have permission to the Term Store. It's expected, though still frustrating, that New-PnPTerm won't work if that's how you authenticate.

acou1304 (Author) commented Dec 7, 2020

Yes I am a term store administrator. In my own tenant (which doesn't have ADFS or MFA) I can switch to the normal -UseWebLogin and update the term store. It is only because I have to use the -SPOManagementShell option in the other tenant that does have ADFS/MFA that I am testing in my own tenant. I did also try using AppId/Secrets but writing to the term store using that also does not work. At the moment my only work around is to effectively populate my own tenant term store, then use Sharegate to copy the terms across. It is interesting that Sharegate doesn't have an issue in that environment, which I suspect is because they are using old SharePoint api methods rather than MS Graph.

ToddKlindt (Contributor) commented:
Have you tried using Initialize-PnPPowerShellAuthentication to create an app reg that has all the permissions you need? In this case it would look like Example 3 under help Initialize-PnPPowerShellAuthentication -Examples and add "TermStore.ReadWrite.All"
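The app-only route suggested in the comment above, written out end to end. This is an added example, not code from the issue or from the PnP project. Tenant, site URL, application name, certificate directory and client ID are placeholders; the -Scopes value "SPO.TermStore.ReadWrite.All" is an assumption about how this module version names the SharePoint TermStore.ReadWrite.All application permission, and the PFX file name is assumed to follow the application name.

```powershell
# Added example: register a certificate-based app with term store write
# permission and connect with it instead of -SPOManagementShell.
# Assumptions: placeholder tenant/URL/app name/client ID; the scope string and
# the PFX file name are assumed (see `help Initialize-PnPPowerShellAuthentication -Detailed`).

$tenant   = 'contoso.onmicrosoft.com'
$siteUrl  = 'https://contoso.sharepoint.com'
$appName  = 'PnP-TermStore-Migration'
$certDir  = 'C:\pnp-certs'
$certPass = Read-Host -AsSecureString -Prompt 'PFX password'   # never hard-code this

# 1. One-time setup (prompts for a Global Admin sign-in and admin consent):
#    creates the Azure AD app, a self-signed certificate and the requested
#    application permissions. Do not put this in the migration script itself.
$app = Initialize-PnPPowerShellAuthentication `
        -ApplicationName $appName `
        -Tenant $tenant `
        -OutPath $certDir `
        -CertificatePassword $certPass `
        -Scopes 'SPO.Sites.FullControl.All', 'SPO.TermStore.ReadWrite.All'   # assumed scope names
$app   # shows the new Application (client) ID and certificate details

# 2. In the migration script: connect app-only with the certificate.
#    $clientId is the Application (client) ID printed in step 1.
$clientId = '00000000-0000-0000-0000-000000000000'   # placeholder
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
        -CertificatePath (Join-Path $certDir "$appName.pfx") `   # assumed file name
        -CertificatePassword $certPass

# 3. The write that fails under -SPOManagementShell.
New-PnPTerm -TermGroup 'Fileshare Metadata' -TermSet 'Topic' -Name 'Invoices' -Lcid 1033
```

The PFX plus its password is equivalent to the credential of an app with full control over every site, so restrict the file's ACL to the account that runs the job, or import it into the user certificate store and connect with -Thumbprint instead of -CertificatePath so the private key never sits on disk as a file.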

acou1304 (Author) commented Dec 7, 2020

Hi Todd, no I haven't tried that.
In terms of -SPOManagementShell, I spoke to a tech support person at Microsoft and they said the following:

I have tried to do some tests and could reproduce the issue when using the -SPOManagementShell parameter.
Then I compared the authentication of these two methods and found:

  • When using -UseWebLogin: just like accessing SharePoint Online directly via a browser, the subsequent requests sent by the PnP commands are made under the current user context with the FedAuth cookie.

  • When using -SPOManagementShell: it uses an access token under the app context, and the permission scope doesn't include any term store related permission.

So, I think that's why it returns a 403 error when using -SPOManagementShell for authentication to manage the term store.
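The distinction the support engineer draws (user context vs. a token whose scope list omits the term store) can be checked locally by decoding the access token's payload and listing its audience, delegated scopes (scp) and application roles (roles). This is an added example, not code from the issue or from the PnP project. The token it decodes is a constructed, unsigned sample with a placeholder app ID; how to obtain the real token is an assumption (Get-PnPAccessToken returns one for some connection types in this module version, otherwise capture the Authorization header with a local proxy).

```powershell
# Added example: decode a JWT payload (no signature check, inspection only) and
# summarise which permissions it carries. The sample token below is constructed
# here and signed with nothing; the appid is a placeholder.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # Base64url -> Base64, restore padding, decode UTF-8 JSON.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenPermissionSummary {
    param([Parameter(Mandatory)][string]$Token)
    $claims    = ConvertFrom-JwtPayload -Token $Token
    $delegated = if ($claims.scp)   { @($claims.scp -split ' ') } else { @() }
    $appRoles  = if ($claims.roles) { @($claims.roles) }          else { @() }
    $all       = $delegated + $appRoles
    [pscustomobject]@{
        Audience          = $claims.aud
        AppId             = $claims.appid
        Context           = if ($delegated.Count) { 'delegated (user signed in)' }
                            elseif ($appRoles.Count) { 'application (app-only)' }
                            else { 'no permission claims' }
        DelegatedScopes   = $delegated
        ApplicationRoles  = $appRoles
        # The permission name Todd refers to above; absence here matches the 403.
        HasTermStoreWrite = [bool]($all -contains 'TermStore.ReadWrite.All')
    }
}

# Constructed sample: a SharePoint-resource token whose scope list does not
# name the term store. Header and payload are base64url-encoded by hand.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sampleToken = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}') + '.' +
               (ConvertTo-Base64Url '{"aud":"https://contoso.sharepoint.com","appid":"00000000-0000-0000-0000-000000000000","scp":"AllSites.FullControl"}') + '.'

Get-TokenPermissionSummary -Token $sampleToken

# Against a live connection (assumption: the cmdlet returns the token for your
# connection type):
# Get-TokenPermissionSummary -Token (Get-PnPAccessToken)
```

A bearer token is a credential until it expires, so decode it locally as above rather than pasting it into a web-based JWT viewer, and do not write it to logs.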

ToddKlindt (Contributor) commented:
Yeah, that's what I said in this reply.

acou1304 (Author) commented Dec 8, 2020

I found that the customer had set up MFA via a conditional access policy rather than directly against the user in the admin center. By removing the conditional access policy and setting MFA directly against the migration account, I was able to create an app password. Even though I didn't use the app password, I found that I could just use the username/password in a stored credential, thus bypassing the -SPOManagementShell option. When using the -SPOManagementShell option, often the next line of code runs before the authentication prompt is complete.
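The stored-credential workaround from the comment above, written so that the script verifies the connection with one server round trip before touching the term store instead of running on while a prompt is still open. This is an added example, not code from the issue or from the PnP project. The site URL, credential label and account name are placeholders, and it assumes the account accepts username/password sign-in (per-user MFA, or an exclusion from the conditional access policy) as described in the comment.

```powershell
# Added example: non-interactive connection from a Windows Credential Manager
# entry, with a fail-fast check before any term store command runs.
# Assumptions: placeholder URL, label and account; password sign-in is allowed
# for this account.

$siteUrl = 'https://contoso.sharepoint.com'
$label   = 'contoso-migration'   # Credential Manager entry name

# One-time, interactive, on the machine that will run the job:
#   Add-PnPStoredCredential -Name $label -Username 'migration@contoso.onmicrosoft.com' `
#       -Password (Read-Host -AsSecureString -Prompt 'Password')

function Connect-PnPNonInteractive {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$CredentialLabel
    )
    if (-not (Get-PnPStoredCredential -Name $CredentialLabel -ErrorAction SilentlyContinue)) {
        throw "No stored credential '$CredentialLabel'. Run Add-PnPStoredCredential once first."
    }
    # -Credentials accepts the label; no browser or device-code prompt is shown,
    # so nothing can race ahead of an unfinished sign-in.
    Connect-PnPOnline -Url $Url -Credentials $CredentialLabel -ErrorAction Stop

    # Force one round trip so a wrong password or a conditional access block
    # surfaces here, not several commands later inside a term store loop.
    $web = Get-PnPWeb -ErrorAction Stop
    if (-not $web) { throw "Connected but no web was returned for $Url" }
    Write-Host "Connected to $($web.Url)"
}

Connect-PnPNonInteractive -Url $siteUrl -CredentialLabel $label

# Term store work now runs under the user's own context rather than the
# -SPOManagementShell token.
New-PnPTerm -TermGroup 'Fileshare Metadata' -TermSet 'Topic' -Name 'Invoices' -Lcid 1033
```

The trade-off is worth stating: a Credential Manager entry is readable by anything running as that Windows user, and moving the account from a conditional access policy to per-user MFA with password sign-in widens what a stolen password can do. Keep the account limited to Term Store Administrator, rotate the password when the migration is done, and prefer the certificate-based app registration where the tenant allows it.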
