
[Bug] PnP Framework still using PnP Management Shell for authentication #1059

Open
NishkalankBezawada opened this issue Sep 6, 2024 · 9 comments

Comments

@NishkalankBezawada

NishkalankBezawada commented Sep 6, 2024

Hello Team,

As we know, PnP Management Shell is being deprecated on 9th September. Does it only affect PnP PowerShell alone?
I have noticed this in one of the authentication methods:

```csharp
var authManager = new PnP.Framework.AuthenticationManager(_Username, securePassword);
```

This internally uses the PnP Management Shell multi-tenant Azure AD application ID to authenticate.

image

## Findings

```csharp
public const string CLIENTID_PNPMANAGEMENTSHELL = "31359c7f-bd7e-475c-86db-fdb8c937548e";
```

The above line might be using the PnP PowerShell client ID:

```csharp
/// Creates a new instance of the Authentication Manager to acquire authenticated ClientContexts. It uses the PnP Management Shell multi-tenant Azure AD application ID to authenticate. By default tokens will be cached in memory.
```

It clearly says "Creates a new instance of the Authentication Manager to acquire authenticated ClientContexts. It uses the PnP Management Shell multi-tenant Azure AD application ID to authenticate. By default tokens will be cached in memory."

This has not been addressed so far; does it mean that this authentication method should not be used anymore?

Thanks,
Nishkalank Bezawada

@NishkalankBezawada NishkalankBezawada changed the title [Bug] Deprecated PnP Powershell client id used in PnP Framework [Bug] PnP Framework still using PnP Management Shell for authentication Sep 6, 2024
@siimav

siimav commented Sep 10, 2024

Can confirm, authentication is now broken with the following error:

```
Microsoft.Identity.Client.MsalServiceException: AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e' was not found in the directory '[Redacted]'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
```

@pkbullock
Collaborator

Hi, you will need to provide an alternative service principal since the app PnP Management Shell has been removed: https://pnp.github.io/powershell/articles/registerapplication.html

@Ramo-Y

Ramo-Y commented Sep 11, 2024

We had the same problem as @siimav mentioned and solved it as follows:

1. Create an app registration: https://pnp.github.io/powershell/articles/registerapplication.html
2. Use this constructor overload with the clientId:
   ```csharp
   var authManager = new AuthenticationManager(clientId, clientUser, secureStringPassword);
   ```

As the PnP Management Shell Client ID '31359c7f-bd7e-475c-86db-fdb8c937548e' has been removed, it should no longer be used and this approach with the fallback should be changed.

@jmconnell2000

> We had the same problem as @siimav mentioned and solved it as follows:
>
> 1. Create an app registration: https://pnp.github.io/powershell/articles/registerapplication.html
> 2. Use this constructor overload with the clientId:
>    `var authManager = new AuthenticationManager(clientId, clientUser, secureStringPassword);`
>
> As the PnP Management Shell Client ID '31359c7f-bd7e-475c-86db-fdb8c937548e' has been removed, it should no longer be used and this approach with the fallback should be changed.

Did you grant SharePoint using Delegated or Application permissions? I followed the steps in the reference link for setting up the App Registration for Delegated but got this error message:

```
Microsoft.Identity.Client.MsalServiceException: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
```

@Ramo-Y

Ramo-Y commented Sep 16, 2024

I was not involved in the granting of the rights myself, but I know that the permissions are as follows:
image

At the beginning we had forgotten the upper red-marked rights and had the following error message:

```
Connecting to https://tenant.sharepoint.com/sites/blabla . Getting site owners based on template type of the site . Exception ProvisionSiteExtensions: AADSTS65001: The user or administrator has not consented to use the application with ID 'UUID' named 'PnP PowerShell'. Send an interactive authorization request for this user and resource. Trace ID: 'TRACE_ID' Correlation ID: 'CORRELATION_ID' Timestamp: 2024-09-12 06:58:21Z .
```

@jmconnell2000

> I was not involved in the granting of the rights myself, but I know that the permissions are as follows: image
>
> At the beginning we had forgotten the upper red-marked rights and had the following error message:
>
> `Connecting to https://tenant.sharepoint.com/sites/blabla . Getting site owners based on template type of the site . Exception ProvisionSiteExtensions: AADSTS65001: The user or administrator has not consented to use the application with ID 'UUID' named 'PnP PowerShell'. Send an interactive authorization request for this user and resource. Trace ID: 'TRACE_ID' Correlation ID: 'CORRELATION_ID' Timestamp: 2024-09-12 06:58:21Z .`

Thanks! I assume you are using this code in background processes (like an Azure Function, etc). Based on the link you previously referenced... This is all I have configured in my App Registration. Do I need some of the other items shown in your App Registration along with what is in the red box to make that AuthenticationManager method work?
image

@Ramo-Y

Ramo-Y commented Sep 16, 2024

You are welcome! Yes exactly, we have various Azure Functions in use that use the app registration. We have assigned all the permissions that are in the screenshot, including those outside the red box (I only have this screenshot and don't have access to it myself).

@LynxxHub

> I was not involved in the granting of the rights myself, but I know that the permissions are as follows: image
>
> At the beginning we had forgotten the upper red-marked rights and had the following error message:
>
> `Connecting to https://tenant.sharepoint.com/sites/blabla . Getting site owners based on template type of the site . Exception ProvisionSiteExtensions: AADSTS65001: The user or administrator has not consented to use the application with ID 'UUID' named 'PnP PowerShell'. Send an interactive authorization request for this user and resource. Trace ID: 'TRACE_ID' Correlation ID: 'CORRELATION_ID' Timestamp: 2024-09-12 06:58:21Z .`
>
> Thanks! I assume you are using this code in background processes (like an Azure Function, etc). Based on the link you previously referenced... This is all I have configured in my App Registration. Do I need some of the other items shown in your App Registration along with what is in the red box to make that AuthenticationManager method work? image

Hi, I just had the same issue; make sure that this check is turned on:
-> App Registration -> Authentication:
image
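Pulling together the migration steps from Ramo-Y's reply and the three AADSTS errors reported in this thread (AADSTS700016, AADSTS65001, AADSTS7000218), here is an added example in C#; it is not code from the PnP Framework project or from anyone in the thread. It assumes the PnP.Framework package, an app registration created per the linked guide, and the hypothetical helper name `PnpAuth`; the client ID comes from configuration rather than the retired built-in constant.

```csharp
using System;
using System.Security;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;
using PnP.Framework;

// Added example (not PnP Framework code). Assumes an app registration created as
// described at https://pnp.github.io/powershell/articles/registerapplication.html
// and that its client ID is supplied from configuration, never hard-coded.
public static class PnpAuth // hypothetical helper name
{
    // Client ID of the removed PnP Management Shell app, quoted from this thread.
    private const string RetiredPnpManagementShellClientId = "31359c7f-bd7e-475c-86db-fdb8c937548e";

    public static ClientContext Connect(string siteUrl, string clientId, string username, string password)
    {
        // Refuse the retired default: the app no longer exists in any tenant (AADSTS700016).
        if (string.IsNullOrWhiteSpace(clientId) || clientId == RetiredPnpManagementShellClientId)
            throw new InvalidOperationException(
                "Supply the client ID of your own app registration; the PnP Management Shell app was removed.");

        var securePassword = new SecureString();
        foreach (var c in password) securePassword.AppendChar(c);
        securePassword.MakeReadOnly();

        try
        {
            // The overload from Ramo-Y's reply: explicit clientId instead of the built-in default.
            var authManager = new AuthenticationManager(clientId, username, securePassword);
            return authManager.GetContext(siteUrl);
        }
        catch (MsalServiceException ex)
        {
            // Map the AADSTS codes reported in this thread to the remedy each reply arrived at.
            string hint = ex.Message switch
            {
                var m when m.Contains("AADSTS700016") =>
                    "App not found in the tenant: the client ID does not match an app registration there.",
                var m when m.Contains("AADSTS65001") =>
                    "Consent missing: grant admin consent for the SharePoint permissions on the app registration.",
                var m when m.Contains("AADSTS7000218") =>
                    "A client secret was demanded: for username/password sign-in, enable 'Allow public client flows' under App registration -> Authentication.",
                _ => $"MSAL error {ex.ErrorCode} (correlation ID {ex.CorrelationId})."
            };
            throw new InvalidOperationException(hint, ex);
        }
    }
}
```

The username/password overload used here is the resource owner password credentials flow; for unattended workloads such as the Azure Functions mentioned above, PnP Framework's certificate-based app-only overload (clientId, X509Certificate2, tenantId) avoids storing a user password at all.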

@Ramo-Y

Ramo-Y commented Nov 26, 2024

The fallback was removed with this commit; can this issue be closed? It is currently on the dev branch; when will it be released?

6 participants