Creating App Registrations for PnP PowerShell
- Milan Gross
- Apr 17, 2025
- 5 min read
Updated: May 4, 2025
Introduction
In my previous article (Getting Started with Modern PnP PowerShell for SharePoint Online), we introduced how to use PowerShell to connect to and update data in SharePoint Online. In this article we will explain how to create the Microsoft Entra ID (formerly called Azure AD) App Registration necessary to authenticate to SharePoint Online.
Some of you will find online references to an authentication approach that uses a simple interactive login prompting for your username and password. As of September 9, 2024, Microsoft has disabled this method, and connecting to SharePoint Online with PnP PowerShell now requires creating an Entra ID App Registration. The previously available method, Connect-PnPOnline -Interactive without an App Registration, now returns the error “Specified method is not supported”.
In fact, PnP PowerShell always needed an App Registration. However, to make PowerShell authentication easier, the PnP PowerShell team previously maintained a default multi-tenant App Registration known as the "PnP Management Shell", identified by the App ID 31359c7f-bd7e-475c-86db-fdb8c937548e, which allowed users to connect to Microsoft 365 services using PnP PowerShell without needing to create their own App Registration. The PnP PowerShell team deprecated this default App Registration due to security concerns and to encourage better permission management. Now, each organization must manage its own App Registration, which is better for application security.
What is an App Registration?
An App Registration in Entra ID is at the core of the Microsoft 365 API security model, preventing attackers from building rogue applications that connect to your data. Remember that all of the APIs that developers call from custom applications, or through automation such as PowerShell, are public endpoints reachable by anyone in the world. While additional controls such as Conditional Access Policies and Tenant Restrictions are useful for limiting access, not all organisations take the time to set them up. The App Registration creates a unique object in M365 whose details a developer must supply in order to authenticate through an application.
An additional benefit of the App Registration is that it creates an authentication method that acts similarly to a service account without requiring a username and password. Traditionally, we would create a user account in an environment, such as a database server, and then give the credentials to a developer, who would encrypt them into a file and use them for authentication whenever the application connected to the environment. This always created problems if the password expired or the account was locked or deleted. It also created a risk that the credentials, if discovered, could be used by a person to simply log onto the system and access data directly. An App Registration is not a user account and can’t be used by a non-developer to authenticate. Also, because the App Registration is not a service account, it is not subject to Multi-Factor Authentication (MFA), so it can be used by unattended applications and batch jobs.
As a result, App Registrations are ideal for:
Background services
Automation scripts
CI/CD pipelines
Scheduled jobs
There are two methods for creating App Registrations, depending on whether you want to use it interactively in PowerShell, where you are running it yourself and can enter your credentials, or in an unattended script. By default, all users in a tenant have permission to create a new App Registration, so the cmdlets shown below do not need admin rights to run.
Creating an App Registration for Interactive Use
Once you have PnP PowerShell installed, you can use the following PnP cmdlet to create the App Registration:
Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "Custom App" -Tenant [yourtenant].onmicrosoft.com -Interactive
The command will first prompt you for your login credentials, which do not need any admin rights to create the app. However, if you are not an admin, it will prompt a second time for admin credentials to consent to the permissions applied in Entra ID. If you aren’t an admin, the consent will fail, but the command will still create the App Registration and show you the Client ID. The Client ID is the key parameter used in the Connect-PnPOnline command.

The next step is for an Entra ID admin to consent to the permissions requested by doing the following:
1. Browse to https://entra.microsoft.com
2. Expand Applications and click App Registrations
3. In the list, click the App Registration you created
4. Under Manage, select API permissions.
5. Click Grant admin consent for < tenant name >, then click Yes.
6. Click Refresh, then verify that Granted for < tenant name > appears under Status for the permission.

As shown in Figure 2, the default permissions include full control over all of the content and Graph features that are likely needed. The actual permissions required depend on the command you plan to run in PnP PowerShell and can be adjusted in the App Registration page in Entra.
You can now connect to SharePoint using the Client ID value.
$siteUrl = "https://[yourtenant].sharepoint.com/sites/[yoursite]"
$clientID = "App Registration ID"
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientID
Creating an App Registration for Unattended Use
While the above approach is good enough for everyday administrative scripts and ad-hoc updates, it still requires a user to authenticate every time they connect. For unattended execution, we need to provide the App Registration with credentials that allow it to authenticate without user interaction.
This is done by provisioning a Certificate in the App Registration that our script can reference as a credential to use the Application permissions and run unattended. This creates a more secure and scalable authentication method by using a self-signed or trusted PKI certificate.
To start, we create a new certificate using PowerShell. Note, you need to start PowerShell using Run as administrator in order to allow it to write to the file system.
New-PnPAzureCertificate `
    -CommonName "PnP Demo Cert" `
    -OutPfx "C:\scripts\pnpdemo.pfx" `
    -OutCert "C:\scripts\pnpdemo.cer" `
    -CertificatePassword (ConvertTo-SecureString "SecretP@ssword1" -AsPlainText -Force)
Next, upload the certificate into the App Registration you created using the previously outlined steps.
1. Browse to https://entra.microsoft.com
2. Expand Applications and click App Registrations
3. In the list, click the App Registration you created
4. Click Certificates & secrets, then click Certificates
5. Upload the .cer file (this is your public key file)

Next, we need to grant the App Registration the required permissions. When using the interactive approach, the script uses Delegated permissions, but for unattended execution we need to give it Application permissions. Delegated permissions act on behalf of a signed-in user and require that the user have the correct permissions, while Application permissions operate as the app itself.
1. Browse to https://entra.microsoft.com
2. Expand Applications and click App Registrations
3. In the list, click the App Registration you created
4. Click API permissions, then click Add a permission.
5. Select SharePoint in the screen as shown in Figure 4
6. Select Application permissions and select the permission needed as shown in Figure 5.
7. Click Add permissions
8. In the API permissions screen, click Grant admin consent for [tenant]


With permissions and certificate in place we can now connect using the certificate. We will modify our Connect-PnPOnline cmdlet to add the Tenant, CertificatePath, and CertificatePassword parameters and remove the Interactive parameter.
$siteUrl = "https://[yourtenant].sharepoint.com/sites/[yoursite]"
$clientID = "App Registration ID"
$tenant = "[yourtenant].onmicrosoft.com"
$certPath = "C:\scripts\pnpdemo.pfx"
$certPassword = "SecretP@ssword1"   # password set when the PFX was created
Connect-PnPOnline `
    -Url $siteUrl `
    -ClientId $clientID `
    -Tenant $tenant `
    -CertificatePath $certPath `
    -CertificatePassword (ConvertTo-SecureString -AsPlainText $certPassword -Force)
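The snippet above keeps the PFX password in the script itself, which is the weak point of this setup once the file leaves your workstation. The following is an added example, not code from the original article, showing how the same unattended connection looks in a scheduled job: the password comes from an environment variable the scheduler or pipeline injects, the certificate is inspected for expiry before use, and a cheap read confirms the Application permissions were actually granted. The environment variable name PNP_CERT_PASSWORD, the parameter names, and the placeholder values are my own assumptions.

```powershell
# Added example (not from the original article): unattended PnP PowerShell
# connection for a scheduled job. Assumes the App Registration, uploaded .cer
# and Application permissions from the steps above are already in place.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,    # https://[yourtenant].sharepoint.com/sites/[yoursite]
    [Parameter(Mandatory)] [string] $ClientId,   # Application (client) ID of the App Registration
    [Parameter(Mandatory)] [string] $Tenant,     # [yourtenant].onmicrosoft.com
    [string] $CertificatePath = "C:\scripts\pnpdemo.pfx",
    [int]    $ExpiryWarningDays = 30
)

$ErrorActionPreference = 'Stop'

# The PFX password is read from the environment (assumed variable name) that the
# scheduler or CI/CD pipeline injects, so it never sits in the script file.
$plainPassword = $env:PNP_CERT_PASSWORD
if ([string]::IsNullOrEmpty($plainPassword)) {
    throw "PNP_CERT_PASSWORD is not set; refusing to fall back to a hard-coded password."
}
$certPassword = ConvertTo-SecureString -String $plainPassword -AsPlainText -Force

# Load the PFX before connecting: an expired certificate is the usual reason an
# unattended job stops working, and it is cheaper to detect it here with a
# clear message than from a generic authentication failure.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $CertificatePath, $certPassword)
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); generate and upload a new one."
}
elseif ($daysLeft -lt $ExpiryWarningDays) {
    Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days; plan a rotation."
}

try {
    Connect-PnPOnline `
        -Url $SiteUrl `
        -ClientId $ClientId `
        -Tenant $Tenant `
        -CertificatePath $CertificatePath `
        -CertificatePassword $certPassword

    # A read of the root web proves that authentication succeeded and that the
    # granted Application permissions cover at least read access, before the
    # real workload runs.
    $web = Get-PnPWeb
    Write-Host "Connected to '$($web.Title)' as app $ClientId with certificate $($cert.Thumbprint)"

    # ... unattended work goes here ...
}
finally {
    # Disconnect-PnPOnline throws if no connection was established, so ignore that case.
    try { Disconnect-PnPOnline } catch { }
}
```

Run it from a scheduled task or pipeline step that sets PNP_CERT_PASSWORD from its own secret store, passing -SiteUrl, -ClientId and -Tenant as arguments. Pairing this with a shorter certificate lifetime when you generate the PFX (New-PnPAzureCertificate accepts a -ValidYears parameter) keeps the rotation warning meaningful rather than a decade away.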
Conclusion
App Registrations in Microsoft Entra ID enable secure, scalable, and automated access to SharePoint Online from PowerShell. Use client ID-based authentication for testing or low-risk scenarios. For secure and reliable automation in production, I recommend certificate-based authentication.
