Cannot contact site at the specified URL https://xxx.genericURL.com/sites/O-XSOBusinessTechnology-CD-HM. The app principal does not exist

Clint Schauff 21 Reputation points
2020-11-18T21:17:30.423+00:00

Hello all,

I am attempting to connect to a company SharePoint Online site using PowerShell 4.0 on Windows Server 2012 R2 and Connect-PnPOnline.

My INFOSEC folks have created a clientID and clientSecret in Azure KeyVault and I am authenticating using the following:

Connect-PnPOnline -Url $SiteURL -ClientSecret $appSecret -ClientId $appID;

Once I authenticate, I am attempting to list all the folders and subfolders in the site using the following code:

```powershell
Import-Module "C:\Program Files (x86)\SharePointPnPPowerShellOnline\Modules\SharePointPnPPowerShellOnline\SharePointPnPPowerShellOnline.psd1" -DisableNameChecking

# Loop through to get all the folders and subfolders
Function GetFolders($folderUrl)
{
    write-host "test"
    $folderColl = Get-PnPFolderItem -FolderSiteRelativeUrl $folderUrl -ItemType Folder
    # Loop through the folders
    foreach ($folder in $folderColl)
    {
        $newFolderURL = $folderUrl + "/" + $folder.Name
        write-host -ForegroundColor Green $folder.Name " - " $newFolderURL
        # Call the function recursively to get the folders inside this folder
        GetFolders $newFolderURL
    }
}

# Function to get all document libraries in a SharePoint Online site collection
Function GetLibraryName($SiteURL)
{
    # Setup the context
    $ctx = Get-PnPContext;
    $DocLibName = "Shared Documents";
    Invoke-PnPQuery;
    GetFolders $DocLibName;
}

$SiteURL = "https://xxx.genericURL.com/sites/O-XSOBusinessTechnology-CD-HM"
$appID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
$appSecret = "xxxxx~--xxxxxxxx-xxx-xxx_xxxxxxxxx";
write-host "appSecret" $appSecret   # note: this echoes the client secret to the console (and to any transcript log)
write-host $SiteURL
write-host $appID
Connect-PnPOnline -Url $SiteURL -ClientSecret $appSecret -ClientId $appID;

# Call the function to get all document libraries in a site collection
GetLibraryName $SiteURL;
```

I don't get any errors, so I think it authenticates, but I get the following error when it attempts to loop through and list the folders:

Get-PnPFolderItem : Cannot contact site at the specified URL https://xxx.genericURL.com/sites/O-xxxBusinessTechnology-CD-HM. The app principal does not exist.
At C:\scripts\powershell\QA\getLibraryNames.ps1:9 char:17

If I instead use

Connect-PnPOnline -Url $SiteURL -UseWebLogin;

...and log in manually with the same credentials represented by the ClientID and ClientSecret, it works as expected:

Results: [screenshot of the folder listing, 40875-image.png]

Any thoughts? I'd appreciate any help you can provide; I've been beating my head against the wall on this for a while!

Thanks, Clint


Accepted answer
    JoyZ 18,041 Reputation points
    2020-11-19T11:04:03.467+00:00

    Hi @Clint Schauff ,

    I could reproduce your issue when I use Azure AD App-Only. I will continue to investigate this issue and update the post if I have any results.

    As a workaround, I suggest you use SharePoint App-Only, which works well on my end to access SharePoint using an application context:

    Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/demo -AppId [Your Client ID] -AppSecret "[Your Client Secret]"  
    

    Detailed steps in the following article for your reference:

    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

    -----------------------------------------Update---------------------------------------------------------

    Hi @Clint Schauff ,

    Per my research, currently other options are blocked by SharePoint Online and will result in an Access Denied message.

    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#can-i-use-other-means-besides-certificates-for-realizing-app-only-access-for-my-azure-ad-app

    We suggest you switch to a certificate-based method of authenticating for the Azure AD app.

    More information:

    https://github.com/OfficeDev/microsoft-teams-apps-requestateam/issues/16


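As an added example (not from the thread or either answerer), this is how the certificate-based Azure AD app-only connection recommended in the update looks end to end with PnP PowerShell, wired to the same recursive folder walk as the question. Tenant, site URL and client ID are placeholders; it assumes a Windows 10 / Server 2016 or later New-SelfSignedCertificate, that the exported public .cer has been uploaded to the app registration, and that the registration holds a SharePoint application permission with admin consent.

```powershell
# Added example, not from the thread. Replace the three placeholders below.
$Tenant   = "contoso.onmicrosoft.com"                    # placeholder tenant
$SiteURL  = "https://contoso.sharepoint.com/sites/demo"  # placeholder site
$ClientId = "00000000-0000-0000-0000-000000000000"       # placeholder app (client) ID

# 1. One-time setup: a non-exportable self-signed certificate in the user store.
#    The private key never leaves this machine; only the public .cer is uploaded
#    to the app registration (Certificates & secrets > Certificates).
function New-PnPAppOnlyCert {
    $cert = New-SelfSignedCertificate -Subject "CN=PnP-SharePoint-AppOnly" `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy NonExportable `
        -KeySpec Signature -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(1)
    Export-Certificate -Cert $cert -FilePath "$env:TEMP\PnP-SharePoint-AppOnly.cer" | Out-Null
    Write-Host "Upload $env:TEMP\PnP-SharePoint-AppOnly.cer to the app registration."
    return $cert.Thumbprint
}

# 2. Every run: connect by thumbprint. There is no client secret in the script,
#    so nothing sensitive can be echoed to the console or a transcript.
function Connect-PnPWithCert([string]$Thumbprint) {
    Connect-PnPOnline -Url $SiteURL -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
}

# 3. The question's recursive folder listing, run under the certificate context.
function Get-FolderTree([string]$FolderUrl) {
    $folders = Get-PnPFolderItem -FolderSiteRelativeUrl $FolderUrl -ItemType Folder
    foreach ($folder in $folders) {
        $child = "$FolderUrl/$($folder.Name)"
        Write-Host -ForegroundColor Green "$($folder.Name) - $child"
        Get-FolderTree $child
    }
}

# First run only: $thumb = New-PnPAppOnlyCert ; afterwards keep the thumbprint in config.
$thumb = (Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq "CN=PnP-SharePoint-AppOnly" | Select-Object -First 1).Thumbprint
Connect-PnPWithCert $thumb
Get-FolderTree "Shared Documents"
```

Because the key is marked NonExportable, rotating it means issuing a new certificate and uploading its public half rather than copying a file between machines.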


1 additional answer

    HM 1 Reputation point
    2022-11-23T12:38:31.077+00:00

    Hey community,
    I'd like to check with you, what I would call a hybrid approach:

    • What I dislike about the SharePoint app only is the missing visibility and manageability within the Azure Portal, e.g. creation of a new client secret must be done by PS
    • What I dislike about the Azure AD App only is the requirement to go with certificate files rather than a client secret

    So here is what I just tried:

    • Create an Azure AD App
    • Create Client Secret within Azure Portal for the App
    • Switch to the SharePoint site I want to grant permission on
    • Go directly with "/_layouts/15/appinv.aspx"
    • Put in the Azure AD App ID
    • Domain: localhost, Redirect https://localhost, Permission XML as needed
    • Confirm that I trust this app

    Connecting to the site with PnP and the given Azure App ID & Secret then looks successful.

    Any thoughts on that?
