While working with PnP (Patterns and Practices) PowerShell for Microsoft 365, I recently kept hitting an error about not being a Tenant Administrator.

I am using a Global Administrator account, so it should have the correct permissions. The command I tried to execute simply retrieves all SharePoint user profile properties for the specified user.
Get-PnPUserProfileProperty -Account $user.UserPrincipalName
The connection used for this command is using an Azure Active Directory Application (AzureAD) and a Certificate like this:
Connect-PnPOnline `
-Tenant $Tenant `
-Url $Url `
-ClientId $ClientId `
-CertificatePath $CertificatePath
My permissions are saved within the Azure Active Directory (AzureAD) application and not with the connection string. The base permissions needed for this connection to work were:
- Microsoft.Graph – User.ReadWrite.All
- SharePoint – User.Read.All
Every time I executed the PowerShell with these permissions, it failed. I had to modify the permissions as below and ensure that I granted admin consent for the permissions.
- Microsoft.Graph – User.ReadWrite.All
- SharePoint – User.Read.All
- SharePoint – Sites.FullControl.All

With the permissions modified, the “Get-PnPUserProfileProperty” command executes as expected, returning the values I need for the rest of the PowerShell script.
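As an added example (not code from the original post), the script below wraps the connection and lookup shown above so that the "Tenant Administrator" failure is reported clearly instead of aborting the run, and so that only the profile properties the rest of the script actually needs are read. The tenant, admin URL, client id, certificate path, account list and property names are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Connects app-only with a certificate,
# probes each account, and returns only the requested profile properties.
param(
    [string]$Tenant          = 'contoso.onmicrosoft.com',                 # placeholder
    [string]$Url             = 'https://contoso-admin.sharepoint.com',    # placeholder
    [string]$ClientId        = '00000000-0000-0000-0000-000000000000',    # placeholder
    [string]$CertificatePath = 'C:\certs\pnp-app.pfx',                    # placeholder
    [string[]]$Accounts      = @('alice@contoso.com', 'bob@contoso.com'), # placeholder
    [string[]]$Properties    = @('Department', 'Manager', 'WorkEmail')    # only what is needed
)

function Get-SelectedProfileProperties {
    param([string]$Account, [string[]]$Properties)
    try {
        $person = Get-PnPUserProfileProperty -Account $Account
    }
    catch {
        # The post describes an error about not being a Tenant Administrator when the
        # app registration lacks SharePoint Sites.FullControl.All with admin consent.
        if ($_.Exception.Message -match 'Tenant Administrator') {
            Write-Warning "App-only context not accepted as tenant admin for $Account. Check the app registration's SharePoint application permissions and admin consent."
        }
        else {
            Write-Warning "Profile lookup failed for ${Account}: $($_.Exception.Message)"
        }
        return $null
    }
    # UserProfileProperties is a name/value dictionary; keep only the requested keys.
    $result = [ordered]@{ Account = $Account }
    foreach ($name in $Properties) {
        $result[$name] = $person.UserProfileProperties[$name]
    }
    [pscustomobject]$result
}

Connect-PnPOnline -Tenant $Tenant -Url $Url -ClientId $ClientId -CertificatePath $CertificatePath
try {
    $Accounts |
        ForEach-Object { Get-SelectedProfileProperties -Account $_ -Properties $Properties } |
        Where-Object { $_ } |
        Format-Table -AutoSize
}
finally {
    # Always drop the app-only session, even if a lookup threw.
    Disconnect-PnPOnline
}
```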
The most important thing here is to spend time getting the permissions correct. Too many organizations elevate permissions to get around a problem instead of working out the exact permissions required for something to work. It would be best to always think of “Least Privilege” for account permissions of any type.