While working with PnP (Patterns and Practices) PowerShell for Microsoft 365, I recently kept hitting an error about not being a Tenant Administrator.

I am using a Global Administrator account, so it should have the correct permissions. The command I tried to execute simply retrieves all SharePoint user profile properties for the specified user.

Get-PnPUserProfileProperty -Account $user.UserPrincipalName

The connection used for this command is app-only: it authenticates as an Azure Active Directory (Azure AD) application with a certificate rather than as a user, so the permissions that apply are the application permissions granted to that app registration, not the Global Administrator role of the person running the script. The connection looks like this:

# App-only authentication: the app registration ($ClientId) proves its identity with the certificate
Connect-PnPOnline `
	-Tenant $Tenant `
	-Url $Url `
	-ClientId $ClientId `
	-CertificatePath $CertificatePath

The permissions are configured on the Azure Active Directory (Azure AD) app registration, not on the connection itself. The base API permissions I started with were:

  • Microsoft.Graph – User.ReadWrite.All
  • SharePoint – User.Read.All

With only these permissions the script failed every time. Adding the SharePoint permission below, and granting admin consent for it (application permissions take effect only once an administrator has consented), fixed it:

  • Microsoft.Graph – User.ReadWrite.All
  • SharePoint – User.Read.All
  • SharePoint – Sites.FullControl.All

With the permissions modified, the “Get-PnPUserProfileProperty” command executes as expected, returning the values I need for the rest of the PowerShell script.
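The following script, added here as an example and not taken from the original post, pulls the whole procedure together: it first lists which application permissions on the app registration actually carry admin consent (the app's service principal appRoleAssignments, which is where consented application permissions are recorded), compares them with the set the post found necessary, then makes the same app-only connection and reads the profile. It assumes the PnP.PowerShell and Microsoft.Graph modules are installed; the tenant, URL, client ID, certificate path, user and the Department property are placeholders.

```powershell
# Added example; not code from the original post. Assumes the PnP.PowerShell
# and Microsoft.Graph PowerShell modules are installed and that the app
# registration identified by $ClientId already has the certificate uploaded.
# All values below are placeholders (hypothetical tenant, app and user).
param(
    [string]$Tenant            = 'contoso.onmicrosoft.com',
    [string]$Url               = 'https://contoso.sharepoint.com',
    [string]$ClientId          = '00000000-0000-0000-0000-000000000000',
    [string]$CertificatePath   = 'C:\certs\pnp-profile-reader.pfx',
    [string]$UserPrincipalName = 'alice@contoso.com'
)

# Well-known appIds of the two resource APIs the post grants permissions on.
$GraphAppId      = '00000003-0000-0000-c000-000000000000'
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

# The set the post found necessary for app-only Get-PnPUserProfileProperty.
$RequiredAppRoles = @{
    $GraphAppId      = @('User.ReadWrite.All')
    $SharePointAppId = @('User.Read.All', 'Sites.FullControl.All')
}

# --- 1. Check which application permissions actually carry admin consent ------
# An app-only connection uses the app registration's *application* permissions.
# Admin consent for those is recorded as appRoleAssignments on the app's
# service principal, so that is what to inspect; the signed-in user's own
# roles (e.g. Global Administrator) do not apply to an app-only token.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) { throw "No service principal for appId $ClientId in tenant $Tenant." }

$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    # Resolve the resource (Graph, SharePoint, ...) and the role's permission name.
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        ResourceAppId = $resource.AppId
        Resource      = $resource.DisplayName
        Permission    = $role.Value
    }
}
$granted | Format-Table Resource, Permission -AutoSize

$missing = foreach ($resourceAppId in $RequiredAppRoles.Keys) {
    $have = ($granted | Where-Object ResourceAppId -eq $resourceAppId).Permission
    foreach ($p in $RequiredAppRoles[$resourceAppId]) {
        if ($p -notin $have) { "$resourceAppId/$p" }
    }
}
if ($missing) {
    Write-Warning ("Application permissions without admin consent: " + ($missing -join ', '))
}

# --- 2. Connect app-only and read the profile ---------------------------------
# Add -CertificatePassword (a SecureString) if the PFX is password protected.
Connect-PnPOnline -Tenant $Tenant -Url $Url -ClientId $ClientId -CertificatePath $CertificatePath
try {
    $person = Get-PnPUserProfileProperty -Account $UserPrincipalName -ErrorAction Stop
    [pscustomobject]@{
        AccountName = $person.AccountName
        Email       = $person.Email
        Department  = $person.UserProfileProperties['Department']   # assumed property of interest
    }
}
catch {
    # The failure from the post: SharePoint rejects the app-only call outright
    # when the app lacks the tenant-wide permission it requires.
    if ($_.Exception.Message -match 'Tenant Administrator') {
        Write-Error ("Rejected as app-only caller. Grant Sites.FullControl.All to the app " +
                     "registration and admin-consent it; a Global Admin user does not help here. " +
                     $_.Exception.Message)
    }
    else { throw }
}
finally {
    Disconnect-PnPOnline
}
```

Run the check step before the PnP step whenever the script is moved to a new tenant: a permission that was added to the app registration but never admin-consented will not appear in the assignment list, which is exactly the state that produces the Tenant Administrator error.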

The most important thing here is to spend time getting the permissions correct. Too many organizations elevate permissions to get around a problem instead of working out the exact permissions required for something to work. Always think "least privilege" for account permissions of any type, and remember that an application permission such as Sites.FullControl.All is tenant-wide: the certificate that unlocks it deserves the same protection as a Global Administrator credential.