Breaking changes in PnP Management Shell registration

There are some breaking changes coming to PnP PowerShell. See this blog post for more details. I chanced upon it from YouTube.

It doesn’t affect anyone using their own Entra ID App Registration for connecting to PnP PowerShell – which is what you’d be doing for automations etc. But if you are not, then chances are the first time you (or someone in your organization) used PnP PowerShell they would have run the following cmdlet:

This creates an Enterprise Application in your tenant called “PnP Management Shell”.

The corresponding App Registration for this is actually in Microsoft’s tenant, so this is a multi-tenant application. You can see this in the “Single sign-on” section of that Enterprise Application too.

For security reasons, Microsoft is removing this on September 9th. So anyone using this default App Registration can no longer sign in to PnP PowerShell after that date. They announced this last week (21st Aug) and it will be deleted a little more than a week from today. Not much time to be honest!

The solution is to create your own App Registration for PnP PowerShell. As per the docs you run:

I did that and it creates a new App Registration for you and brings up a window to do the admin consent. A word of warning though: if creating App Registrations is disabled for your organization, the person running this cmdlet should have at least the Application Admin role (or maybe the Cloud Application Admin role – I didn’t test with that).

Do the consent.

This is what the output looks like.

I went to the App Registration that gets created and did an admin consent for the organization.

And that’s it.

As a best practice I also went to the Enterprise Application of this App Registration and under Properties set it as Assignment Required.

Then, under “Users and groups” I added a bunch of groups containing IT folks.

That’s all! Now anyone using Connect-PnPOnline should use the modified variant shown in the output above.

As an aside, I also tried the Register-PnPEntraIDApp cmdlet because I was curious what permissions it adds. This too is mentioned in the docs.

The App Registration it creates has the following permissions:

That’s a lot of Application permissions I think! Usually when someone in our firm needs an App Registration for SharePoint access I use the Sites.Selected permission and that’s all we grant. Plus, some User and Groups Read permissions maybe – not an application level Group.ReadWrite.All and User.ReadWrite.All. That’s nuts!
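To check the same things from a script rather than the portal, here is an added example (not from the original post or the PnP docs) that uses the Microsoft Graph PowerShell SDK to turn on Assignment Required, list who is assigned, and list the Application permissions granted to the app. The display name is a placeholder and the "Broad" pattern is an assumed heuristic, not an official classification.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK.
# Placeholder: replace with the name you gave your own App Registration.
$AppDisplayName = '<your PnP PowerShell app name>'

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# The Enterprise Application is the service principal in your tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No Enterprise Application named '$AppDisplayName' found." }
if (@($sp).Count -gt 1) { throw 'More than one match; look the app up by AppId instead.' }

# Same as Properties > "Assignment required" = Yes in the portal.
if (-not $sp.AppRoleAssignmentRequired) {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
}

# Users and groups currently allowed to sign in to the app.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType |
    Format-Table -AutoSize

# Application permissions: app role assignments where this app is the principal.
# Each assignment only carries a role id, so resolve it against the resource API.
$resources = @{}
$report = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $resources.ContainsKey($a.ResourceId)) {
        $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $resources[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        Resource   = $a.ResourceDisplayName
        Permission = $role.Value
        # Assumed heuristic: tenant-wide write/control roles such as
        # Group.ReadWrite.All or User.ReadWrite.All; Sites.Selected does not match.
        Broad      = $role.Value -match '\.(ReadWrite|FullControl|Manage)\.All$'
    }
}
$report | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Rows with Broad set to True are the ones to question before consenting; an empty permissions table means the app has only delegated permissions.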