If you registered an app through the Access Control System (ACS) and are using its App ID and App Secret with the PnP.PowerShell module, it may not work.
Connect-PnPOnline works fine, but as soon as you run any other command you get the following (401) Unauthorized error. I have given the app Full Control for the Site Collection.
PS C:\WINDOWS\system32> Get-PnPList -Connection $conn1
Get-PnPList : The remote server returned an error: (401) Unauthorized.
At line:1 char:1
+ Get-PnPList -Connection $conn1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Get-PnPList], WebException
    + FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Lists.GetList
PS C:\WINDOWS\system32>
The permission request XML granted to the app:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl"/>
</AppPermissionRequests>
So, what is going on?
The answer lies in the tenant-wide flag “DisableCustomAppAuthentication”. The flag exists because ACS is retired and should not be used for new applications. ACS is still supported for backward compatibility, but it is recommended to use the “Sites.Selected” permission instead. The flag can be turned off from the SharePoint Online Management Shell:
Set-SPOTenant -DisableCustomAppAuthentication $false
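After disabling the above flag, the PnP command works. Because the flag is tenant-wide, turning it off re-enables ACS app-only authentication for the whole tenant, not only for this app.
This keeps the ACS mechanism working for your app temporarily, but it is highly recommended that you migrate the code to the new authentication on Azure AD.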
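The script below is an added example, not part of the original post: it reads the tenant flag first, confirms that the 401 from Get-PnPList matches a blocked ACS configuration, and changes the flag only when explicitly allowed. The URLs, the App ID and secret placeholders, and the `$allowAcs` switch are assumptions to replace with your own values.

```powershell
# Added example. All values below are placeholders (assumptions), not from the post.
$adminUrl = 'https://contoso-admin.sharepoint.com'       # hypothetical tenant admin URL
$siteUrl  = 'https://contoso.sharepoint.com/sites/demo'  # hypothetical site collection
$appId    = '<ACS-APP-ID>'                               # placeholder
$secret   = '<ACS-APP-SECRET>'                           # placeholder
$allowAcs = $false   # hypothetical switch: set to $true only after accepting the tenant-wide change

# 1. Read the tenant-wide flag before touching it (needs SharePoint admin rights).
Connect-SPOService -Url $adminUrl
$acsBlocked = (Get-SPOTenant).DisableCustomAppAuthentication
Write-Host "DisableCustomAppAuthentication = $acsBlocked"

# 2. Reproduce the symptom: the connection is created, the first real call fails.
$conn1 = Connect-PnPOnline -Url $siteUrl -ClientId $appId -ClientSecret $secret -ReturnConnection
try {
    Get-PnPList -Connection $conn1 -ErrorAction Stop | Select-Object Title
    Write-Host 'ACS app-only call succeeded; the flag is not the problem.'
}
catch {
    if ($_.Exception.Message -match '\(401\)' -and $acsBlocked) {
        Write-Warning '401 while DisableCustomAppAuthentication is True: ACS app-only auth is blocked tenant-wide.'
    }
    else {
        throw   # different cause (wrong secret, missing permission, network, ...)
    }
}

# 3. Change the flag only on an explicit decision, then confirm the new value.
if ($acsBlocked -and $allowAcs) {
    Set-SPOTenant -DisableCustomAppAuthentication $false
    Write-Host "DisableCustomAppAuthentication is now $((Get-SPOTenant).DisableCustomAppAuthentication)"
    # Set it back to $true once the app has moved to Azure AD and Sites.Selected.
}
```

A tenant setting can take some time to apply, so rerun step 2 after a short wait rather than immediately.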
Please see the following article for the “Sites.Selected” permission.