On August 21, 2024 Vesa Juvonen, Principal Product Manager at Microsoft, announced on behalf of the PnP PowerShell and CLI for Microsoft 365 groups that the “PnP Management Shell” multi-tenant app registration would be deleted on September 8, 2024. This means that on that day, every script that uses the recommended “Interactive” login to connect to SharePoint or to Microsoft Graph will stop working.
This has a major impact on most people using PnP PowerShell scripts. The interactive login method is often the default method used, since it supports many authentication methods, including most forms of Multi-Factor Authentication (MFA), and it does not require tenant-specific parameters in the script. Because the script itself contains no tenant-specific values, it can be code-signed for extra security.
Why is it called a multi-tenant app registration? Because the maximum permissions that can be used by scripts that use Interactive connections to SharePoint are set in an Azure AD/Entra ID app that is maintained by the Microsoft Patterns and Practices (PnP) group in their own tenant and is made available for use by any tenant. The effective permissions are limited to the more restrictive of those app permissions and the permissions of the user who is logging in to SharePoint.
Until September 8, any tenant that wanted to use the “Interactive” login had to invoke the “Register-PnPManagementShellAccess” command, once only, in order to grant access to this “PnP Management Shell” app registration from within that tenant. Consenting to this could only be done by Azure AD administrators or Global administrators. After September 8, that consent within your tenant disappears because the original app registration itself will disappear, along with all its permissions. Any script using Interactive login will fail, since the authentication relies on that app registration.
What is the alternative?
The alternative, according to Microsoft, is to create your own single-tenant app registration in your own tenant’s Entra ID, and use a different form of Interactive login. A command to create such a single-tenant app registration is being prepared by the PnP group, but at the time of writing, three days before the deadline, it has not yet been released as part of PnP PowerShell:
Register-PnPEntraIDAppForInteractiveLogin
With time running out, PointFire is releasing its own script, which uses existing PnP commands to register an app called “PointFire PnP login” in your own tenant. It also stores the app ID in an environment variable named ENTRAID_CLIENT_ID, which is read by all scripts that use the “Interactive” parameter, overriding the “PnP Management Shell” app registration that would normally be used. This way, existing scripts do not have to be modified. The new script is called “UserAuthentication.ps1” and will be included in all upcoming releases of PointFire 365 and PointFire Translator, but you can also request it directly from PointFire support.
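The following PowerShell is an added illustration of the approach described above; it is not PointFire’s UserAuthentication.ps1 and not code from the PnP project. It uses the existing PnP cmdlet Register-PnPEntraIDApp to create a single-tenant app registration with delegated permissions only, stores the resulting client ID in the ENTRAID_CLIENT_ID environment variable, and then verifies that an unmodified “Connect-PnPOnline -Interactive” call picks it up. The tenant name, site URL and permission list are placeholders for your own environment, and the property name used to read the client ID from the cmdlet’s output is an assumption to check against your installed PnP.PowerShell version.

```powershell
# Added example (not PointFire's script): register a single-tenant Entra ID app
# for delegated (interactive) PnP PowerShell logins and point PnP PowerShell at
# it through the ENTRAID_CLIENT_ID environment variable, so existing
# "Connect-PnPOnline -Interactive" scripts keep working without modification.
# Requires PnP.PowerShell 2.x and an account allowed to consent (Entra ID or
# Global administrator). Tenant, site URL and permissions are placeholders.

param(
    [string] $Tenant          = 'contoso.onmicrosoft.com',        # placeholder tenant
    [string] $ApplicationName = 'PointFire PnP login',            # app name used on this page
    [string] $SiteUrl         = 'https://contoso.sharepoint.com'  # placeholder site
)

Import-Module PnP.PowerShell -ErrorAction Stop

# Reuse an app registered by an earlier run instead of creating a duplicate.
$clientId = [Environment]::GetEnvironmentVariable('ENTRAID_CLIENT_ID', 'User')

if (-not $clientId) {
    # Only delegated permissions are requested: the effective rights remain
    # limited to what the signed-in user can already do, as explained above.
    $app = Register-PnPEntraIDApp `
        -ApplicationName $ApplicationName `
        -Tenant $Tenant `
        -Interactive `
        -SharePointDelegatePermissions 'AllSites.FullControl' `
        -GraphDelegatePermissions 'User.Read'

    # Assumption: the cmdlet's output exposes the client ID under this property
    # name; adjust if your PnP.PowerShell version names it differently.
    $clientId = $app.'AzureAppId/ClientId'
    if (-not $clientId) { throw 'App registration did not return a client ID.' }

    # Persist at user scope so future PowerShell sessions see it ...
    [Environment]::SetEnvironmentVariable('ENTRAID_CLIENT_ID', $clientId, 'User')
}

# ... and make it visible in the current session as well.
$env:ENTRAID_CLIENT_ID = $clientId

# Verification: no -ClientId is passed, so PnP PowerShell must take the client
# ID from ENTRAID_CLIENT_ID rather than the retired "PnP Management Shell" app.
Connect-PnPOnline -Url $SiteUrl -Interactive
Write-Host "Connected to $SiteUrl using client ID $env:ENTRAID_CLIENT_ID"
Get-PnPWeb | Select-Object Title, Url
Disconnect-PnPOnline
```

Run it once per tenant and per user profile, because the environment variable is stored at user scope; machine-wide deployment would instead set the variable at the Machine scope or through Group Policy. Register-PnPEntraIDApp also generates a certificate for app-only use, which these interactive scripts do not need. Keeping the permission list to the minimum your scripts actually use limits what a compromised user session can do through the app.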