[BUG] Access Denied from an Azure Function App by Managed Identity #4817

Open
khha opened this issue Mar 28, 2025 · 2 comments
khha commented Mar 28, 2025

Expected behavior

I expect the script to upload a file into a SharePoint library.

Actual behavior

I got an access denied:

2025-03-28T16:03:40Z [Information] INFORMATION: Site statistics Report Generated Successfully C:\home\data\M365StatisticsReport-28-03-2025-04-03-17.csv
2025-03-28T16:03:40Z [Information] OUTPUT: Save file on C:\home\data\M365StatisticsReport-28-03-2025-04-03-17.csv
2025-03-28T16:03:40Z [Information] OUTPUT: Connect to site: https://myCompany.sharepoint.com/teams/biinput
2025-03-28T16:03:40Z [Information] OUTPUT: Site title: BI Input
2025-03-28T16:03:42Z [Error] ERROR: Toegang geweigerd. (this is in dutch Access denied)

Exception :
Type : System.Management.Automation.PSInvalidOperationException
ErrorRecord :
Exception :
Type : System.Management.Automation.ParentContainsErrorRecordException
Message : Toegang geweigerd. (this is in dutch Access denied)
HResult : -2146233087
CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
FullyQualifiedErrorId : InvalidOperation
TargetSite :
Name : ProcessRecord
DeclaringType : [PnP.PowerShell.Commands.Base.PnPConnectedCmdlet]
MemberType : Method
Module : PnP.PowerShell.dll
Message : Toegang geweigerd. (this is in dutch Access denied)
Source : PnP.PowerShell
HResult : -2146233079
StackTrace :
at PnP.PowerShell.Commands.Base.PnPConnectedCmdlet.ProcessRecord() in c:\build\src\Commands\Base\PnPConnectedCmdlet.cs:line 101
at System.Management.Automation.CommandProcessor.ProcessRecord()
CategoryInfo : InvalidOperation: (:) [Add-PnPFile], PSInvalidOperationException
FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Files.AddFile
InvocationInfo :
MyCommand : Add-PnPFile
ScriptLineNumber : 75
OffsetInLine : 1
HistoryId : 1
ScriptName : C:\home\site\wwwroot\GetM365StatisticsReport\run.ps1
Line : Add-PnPFile -Path "C:\home\data\M365StatisticsReport-18-03-2025-08-00-53.csv" -Folder "$($destinationLibrary)" | Out-Null

Statement        : Add-PnPFile -Path "C:\home\data\M365StatisticsReport-18-03-2025-08-00-53.csv" -Folder "$($destinationLibrary)"
PositionMessage  : At C:\home\site\wwwroot\GetM365StatisticsReport\run.ps1:75 char:1
                   + Add-PnPFile -Path "C:\home\data\M365StatisticsReport-18-03-2025-08-00 …
                   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot     : C:\home\site\wwwroot\GetM365StatisticsReport
PSCommandPath    : C:\home\site\wwwroot\GetM365StatisticsReport\run.ps1
InvocationName   : Add-PnPFile
CommandOrigin    : Internal

ScriptStackTrace : at , C:\home\site\wwwroot\GetM365StatisticsReport\run.ps1: line 75

Steps to reproduce behavior

Create an Azure Function app with language PowerShell Core. Enable managed identity. Give the managed identity full control permissions on SharePoint Online. Create a new function where you try to upload a file into a SharePoint library.

What is the version of the Cmdlet module you are running?

2.12.0

Which operating system/environment are you running PnP PowerShell on?

  • [X] Azure Functions

khha added the bug (Something isn't working) label Mar 28, 2025

@KoenZomers
Collaborator

This should work and I've had this working before. It feels like it's most likely an issue with the permission you have assigned. Could it be that you have assigned it delegated permissions instead of application permissions? Or Graph permissions instead of SharePoint permissions? Did you assign Sites.FullControl.All or Sites.Selected?

KoenZomers added the in review (PR or issue is currently being reviewed) label and removed the bug (Something isn't working) label Apr 1, 2025


khha commented Apr 2, 2025

@KoenZomers I use application permissions Sites.FullControl.All (from SharePoint Online, not MS Graph).

I implemented this multiple times and it was working. Now it is not working on a specific site/library. I expect with the API permissions Sites.FullControl.All that I should have access to all sites and libraries.
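
The questions raised in the thread above (application or delegated permissions, SharePoint or Graph, Sites.FullControl.All or Sites.Selected) can be checked by reading the claims of the access token the managed identity receives. The PowerShell below is an added example, not part of the issue thread or of PnP PowerShell; the function names, the "contoso" tenant and the sample tokens are constructed for illustration.

```powershell
# Added example: inspects token claims only; it does not validate the signature.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding: map the alphabet back and re-pad.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenPermissionSummary {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Application permissions arrive in 'roles'; delegated permissions arrive in 'scp'.
    $roles = @($claims.roles | Where-Object { $_ })
    [pscustomobject]@{
        Audience     = $claims.aud
        IsGraphToken = [bool]($claims.aud -match 'graph\.microsoft\.com|00000003-0000-0000-c000-000000000000')
        Kind         = if ($roles.Count) { 'Application' } elseif ($claims.scp) { 'Delegated' } else { 'NoPermissions' }
        Roles        = $roles -join ','
        FullControl  = $roles -contains 'Sites.FullControl.All'
        SelectedOnly = ($roles -contains 'Sites.Selected') -and ($roles -notcontains 'Sites.FullControl.All')
    }
}

# Constructed sample tokens (unsigned, hypothetical tenant "contoso") so the script runs offline.
function New-SampleToken {
    param([hashtable]$Claims)
    $seg = foreach ($o in @{ alg = 'none'; typ = 'JWT' }, $Claims) {
        $json = $o | ConvertTo-Json -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.constructed-signature' -f $seg[0], $seg[1]
}

$samples = @(
    @{ aud = 'https://contoso.sharepoint.com'; roles = @('Sites.FullControl.All') }
    @{ aud = 'https://contoso.sharepoint.com'; roles = @('Sites.Selected') }
    @{ aud = 'https://graph.microsoft.com';    roles = @('Sites.FullControl.All') }
    @{ aud = 'https://contoso.sharepoint.com'; scp = 'AllSites.FullControl' }
)
$samples | ForEach-Object { Get-TokenPermissionSummary -Token (New-SampleToken $_) } | Format-Table -AutoSize
```

In the Function App, pass the token the managed identity obtained for the SharePoint resource to Get-TokenPermissionSummary instead of the constructed samples. A token whose Kind is Application and whose Roles contain only Sites.Selected grants access only to sites where a per-site permission has been granted.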
