[BUG] Get-PnPGroup and Get-PnPGroupMember in Azure Automation runbook with System-Assigned Managed Identity throw a Not Authorized error

[dgwebb]

I have an Azure automation runbook using a system-assigned Managed Identity.

When the runbook executes a Get-PnPGroup or Get-PnPGroupMember cmdlet, a "401 unauthorized" error is returned.

BTW, the same issue occurs with Get-PnPSiteCollectionAdmin.

Expected behavior

"Get-PnPGroup" returns a list of the SharePoint groups in the connected site collection.
"Get-PnPGroupMember -Group XXX" returns a list of the members in SharePoint group XXX.

Actual behavior

Response received:
{"odata.error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"}}}

Steps to reproduce behavior

1. Create an Azure automation account.
2. Create a system-assigned managed identity.
3. Grant the following permissions to the managed identity:

Sites.Read.All (SharePointOnline)
User.Read.All (Graph)
Group.Read.All (Graph)
GroupMember.Read.All (Graph)

4. Create a runbook (runtime environment PowerShell 7.2)
5. Enter the following runbook script:

$siteUrl = "... url here ..."
Connect-PnPOnline $siteUrl -ManagedIdentity
$groups = Get-PnPGroup # Error will occur on this statement

What is the version of the Cmdlet module you are running

2.12.0

Which operating system/environment are you running PnP PowerShell on?

• Windows
• Linux
• MacOS
• Azure Cloud Shell
• Azure Functions
• Other : Azure Automation runbook

[gautamdsheth]

This is a server side error due to insufficient permissions, moving it to discussion.
Would recommend changing permissions to Sites.FullCntrol (SharePoint) or Sites.Manage (SharePoint) and check

[dgwebb]

Hi Gautam - thanks for the response! I can confirm that changing the permission level to Sites.FullControl.All does resolve the issue and the group membership can be read.