Description
Connected via app-only/certificate as per documentation.
Application registration in AAD has the SharePoint permission Sites.FullControl.All

Running commands spo app * or spo orgassetslibrary * fail. "Error: Request failed with status code 403"
Diagnosis
Using the --debug flag, the commands are making a request to "https://graph.microsoft.com/v1.0/sites/root?$select=webUrl"
That call is failing because it requires the Sites scope for Microsoft Graph. (Not SharePoint Online.)
Expected result
The primary issue, IMO, is that the error was not directly related to the user's intent. I'm running a command to list items in tenant app catalog and get a 403. But the app does have permission to the app catalog, just not to Microsoft Graph. The error is tangential to the intent, making resolution a bit difficult.
Not sure if the error message should indicate the error happened during tenant discovery or if the documentation should suggest always including Microsoft Graph scopes. 🤷‍♀️
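
One way to confirm the diagnosis above is to compare the host of the failing request with the audience and app-only `roles` claim of the access token that was sent. This is an added example, not part of the original issue or of the CLI's code. The function names, the verdict strings and the sample tokens are constructed for illustration, and it assumes any Graph application role in the `Sites.*` family is enough for the `/sites/root` call.

```javascript
// Added diagnostic sketch; not the CLI's own code. Inspection only:
// the token signature is NOT verified here.
const GRAPH_AUD = ['https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'];

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Build an unsigned, constructed token so the example runs offline.
function makeSampleToken(claims) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(claims)}.constructed`;
}

// Decode the payload segment of a JWT without validating it.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Explain a 403 by comparing the failing request's host with the token's
// audience and app-only roles. Returns a short verdict string.
function diagnose403(requestUrl, jwt) {
  const host = new URL(requestUrl).hostname;
  if (host !== 'graph.microsoft.com') return 'not-a-graph-request';
  const claims = decodeClaims(jwt);
  const aud = String(claims.aud || '').replace(/\/$/, '');
  if (!GRAPH_AUD.includes(aud)) return 'wrong-audience';
  // The roles claim is absent when no application permission is granted.
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  // Assumption: any Sites.* application role satisfies /sites/root.
  return roles.some((r) => r.startsWith('Sites.'))
    ? 'graph-sites-granted' : 'missing-graph-sites-role';
}

// URL taken from the --debug output quoted in the issue.
const failingUrl = 'https://graph.microsoft.com/v1.0/sites/root?$select=webUrl';
// Constructed: Graph token for an app holding only SharePoint permissions.
const noGraphRoles = makeSampleToken({ aud: 'https://graph.microsoft.com' });
// Constructed: the same app after a Graph Sites permission is consented.
const withGraphRole = makeSampleToken({ aud: 'https://graph.microsoft.com', roles: ['Sites.Read.All'] });

console.log(diagnose403(failingUrl, noGraphRoles));
console.log(diagnose403(failingUrl, withGraphRole));
```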