[ENHANCEMENT] - `Grant-PnPAzureADAppSitePermission` doesn't work with multi-geo

[bnalley]

Reporting an Issue or Missing Feature

Grant-PnPAzureADAppSitePermission doesn't work with multi-geo. Non default geos produce an error and can't grant sites.selected permissions to sites outside default geo.

Expected behavior

Please describe what output you expect to see from the PnP PowerShell Cmdlets
Expect permission to be set with this result:
#Works with default GEO
commands
Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname -Site $site -Permissions Write
PS C:\Scripts\AzureAppScripts> Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname -Site $site -Permissions Write

Result
Id : aTowaS50fG1zLnNwLmV4dHwyOTcwMjJiYy0wOWNmLTRiZTQtYThlZi00ZWM4ZmM1MDhmNDBANDQ1M2UwNDAtNzRhOS00MGIzLTkwMDAtNTYwNjliNGFiMzA5
Roles : {write}
Apps : {BrittneyTest, 297022bc-09cf-4be4-a8ef-4ec8fc508f40}

Actual behavior

Please describe what you see instead. Please provide samples of output or screenshots.
Result:
Grant-PnPAzureADAppSitePermission : {"error":{"code":"itemNotFound","message":"Item not
found","innerError":{"date":"2023-02-10T13:33:20","request-id":"cab7bc77-2cf7-4656-acd8-70823f920c4f","client-request-id":"cab7bc77-2cf7-4656-acd8-70823f920c4f"}}}
At line:1 char:1

• Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname ...

•   + CategoryInfo          : InvalidOperation: (:) [Grant-PnPAzureADAppSitePermission], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Apps.GrantPnPAzureADAppSitePermission
  
  

Steps to reproduce behavior

Please include complete script or code samples in-line or linked from gists
#my graph api app
$appid = "297022bc-09cf-4be4-a8ef-4ec8fc508f40"
$appname = "BrittneyTest"
$site = "https://bcgdev01.sharepoint.com/sites/BNTest"
$site1 = "https://bcgdev01asp.sharepoint.com/sites/bntest"
$site2 = "https://bcgdev01eur.sharepoint.com/sites/BrittneyTest"

#tenant urls
$devtenant = "https://bcgdev01-admin.sharepoint.com/" #default geo
$devEmea = "https://bcgdev01eur-admin.sharepoint.com/" #asp geo
$devAsiaP = "https://bcgdev01asp-admin.sharepoint.com/" #eur geo

Connect-PnPOnline -Url $devAsiaP -Interactive
#Works with default GEO
Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname -Site $site -Permissions Write
#Doesn't work with other GEOS in tenant
#ASP geo
Connect-PnPOnline -Url $devAsiaP -Interactive
Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname -Site $site1 -Permissions Write
#EUR geo
Connect-PnPOnline -Url $devEmea-Interactive
Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname -Site $site2 -Permissions Write
Result for ASP and EUR
Grant-PnPAzureADAppSitePermission : {"error":{"code":"itemNotFound","message":"Item not
found","innerError":{"date":"2023-02-10T13:33:20","request-id":"cab7bc77-2cf7-4656-acd8-70823f920c4f","client-request-id":"cab7bc77-2cf7-4656-acd8-70823f920c4f"}}}
At line:1 char:1

• Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname ...

•   + CategoryInfo          : InvalidOperation: (:) [Grant-PnPAzureADAppSitePermission], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Apps.GrantPnPAzureADAppSitePermission
  
  

What is the version of the Cmdlet module you are running? 1.12.0

(you can retrieve this by executing Get-Module -Name "PnP.PowerShell" -ListAvailable)

Which operating system/environment are you running PnP PowerShell on?

- [ ] Windows

[bnalley]

Thanks Verica and Gautam. Any ideas if and when you will work on this as an enhancement?

[KoenZomers]

There's a blogpost from someone that ran into the same issue with PnP PowerShell:
https://rakhesh.com/azure/grant-pnpazureadappsitepermission-item-not-found/

Interestingly enough, as he writes, it seems to be an issue on the Microsoft Graph side of the story. I don't have access to multi-geo myself unfortunately. Could you try and see if his approach would work with PnP Powershell as well if you would first run this:

Invoke-PnPGraphMethod https://graph.microsoft.com/v1.0/sites/<siteid where you try to set permissions>/lists

And then run your usual:

Grant-PnPAzureADAppSitePermission -AppId $appid -DisplayName $appname -Site $site -Permissions Write

You can get the siteid by running i.e.

(Get-PnPSite -Includes Id).Id

Please share your findings.

[reusto]

I'm encountering the same issue and as @KoenZomers already mentioned it seems to be an issue with Graph, as I have the same issue when directly invoking the graph endpoint.

The workaround that helps me is to first requesting the site via graph like this:

Invoke-PnPGraphMethod https://graph.microsoft.com/v1.0/sites/<siteid>

and afterwards it's all working fine.

[reusto]

Btw. while invoking the permission endpoint with the site ID to reference to the site, only works after once getting the site.

Invoke-PnPGraphmethod "/sites/<siteId>";
Invoke-PnPGraphMethod "/sites/<siteId>/permissions";

Invoking the permissions endpoint while referencing the site by its URL, works fine from the start.

Invoke-PnPGraphMethod "/sites/<uriHost>:<uriLocalPath>:/permissions";

Therefor seems to be an issue only when referencing to the site with the id in the URL.

[gautamdsheth]

@reusto - is it safe to say that this is a Graph issue ? Would it be possible to fix it in our cmdlet ? Curious to know your thoughts :)

[reusto]

@gautamdsheth I'm pretty sure that the error lies with the Graph API.

We can't fix it in the cmdlet, but we can implement a workaround by requesting the page first everytime via the "/sites/<siteId>" route.

[christopheLDCL]

@KoenZomers adding Invoke-PnPGraphMethod https://graph.microsoft.com/v1.0/sites/ works like nicely in multigeo.
thank you @reusto for the tip: (Get-PnPSite -Includes Id).Id

I put a link to a script as example with all the command if anyone interested.
[https://gist.github.com/christopheLDCL/3acae4a190c40ad5cb994804eeadf8de]