[BUG] Add-PnPTeamsChannel returning Insufficient privileges when using -ManagedIdentity

[dappleby300]

Reporting an Issue or Missing Feature

When using the PNP module within an Azure function managed indentity (Connect-PnPOnline -ManagedIdentity -Url:'Contoso.microsoft.com'), the command Add-PnPTeamsChannel returns: Insufficient privileges to complete the operation.

This works fine under other connection methods but seems to fail when using -ManagedIdentity

The managed identity has been granted permissions:

Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Channel.Create" -BuiltInType MicrosoftGraph
Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Group.ReadWrite.all" -BuiltInType MicrosoftGraph

Expected behavior

Add-PnPTeamsChannel should complete succesfully if the require permissions are granted

Actual behavior

It failes with error: "Insufficient privileges to complete the operation."

The verbose output is:

2024-06-05T04:48:47.237 [Trace] VERBOSE: Acquiring token for resource graph.microsoft.com using Managed Identity
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using scope https://graph.microsoft.com/ for managed identity token coming from the cmdlet permission attribute
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using identity endpoint: http://127.0.0.1:41131/msi/token/
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using identity header: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2024-06-05T04:48:47.237 [Trace] VERBOSE: Using the system assigned managed identity
2024-06-05T04:48:47.238 [Trace] VERBOSE: Sending token request to http://127.0.0.1:41131/msi/token/?resource=https://graph.microsoft.com/&api-version=2019-08-01
2024-06-05T04:48:47.238 [Trace] VERBOSE: Acquiring token for resource graph.microsoft.com using Managed Identity
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using scope https://graph.microsoft.com/ for managed identity token coming from the cmdlet permission attribute
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using identity endpoint: http://127.0.0.1:41131/msi/token/
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using identity header: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2024-06-05T04:48:47.238 [Trace] VERBOSE: Using the system assigned managed identity
2024-06-05T04:48:47.238 [Trace] VERBOSE: Sending token request to http://127.0.0.1:41131/msi/token/?resource=https://graph.microsoft.com/&api-version=2019-08-01

Steps to reproduce behavior

Create an azure powershell function following this: https://pnp.github.io/powershell/articles/azurefunctions.html

Grant the following permissions to the managed identity:

Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Channel.Create" -BuiltInType MicrosoftGraph
Add-PnPAzureADServicePrincipalAppRole -Principal "XXXXXXXXXXXXXX" -AppRole "Group.ReadWrite.all" -BuiltInType MicrosoftGraph

Run the following code in an azure powershell function:

Connect-PnPOnline -ManagedIdentity -Url:'contoso.microsoft.com
Add-PnPTeamsChannel -Team:'XXXXXXX-XXXX-XXX-XXXXXXX' -DisplayName:'Test Channel' -ChannelType Private -OwnerUPN:'exampleuser@contoso.microsoft.com' -Verbose

What is the version of the Cmdlet module you are running?

2.4.0

Which operating system/environment are you running PnP PowerShell on?

• Windows
• Linux
• MacOS
• Azure Cloud Shell
• [ X ] Azure Functions
• Other : please specify