[BUG] Connecting using Managed Identity in Azure Runbook with Sites.Selected results in "The Push Notifications feature is not activated on the site"

[yvesrosius]

Reporting an Issue

Expected behavior

After setting up a managed identity, linked to an Azure Runbook using "Sites.Selected" instead of "Sites.FullControl.All", the Runbook should be able to connect to the sites granted permissions.

The Runbook should be able to perform cmdlets:

• Get-PnPList
• Get-PnPSite
• ...

Actual behavior

Errors are thrown:

• The Push Notifications feature is not activated on the site "https://contoso.sharepoint.com/sites/somesite"
• Get-PnPList: The remote server returned an error: (401) Unauthorized.

Steps to reproduce behavior

1. Create Automation Account (+ Runbook)
2. Enable system-assigned managed identity
3. Add-PnPAzureADServicePrincipalAppRole -Principal "mymanagedidentity" -AppRole "Sites.Selected" -BuiltInType SharePointOnline
4. Grant-PnPAzureADAppSitePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions FullControl -Site https://contoso.sharepoint.com/sites/somesite

What is the version of the Cmdlet module you are running?

2.5.0

Which operating system/environment are you running PnP PowerShell on?

• Azure Automation Account (Azure Runbook) using Runtime Environment PowerShell 7.2

[yvesrosius]

Just made some progress..

https://www.blimped.nl/running-application-with-limited-sharepoint-permissions/

This article mentions 2 steps to grant permissions to the application.

Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/project-x" -Interactive

$permission = Grant-PnPAzureADAppSitePermission -AppId "ce6bb9a7-c909-4538-b9dd-930724d7259d" -DisplayName "TestApp" -Permissions Write 

Set-PnPAzureADAppSitePermission -PermissionId $permission.Id -Permissions FullControl

Could you please update the documentation on this PnP article using Sites.Selected?

Other people are also running into this issue, as seen in #3219