
PnP PowerShell Custom Environment Support #3717

Closed
BernieEllis opened this issue Jan 29, 2024 · 8 comments · Fixed by #3763 or #4219
Labels
enhancement New feature or request

Comments

@BernieEllis

Is your feature request related to a problem? Please describe.
Yes, customers in Microsoft national clouds other than Azure Government/GCC High/DoD need to be able to register and leverage PnP PowerShell for various Microsoft 365 automation scenarios. Some initial work was done last year (Connect-PnPOnline Environment Discovery) to establish some limited PnP PowerShell support, but there are still gaps remaining that limit setup and automation for new customers, such as:

Cmdlet Environment Support

  1. Register-PnPManagementShellAccess
  2. Register-PnPAzureADApp

Managed Identity Environment Support
Secure credential management is important in these environments. Connect-PnPOnline has Managed Identity support, but it is unclear if it supports custom Microsoft Graph/Entra ID endpoints to successfully leverage Managed Identity in these cloud environments.

Describe the solution you'd like
Customers in these environments should be able to follow the Connecting with PnP PowerShell instructions to use the Register-PnPManagementShellAccess and/or Register-PnPAzureADApp cmdlets, then authenticate in the same manner as with other cloud environments.

Connect-PnPOnline should work in these environments with the -ManagedIdentity parameter specified as documented at Connect-PnPOnline.

Describe alternatives you've considered
I cannot think of alternatives. We've looked at Microsoft Graph PowerShell, but it does not contain all the functionality that PnP PowerShell offers.

Additional context
No additional context.

@BernieEllis BernieEllis added the enhancement New feature or request label Jan 29, 2024
@gautamdsheth
Collaborator

@BernieEllis - I think it should work if you first do Connect-PnPOnline with -AzureEnvironment Custom and specify the MicrosoftGraphEndPoint and AzureADLoginEndPoint params. Can you check that and let us know?

@BernieEllis
Author

@gautamdsheth - I get the following error when trying that syntax:

Connect-PnPOnline: AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e' was not found in the directory.

Are you expecting that cmdlet to register the app if it's not already present?

@gautamdsheth
Collaborator

@BernieEllis - PnP Management Shell is a multi-tenant app which requests a lot of permissions for different sources; maybe some of them are not available in these environments? Am checking the code for PnP Management Shell and can see some improvements, will try them.

What happens when you try to create a new Entra ID app using Register-PnPAzureADApp? Should work, I believe.

@BernieEllis
Author

@gautamdsheth - Seems 31359c7f-bd7e-475c-86db-fdb8c937548e is the Microsoft first party appID for PnP Management Shell. I will inquire separately about why this isn't published in this environment.

Register-PnPAzureADApp doesn't work because I can't specify the environment as Custom and pass in the AzureADLoginEndPoint and MicrosoftGraphEndpoint parameters. These parameters were added to the Connect-PnPOnline cmdlet last year.

@gautamdsheth
Collaborator

gautamdsheth commented Feb 17, 2024

Have added support for custom environment in both cmdlets, can you please try with the latest nightly builds? I think the Register-PnPAzureADApp cmdlet should work, not sure about Register-PnPManagementShellAccess though.

You need to set the environment variables first for this, we use the same thing in Connect-PnPOnline as well:

$ENV:MicrosoftGraphEndPoint = "https://your-graph-url"
$ENV:AzureADLoginEndPoint = "https://your-azure-ad-url"
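As an added example, not code from this issue or from the PnP PowerShell project, the setup described in the comment above scripted end to end for a custom cloud: the two endpoint overrides are validated and kept process-scoped, the app is registered with its own certificate, and the connection is opened with the same endpoints passed explicitly so nothing falls back to the public cloud. The URLs, tenant, site, app name, the `AzureAppId/ClientId` output property and the `-AzureEnvironment Custom` value on Register-PnPAzureADApp are assumptions.

```powershell
# Added example (not the issue's or the project's own code). Endpoint URLs, tenant,
# site URL, app name and the output property name used below are assumptions.
param(
    [Parameter(Mandatory)] [string] $GraphEndpoint,   # custom cloud Graph base URL
    [Parameter(Mandatory)] [string] $LoginEndpoint,   # custom cloud Entra ID login base URL
    [Parameter(Mandatory)] [string] $Tenant,          # e.g. contoso.onmicrosoft.<cloud-suffix>
    [Parameter(Mandatory)] [string] $SiteUrl,         # SharePoint site in that cloud
    [string] $AppName = 'PnP-Automation',
    [string] $OutPath = (Join-Path $PWD 'pnp-app')
)

# Accept only https URLs with a bare host and no path or query: a mistyped authority
# would send the app's token requests (and credentials) to an unintended endpoint.
function Test-EndpointUrl {
    param([string] $Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) { return $false }
    return ($uri.Scheme -eq 'https') -and ($uri.AbsolutePath -in @('', '/')) -and
           [string]::IsNullOrEmpty($uri.Query)
}

foreach ($u in @($GraphEndpoint, $LoginEndpoint)) {
    if (-not (Test-EndpointUrl $u)) { throw "Refusing non-https or non-root endpoint: $u" }
}

# The nightly build reads the custom endpoints from these two variables. $env: is
# process scope, so the override never persists on the machine or for other users.
$env:MicrosoftGraphEndPoint = $GraphEndpoint.TrimEnd('/')
$env:AzureADLoginEndPoint   = $LoginEndpoint.TrimEnd('/')

try {
    # Register the app with its own self-signed certificate; password is prompted, never stored in the script.
    $certPassword = Read-Host -AsSecureString -Prompt 'Certificate password'
    New-Item -ItemType Directory -Path $OutPath -Force | Out-Null
    $app = Register-PnPAzureADApp -ApplicationName $AppName -Tenant $Tenant `
        -OutPath $OutPath -CertificatePassword $certPassword -AzureEnvironment Custom -Interactive

    # Certificate-based sign-in to the custom cloud, with the endpoints passed explicitly
    # (assumed output property name for the new app's client id).
    Connect-PnPOnline -Url $SiteUrl -ClientId $app.'AzureAppId/ClientId' -Tenant $Tenant `
        -CertificatePath (Join-Path $OutPath "$AppName.pfx") -CertificatePassword $certPassword `
        -AzureEnvironment Custom -MicrosoftGraphEndPoint $GraphEndpoint -AzureADLoginEndPoint $LoginEndpoint
}
finally {
    # Clear the session-scoped overrides so later cmdlets in this shell are not redirected.
    Remove-Item Env:\MicrosoftGraphEndPoint, Env:\AzureADLoginEndPoint -ErrorAction SilentlyContinue
}
```

The .pfx written to $OutPath is the app's credential; keep it out of source control and restrict its file permissions.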

@BernieEllis
Author

BernieEllis commented Feb 19, 2024

Thanks @gautamdsheth. Register-PnPAzureADApp indeed worked with the environment variables set.

Out of curiosity, why not parameterize the two endpoints to the Register-PnPAzureADApp cmdlet itself vs specifying via environment variable?

Register-PnPManagementShellAccess failed with the same error before.

Separately, it appears I cannot specify -AzureEnvironment (Custom environment or otherwise) when specifying -ManagedIdentity. I receive the error "Connect-PnPOnline: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided."

@jakeatsb

Register-PnPAzureADApp appears to prompt properly for the credentials within GCCH but never prompts to approve permissions, causing the App to never be generated. Is this a bug, or can someone confirm this is working with another tenant?

@gautamdsheth
Collaborator

Hi @BernieEllis, sorry for taking this much time.
We have made the necessary changes to make it easier to use Connect-PnPOnline with Managed Identity as you suggested.
The changes have also been done in the Register-PnPAzureADApp cmdlet by making it easier to pass custom endpoints via parameters.

The Register-PnPManagementShellAccess cmdlet will stop working from 9th September; you can read more about that here: https://pnp.github.io/blog/post/changes-pnp-management-shell-registration/
