Getting Started with PnP PowerShell: Modern Authentication and Multi-Tenant Setup
Introduction
PnP PowerShell authentication for Microsoft 365 has evolved significantly over the years. The shared multi-tenant app registration was decommissioned for security reasons, so each tenant must now set up its own app registration. Fortunately, the PnP team has simplified this process with cmdlets that automate app registration and authentication setup.
This guide covers modern PnP PowerShell authentication methods, including interactive login setup, multi-tenant management, and certificate-based authentication.
The Evolution of PnP PowerShell Authentication
Before: Multi-Tenant App Registration
- Single shared app registration across all tenants
- Simplified initial setup but created security concerns
- Decommissioned for enhanced security
Now: Tenant-Specific App Registrations
- Each tenant needs to create and maintain its own app registration(s)
- Enhanced security and control
- Automated setup through PnP cmdlets
Method 1: Interactive Login Setup
Step 1: Create App Registration Automatically
The Register-PnPEntraIDAppForInteractiveLogin cmdlet automatically creates an app registration with default permissions:
# -Tenant takes the Entra ID tenant name (e.g. contoso.onmicrosoft.com), not the SharePoint URL
Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "PnP.PowerShell" -Tenant "contoso.onmicrosoft.com" -Interactive

This command:
- ✅ Creates a new Entra ID app registration
- ✅ Configures default SharePoint permissions
- ✅ Returns the Client ID for future use
- ✅ Sets up redirect URIs automatically
Step 2: Consent to Permissions
When prompted, grant admin consent to the requested permissions.
Important: Ensure you have Global Administrator or Application Administrator rights to provide consent.
Step 3: Store App ID for Seamless Authentication
Use Set-PnPManagedAppId to store the Client ID locally, avoiding manual specification:
Set-PnPManagedAppId -Url "https://contoso.sharepoint.com" -AppId "d96c0a07-770d-46f4-bb38-a54084254bf7"

This stores the App ID in:
- Windows: Windows Credential Manager
- macOS: Keychain
- Linux: Encrypted local storage

Method 2: Multi-Tenant Authentication Management
Challenge: Different App IDs per Tenant
Each tenant requires its own app registration, creating complexity for administrators managing multiple tenants.
Solution: Managed App ID Storage
Store different Client IDs for each tenant using Set-PnPManagedAppId:
# Tenant 1
Set-PnPManagedAppId -Url "https://contoso.sharepoint.com" -AppId "d96c0a07-770d-46f4-bb38-a54084254bf7"
# Tenant 2
Set-PnPManagedAppId -Url "https://fabrikam.sharepoint.com" -AppId "00000000-0000-0000-0000-000000000002"  # placeholder: use the Client ID registered in that tenant
# Tenant 3
Set-PnPManagedAppId -Url "https://adventure-works.sharepoint.com" -AppId "f1e2d3c4-b5a6-9870-1234-567890abcdef"

Seamless Multi-Tenant Connection
Once configured, connect to any tenant without specifying Client IDs:
# Connect to different tenants seamlessly
Connect-PnPOnline -Url "https://contoso.sharepoint.com" -Interactive
Connect-PnPOnline -Url "https://fabrikam.sharepoint.com" -Interactive
Connect-PnPOnline -Url "https://adventure-works.sharepoint.com" -Interactive

Method 3: Certificate-Based Authentication
For unattended scripts and enhanced security, certificate-based authentication is essential.
Step 1: Create Self-Signed Certificate
Generate a self-signed certificate using PnP PowerShell:
# Create certificate with secure password prompt
$certPassword = Read-Host -Prompt "Enter certificate password" -AsSecureString
New-PnPAzureCertificate -OutPfx "pnp.pfx" -OutCert "pnp.cer" -CertificatePassword $certPassword
This generates:
- pnp.pfx: Private key file (keep secure)
- pnp.cer: Public certificate (upload to app registration)
Step 2: Upload Certificate to App Registration
- Navigate to your app registration in Entra ID
- Go to Certificates & secrets
- Upload the pnp.cer file

Step 3: Connect Using Certificate
# Certificate-based connection
Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" `
-CertificatePath "C:\Certificates\pnp.pfx" `
-CertificatePassword $certPassword `
-ClientId "f7fd5547-3751-4da4-89f8-25ebe1f6add1" `
-Tenant "contoso.onmicrosoft.com"
Note: Unlike interactive authentication, certificate-based authentication requires the Client ID to be specified explicitly.
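The following script ties Method 2 and Method 3 together: one unattended run that connects to several tenants, each with its own app registration, using the same certificate. It is an added example and not code from the original article or the PnP project; the tenant names, Client IDs and thumbprint are constructed placeholders, and it assumes the certificate created with New-PnPAzureCertificate has been imported into the CurrentUser\My store with Import-PfxCertificate so it can be referenced by -Thumbprint instead of keeping a .pfx and its password on disk.

```powershell
# Added example (not from the article): unattended multi-tenant connection with
# certificate-based authentication, one app registration per tenant.
# Assumption: the .pfx from New-PnPAzureCertificate was imported with
#   Import-PfxCertificate -FilePath pnp.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $certPassword
# Tenant names, Client IDs and the thumbprint below are constructed placeholders.
$tenants = @(
    @{ Tenant = 'contoso.onmicrosoft.com';  AdminUrl = 'https://contoso-admin.sharepoint.com';  ClientId = '00000000-0000-0000-0000-000000000001' },
    @{ Tenant = 'fabrikam.onmicrosoft.com'; AdminUrl = 'https://fabrikam-admin.sharepoint.com'; ClientId = '00000000-0000-0000-0000-000000000002' }
)
$thumbprint = 'PLACEHOLDER-CERT-THUMBPRINT'

# Refuse to run if the certificate (with its private key) is not present locally.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint with private key not found in CurrentUser\My"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); rotate it and upload the new .cer to each app registration"
}

foreach ($t in $tenants) {
    try {
        # Each tenant has its own app registration, so ClientId changes per tenant;
        # the same public certificate (.cer) can be uploaded to each of them.
        Connect-PnPOnline -Url $t.AdminUrl `
            -ClientId $t.ClientId `
            -Thumbprint $thumbprint `
            -Tenant $t.Tenant

        # Read-only check that the app-only token is accepted in this tenant.
        $sites = Get-PnPTenantSite
        Write-Host "$($t.Tenant): connected as app $($t.ClientId), $($sites.Count) site collections visible"
    }
    catch {
        # Typical causes: consent not granted in that tenant, certificate not uploaded
        # to that app registration, or a ClientId that belongs to a different tenant.
        Write-Error "$($t.Tenant): $($_.Exception.Message)"
    }
    finally {
        Disconnect-PnPOnline -ErrorAction SilentlyContinue
    }
}
```

Because the private key never leaves the certificate store, the script needs no password at run time, and the expiry warning gives time to rotate the certificate before unattended jobs start failing.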
Authentication Method Comparison
| Method | Use Case | Client ID Required | Unattended Scripts | Multi-Tenant Support |
|---|---|---|---|---|
| Interactive Login | Development, Testing | ❌ (not required once stored with Set-PnPManagedAppId) | ❌ | ✅ |
| Certificate-based | Production, Automation | ✅ Always required | ✅ | ✅ |
| Managed Identity | Azure environments | ❌ | ✅ | ❌ |
References
- Register-PnPEntraIDAppForInteractiveLogin
- Set-PnPManagedAppId
- New-PnPAzureCertificate
- Creating a PnP.PowerShell App Registration with PowerShell