When working with PnP PowerShell using a Scopes connection, you need to connect with an account that has some additional permissions, and often we just take the easy route and give or ask for Global Admin. With that role, I will be able to do anything with the scopes, but in some organizations granting this type of permission can take some time or may not even be approved.
Let's use the following command to connect with Scopes in PnP PowerShell for all these examples:
Connect-PnPOnline -Scopes "Group.Read.All","User.ReadBasic.All"
When a regular user asks PnP PowerShell to connect with these scopes, they are presented with a screen that blocks the code they were trying to run. This is where the process of requesting the Global Admin account usually starts.
However, you can give this particular user an Azure Active Directory role that allows them to grant the required permissions and, with that, run the PowerShell successfully.
- Go to https://admin.microsoft.com/
- Click on User and then Active User
- Select the User that you want to give this permission by clicking on the name
- Click on the option Manage Role
- Select the option Admin center access
- Under the Show all option by category, go to Identity and select Application admin
- Now Save the changes
After this, if you run the same command, this user will be able to authorize the required permission on your tenant and connect with the required scopes.
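The same role assignment can be scripted, and removed again when it is no longer needed. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin is allowed to manage role assignments. The function names and the UPN are hypothetical, and the admin center's "Application admin" is the role whose Graph display name is "Application Administrator".

```powershell
# Added example (not from the original post). Helper names are hypothetical.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).

function Get-AppAdminState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop
    $role = Get-MgRoleManagementDirectoryRoleDefinition `
        -Filter "displayName eq 'Application Administrator'"
    if (-not $role) { throw 'Application Administrator role definition not found.' }
    # Filter by principal on the server, then match the role and tenant-wide scope locally.
    $assignment = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)'" -All |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq '/' }
    [pscustomobject]@{ User = $user; Role = $role; Assignment = $assignment }
}

function Grant-AppAdmin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $state = Get-AppAdminState -UserPrincipalName $UserPrincipalName
    if ($state.Assignment) {
        Write-Host "$UserPrincipalName already holds the role."
        return $state.Assignment
    }
    # Same effect as the admin center steps: tenant-wide assignment of the role.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $state.User.Id `
        -RoleDefinitionId $state.Role.Id -DirectoryScopeId '/'
}

function Revoke-AppAdmin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $state = Get-AppAdminState -UserPrincipalName $UserPrincipalName
    foreach ($a in $state.Assignment) {
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
        Write-Host "Removed assignment $($a.Id) from $UserPrincipalName."
    }
}

# Usage, run by an admin who can manage role assignments:
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'
$upn = 'pnp.operator@contoso.example'   # placeholder UPN

Grant-AppAdmin -UserPrincipalName $upn
# The user then runs the Connect-PnPOnline -Scopes command shown earlier
# and approves the permission request.

# When the role is no longer needed, take it away again.
Revoke-AppAdmin -UserPrincipalName $upn
```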
Conclusion
Requesting only this permission from the organization will probably be easier to get granted and more compliant with the requirements you may have for whatever you're trying to accomplish using PnP PowerShell. This sample is valid for any solution that requires these types of authorization in your organization.
We wrote a detailed article at https://appfluence.com/help/article/microsoft-teams-need-admin-approval/ with detailed instructions, addressing the most common situations including both steps for the Teams Admin Center, and the AAD console. Perhaps it might be useful.