Apply-PnPTenantTemplate : Insufficient privileges to complete the operation about modernization HOT 35 CLOSED

Hi @jathorpe,

Can you share the output of Get-PnPException after you've received the error?

In general SharePoint Tenant admin should be sufficient to install the solution. Do note that you need to have a tenant app catalog already setup. Can you open the SP admin center, click on "Apps" and then on "App Catalog". If you end up on the "App Catalog Site" then this is done, if not you'll be asked to setup the app catalog.

Before retrying ensure you've fully deleted the old site:

• Delete https://yourtenant.sharepoint.com/sites/modernizationcenter from the UI
• Use PnP PowerShell and call Clear-PnPTenantRecycleBinItem -Url https://yourtenant.sharepoint.com/sites/modernizationcenter to clear the site from the recycle bin
• Also please do a git pull (or download via zip) as I've just updated the .pnp file to include a newer version that also works on sub sites

Let me know how it goes.

from modernization.

I followed the steps you outlined and verified the App Catalog. I download the updated pnp files and when I ran the commands I got the same error as before.

I checked the App Catalog and both sharepointpnp-pagetransformation-central and sharepointpnp-pagetransformation-client were added to the App Catalog

The modernizationcenter was not created. It may not make a difference but one thing I noticed is that in our environment the default location for Communication sites is the "teams" managed path and not the "sites" managed path.

from modernization.

@jansenbe ,
Here is the exception I am getting. I am a SharePoint Administrator for the tenant but not a Global Admin. I am running SharePointPnPPowerShellOnline 3.4.1812.2

Apply-PnPTenantTemplate : Insufficient privileges to complete the operation.
At line:9 char:1

• Apply-PnPTenantTemplate -Path .\modernization.pnp -Parameters @{"Azur ...

•   + CategoryInfo          : WriteError: (:) [Apply-PnPTenantTemplate], ServerException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate
  

from modernization.

Hey @jathorpe ,

Thanks for the testing and feedback, really appreciated!

I've logged a bug to add support for other site collection url's besides /sites/modernizationcenter (see #19) and will add this the beta release. In the meanwhile I would ask you if you can temporarily configure /sites instead of /teams and then try the installation again. If that's not an option, then I understand. You'll then have to wait for the beta version slated before January ends.

from modernization.

@jathorpe

Did check the needed changes to support any site collection url...and this appeared to be minimal and I already implemented it. Can you check the updated deployment guide and take note of the "Notes" that describe what's needed to deploy in a different site collection. Essentially it comes down to specifying an extra parameter in the Apply-PnPTenantTemplate cmdlet run.

from modernization.

@jansenbe ,
I downloaded the latest version of the code and ran the PowerShell with the new parameter and it still failed.

Apply-PnPTenantTemplate -Path .\modernization.pnp -Parameters @{"CenterUrl"="/teams/modernizationcenter";"AzureAppID"="removed";"AzureFunction"="removed"}

Apply-PnPTenantTemplate : Insufficient privileges to complete the operation.
At line:6 char:1

• Apply-PnPTenantTemplate -Path .\modernization.pnp -Parameters @{"Cent ...

•   + CategoryInfo          : WriteError: (:) [Apply-PnPTenantTemplate], ServerException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate
  
  

from modernization.

@jathorpe

So clearly something goes wrong before or with the site collection creation step.

Test 1: Can you go the API management page in the modern SharePoint admin center (https://yourtenantname-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement) and verify that you see a tenant-wide API approved with name SharePointPnP.Modernization?

Test 2: Can you run below PowerShell to test if you can programmatically create a communication site:

 New-PnPSite -Type CommunicationSite -Title "test" -Url "https://yourtenantname.sharepoint.com/sites/todeletedemo"

If that worked you can delete the site again, if that failed please run Get-PnPException as that will give me the stracktrace of the error.

from modernization.

@jansenbe ,

Test 2 ran fine and created the communication site in the "/sites/" managed path. Test 1 didn't go as well. The API Management Page has nothing approved or pending but has two errors:

[HTTP]:500 - [CorrelationId]:0bdead9e-d0c5-7000-9a0c-ee9d8828bd5b [Version]:16.0.0.8405 - Insufficient privileges to complete the operation.

[HTTP]:500 - [CorrelationId]:0bdead9e-80df-7000-9990-8ad53c69416a [Version]:16.0.0.8405 - Insufficient privileges to complete the operation.

from modernization.

@jansenbe ,

I am not sure if this makes a difference but every time I go to the API Management page I get the message "***Access to Azure Active Directory resources using the SharePoint Framework will be available soon."

from modernization.

@jathorpe : think we've found the root cause of your issues. Can you try below guidance.

From SharePoint/sp-dev-docs#2472:

OK, latest updates on this. We've tracked down the root cause, and it's a bit strange.

Some tenants have the Site Collection Admin for the tenant admin site (mytenant-admin.sharepoint.com) set incorrectly. It should be "Company Administrator", but it winds up with a weird account like YLO001_frm123... When you go to the admin API page, we try and update a property on the web of the admin site collection, but the user doesn't have permissions, and so it fails.

We need to figure out why some of these sites are incorrectly set up, but in the meantime, here is a workaround.

1 - Go to the user page in the Microsoft 365 admin center (https://admin.microsoft.com/adminportal, then select Users->Active Users)
2 - Click Add A User
3 - complete the information, and make sure that you set the License to be "SharePoint Online For Developer" and set the Role to be "Customized Administrator" with "SharePoint Administrator" selected.
4 - Click "Add".
5 - This might take a while....
6 - Log in to the SP admin center as this new users (tenant-admin.sharepoint.com)
7 - Go to _layouts/15/settings.aspx and select "Site Collection Administrators" under Users and Permissions
8 - delete the incorrect user (hit the X, even if the UX is spinning)
9 - In the little text box, enter "Company Administrator", select the Company Administrator when it resolves, then click "OK". Note - at this point you may get an access denied. Ignore it.
10 - Now log back on with the tenant admin, and hit the API page.
11 - If this is all working, you can delete the user you added.

from modernization.

@jansenbe ,

I am a little confused by the instructions. It sounds like I am supposed to create a dummy user with the SharePoint Admin role and a "SharePoint Online For Developers" license. Our tenant is licensed with E5, so the only option there is "SharePoint Online (Plan 2)".

Also what account am I deleting in the "Site Collection Administrators"?

from modernization.

Can you show me what you currently have as administrators in your tenant admin site? To do so go to https://yourtenantname-admin.sharepoint.com/_layouts/15/mngsiteadmin.aspx and check

from modernization.

I have attached a screenshot. I groups are in the screenshot but I did blur one user name but not mine name for privacy reasons.

from modernization.

This looks good, so the problem is not what was mentioned in the thread I shared. Can you open an issue in https://github.com/SharePoint/sp-dev-docs/issues for this? In parallel, I'll see what more I can find out.

Is there anything specifically restricted in your Azure AD?

from modernization.

Our Security Team has locked down App Registration in AAD, so only someone on their team can register an app. So I had one of our Global Admins run Step 1 of the set-up process which included clicking the consent link when the Provision-ModernizationFramework.ps1 finished.

Then I started with Step 2. I have the Tenant SharePoint Admin role, so we thought I should be able to finish the rest of the steps in deploying the modernization tool.

from modernization.

Well, there's a SharePoint App in Azure AD that's being updated from the SharePoint Management UI and seems like the listed accounts (including company admin, SharePoint admin) don't have the proper permissions to this. Would recommend checking back with them on see if this above rings any bells: maybe they can open the App created by SharePoint for modifications?

The app I'm talking about can be found via going to AAD portal (https://aad.portal.azure.com), clicking on "App registrations", typing "SharePoint" in the filter combined with selecting "All Apps": app to see is named SharePoint Online Client Extensibility Web Application Principal as shown in the screenshot below:

Without this app any SharePoint Framework customization making calls to Azure AD secured resources will fail.

from modernization.

I don't see the "SharePoint Online Client Extensibility Web Application Principal" app listed. I do see the "SharePointPnP.Modernization" app listed. Does this mean something went wrong with Step 1 or we missed a step?

from modernization.

All environments should have the "SharePoint Online Client Extensibility Web Application Principal" app installed, it's a "system" app...the fact that you don't have it explains the issues. Can you ask your Azure AD admins if they've deleted it? If they could restore from the recycle bin, if not please open a support ticket with Microsoft support.

from modernization.

@jansenbe ,

I ran Get-AzureADDeletedApplication and the app isn't list there. Is it possible it was been deployed to our tenant?

from modernization.

Might be that it's created at first use...can you have a company admin (so someone with admin level permissions in SPO and AAD) go the API permission management page in new SPO admin center and check if they see the same errors as you saw?

from modernization.

@jansenbe , we have made some progress. I had our Global Admin go to the SharePoint API Management page and then the "SharePoint Online Client Extensibility Web Application Principal" app was deployed. I was able to then run step 2 of the deployment without an error.

I used the modernizationcenter to enable the "Create modern version" in a test site collection. Then I went to a sub site in the test site collection and used the "Create modern version" on a web part page. The screen redirects to the modernize page in the modernizationcenter and displays the message "Busy generating a modern version of Test-WP-Page-Convert.aspx...". The issue now is that it just sits there on that page and nothing is happening.

from modernization.

I tried the Powershell "ConvertTo-PnPClientSidePage" command and that worked, so the issue appears to be related to the "Create modern version" action in the ribbon.

from modernization.

Hi @jathorpe ,

• When the page is "hanging" on "Busy generating a modern version" can you press F12 and go the "console" view to see if there are errors (typically marked in red text)?
• I did fix a bug in page transformation on sub sites (c08bbe7). Not sure if that's hitting you, but if you can try from the root web of a site collection we can rule that out

from modernization.

I tried the root site and got the same error. I tried both Edge and Chrome and I see that the errors are a little different.

In Chrome I get the Busy message and the screenshot below shows the F12 Console.

In Edge I get the message "Not all parameters are configured, can't execute. Please run the setup steps." and the screenshot below shows the F12 Console.

I also ran Get-PnPStorageEntity for all the Modernization keys and they all seem to have the correct value.

from modernization.

The fact that the Chrome screenshot shows the Azure function url means that the storage entities can be read. You've double checked them and they seem to be ok. Can you go the API management page in the modern SharePoint admin center (https://yourtenantname-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement) and verify that you see a tenant-wide API approved with name SharePointPnP.Modernization?

from modernization.

FYI: I'll be boarding a plane soon, will be offline for a couple of hours.

from modernization.

I don't see any APIs (approved or pending). I asked our Global Admin who went in this morning and approved it if there was any issues and he said there were two entries with the same name that were pending approval and he approved one and rejected the other. I wonder if this is the issue. How can we reset it so that it asks for the approval again?

from modernization.

If he still sees the approved one then it's OK, if he doesn't then can you ask him to use below PnP PowerShell command:

Grant-PnPTenantServicePrincipalPermission -Scope "user_impersonation" -Resource "SharePointPnP.Modernization"

from modernization.

I ran the PowerShell and received an error. The app is now showing up on the API Management page under Pending Approval and when I try to approve it I get the same error message that I saw running the PowerShell. There still isn't anything under Approved on the API Management Page.

[HTTP]:400 - [CorrelationId]:8162b29e-b0e5-7000-9990-84726337ad6c [Version]:16.0.0.8405 - An OAuth permission with the resource SharePointPnP.Modernization and scope user_impersonation already exists.

Parameter name: permissionRequest

from modernization.

Your tenant admin has to approve it, due to your setup all update operations towards Azure AD seem to be blocked from a regular SharePoint Admin.

from modernization.

I had our global tenant admin try and approve it and got the same error.

from modernization.

hmm...I think it's best to fully clean the SharePoint side of the setup and start over by having the global admin run the setup.

To fully remove the SharePoint side you need to take these steps:

• Remove the UI integration for the site collections you installed it into (using the web part on the modernization center home page)
• Remove the site: Remove-PnPTenantSite -Url https//yourtenant.sharepoint.com/sites/modernizationcenter -SkipRecycleBin
• Remove the apps installed in the app catalog (sharepointpnp-pagetransformation-central.sppkg and sharepointpnp-pagetransformation-client.sppkg), also remove them from the recycle bins
• Go to Azure AD and lookup the SharePoint Online Client Extensibility Web Application Principal application, click on SharePoint Online Client Extensibility Web Application Principal, click on permissions and verify that there's no "SharePointPnP.Modernization" permission anymore. If there is then remove it

Once everything has been removed have the global admin execute the SharePoint setup part again:

Connect-PnPOnline -Url https://yourtenant.sharepoint.com

# Update AzureAppID and AzureFunction before running this
Apply-PnPTenantTemplate -Path .\modernization.pnp -Parameters @{"AzureAppID"="Application id of the SharePointPnP.Modernization app";"AzureFunction"="https://your_function_host.azurewebsites.net"}

from modernization.

@jansenbe , I think your previous comment was meant for a different thread.

In regards to this issue, I did follow the steps above and have a global admin run the set-up and we received the same error when trying to run the page conversion through the ribbon action button. If I run PowerShell commands for it I can get it to run on all the pages. So we know some things are set-up correctly.

Connect-PnPOnline -Url [Site URL goes here] $pages = Get-PnPListItem -List sitepages foreach($page in $pages) { # No need to convert modern pages again if ($page.FieldValues["ClientSideApplicationId"] -eq "b6917cb1-93a0-4b97-a84d-7cf49975d4ec" ) { Write-Host Page $page.FieldValues["FileLeafRef"] is modern, no need to modernize it again} else { # Create a modern version of this page Write-HostModernizing $page.FieldValues["FileLeafRef"]... $modernPage = ConvertTo-PnPClientSidePage -Identity $page.FieldValues["FileLeafRef"] -Overwrite Write-Host "Done" -ForegroundColor Green } }

from modernization.

Hi @jathorpe,

Are you using a regular tenant url, meaning something like https://abc.sharepoint.com? Also think it would be better to setup a meeting to jointly debug this...do you have availability next week?

from modernization.

Closing this issue due to it being stale for a long time. Feel free to open a new one if this is still relevant.

from modernization.