App-Only authentication in PnP PowerShell allows automated and secure access to SharePoint Online without user credentials. This method is ideal for scheduled scripts, background processes, and automation tasks.
There are two ways to authenticate with App-Only credentials:
- Certificate-based authentication (Recommended for security)
- Client ID & Client Secret authentication (Less secure, but simpler)
Step 1: Prerequisites
Before authenticating, ensure:
PnP PowerShell is installed (Install-Module PnP.PowerShell -Scope CurrentUser); current releases require PowerShell 7
Rights to create app registrations and grant tenant-wide admin consent in Azure AD, plus SharePoint administrator rights
App registration in Azure AD
Step 2: Register an App in Azure AD
You need an Azure AD App Registration to authenticate SharePoint Online with App-Only permissions.
1. Open Azure AD Portal
- Go to Azure AD Portal.
- Navigate to Azure Active Directory → App registrations → New registration.
- Enter:
- App Name: PnPAppAuth
- Supported account types: Accounts in this organizational directory only (Single Tenant)
- Redirect URI: Leave it blank.
- Click Register.
2. Get App ID & Tenant ID
- In the Overview section, note down:
- Application (Client) ID
- Directory (Tenant) ID
3. Assign API Permissions
- Go to API Permissions → Click Add a permission.
- Select SharePoint → Application permissions. The SharePoint cmdlets used below (Connect-PnPOnline, Get-PnPSite) need the SharePoint application permission; add the Microsoft Graph permission of the same name only if your scripts also use Graph-based cmdlets.
- Add: Sites.FullControl.All (Full control of all SharePoint sites). For least privilege, prefer Sites.Selected and grant the app access to the individual sites it needs instead of the whole tenant.
- Click Grant admin consent. Application permissions take effect only after consent is granted.
4. Create Authentication Method
Now, choose either Certificate authentication (Recommended) or Client Secret authentication.
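Least-privilege alternative to Sites.FullControl.All, as an added example that is not part of the original article: register the automation app with the SharePoint application permission Sites.Selected instead, then grant it access to exactly the sites it needs. The grant is made by an administrator over an interactive connection. The <Admin_App_ID> used for that sign-in (an app with delegated Microsoft Graph Sites.FullControl.All), the automation app's <App_ID> and the site URL are placeholders (assumptions) to replace.

```powershell
# Added example (not from the original article). Placeholders are assumptions: fill them in.
$AdminClientId   = '<Admin_App_ID>'  # app you sign in to interactively; needs delegated Microsoft Graph Sites.FullControl.All
$AutomationAppId = '<App_ID>'        # the PnPAppAuth app, registered with SharePoint Sites.Selected (application permission)
$SiteUrl         = 'https://yourtenant.sharepoint.com/sites/Finance'

# An administrator signs in interactively; the automation app itself never receives tenant-wide rights.
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $AdminClientId
try {
    # Grant the automation app Write on this one site only. Allowed values: Read, Write, Manage, FullControl.
    Grant-PnPAzureADAppSitePermission -AppId $AutomationAppId -DisplayName 'PnPAppAuth' -Permissions Write -Site $SiteUrl

    # Review what is granted on the site; the automation app should appear with exactly the role above.
    Get-PnPAzureADAppSitePermission -Site $SiteUrl | Format-List
}
finally {
    try { Disconnect-PnPOnline } catch { }   # no-op if the interactive connection never came up
}
```

The automation app then connects exactly as in Step 3, but its cmdlets only succeed on sites that received a grant; on any other site they fail with access denied, which is the intended blast-radius limit. Use Revoke-PnPAzureADAppSitePermission to withdraw a grant when the automation is retired.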
Step 3: Authentication via Certificate (Recommended)
1. Generate a Self-Signed Certificate
Open PowerShell and run (the CurrentUser store does not need an elevated session):
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "PnPAppAuth"
This creates a certificate with a private key in your user certificate store; $cert.Thumbprint holds its thumbprint. The default lifetime is one year, so plan to renew and re-upload the certificate before it expires.
2. Export the Certificate
Export the public certificate (.cer) for Azure AD, and the .pfx (private key) only if the script will run on another machine:
$pwd = Read-Host -Prompt "PFX password" -AsSecureString
Export-Certificate -Cert $cert -FilePath "C:\PnPAppAuth.cer"
Export-PfxCertificate -Cert $cert -FilePath "C:\PnPAppAuth.pfx" -Password $pwd
If $cert is no longer in scope, use "Cert:\CurrentUser\My\<Thumbprint>" for -Cert, with the thumbprint from the previous command. The .pfx contains the private key: restrict its file permissions and delete it once it has been imported where it is needed.
3. Upload Certificate to Azure AD
- In Azure AD, go to your app → Certificates & secrets → Certificates → Upload certificate.
- Upload the .cer file (the public certificate exported in the previous step). Never upload the .pfx; it contains the private key.
4. Authenticate with Certificate in PnP PowerShell
Use the following command to connect (-CertificatePassword must be the password used when exporting the .pfx):
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -ClientId "<App_ID>" -Tenant "<Tenant_ID>" -CertificatePath "C:\PnPAppAuth.pfx" -CertificatePassword $pwd
- Replace <App_ID> with the Application (Client) ID.
- Replace <Tenant_ID> with the Directory (Tenant) ID.
If the certificate is still in the certificate store of the account that runs the script, you can avoid a .pfx on disk altogether by passing -Thumbprint "<Thumbprint>" instead of -CertificatePath.
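The whole certificate flow end to end, as an added example that is not part of the original article. It assumes the PnPAppAuth app from Step 2 already has consented SharePoint application permissions; the tenant URL, <App_ID> and <Tenant_ID> are placeholders to fill in. Unlike the .pfx route above, it keeps the private key non-exportable in the current user's certificate store and connects with -Thumbprint, so the private key never touches the disk; the only file produced is the public .cer for upload. Run the first part once interactively; the helper function at the bottom is what a scheduled task calls on every run.

```powershell
# Added example (not from the original article). Placeholders below are assumptions: fill them in.
$TenantId = '<Tenant_ID>'                       # Directory (Tenant) ID from the app Overview page
$ClientId = '<App_ID>'                          # Application (Client) ID from the same page
$SiteUrl  = 'https://yourtenant.sharepoint.com' # site to connect to

# 1. Create the certificate once. NonExportable keeps the private key inside the user's store
#    (no .pfx can be produced from it); an explicit one-year lifetime forces a deliberate renewal.
$cert = New-SelfSignedCertificate -Subject 'CN=PnPAppAuth' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public half for upload to Azure AD (Certificates & secrets).
Export-Certificate -Cert $cert -FilePath "$env:USERPROFILE\PnPAppAuth.cer" | Out-Null
Write-Host "Upload $env:USERPROFILE\PnPAppAuth.cer to the app, then record thumbprint $($cert.Thumbprint)"
Read-Host 'Press Enter once the .cer is uploaded and admin consent has been granted' | Out-Null

# 3. Reusable connection helper for scheduled runs. It looks the certificate up by thumbprint in the
#    store of the account running the script and refuses to use one that is missing its private key
#    or about to expire, which turns the two usual failure modes into clear errors before connecting.
function Connect-PnPAppOnly {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int] $MinDaysValid = 30
    )
    $c = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $c)               { throw "Certificate $Thumbprint is not in Cert:\CurrentUser\My for $env:USERNAME" }
    if (-not $c.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }
    if ($c.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
        throw "Certificate $Thumbprint expires on $($c.NotAfter); renew it and upload the new .cer first"
    }
    Connect-PnPOnline -Url $Url -ClientId $ClientId -Tenant $TenantId -Thumbprint $Thumbprint
}

# 4. Use it. try/finally guarantees Disconnect-PnPOnline runs even if a cmdlet throws.
try {
    Connect-PnPAppOnly -Url $SiteUrl -ClientId $ClientId -TenantId $TenantId -Thumbprint $cert.Thumbprint
    $site = Get-PnPSite
    Write-Host "Connected app-only to $($site.Url)"
}
finally {
    try { Disconnect-PnPOnline } catch { }   # no-op if the connection was never established
}
```

For a scheduled task, create the certificate while logged on as the service account the task runs under (or import it into that account's personal store), because -Thumbprint is resolved against the store of the account executing the script, not the one that created it.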
Step 4: Authentication via Client ID & Client Secret (Less Secure)
⚠ Warning: This method is less secure because the secret is a plain string that any process, log or repository able to read it can reuse, whereas a certificate's private key can stay non-exportable in a certificate store; secrets also expire and need a rotation process. Note also that SharePoint Online does not accept an Azure AD app registration's client secret for app-only access to its CSOM/REST API; the -ClientSecret parameter belongs to the legacy SharePoint (ACS) app principal model, which Microsoft has announced it is retiring. Prefer the certificate method for new automation.
1. Generate a Client Secret
- In Azure AD, go to your app → Certificates & secrets → New client secret.
- Choose an expiration (for example 6 or 12 months); pick the shortest period your rotation process supports.
- Copy and store the secret value securely; it is shown only once and hidden afterwards.
2. Authenticate with Client Secret in PnP PowerShell
Run:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -ClientId "<App_ID>" -Tenant "<Tenant_ID>" -ClientSecret "<Client_Secret>"
- Replace <Client_Secret> with the secret value (and <App_ID>, <Tenant_ID> as in Step 3).
Step 5: Verify Connection
After authentication, verify the connection with:
Get-PnPSite
If successful, it will return details of your SharePoint site.
Step 6: Disconnect from SharePoint Online
Always disconnect when the script finishes so the connection and its cached token are released; in scripts, put the call in a finally block so it also runs when a cmdlet throws:
Disconnect-PnPOnline
Common Issues & Troubleshooting
Issue: “Access denied” when running Connect-PnPOnline or the first cmdlet after it
✔ Solution: Ensure the app has the application permission (Sites.FullControl.All, or Sites.Selected with a grant on the target site) under the SharePoint API rather than only under Microsoft Graph, and that admin consent has been granted.
Issue: “Certificate not found”
✔ Solution: Ensure the path (or thumbprint) is correct, that the certificate with its private key is in the personal store of the account that runs the script, and that the matching .cer has been uploaded to the app in Azure AD.
Issue: “Invalid client secret”
✔ Solution: Check that the client secret is copied correctly and not expired.