Connect-PnPonline: Connect to SharePoint Online Using PnP PowerShell module | 3 Best ways

PowerShell Connect-PnPonline cmdlets called SharePoint Patterns and Practices (PnP) for SharePoint Online were created by the community to operate SharePoint Online effectively. 


The Client-Side Object model code is used by PnP PowerShell internally for all of its activities. By using PnP PowerShell’s built-in cmdlets and lowering the complexity of scripting implementations, we can cut the number of lines in our scripts. 

Connect to SharePoint Online using connect-pnponline

1. Installing the SharePoint PnP PowerShell Module

The Connect-PnPonline PowerShell module is what allows users and administrators to communicate with SharePoint Online using PowerShell. This module can be downloaded and installed from the PowerShell Gallery.

Install the Connect-PnPonline PowerShell module (PnP.PowerShell) by using the Install-Module command listed below in a PowerShell window.

Install-Module -Name "PnP.PowerShell"
Install-Module -Name "PnP.PowerShell"

Use the Get-Module command to display the PnP PowerShell module information and verify the installation.

Get-Module "PnP.PowerShell" -ListAvailable
Get-Module "PnP.PowerShell" -ListAvailable

2. Using interactive PnP PowerShell to connect to SharePoint

Due to the fact that installing the PnP PowerShell module does not immediately link you to SharePoint online. Connect-PnPOnline is the cmdlet that enables you to connect PowerShell to SharePoint Online. 

You have two options for authenticating with this cmdlet: interactive and non-interactive. The Connect-PnPonline credentials must be entered during authentication in interactive authentication. 

This approach is frequently used while performing sporadic or manual chores.

Using the Credential Prompt to Connect

Credential prompts can be used to quickly establish a connection to SharePoint Connect-PnPonline PowerShell.

To connect to PnP PowerShell using a credential prompt, use the command below. MFA is incompatible with this interactive approach.

Connect-PnPOnline -Url https://<tenant_name>.sharepoint.com

image 164

Logging in with a Web Browser

Adding the -DeviceLogin or -Interactive switch is another interactive authentication technique. You can log in using one of these switches if your account has MFA enabled.

To complete the OAuth device code flow, you must enter a code generated by the -DeviceLogin option onto a web page. This authentication method enables you to continue the authentication on a different machine device when you’re using a client that doesn’t have a web browser.

The -Interactive option runs a web browser that requires your login information automatically.

Run the below command to start interactive web browser authentication. Make sure to substitute the SharePoint URL for your tenant.

# Generate a code to do the OAuth device code flow.
Connect-PnPOnline -Url https://.sharepoint.com -DeviceLogin
Connect-PnPOnline -Url https://.sharepoint.com -DeviceLogin
# Launche a browser to log in with your credentials
Connect-PnPOnline -Url https://.sharepoint.com -Interactive
Connect-PnPOnline -Url https://.sharepoint.com -Interactive

Make sure to write down the produced code if you used the -DeviceLogin switch while running the command.

Start your browser, then navigate to https://microsoft.com/devicelogin. Copy the produced code, then paste it into the browser and choose Next.

Your browser is redirected to the Microsoft login page after you submit the code.

Instead, Connect-PnPonline PowerShell starts a new web browser and directs you to the Microsoft login page if you used the -Interactive switch.

As usual, sign in to your Microsoft 365 account. If the MFA challenge is required for your account, finish it.

To proceed, click Accept (bottom-right) on the Permissions Asked screen.

Only if your account is a global administrator will the Consent on behalf of your organization box be displayed. Leave this box unchecked so that other users will still see the same prompt and be able to accept the permission requests.

When you’ve finished the authentication process, your browser will display the message below as confirmation that the authentication was successful.

3. Using PnP PowerShell (Non-Interactive) to Connect to SharePoint

It is possible to connect to SharePoint Connect-PnPonline PowerShell in interactive mode. But in automation instances where manually entering the credentials is not possible, such as in scripts and programs, the non-interactive approach is ideal. 

For OAuth authentication, this technique makes use of a registered Azure AD app with explicit permissions (default or custom).

Creating a PnP PowerShell App Registration

It is risky to use a Microsoft 365 account without MFA.Creating a PnP PowerShell App Registration
It is risky to use a Microsoft 365 account without MFA, especially if the account has administrative rights. On the other hand, you cannot automate an account that has MFA enabled.

The answer is to add explicit permissions to an Azure AD app when registering it. To further security, the app must additionally support certificate-based authentication.

When using Windows, the Azure AD app for PnP PowerShell must be registered.

1. Run the PowerShell script listed below to add a new app registration to Azure AD.

It is optional, but strongly advised, to provide a certificate password to secure the certificate. Remove the CertificatePassword argument if you’d prefer not to have a certificate password.

<# What will this code do?
- Launch a browser window, and open the `Interactive` log-in page.
- Generate a certificate with the password `mycertpassword` and valid for one (1) year.
- Save the certificate files (*.cer, *.pfx) to `C:\\PnP\\certificates`.
- Register a new app with the name `Pwsh PnP`.
- Upload the certificate (*.cer) to the Azure app registration and assign the following default permissions: `Sites.FullControl.All`, `Group.ReadWrite.All`, `User.Read.All`.
- Store the app registration results to the `$pnpApp` variable.
$appSplat = @{
    ApplicationName     = 'Pwsh PnP'
    Tenant              = 'lzex.onmicrosoft.com'
    OutPath             = 'C:\\PnP\\certificates'
    CertificatePassword = $(ConvertTo-SecureString -String 'mycertpassword' -AsPlainText -Force)
    Interactive         = $true
    ValidYears          = 1
$pnpApp = Register-PnPAzureADApp @appSplat

But in order to create a new app registration in Azure AD if you’re using Linux or Mac OS, follow these instructions:

To create a self-signed certificate, execute the following openssl command in PowerShell or Bash.

A new certificate that has the topic Pwsh PnP and a 365-day validity period is created by this command. Pnp_certificate.pfx will be the name of the final certificate file.

# Create a new directory to store your certificate
mkdir ~/certs && cd ~/certs

# Generate the certificate (valid for 365 days)
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out pnp_certificate.pem -subj '/CN=Pwsh PnP'

# Convert the certificate to a PKCS12 format with .PFX extension
openssl pkcs12 -inkey key.pem -in pnp_certificate.pem -export -out pnp_certificate.pfx -passout pass:mycertpassword

2. To register the new app, execute the PowerShell code below.

<# What will this code do?
- Launch a browser instance for the `Interactive` login.
- Register a new Azure AD app named `Pwsh PnP` to the `lzex.onmicrosoft.com` tenant.
- Upload the existing `pnp_certificate.pfx` certificate to the Azure AD app registration.
- Assign the following default permissions: `Sites.FullControl.All`, `Group.ReadWrite.All`, `User.Read.All`.
- Store the app registration results to the `$pnpApp` variable.
$appSplat = @{
    CertificatePath = "pnp_certificate.pfx"
    CertificatePassword = $(ConvertTo-SecureString -String 'mycertpassword' -AsPlainText -Force)
    ApplicationName = 'Pwsh PnP'
    Tenant          = 'lzex.onmicrosoft.com'
    Interactive     = $true
$pnpApp = Register-PnPAzureADApp @appSplat

3. Enter your login information in the pop-up window. Only register the application using this login instance.

As illustrated below, the command will wait 60 seconds before beginning the consent flow. Step 4: After starting, the Microsoft login window appears.

To provide the app rights, sign in with your global admin account and click Accept. This login session is intended only for giving the app’s permissions.

Run the command listed below to view the variable and examine the new app’s details.