SharePoint administrators and other authorized accounts could register the PnP PowerShell multi-tenant app in the tenant with the following commands:
- Register-PnPManagementShellAccess
- Connect-PnPOnline <tenantname>.sharepoint.com -Credentials (Get-Credential) (for accounts without MFA)
- Connect-PnPOnline <tenantname>.sharepoint.com -Interactive (for accounts with MFA)
With the first call, PnP asks to register the multi-tenant app "PnP Management Shell" in the tenant, and an administrator approves (consents to) its requested permissions.
The app then appears as an Enterprise Application in Entra ID.
As announced by the PnP community, this multi-tenant app will be removed on September 9, 2024.
CLI for Microsoft 365, which also authenticates through the same PnP multi-tenant app, is affected by the change as well.
The PnP help also warns about the change.
Instead of the multi-tenant app, organizations should register their own Entra ID (Azure) app. With their own app, organizations decide exactly which API permissions the app gets; the multi-tenant app came with a predefined, fairly broad permission set.
Setting up an app registration is not a big deal. Microsoft and the PnP community (for CLI for Microsoft 365) describe the steps for registering an app and for assigning API permissions as an administrator. Optionally, the cmdlet Register-PnPEntraIDApp registers a preconfigured app for you.
- I recommend a certificate instead of a client secret for connections from code (app-only). A secret is a reusable string that tends to end up in scripts, pipelines and logs; a certificate's private key can stay non-exportable in the certificate store and is never sent to Microsoft.
# PnP connection with Azure app and certificate
Import-Module PnP.PowerShell
Connect-PnPOnline <SharePointUrl> -ClientId <AppID> -Thumbprint <CertThumbprint> -Tenant <TenantID>
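The certificate-based setup end to end, as an added example that is not code from the original post or from the PnP project: it creates a non-exportable certificate for the app, exports the public part for upload, refuses a certificate that is about to expire, connects app-only with the thumbprint and verifies the connection. Tenant, app ID, site URL and certificate subject are placeholders; the function names are my own.

```powershell
# Added example (not from the original post): certificate-based app-only connection.
# Placeholders to replace: tenant, Application (client) ID of your app, site URL.
Import-Module PnP.PowerShell

$TenantId    = "contoso.onmicrosoft.com"                    # placeholder
$ClientId    = "00000000-0000-0000-0000-000000000000"       # placeholder: your app registration's client ID
$SiteUrl     = "https://contoso.sharepoint.com/sites/Demo"  # placeholder
$CertSubject = "CN=PnP-Automation"                          # subject used to find the certificate later

function New-PnPAppCertificate {
    # One-time step on the machine that will run the scripts. The private key is created
    # non-exportable in the user store, so it cannot be copied into a script or a repository
    # the way a client secret can. Only the public part (.cer) is uploaded to the app
    # registration under "Certificates & secrets". Windows only (PKI module).
    param([string]$Subject, [string]$ExportPath)
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyExportPolicy NonExportable `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(1)
    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    return $cert
}

function Connect-PnPAppOnly {
    param([string]$Url, [string]$AppId, [string]$Tenant, [string]$Subject)
    # Look the certificate up in the store and refuse one that is expired or about to expire,
    # so a scheduled job fails with a clear message instead of an opaque token error.
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My" |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in Cert:\CurrentUser\My" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        throw "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); renew it first."
    }
    # App-only connection: no user, no password, no client secret.
    Connect-PnPOnline -Url $Url -ClientId $AppId -Thumbprint $cert.Thumbprint -Tenant $Tenant -ErrorAction Stop
    $web = Get-PnPWeb -ErrorAction Stop
    Write-Host "Connected app-only to '$($web.Title)' using certificate $($cert.Thumbprint)"
}

# Run once, then upload PnP-Automation.cer to the app registration:
# New-PnPAppCertificate -Subject $CertSubject -ExportPath "$env:USERPROFILE\PnP-Automation.cer"

# Afterwards, every script connects like this:
try {
    Connect-PnPAppOnly -Url $SiteUrl -AppId $ClientId -Tenant $TenantId -Subject $CertSubject
}
catch {
    Write-Error "App-only connection failed: $($_.Exception.Message)"
}
```

On Linux or macOS there is no Windows certificate store; use a PFX file with the CertificatePath parameter of Connect-PnPOnline instead. When you assign the app's API permissions, prefer Sites.Selected over Sites.FullControl.All and grant the app access to the individual sites it needs with Grant-PnPAzureADAppSitePermission, so a leaked certificate or over-broad script cannot reach the whole tenant.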
- You can also use the Interactive parameter for an interactive login with a user account; this works with delegated permissions, and it is the only option for accounts with MFA.
# PnP connection with Azure app and interactive logon (for users with MFA)
Import-Module PnP.PowerShell
Connect-PnPOnline -Url <SharePointUrl> -ClientId <AppID> -Interactive
Note that the Interactive parameter requires the redirect URI http://localhost in the app registration. Add it under Authentication as a "Mobile and desktop applications" platform.
Without this redirect URI, Connect-PnPOnline returns an error.
Bonus – Azure App in PowerShell as an environment variable
You can store values such as the app ID in an environment variable. PnP PowerShell picks the app ID up from there, so Connect-PnPOnline with interactive login works as it did before, without passing the ClientId parameter each time.
# Save the Azure App ID as environment variable
# Set the environment variable for the current PowerShell session
$env:ENTRAID_APP_ID = "e17dc044-f8d5-4542-bb4b-3ceb352d3ab1"
# Or set the environment variable for the current user
[System.Environment]::SetEnvironmentVariable("ENTRAID_APP_ID", "e17dc044-f8d5-4542-bb4b-3ceb352d3ab1", [System.EnvironmentVariableTarget]::User)
Connect-PnPOnline -Url <SharePointURL> -Interactive
The interactive connection to the SharePoint site was successful, and SharePoint is returning data.
A validation proves that the connection was established via my Azure application e17dc044-f8d5-4542-bb4b-3ceb352d3ab1. Without the environment variable, PnP would ask to register the multi-tenant app.
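The interactive login with your own app and the ENTRAID_APP_ID fallback from the two sections above, as an added example that is not code from the original post or from the PnP project: it resolves the app ID from the parameter or the environment variable, connects interactively, and checks that the session was really issued to the expected app. The site URL is a placeholder, the function names are mine, and it assumes the object returned by Get-PnPConnection exposes the app ID as its ClientId property.

```powershell
# Added example (not from the original post): interactive login through your own app
# with the ENTRAID_APP_ID environment variable as fallback. Placeholder: the site URL.
Import-Module PnP.PowerShell

$SiteUrl = "https://contoso.sharepoint.com/sites/Demo"   # placeholder

function Connect-PnPWithOwnApp {
    param(
        [Parameter(Mandatory)] [string]$Url,
        [string]$AppId   # optional: when omitted, ENTRAID_APP_ID is used
    )
    $clientId = if ($AppId) { $AppId } else { $env:ENTRAID_APP_ID }
    if (-not $clientId) {
        throw "No app ID given and ENTRAID_APP_ID is not set. Register your own app; the PnP Management Shell app is no longer available."
    }
    try {
        # Delegated permissions: the user signs in, MFA is handled by the browser prompt.
        Connect-PnPOnline -Url $Url -ClientId $clientId -Interactive -ErrorAction Stop
    }
    catch {
        # The usual cause is a missing http://localhost redirect URI under
        # Authentication > Mobile and desktop applications of the app registration.
        throw "Interactive login with app $clientId failed: $($_.Exception.Message)"
    }
    # Confirm the token was issued to the intended app registration and not to whatever
    # app ID happened to be configured elsewhere (assumed: connection object has ClientId).
    $conn = Get-PnPConnection
    if ($conn.ClientId -ne $clientId) {
        Disconnect-PnPOnline
        throw "Connected through unexpected app '$($conn.ClientId)', expected '$clientId'"
    }
    return $conn
}

function Get-EntraIdAppIdVariable {
    # Shows where ENTRAID_APP_ID comes from: the current process, the user profile or the machine.
    # A value set only with [Environment]::SetEnvironmentVariable(..., 'User') is not visible
    # to an already running session until $env:ENTRAID_APP_ID is set there as well.
    foreach ($scope in 'Process', 'User', 'Machine') {
        $value = [System.Environment]::GetEnvironmentVariable('ENTRAID_APP_ID', $scope)
        [pscustomobject]@{ Scope = $scope; AppId = $value }
    }
}

Get-EntraIdAppIdVariable | Format-Table -AutoSize
try {
    $conn = Connect-PnPWithOwnApp -Url $SiteUrl
    Write-Host "Connected through app $($conn.ClientId) to $SiteUrl"
    Get-PnPWeb | Select-Object Title, Url
}
catch {
    Write-Error $_
}
```

The app ID is not a secret (it is visible to anyone who can sign in to the app), so keeping it in a user-scoped environment variable is fine; what matters is that the app registration behind it carries only the delegated permissions your scripts actually need.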