Connect-PnPOnline with an app registration and app-only token

I admit it, it’s an old topic, but today I still struggled with an app-only connection to SharePoint Online. The sole thing that helped me was jogging in the woods. You expected a reboot I know, but this is the cloud!

Microsoft explains here how to authenticate via PowerShell to SharePoint Online. Note that app-only authentication works only when you authenticate with a certificate.


Through PnP.PowerShell, SharePoint Online automation is at your fingertips: checking OneDrives for the correct time zone, creating multiple SPO sites, cleaning up additional site collection admins.

You can connect with username, password, and a second factor, but not if the script should run unattended in the context of an Azure Automation Runbook or as an old-school scheduled task.


  • Create a certificate with private and public key.
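# Password that protects the private key inside the .pfx file
$password = ""
# Common name (subject) of the self-signed certificate
$commonName = ""
$certFileNameWithoutExtension = "mycert"
# Writes mycert.pfx (private + public key) and mycert.cer (public key only)
New-PnPAzureCertificate -CommonName $commonName -OutPfx "$certFileNameWithoutExtension.pfx" -OutCert "$certFileNameWithoutExtension.cer" -CertificatePassword (ConvertTo-SecureString -String $password -AsPlainText -Force)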
  • Install the certificate by double-clicking the pfx file, or use the parameter “-CertificatePath” with Connect-PnPOnline later.
    • If you install the certificate under “Local Machine”, you need to run the PowerShell console with admin rights.
  • Create an app registration by navigating to AAD – App registrations – “New registration”.
    • Take note of the client ID and directory ID.
  • Upload the generated cer-file under AAD – App registrations – your registration – “Certificates & secrets”.
  • Configure required permissions under AAD – App registrations – your registration – “API permissions”.
    • Click “Add a permission” and select the required permissions under SharePoint – Application permissions.
  • Give admin consent by clicking “Grant admin consent for [tenant name]”.
  • Wait a couple of minutes
  • Connect
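$clientId = ""   # client ID of the app registration
$tenantId = ""   # directory ID of the app registration
$thumbprint = "RETURNED WHEN RUNNING New-PnPAzureCertificate"

# Parameters for the app-only connection, passed by splatting
$connectionsParams = @{
    ClientId = $clientId
    Thumbprint = $thumbprint
    Tenant = $tenantId
}

$spoUrl = ""
Connect-PnPOnline -Url $spoUrl @connectionsParams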
  • Do your magic 🎉
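
An unattended script gives little feedback when the certificate behind the thumbprint is missing, expired, or was imported without its private key. The following pre-flight check is an added example, not code from the original post; it assumes Windows with the Cert: drive, and the function name Test-AppOnlyCertificate and the 30-day warning window are illustrative.

```powershell
# Added example, not from the original post. Test-AppOnlyCertificate and the
# 30-day warning window are illustrative assumptions.
function Test-AppOnlyCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$WarnDays = 30
    )

    # Thumbprints copied from a certificate dialog often carry spaces or
    # invisible characters; keep only hex digits (SHA-1 = 40 of them).
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters, got $($clean.Length)."
    }

    # Search the personal store of the current user and of the machine.
    $cert = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' |
        ForEach-Object { Get-ChildItem -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate $clean in CurrentUser\My or LocalMachine\My." }

    # A .cer import carries only the public key and cannot sign the token request.
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key; import the .pfx." }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $clean is valid only from $($cert.NotBefore) to $($cert.NotAfter)."
    }
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    if ($daysLeft -lt $WarnDays) { Write-Warning "Certificate expires in $daysLeft days." }

    # Local Machine keys need an elevated console, as noted in the steps above.
    $inMachineStore = $cert.PSParentPath -like '*LocalMachine*'
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($inMachineStore -and -not $elevated) {
        Write-Warning 'Certificate is in LocalMachine\My but this console is not elevated.'
    }

    [pscustomobject]@{
        Thumbprint = $clean
        Store      = if ($inMachineStore) { 'LocalMachine' } else { 'CurrentUser' }
        DaysLeft   = $daysLeft
    }
}
```

Call it with the thumbprint just before Connect-PnPOnline; the returned Thumbprint value is the cleaned form and can be passed on directly.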


  • Kai

    Hello you! My name is Kai Boschung and I live with my girl Dominique and our dog Nikita close to Bern, Switzerland. I work at Experts Inside and founded together with compadres the IoT consulting firm appery.