The remote server returned an error: (403) Forbidden

[nareshkun]

Ran PowerShell script and getting the following error after authenticating using weblogin

Apply-PnPTenantTemplate : The remote server returned an error: (403) Forbidden.
At C:\Users{usrname}\OneDrive\SACHA\RnD\setupSitedesignStudio.ps1:25 char:1

• Apply-PnPTenantTemplate -Path .\SiteDesignsStudio.pnp -Parameter @{Te ...

•   + CategoryInfo          : NotSpecified: (:) [Apply-PnPTenantTemplate], WebException
    + FullyQualifiedErrorId : System.Net.WebException,SharePointPnP.PowerShell.Commands.Provisioning 
   .Tenant.ApplyTenantTemplate
  

[nareshkun]

Successfully setup with out using weblogin.

[miguelisidoro]

Getting same error if not using -WebLogin in a tenant without MFA.
In a tenant with MFA, I am getting the same 403 Forbidden error.

What is the fix here?

At https://github.com/pnp/sp-site-designs-studio, you say.

"API Permissions
In order to allow the lookup of users and groups in the current tenant, The permission Directory.AccessAsUser.All to Microsoft Graph API is requested.

CAUTION: The solution is installed globally on the tenant, it means this permission, when granted, will be granted to the whole tenant. However, it will allow the application to only see the groups and users the current user is allowed to see. Thus, it should not cause any security breach. It will only be needed for the ability to grant Site Designs to specific principals. The other features will be working seamlessly without this granted permission."

But it seems a MFA issue to me.

Can you help?

[ypcode]

Hello,

Indeed, it seems to have several issues with MFA, I initially added the options for MFA, leveraging WebLogin option... but it turns out that this authentication method has several caveats in PnP PowerShell... :(

I will do my best to provide a workaround guide for MFA forced tenants using app principal authentication :)

Stay tuned!

Regards,
Yannick