[Bug/Question] Tenant.GroupifySite not working with Application Permissions

[retostadelmann]

We're trying to groupify a site in a powershell script using Add-PnPMicrosoft365GroupToSite. This throws the following error:

pwsh Information: 0 : 2025-10-15 15:02:57.9162 [Add-PnPMicrosoft365GroupToSite] [23] [Debug] Cmdlet execution started for Add-PnPMicrosoft365GroupToSite -Url $groupurl -Alias $alias -DisplayName $disp -KeepOldHomePage 0ms ac4899f3-0ad6-45cf-bd81-f0cc385bed4d pwsh Information: 0 : 2025-10-15 15:02:57.9165 [Add-PnPMicrosoft365GroupToSite] [23] [Debug] Already connect to the SharePoint Online Admin Center at '[https://xxx-admin.sharepoint.com/'](https://xxx-admin.sharepoint.com/) 0ms ac4899f3-0ad6-45cf-bd81-f0cc385bed4d pwsh Information: 0 : 2025-10-15 15:02:57.9167 [GetAccessTokenAsync] [0] [Debug] Authentication type: AzureADCertificate 0ms pwsh Information: 0 : 2025-10-15 15:02:57.9171 [AccessTokenPermissionValidationResponse] [0] [Debug] Evaluating application permissions in access token for audience SharePoint Online 0ms pwsh Information: 0 : 2025-10-15 15:02:57.9173 [AccessTokenPermissionValidationResponse] [0] [Debug] Access token contains the following 2 application permission scopes for resource SharePoint Online: User.ReadWrite.All, Sites.FullControl.All0ms pwsh Information: 0 : 2025-10-15 15:02:57.9175 [AccessTokenPermissionValidationResponse] [0] [Debug] No required permissions have been defined on this cmdlet 0ms pwsh Error: 0 : 2025-10-15 15:02:58.9605 [PnP.Framework] [0] [Error] ExecuteQuery threw following exception: Microsoft.SharePoint.Client.ServerException: An error occurred while processing this request. at Microsoft.SharePoint.Client.ClientRequest.ProcessResponseStream(Stream responseStream) at Microsoft.SharePoint.Client.ClientRequest.ProcessResponse() at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServerAsync(ChunkStringBuilder sb) at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryAsync() at Microsoft.SharePoint.Client.ClientRuntimeContext.ExecuteQueryAsync() at Microsoft.SharePoint.Client.ClientContext.ExecuteQueryAsync() at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryImplementation(ClientRuntimeContext clientContext, Int32 retryCount, String userAgent) ServerErrorCode: -1 ServerErrorTypeName: System.Data.Services.Client.DataServiceRequestException ServerErrorTraceCorrelationId: 44a2cfa1-80f6-e000-135a-bb5c664358d5 ServerErrorValue: ServerErrorDetails: . 0ms Add-PnPMicrosoft365GroupToSite: Line | 12 | Add-PnPMicrosoft365GroupToSite -Url $groupurl -Alias $alias -DisplayN … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | An error occurred while processing this request.

This works when using connect-pnponline with a user

Is this not implemented yet or are we doing something wrong? Whats the permissions needed for this to work?

[Tanddant]

From reading the debug stack in your post, it appears your app only has the following permissions:

• User.ReadWrite.All
• Sites.FullControl.All

And you're trying to create a group that requires a

Permission type	Least privileged permissions	Higher privileged permissions
Application	Group.Create	Directory.ReadWrite.All, Group.ReadWrite.All

https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#permissions

I would suggest updating your app registration with the required permissions, and seeing if that helps

[retostadelmann]

Hi @Tanddant This somehow is not logged, but the Directory.ReadWrite.All and Group.ReadWrite.All are given to the App Registration we're trying to create the group with. I presume because these are not in the SharePoint Scope.

[Tanddant]

@retostadelmann I can't really read a whole lot more out of the logs, could you try to enable tracelogging, and provide a more detailed log? 😊

[retostadelmann]

@retostadelmann I can't really read a whole lot more out of the logs, could you try to enable tracelogging, and provide a more detailed log? 😊

Hi @Tanddant, this unfortunately already is the Trace Log on Level Debug. We're still trying to make it work but no luck so far.

[Tanddant]

@retostadelmann, I have a vague recollection of creating groups being supported with application permissions in the past, but I cannot for the life of me find any info on it now 😅

Sorry I can't be of much help

[patrikhellgren]

I ran a few tests around this using both GroupifySite and CreateGroupForSite which is the CSOM method used behind the scenes. From those tests I can only conclude that only delegated permissions are supported and like so many times before this is undocumented.
I tested different settings for all options available for CreateGroupForSite and always got the same result.

I also found this answer about the same method but in the REST API where he had seen the same result, pnp/pnpjs#2535 (comment)