New-PnPWeb does not work with -ManagedIdentity flag in Azure Automation #3605
Description
Discussed in #3515
Originally posted by eshartwell October 17, 2023
When using a system managed identity, most options work, but when attempting to create a sub web within a site collection, I receive the following error when getting a new list item from the site collection and then processing.
```powershell
Connect-PnPOnline -Url $collection -ManagedIdentity
$newSite = New-PnPWeb -Title $subSiteTitle -Url $subSiteDir -Description $siteType -Locale 1033 -Template $template -BreakInheritance
```

```
New-PnPWeb : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
```
This same script worked well before switching from an actual service account (user), but nothing seems to work to create the site when using the system managed identity. I've omitted the variables and actual site names above, but I've ensured they all contain the same URL, paths, subsite names, templates, etc. Any suggestions? Thanks!
Additional testing shows that I can definitely connect to a site collection using the System Managed Identity, and I can also get a list and a specific item, but any commands that involve users (Get-PnPUser) or permissions (Set-PnPGroup, etc.) always yield the "Access Denied" error. Could I be missing a specific permission for the identity? I already have Sites.FullControl.All permissions, so I'm perplexed as to why user and group commands always fail. Any thoughts?