[BUG] Invoke-PnpSiteScript throws AudienceUriValidationFailedException #5133

@JDziurlaj

Reporting an Issue or Missing Feature

Site script will not execute from a file, instead erroring.

Expected behavior

Site script is applied to site

Actual behavior

Invoke-PnPSiteScript: Unauthorized (401): {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}

Steps to reproduce behavior

I used the linked script to rule out any script-specific issues.

Connect-PnpOnline -Url https://xxx-admin.sharepoint.com/ -ClientId "XXXX"
$script = Get-Content "..\portal-data\sharepoint\sites\xxx\site-script.json" -Raw
Invoke-PnpSiteScript -Script $script -WebUrl "https://xxx.sharepoint.com/sites/scratch"
pwsh Information: 0 : 2025-10-24 07:53:42.7338	[Invoke-PnPSiteScript]	[18]	[Debug]	Cmdlet execution started for Invoke-PnpSiteScript -Script $script -WebUrl "https://xxx.sharepoint.com/sites/scratch"	0ms	e69fb65d-44d9-487e-95d8-4d74b7f27be9
pwsh Information: 0 : 2025-10-24 07:53:42.7341	[Invoke-PnPSiteScript]	[18]	[Debug]	Site scripts will be applied to site https://xxx.sharepoint.com/sites/scratch	0ms	e69fb65d-44d9-487e-95d8-4d74b7f27be9
pwsh Information: 0 : 2025-10-24 07:53:42.7343	[Invoke-PnPSiteScript]	[18]	[Debug]	Executing provided script	0ms	e69fb65d-44d9-487e-95d8-4d74b7f27be9
pwsh Information: 0 : 2025-10-24 07:53:42.7345	[GetAccessTokenAsync]	[0]	[Debug]	Authentication type: AzureADInteractive	0ms	
pwsh Information: 0 : 2025-10-24 07:53:42.7349	[ApiRequestHelper]	[0]	[Debug]	Making POST call to https://xxx.sharepoint.com/sites/scratch/_api/Microsoft.Sharepoint.Utilities.WebTemplateExtensions.SiteScriptUtility.ExecuteTemplateScript() with payload	0ms	
pwsh Information: 0 : 2025-10-24 07:53:42.7350	[GetAccessTokenAsync]	[0]	[Debug]	Authentication type: AzureADInteractive	0ms	
pwsh Information: 0 : 2025-10-24 07:53:42.7357	[AccessTokenPermissionValidationResponse]	[0]	[Debug]	Evaluating delegated permissions in access token for audience Microsoft Graph	0ms	
pwsh Information: 0 : 2025-10-24 07:53:42.7360	[AccessTokenPermissionValidationResponse]	[0]	[Debug]	Access token contains the following 7 delegated permission scopes for resource Microsoft Graph: AllSites.FullControl, Group.ReadWrite.All, TermStore.ReadWrite.All, User.ReadWrite.All, profile, openid, email	0ms	
pwsh Information: 0 : 2025-10-24 07:53:42.7363	[AccessTokenPermissionValidationResponse]	[0]	[Debug]	No required permissions have been defined on this cmdlet	0ms	
pwsh Error: 0 : 2025-10-24 07:53:42.9608	[ApiRequestHelper]	[0]	[Error]	Response failed with HTTP 401 containing 123 characters: {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}	0ms	
pwsh Information: 0 : 2025-10-24 07:53:42.9633	[GetAccessTokenAsync]	[0]	[Debug]	Authentication type: AzureADInteractive	0ms	
Invoke-PnPSiteScript: Unauthorized (401): {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}

If a script hosted on the admin site is invoked, e.g. Invoke-PnPSiteScript -Identity $id -WebUrl $siteUrl, the end result is the same. The script WILL execute if run manually via the SharePoint Web interface.

What is the version of the Cmdlet module you are running?

3.1.0

Which operating system/environment are you running PnP PowerShell on?

  • Windows

Run on a DEVELOPERPACK_E5 tenant.
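
In the debug log above, the token is evaluated "for audience Microsoft Graph" while the POST goes to a SharePoint site URL. The following is an added diagnostic example, not code from this issue or from PnP PowerShell: it decodes a token's `aud` claim and compares it with the host of the request URL. The helper names are hypothetical and the sample token is constructed.

```powershell
# Added diagnostic example; not code from the issue or from PnP PowerShell.
# Get-JwtPayload and Test-TokenAudience are hypothetical helper names.
# Decoding only: the signature is NOT verified, so use this for troubleshooting.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT: got $($parts.Count) segments" }
    # base64url -> base64, then restore the padding that JWTs strip
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length in JWT payload' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TokenAudience {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][uri]$RequestUrl
    )
    $payload = Get-JwtPayload -Token $Token
    # 'aud' can be a string or an array; match on host when it parses as a URI
    $hit = @($payload.aud) | Where-Object {
        $audUri = $null
        [uri]::TryCreate([string]$_, [UriKind]::Absolute, [ref]$audUri) -and
            $audUri.Host -eq $RequestUrl.Host
    }
    [pscustomobject]@{
        Audience     = $payload.aud
        ExpectedHost = $RequestUrl.Host
        Scopes       = $payload.scp
        Match        = [bool]$hit
    }
}

# Constructed sample token (unsigned, made-up claims) to exercise the check.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$claims = '{"aud":"https://graph.microsoft.com","scp":"AllSites.FullControl profile"}'
$sample = (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $claims), 'sig' -join '.'
Test-TokenAudience -Token $sample -RequestUrl 'https://xxx.sharepoint.com/sites/scratch'
```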
