Get-PnPTenantRestrictedSearchMode / Get-PnPTenantRestrictedSearchAllowedList: 401 Unauthorized — RestrictedSearchMode property missing from CSOM Tenant schema #5347

@ns-manojs

Reporting an Issue or Missing Feature

Reporting an issue — Get-PnPTenantRestrictedSearchMode and Get-PnPTenantRestrictedSearchAllowedList returning 401 Unauthorized since June 9, 2026. Both were working on June 8, 2026 (confirmed by automated CI). No changes made on our side. Raw CSOM probes confirm this is a Microsoft-side CSOM schema change — the RestrictedSearchMode property no longer exists on the SharePoint Tenant object.


Expected behavior

Both cmdlets should return data as they did on June 8, 2026:

  • Get-PnPTenantRestrictedSearchMode → returns the current restricted search mode value (e.g. Disabled)
  • Get-PnPTenantRestrictedSearchAllowedList → returns the list of allowed site URLs

Actual behavior

# PnP 3.0.0
Get-PnPTenantRestrictedSearchMode
# Restricted search mode is currently not set.
# (catch block swallowing InvalidClientQueryException: Property does not exist)

Get-PnPTenantRestrictedSearchAllowedList
# Get-PnPTenantRestrictedSearchAllowedList: The remote server returned an error: (401) Unauthorized.

Set-PnPTenantRestrictedSearchMode -Mode Enabled
# Set-PnPTenantRestrictedSearchMode: The remote server returned an error: (401) Unauthorized.

Raw CSOM probe (bypassing PnP entirely) reveals the root cause:

Property query → InvalidClientQueryException: Property does not exist

$body = '<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0"
  LibraryVersion="16.0.0.0" ApplicationName="PnP"
  xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
  <Actions>
    <Query Id="3" ObjectPathId="1">
      <Query SelectAllProperties="false">
        <Properties><Property Name="RestrictedSearchMode" ScalarProperty="true"/></Properties>
      </Query>
    </Query>
  </Actions>
  <ObjectPaths>
    <Constructor Id="1" TypeId="{268004ae-ef6b-4e9b-8425-127220d84719}"/>
  </ObjectPaths>
</Request>'

$token = Get-PnPAccessToken -ResourceTypeName SharePoint
Invoke-WebRequest -Uri "https://<tenant>-admin.sharepoint.com/_vti_bin/client.svc/ProcessQuery" `
  -Method POST `
  -Headers @{ "Authorization" = "Bearer $token"; "Content-Type" = "text/xml" } `
  -Body $body

# HTTP 200
# ErrorTypeName: "Microsoft.SharePoint.Client.InvalidClientQueryException"
# ErrorMessage:  "Property does not exist."
# TraceCorrelationId: b2e21ba2-50f6-8000-a064-6c7d6216f694

Method call → cascading 401 from downstream backend

$body = '<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0"
  LibraryVersion="16.0.0.0" ApplicationName="PnP"
  xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
  <Actions>
    <Query Id="3" ObjectPathId="2">
      <Query SelectAllProperties="true"><Properties/></Query>
    </Query>
  </Actions>
  <ObjectPaths>
    <Method Id="2" ParentId="1" Name="GetSPORestrictedSearchAllowedList"><Parameters/></Method>
    <Constructor Id="1" TypeId="{268004ae-ef6b-4e9b-8425-127220d84719}"/>
  </ObjectPaths>
</Request>'

Invoke-WebRequest -Uri "https://<tenant>-admin.sharepoint.com/_vti_bin/client.svc/ProcessQuery" `
  -Method POST `
  -Headers @{ "Authorization" = "Bearer $token"; "Content-Type" = "text/xml" } `
  -Body $body

# HTTP 200
# ErrorTypeName: "System.Net.WebException"
# ErrorMessage:  "The remote server returned an error: (401) Unauthorized."
# TraceCorrelationId: e2e21ba2-508f-8000-7b94-69bcd119ada1

Ruled out (all confirmed present):

  • All 17 SharePoint application permissions including Sites.FullControl.All, SitesMetadataAdmin.ReadWrite.All, TenantReports.ReadWrite.All, Migration.ReadWrite.All
  • SharePoint Administrator Entra ID directory role on service principal (wids: f28a1f50-f6e7-4571-818b-6a12f2af6b6c)
  • Microsoft 365 Copilot license (3/3 assigned on tenant)
  • Get-PnPTenantSite works on the same connection — confirms token and -admin.sharepoint.com are accessible
  • Tested on both PnP 2.x and 3.0.0, both -AccessToken and certificate auth — same result

Steps to reproduce behavior

Connect-PnPOnline -Url "https://<tenant>-admin.sharepoint.com" `
  -ClientId "<client-id>" `
  -CertificatePath "<cert.pfx>" `
  -Tenant "<tenant>.onmicrosoft.com"

Get-PnPTenantRestrictedSearchMode
Get-PnPTenantRestrictedSearchAllowedList
Set-PnPTenantRestrictedSearchMode -Mode Enabled

All three return 401 / catch block error. Get-PnPTenantSite on the same connection succeeds.


What is the version of the Cmdlet module you are running?

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     3.0.0                 PnP.PowerShell                      {Add-PnPAlert, ...}

Also tested on PnP.PowerShell 2.x — same result.


Which operating system/environment are you running PnP PowerShell on?

  • Other : Docker container (Linux-based, PowerShell 7.5.5)
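
Both raw probes in the report come back as HTTP 200 with the failure carried in the response body, so a CI check that looks only at the status code will pass. The following is an added example (not part of the original issue or of PnP PowerShell) that classifies a ProcessQuery body; the function name, category labels and sample bodies are constructed, and the JSON layout (an array whose first element holds `ErrorInfo`) is an assumption based on the fields quoted in the report.

```powershell
# Added example (not from the issue). Assumption: the ProcessQuery body is a JSON
# array whose first element carries ErrorInfo (null on success).
function Get-CsomProcessQueryError {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Content   # raw response body
    )
    # @(...) keeps indexing safe whether ConvertFrom-Json yields one item or many
    $header = @($Content | ConvertFrom-Json)[0]
    $err    = $header.ErrorInfo
    if ($null -eq $err) {
        return [pscustomobject]@{
            Category           = 'Success'
            ErrorTypeName      = $null
            ErrorMessage       = $null
            TraceCorrelationId = $header.TraceCorrelationId
        }
    }
    $category = switch -Regex ($err.ErrorTypeName) {
        # Server rejected the query itself: property or method unknown to the schema
        'InvalidClientQueryException$' { 'SchemaMismatch'; break }
        # Server accepted the query but its own backend call failed
        '^System\.Net\.WebException$' {
            if ($err.ErrorMessage -match '\(401\)') { 'DownstreamUnauthorized' }
            else { 'DownstreamFailure' }
            break
        }
        default { 'OtherServerError' }
    }
    [pscustomobject]@{
        Category           = $category
        ErrorTypeName      = $err.ErrorTypeName
        ErrorMessage       = $err.ErrorMessage
        TraceCorrelationId = $err.TraceCorrelationId
    }
}

# Constructed sample bodies: error strings copied from the report, IDs are placeholders.
$samples = @(
    '[{"SchemaVersion":"15.0.0.0","ErrorInfo":{"ErrorMessage":"Property does not exist.","ErrorTypeName":"Microsoft.SharePoint.Client.InvalidClientQueryException","TraceCorrelationId":"00000000-0000-0000-0000-000000000001"},"TraceCorrelationId":"00000000-0000-0000-0000-000000000001"}]',
    '[{"SchemaVersion":"15.0.0.0","ErrorInfo":{"ErrorMessage":"The remote server returned an error: (401) Unauthorized.","ErrorTypeName":"System.Net.WebException","TraceCorrelationId":"00000000-0000-0000-0000-000000000002"},"TraceCorrelationId":"00000000-0000-0000-0000-000000000002"}]',
    '[{"SchemaVersion":"15.0.0.0","ErrorInfo":null,"TraceCorrelationId":"00000000-0000-0000-0000-000000000003"},3,{"_ObjectType_":"Constructed.Sample"}]'
)
$samples | ForEach-Object { Get-CsomProcessQueryError -Content $_ } |
    Format-Table Category, ErrorTypeName, TraceCorrelationId -AutoSize
```

In a pipeline, pass the `.Content` of the `Invoke-WebRequest` result to the function and fail the job on any category other than `Success`, logging the `TraceCorrelationId` for a support case.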
