Hello SPT-web, Best regards,
Hello Sebastien,
can you try it with a connection like this?
Connect-PnPOnline -Url -ClientId -Thumbprint
Best regards,
Hello,
Issue when granting permissions to a PnP script created App. If I use Grant-PnPAzureADAppSitePermission to grant permission to site collection then connect to pnponline using AppId and Secret, I get a 403 error when performing Resolve-PnPFolder or Get-PnPFile.
If I add permissions manually through /_layouts/15/appinv.aspx and retry, it works like a charm. What am I missing?
Detailed steps
I create a brand new site collection by script (TeamSite, no permission inheritance broken).
I create an app using
$appTitle = $_.AppName
$result = Register-PnPAzureADApp -ApplicationName $appTitle -Tenant $tenantFullName -Store CurrentUser -OutPath $CertificatesFolderPath -Interactive -SharePointApplicationPermissions 'Sites.Selected' -GraphApplicationPermissions 'Sites.Selected'
$_.AppId = $result.'AzureAppId/ClientId'
App is created and Sites.Selected permissions are set.
Then I connect to PnPOnline again and use:
Connect-PnpOnline -Url 'https://contoso-admin.sharepoint.com' -ClientId 'XXX-XXXX-XXXX-XXXX' -Interactive
Grant-PnPAzureADAppSitePermission -AppId $AppId -Site $sitecollection -Permissions Write -DisplayName 'TEST'
No error.
After that, I create a secret for this app and connect PnpOnline using it.
Connect-PnPOnline -Url $DestinationSiteCollectionURL -ClientId $SPOAppID -ClientSecret $SPOAppSecret
And when using Get-PnpFile command, I get a 403.
Then, if I go to site collection adding /_layouts/15/appinv.aspx to the URL, look for the app Id and provide XML code
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write" />
</AppPermissionRequests>
If I retry connection and Get-PnpFile, it works perfectly.
This is a permission issue. I guess I'm missing something on Grant-PnPAzureADAppSitePermission but what?
Note :
I tried with Read, Full control, same issue.
Note also: If I do:
Connect-PnpOnline -Url $sitecollection -ClientId 'XXX-XXXX-XXXX-XXXX' -Interactive
Grant-PnPAzureADAppSitePermission -AppId $AppId -Permissions Write -DisplayName 'TEST'
I get an 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))' error instead of 403.
Environment
PSVersion : 7.4.6
PnP.PowerShell : 2.12.0
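
The certificate connection suggested in the reply, written out with the variables from the question, as an added example (not code from either poster or from the PnP project): it confirms that the Sites.Selected grant is present on the site, then repeats the failing Get-PnPFile call over a -Thumbprint connection instead of -ClientSecret. $AdminClientId, $Thumbprint and $TestFileUrl are assumed names, and every angle-bracket value is a placeholder to fill in.

```powershell
# Added example; values in <...> are placeholders, not values from the thread.
$AdminClientId  = '<client id used for the interactive admin login>'
$AppId          = '<AzureAppId/ClientId returned by Register-PnPAzureADApp>'
$Thumbprint     = '<thumbprint of the certificate created with -Store CurrentUser>'
$tenantFullName = '<tenant>.onmicrosoft.com'
$sitecollection = 'https://<tenant>.sharepoint.com/sites/<site>'
$TestFileUrl    = '/sites/<site>/Shared Documents/<file>'   # assumed test file

# 1. As an admin, list the Sites.Selected grants on the site and look for the app.
Connect-PnPOnline -Url $sitecollection -ClientId $AdminClientId -Interactive
$grants = Get-PnPAzureADAppSitePermission -Site $sitecollection
# Assumption: each returned grant exposes the granted apps as .Apps with an .Id property.
$grant = $grants | Where-Object { $_.Apps.Id -contains $AppId }
if (-not $grant) {
    Write-Warning "No Sites.Selected grant for $AppId on $sitecollection"
    $grants | Format-List
    return
}
Write-Host "Grant found, permission id: $($grant.Id)"

# 2. Connect as the app with its certificate.
# -ClientSecret goes through the legacy SharePoint app-only (ACS) path, which is
# the path that appinv.aspx grants apply to; -Thumbprint authenticates the
# Entra ID app registration that holds the Sites.Selected permission.
Connect-PnPOnline -Url $sitecollection -ClientId $AppId `
    -Thumbprint $Thumbprint -Tenant $tenantFullName

# 3. Repeat the call that returned 403 and report the outcome explicitly.
try {
    $item = Get-PnPFile -Url $TestFileUrl -AsListItem -ErrorAction Stop
    Write-Host "Read OK with certificate auth: $($item['FileLeafRef'])"
}
catch {
    Write-Warning "Still failing with certificate auth: $($_.Exception.Message)"
}
finally {
    Disconnect-PnPOnline
}
```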