SPARK Pre-Deployment Guide

This guide helps customers prepare their environment for the SPARK deployment by outlining the process, prerequisites, configurations, permissions, and resource dependencies required before installing SPARK. It ensures teams validate infrastructure readiness, understand security boundaries, and avoid common setup errors.

What is SPARK?

SPARK (SharePoint Attestation and Reporting Kit) is a comprehensive Microsoft Azure-based solution designed to automate and manage SharePoint Online attestation actions and notifications. It provides a streamlined process for site owners to attest to their sites, ensuring compliance and governance within DoD IL5 SharePoint Online environments.

📎 Read the detailed SPARK datasheet

The SPARK deployment process

The SPARK Manual Deployment process involves using the Azure & M365 Portals to manually install each component. In Version 1.0, this method is used to ensure that all components are installed and configured correctly.

📎 Several methods of automating the SPARK deployment process are currently in development by the SPARK Development Team. We are well aware that all of this can be automated, but chose not to in this release.

The SPARK manual deployment process is divided into the following steps:

This list is only a basic overview of the steps required to deploy SPARK; your environment and organizational policies may require additional steps.


Discussion Points prior to deployment

Before you begin the SPARK deployment, there are several key decision points that need to be addressed. Please utilize your local dedicated Cloud Solution Architects (CSA) or the SPARK Team for information and assistance with these steps.

Azure Subscription

SPARK requires your own Azure subscription to deploy the necessary resources and services. Microsoft cannot provide a free Azure tenant for you to use for SPARK.

Ensure that your tenant meets the following requirements:

  • An active Azure subscription
  • Verify that the subscription has sufficient permissions, usage and quota to create resources.
  • Ensure that the subscription is configured for Entra ID (Azure Active Directory) integration.

Microsoft 365 Tenant

SPARK requires a Microsoft 365 tenant with SharePoint Online (SPO) and Exchange Online (EXO) enabled. SPARK CANNOT SUPPORT ENVIRONMENTS WITH EXCHANGE OR SHAREPOINT ON PREMISES.

Ensure that the Microsoft 365 tenant meets the following requirements:

  • Ensure you have an active Microsoft 365 tenant with SharePoint Online enabled.
  • Verify that the installer or customer representative has the necessary permissions to create and manage SharePoint Online sites.
  • Verify that Exchange Online is enabled and used as the primary email service for the tenant.
  • Verify that SharePoint Online App Catalog is enabled for the tenant.

Network Configuration

In SPARK v1.0, a specific Azure Virtual Network (VNET) is not required for SPARK resources. In this version, SPARK uses the default Azure “public” endpoints for all services without the need for additional network resources to be deployed.

Every Azure environment is different. If specific network services are required per your organization’s networking policies, such as VNET Peering, Azure Firewall, Network Security Groups (NSGs), or Azure DDoS Protection, they will need to be configured manually or through additional scripts. Service or script modifications may be necessary, depending on the network resources deployed.

If you already have a Unified Support Agreement, the SPARK team can directly assist with these modifications. If not, please contact your Microsoft account team to discuss options, or visit our GitHub repository to submit an issue and we will assist on a best-effort basis.

Communication Flow, Port & Protocol and Details

Communication Flow: Azure Functions/Runbooks to Microsoft 365 (Graph API, SharePoint Online, Exchange Online)
Port & Protocol: HTTPS 443 (outbound)
Details: Required for all calls from Azure services to cloud endpoints. Examples: the SPARK function app calling the Graph API to fetch site info or send email, and the Automation runbook connecting to Exchange Online PowerShell. These occur over TLS 1.2 on port 443. The IL5 VNet's NSG must allow outbound 443 to Microsoft 365 endpoints (which are in Azure Government for DoD). All external REST calls (Graph, SPO REST, Outlook API) use this port. No other outbound internet access is needed.

Communication Flow: Azure Function App to Azure SQL DB (SPARK Database)
Port & Protocol: TCP 1433 (outbound)
Details: The function app and runbooks connect to the Azure SQL Database on port 1433 (the standard SQL port). In our setup, the SQL server has a private endpoint, so this traffic stays within Azure's IL5 boundary. The SQL server's firewall is configured to deny public traffic; only the VNet can reach it. During initial setup, an admin can temporarily add their IP to the SQL firewall for direct access, but at runtime all access is through the private channel on 1433.

Communication Flow: Automation Runbooks to Azure File Share (SPARK scripts share)
Port & Protocol: TCP 445 (SMB) (outbound)
Details: The runbook worker may mount the Azure Files share (if using one for scripts/modules) over SMB, which uses port 445. This port is opened internally from the Automation subnet to the storage account's private endpoint. In IL5, Azure Networking allows SMB within the VNet. If the solution instead copies files via HTTPS, 445 may not be used, but given the design uses Azure Files for PowerShell modules, 445 access is needed. As with SQL, the storage account has a private endpoint, so no public SMB exposure exists.

Communication Flow: SPFx Web Part (SharePoint Online) to Function App (SPARK API)
Port & Protocol: HTTPS 443 (inbound to Azure, outbound from M365)
Details: The SPARK SPO Actions Azure Function exposes a secure HTTPS endpoint for the SPFx web part to call (e.g., to get a user's sites or update an attestation). This is protected by Azure AD authentication. SharePoint Online will call this API over 443. From Azure's perspective this is inbound traffic to the function. The function app either has a public endpoint limited by AAD, or it might also be behind a private endpoint with a special allowance for SharePoint – but most likely, it's exposed over 443 with an AAD JWT requirement. No other inbound ports on the function are open.

Communication Flow: Admin Access (Optional) to Azure VMs/Bastion
Port & Protocol: HTTPS 443 (for Bastion); RDP/SSH 3389/22 (internal)
Details: If a Bastion host is deployed for management, admins connect to Bastion over 443 (web client). Bastion then opens 3389 or 22 to any VM jumpboxes in the VNet. SPARK's reference architecture doesn't include persistent VMs – it's mostly PaaS – so this is only for troubleshooting scenarios. There is no need to open RDP/SSH from outside; all admin maintenance can be done via Bastion or the Azure portal.

Support for the following features is not included in the SPARK installation scripts and will need to be configured and tested manually.

  • Azure Private Endpoints
  • Azure Firewall
  • Network Security Groups (NSGs)
  • Azure Private Link
  • Azure Virtual Network (VNet) Peering
  • Azure DDoS Protection
  • Azure Application Gateway
  • Azure Front Door
  • Azure API Management

Native support for many of these features (and more) is on the SPARK roadmap and may be added in future releases. If you require immediate support for any of these features, please contact your Customer Success Account Manager (CSAM) or the SPARK team.


SPARK Authentication and Authorization

SPARK Services use tightly scoped Entra ID Managed Identities for the individual microservices to securely authenticate between Azure resources, M365 Services and Graph API. Any workflows that require write access or changes to the production M365 environment are queued and can be stopped in advance if necessary.


Entra ID Security Groups

Several Entra ID Security Groups are required to manage user access and permissions for SPARK. These groups will be used to control access to the SPARK components and SharePoint Online sites.

  • Spark System Admins - specifically for SPARK Service Administrators & Installers
  • Spark Management Admins - specifically for Tenant Admins & Approvers
  • SPARK Site Owners - specifically for Site Creator Owners

End Users will authenticate using their Entra ID organizational accounts only to the SharePoint Online Attestation or Administration Portals with Entra ID Security Groups controlling access.


Azure RBAC (Role-Based Access Control)

Azure RBAC is used to manage access to Azure resources. This ensures that only authorized installers, administrators and managed identities can perform actions on the SPARK service resources. No Shared Keys are used for access to any SPARK resources or Entra ID App Registrations.


SPARK Installer Permissions

The overall installation of SPARK will require the following permissions to create and configure the necessary resources and configurations required for functionality. These roles are usually delegated across a team of administrators performing the installation, typically (but not necessarily) through the Spark System Admins Entra ID group.

📎 FOR A LIMITED TIME ONLY!

These roles and permissions are only required during the actual deployment of SPARK. They are not required by the SPARK services or managed identities to function!

Role Name | Scope | Purpose
Contributor | Azure Subscription or Resource Group | Access to create, update and delete subscription resources for SPARK
Role Based Access Control Administrator | Azure Subscription or Resource Groups | Manage user access to Azure resources and assign roles in Azure RBAC
Application Administrator | Entra ID Tenant | Manage application registrations and API permissions in Entra ID
Security Administrator | Entra ID Tenant | Create and manage Entra ID Security Groups for SPARK
SharePoint Administrator | Microsoft 365 Tenant | Configure the SharePoint Site Collection and import the SPFx Web Part into the App Catalog
Exchange Administrator | Microsoft 365 Tenant | Create the Non-Person Entity (NPE) shared mailbox for SPARK, create the distribution lists (DLs) for SPARK notifications, create the mail flow rule restricting the NPE to sending to DLs only, create service principals for both DL management and email notifications, and configure role groups and scopes so the service principals can only manage DLs and only send as the NPE

Authentication Mechanisms

UX Login Flow

The SharePoint Framework webparts will authenticate with the SPARK application registration from SharePoint, using the logged in user’s context. The authentication token returned from the application registration will be used to authenticate with the function app. The user context information is extracted from the authentication token and used to return data.

The Azure Function App uses an Azure User Assigned Managed Identity (UAMI) to authenticate with the Azure Automation Runbooks and the Azure SQL Database.

SPARK Authentication Methods Table

Authentication Method | Target Service/Endpoint | Credentials Source | Protocol
Managed Identity (UAMI/SAMI) | Azure Resource Manager, Graph API | Automation Variables (v_managedIdentity, v_uami, v_clientId) | HTTPS
OAuth 2.0 Bearer Token | Microsoft Graph API | Get-AzAccessToken | HTTPS
OAuth 2.0 Bearer Token | Azure SQL Database | Get-AzAccessToken | HTTPS
OAuth 2.0 Bearer Token | Azure Automation REST API | Get-AzAccessToken | HTTPS
OAuth 2.0 Bearer Token | Microsoft Graph via Connect-MgGraph | Access token from Azure context | HTTPS
OAuth 2.0 Bearer Token | PnP PowerShell (Connect-PnPOnline) | Managed Identity or ClientId | HTTPS

SPARK Connection Targets Table

Service/Endpoint | Purpose | Authentication Method
Microsoft Graph API | Site, user, group, org info queries | OAuth 2.0 Bearer Token (Managed Identity)
Azure SQL Database | Store site collection data | OAuth 2.0 Bearer Token (Managed Identity)
Azure Automation REST API | Job status, runbook management | OAuth 2.0 Bearer Token (Managed Identity)
PnP PowerShell (SharePoint Online) | Site/group/user enumeration | Managed Identity or ClientId

Managed Identities:

SPARK uses Managed Identities to automate access to Azure and Microsoft 365 resources securely, without hard-coded credentials or shared secrets. This ensures that SPARK can interact securely with Azure services such as Azure Function Apps, Azure Storage, Runbooks, and the Azure SQL Database without exposing sensitive information or credentials.

SPARK uses both User Assigned Managed Identity (UAMI) and System Assigned Managed Identity (SAMI) for its components.

UAMIs Used By SPARK

uami-spark-spoactions

The uami-spark-spoactions UAMI in SPARK has a very specific role:

It is the identity that authorizes the SPARK backend services (function app/runbooks) to make Microsoft Graph calls into SharePoint Online.

Key points about its purpose in the SPARK architecture:

  • ✅ Not tied to SharePoint directly; the UAMI itself never logs into or interacts with SPO.
  • ✅ Attached to the backend service; specifically the Azure Function App & Runbooks.
  • ✅ Grants least-privilege access; it is granted Azure RBAC and Graph API permissions (via the appreg-spark-spoactions app registration) to perform only the allowed actions.
  • ✅ Reusable; the UAMI can be reused across multiple SPARK installations if needed, providing a single consistent identity for SPARK actions.

Roles/Permissions required

uami-spark-spoactions

SPARK Azure Role Assignment Table:

Azure Role Assignment | Assigned to | Purpose
SQL DB Contributor | sql-spark-svr | SPARK Database Server access
Storage Blob Data Contributor | sasparkstorage | SPARK Storage Account access for Function Apps & Runbooks
Automation Operator | rg-spark-svc | SPARK Automation Account access for Runbooks

The SPARK Automation Account SAMI

This SAMI is assigned the Exchange.ManageAsApp permission within the Entra ID App Registration and is used for authentication to Exchange Online and to manage the 10 defined distribution lists used for SPO site admin/owner email notifications. The SAMI’s service principal is restricted within EXO via an Exchange Application Role Group Scope to only be able to manage the ten predefined distribution lists created during SPARK deployment. No additional Exchange permissions are granted to this SAMI.

Exchange Online will not allow a UAMI to authenticate and manage the DL. A SAMI is required for this function.
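The scoping described above, worked through in Exchange Online PowerShell as an added example (this is not SPARK's installation script). It assumes placeholder IDs for the SAMI, a naming pattern of DL-SPARK-Notify-01 through DL-SPARK-Notify-10 for the ten distribution lists, that those lists are tagged with CustomAttribute1 = 'SPARK', and an NPE mailbox address in a contoso.example domain; none of these values come from the guide. The role group/scope pair is what confines the SAMI, and the mail flow rule is the one the Exchange Administrator row of the installer table refers to.

```powershell
# Added example (not SPARK's own script): confine the Automation Account SAMI to the
# ten SPARK notification DLs with an Exchange role group carrying a custom write scope,
# and restrict the NPE mailbox to sending only to those DLs.
# Placeholders (assumed, not from the guide): SAMI IDs, DL names, the CustomAttribute1
# tag, the NPE address and the tenant domain.

# Interactive session as an Exchange Administrator (one of the installer roles above).
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovDoD   # IL5/DoD endpoint

$samiAppId    = '00000000-0000-0000-0000-000000000000'   # placeholder: SAMI application ID
$samiObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder: SAMI object ID
$npeAddress   = 'spark-npe@contoso.example'              # placeholder NPE shared mailbox

# 1. Make the managed identity known to Exchange Online as a service principal.
$sp = Get-ServicePrincipal -Identity $samiObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $samiAppId -ObjectId $samiObjectId `
            -DisplayName 'SPARK Automation Account (SAMI)'
}

# 2. Tag the ten DLs so the scope can select them by attribute rather than by name.
1..10 | ForEach-Object {
    Set-DistributionGroup -Identity ('DL-SPARK-Notify-{0:D2}' -f $_) -CustomAttribute1 'SPARK'
}

# 3. Recipient write scope that matches only the tagged distribution groups.
New-ManagementScope -Name 'SPARK-DL-Scope' -RecipientRestrictionFilter `
    "(RecipientTypeDetails -eq 'MailUniversalDistributionGroup') -and (CustomAttribute1 -eq 'SPARK')"

# 4. Role group holding only the Distribution Groups role, limited to that scope; the
#    SAMI is its only member, so it can edit these ten lists and nothing else.
New-RoleGroup -Name 'SPARK DL Managers' -Roles 'Distribution Groups' `
    -CustomRecipientWriteScope 'SPARK-DL-Scope' -Members $samiObjectId

# 5. Mail flow rule: reject anything the NPE mailbox sends to a non-SPARK recipient.
$dlAddresses = Get-DistributionGroup -Filter "CustomAttribute1 -eq 'SPARK'" |
               ForEach-Object { $_.PrimarySmtpAddress.ToString() }
New-TransportRule -Name 'SPARK NPE may only send to SPARK DLs' -From $npeAddress `
    -ExceptIfSentTo $dlAddresses `
    -RejectMessageReasonText 'SPARK notifications may only be addressed to SPARK distribution lists.'

# 6. Verify the effective assignment: expect exactly one role (Distribution Groups)
#    with CustomRecipientWriteScope = SPARK-DL-Scope.
Get-ManagementRoleAssignment -RoleAssignee 'SPARK DL Managers' |
    Format-Table Role, CustomRecipientWriteScope
```

Step 6 is the check worth keeping after deployment: if the assignment ever shows a role other than Distribution Groups, or an empty write scope, the SAMI has more reach than the guide describes.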


Entra ID Application Registrations

Two Entra ID Application Registrations are required to enable authentication and authorization for SPARK. These applications will be used to authenticate users and managed identities to access the Graph API and SharePoint Online sites.

appreg-spark-spoactions

This application will be used to authenticate managed identities to access SharePoint Online sites and perform actions such as attestation capture, notifications, and reporting.

Admin Consent for these permissions will be required.

Module Name | Type | Permission | Justification
Microsoft Graph | Application | Directory.Read.All | Required to read user information from Entra.
Microsoft Graph | Application | Group.Read.All | Required to read M365 group information from Entra.
Microsoft Graph | Application | Sites.FullControl.All | Required to make changes to SharePoint sites in the tenant.
Microsoft Graph | Application | User.Read.All | Required to extract user information from Entra.
Office 365 Exchange Online | Application | Exchange.ManageAsApp | Manages the distribution lists associated with this application.
Office 365 SharePoint Online | Application | Sites.FullControl.All | Required to make changes to SharePoint sites in the tenant.

appreg-spark-sendmail: SPARK Notifications Application
This application will be used to send notifications via email to the SPO site owners and admins. This is a dedicated application for this function with restricted send rights within Exchange Online.

Entra App Permission Table

Module Name | Permission
Microsoft Graph | Mail.Send

The appreg-spark-sendmail certificate

SPARK utilizes a dedicated registered application with the Graph permission Mail.Send. This permission allows the application to send email as any user within the Exchange organization.

In SPARK, the app registration uses a certificate for secure, non-interactive authentication to Exchange via Microsoft Graph. The certificate replaces a client secret, letting the app prove its identity to Entra ID by signing requests with its private key, while Entra verifies the public key stored in the app registration.

Certificate Requirements:

  • X.509 RSA certificate
  • 2048-bit
  • 1–2-year validity
  • Certificate in .PFX format with the Private Key set to exportable (password will be required for initial installation into the App)
  • Certificate in .CER format
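An added example (not part of the guide or the SPARK code) that produces a certificate meeting the requirements above, exports the .PFX/.CER pair, signs in to Graph with it, and then narrows the tenant-wide Mail.Send grant to the NPE mailbox. The client ID, tenant ID, NPE address and the mail-enabled security group sg-spark-npe are placeholders; the application access policy is one way to implement the "restricted send rights" the text mentions and is my choice, not necessarily how the SPARK installer does it. New-SelfSignedCertificate requires Windows PowerShell or the PKI module on Windows.

```powershell
# Added example (not SPARK code): build the appreg-spark-sendmail certificate per the
# requirements list, export it, authenticate with it, and fence Mail.Send to the NPE.
# Placeholders (assumed, not from the guide): client/tenant IDs, NPE address, group name.
$clientId   = '22222222-2222-2222-2222-222222222222'   # placeholder: appreg-spark-sendmail client ID
$tenantId   = '33333333-3333-3333-3333-333333333333'   # placeholder: tenant ID
$npeAddress = 'spark-npe@contoso.example'              # placeholder NPE shared mailbox
$pfxPath    = Join-Path $env:TEMP 'appreg-spark-sendmail.pfx'
$cerPath    = Join-Path $env:TEMP 'appreg-spark-sendmail.cer'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# X.509, RSA 2048-bit, SHA-256, one-year validity, exportable private key.
$cert = New-SelfSignedCertificate -Subject 'CN=appreg-spark-sendmail' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Check the requirements before anything is uploaded.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa -or $rsa.KeySize -ne 2048) { throw 'Certificate is not RSA-2048.' }
if ($cert.NotAfter -gt (Get-Date).AddYears(2)) { throw 'Validity exceeds the 2-year limit.' }

# .PFX (private key) goes to the Function App/Automation; .CER (public key) to the app registration.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# Non-interactive sign-in: the private key signs the client assertion and Entra ID
# verifies it against the public key stored on the app registration.
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -Certificate $cert `
    -Environment USGovDoD -NoWelcome

# Mail.Send is tenant-wide by default. An Exchange application access policy limits
# this app to the members of a mail-enabled security group that contains only the NPE.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovDoD
New-ApplicationAccessPolicy -AppId $clientId -PolicyScopeGroupId 'sg-spark-npe@contoso.example' `
    -AccessRight RestrictAccess `
    -Description 'appreg-spark-sendmail may act only as the SPARK NPE mailbox'

# Expect AccessCheckResult = Granted for the NPE and Denied for any other mailbox.
Test-ApplicationAccessPolicy -AppId $clientId -Identity $npeAddress
Test-ApplicationAccessPolicy -AppId $clientId -Identity 'someone.else@contoso.example'

# A notification sent as the NPE, the only identity the policy now allows.
$mail = @{
    message = @{
        subject      = 'SPARK: site attestation required'
        body         = @{ contentType = 'Text'; content = 'Please attest to your SharePoint site(s) in the SPARK portal.' }
        toRecipients = @(@{ emailAddress = @{ address = 'DL-SPARK-Notify-01@contoso.example' } })
    }
    saveToSentItems = $false
}
Send-MgUserMail -UserId $npeAddress -BodyParameter $mail
```

Keep the .PFX password out of scripts and source control; the guide requires it only once, when the certificate is installed into the app.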

SPARK observes security best practices!

  • No Hardcoded Secrets: All credentials and tokens are retrieved from secure automation variables or managed identity.
  • Token Handling: Tokens are passed securely to REST API calls and SQL connections.
  • Parameterization: SQL commands use parameterized queries to prevent injection.
  • Environment Awareness: Cloud endpoints and authentication authorities are dynamically mapped for government cloud support.
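The rows of the two authentication tables above and the four practices just listed, put together as an added runbook fragment (this is not SPARK's code). It assumes an Automation variable named v_clientId (a name the guide lists) holding the UAMI client ID, a database named sparkdb, a placeholder stored procedure dbo.usp_UpsertSparkSite with three parameters, and Az.Accounts 2.17 or later for the -AsSecureString switch; the SQL server name sql-spark-svr is the one from the role assignment table.

```powershell
# Added example (not SPARK code): managed-identity sign-in, cloud-aware endpoints,
# short-lived bearer tokens, and a parameterized stored-procedure call.
# Placeholders (assumed): database name, procedure name and its parameters.

# No hard-coded secrets: sign in as the user-assigned managed identity.
$clientId = Get-AutomationVariable -Name 'v_clientId'
Connect-AzAccount -Identity -AccountId $clientId | Out-Null

# Environment awareness: derive endpoints from the signed-in cloud, never assume commercial.
$azEnv = (Get-AzContext).Environment
$graphHost = switch ($azEnv.Name) {
    'AzureUSGovernment' { 'https://graph.microsoft.us' }
    'AzureChinaCloud'   { 'https://microsoftgraph.chinacloudapi.cn' }
    default             { 'https://graph.microsoft.com' }
}
$sqlSuffix = $azEnv.SqlDatabaseDnsSuffix            # e.g. .database.usgovcloudapi.net

# Token handling: one short-lived bearer token per audience, held in memory only.
function Get-SparkBearer {
    param([string]$ResourceUrl)
    $t = Get-AzAccessToken -ResourceUrl $ResourceUrl -AsSecureString
    return [System.Net.NetworkCredential]::new('', $t.Token).Password
}

# Graph: read one site using the application permissions granted to appreg-spark-spoactions.
$graphToken = Get-SparkBearer -ResourceUrl "$graphHost/"
$site = Invoke-RestMethod -Method GET `
            -Uri "$graphHost/v1.0/sites/root?`$select=id,webUrl,displayName" `
            -Headers @{ Authorization = "Bearer $graphToken" }

# Parameterization: the SQL token goes in SqlConnection.AccessToken (no password in the
# connection string) and every value is a typed parameter, so a site title containing
# quotes can never change the statement that runs.
$sqlToken = Get-SparkBearer -ResourceUrl "https://$($sqlSuffix.TrimStart('.'))/"
$conn = [System.Data.SqlClient.SqlConnection]::new(
    "Server=tcp:sql-spark-svr$sqlSuffix,1433;Database=sparkdb;Encrypt=True;Connection Timeout=30")
$conn.AccessToken = $sqlToken
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandType = [System.Data.CommandType]::StoredProcedure
    $cmd.CommandText = 'dbo.usp_UpsertSparkSite'    # placeholder procedure name
    $cmd.Parameters.Add('@SiteId',  [System.Data.SqlDbType]::NVarChar, 256).Value  = $site.id
    $cmd.Parameters.Add('@SiteUrl', [System.Data.SqlDbType]::NVarChar, 2048).Value = $site.webUrl
    $cmd.Parameters.Add('@Title',   [System.Data.SqlDbType]::NVarChar, 512).Value  = $site.displayName
    [void]$cmd.ExecuteNonQuery()
}
finally {
    $conn.Dispose()                      # closes the connection
    $graphToken = $sqlToken = $null      # nothing is written to logs or variables
}
```

Two things to check when adapting this: the UAMI must hold SQL DB Contributor on the server (it does in the role assignment table) and must also exist as a contained database user created from the external provider, otherwise the token-based login is rejected even though the role assignment looks correct.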

SPARK Components Overview

Azure Function Apps

The function app will be used to get data from the SQL database and pass it back to the SharePoint webparts. It’s used to authenticate the logged in user in SharePoint in order to return data from the Azure SQL database.

Get All Sites

This function returns all sites. This is used for the management portal webpart to export all of the data.

Get Site Counts

This function runs the SQL query that counts sites by the state each is currently in and returns the result. It is used by the management portal webpart to show the high-level states of the sites.

Get Sites by Action

This function returns the sites for a specified state. This is used for the management portal webpart to view or export the data.

Get Sites by Keyword

This function searches for sites by a specified keyword. This is used for the management portal webpart's search functionality.

Get SPARK Sites

This function returns the sites for the user accessing the attestation portal webpart to display the sites they are an admin or owner of. The user information comes from the authentication token of the call.

Update SPARK Sites

This function is used by the attestation portal webpart to submit the attestation for the site admin or owner.

Azure Automation Runbooks

The Azure Automation Runbooks provide the automation for most of the backend services.

Manage Crawl State

This runbook runs nightly to add or remove sites that site administrators have attested or rejected. It also removes sites that site administrators have neither attested nor rejected within the required timeframe. By default the threshold is 30 days.

Manage Distribution List Notifications

This runbook manages the site owners/admins that need to be notified. It adds users to the distribution lists in round-robin order so that membership is spread evenly across them.

Send Email to Distribution List

This runbook will send the notification to the site owners/admins that need to attest for their site(s).

Site Collector

This runbook automates the discovery and collection of SharePoint site collections within a Microsoft 365 tenant. It uses Microsoft Graph API and Azure Automation to enumerate sites, gather metadata and store results in a SQL database. It also manages runbook execution for site permissions collection and ensures safe, concurrent operation within an Azure Automation environment.
Key Functions:
  • Site Collection Discovery: Queries Microsoft Graph for SharePoint site collections, including deleted sites if configured.
  • Metadata Extraction: Collects site details (ID, URL, owner, creation/deletion time, template type, sharing status).
  • Database Storage: Writes site data to a SQL database using parameterized stored procedures.
  • Runbook Coordination: Starts additional runbooks for permissions inventory if thresholds are met.
  • Cloud Routing: Dynamically determines endpoints and environment parameters for national clouds (Global, USGov, China, Germany).
  • Safety Checks: Ensures only one instance runs and coordinates with other automation jobs.
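Two of the key functions above are easy to get wrong at the scale the guide mentions (hundreds of thousands of sites): the single-instance safety check and paged enumeration. The following is an added example of both, not the SPARK Site Collector itself. It assumes Connect-AzAccount -Identity has already run in the runbook, an Automation account named aa-spark-svc (a placeholder) in the rg-spark-svc resource group from the role table, the Azure Government Graph host, PowerShell 7 for Invoke-RestMethod's retry switches, and Az.Accounts 2.17 or later for -AsSecureString. Database storage is left to the parameterized stored-procedure call shown in the authentication example.

```powershell
# Added example (not the SPARK Site Collector): single-instance guard plus paged Graph
# enumeration of every site collection. Placeholder: the Automation account name.
param(
    [string]$ResourceGroupName     = 'rg-spark-svc',
    [string]$AutomationAccountName = 'aa-spark-svc',          # placeholder
    [string]$GraphHost             = 'https://graph.microsoft.us'
)

function Test-SparkSingleInstance {
    # Azure Automation exposes this job's ID; any *other* active job of the same
    # runbook means the previous crawl has not finished, so this one must back off.
    $myJobId = $PSPrivateMetadata.JobId.Guid
    $me = Get-AzAutomationJob -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Id $myJobId
    $active = 'New', 'Activating', 'Running', 'Resuming'
    $others = Get-AzAutomationJob -ResourceGroupName $ResourceGroupName `
                -AutomationAccountName $AutomationAccountName -RunbookName $me.RunbookName |
              Where-Object { $_.JobId.ToString() -ne $myJobId -and $_.Status -in $active }
    return (@($others).Count -eq 0)
}

function Get-SparkSiteCollections {
    param([string]$Token, [string]$GraphHost)
    $headers = @{ Authorization = "Bearer $Token" }
    $select  = 'id,displayName,webUrl,createdDateTime,lastModifiedDateTime,siteCollection'
    $uri     = "$GraphHost/v1.0/sites/getAllSites?`$select=$select"
    $sites   = [System.Collections.Generic.List[object]]::new()
    while ($uri) {
        # Graph pages large tenants; follow @odata.nextLink until it is absent.
        # -MaximumRetryCount lets PowerShell 7 retry throttled (429) or 5xx responses.
        $page = Invoke-RestMethod -Method GET -Uri $uri -Headers $headers `
                    -MaximumRetryCount 5 -RetryIntervalSec 10
        foreach ($s in $page.value) {
            $sites.Add([pscustomobject]@{
                SiteId       = $s.id
                Url          = $s.webUrl
                Title        = $s.displayName
                Created      = $s.createdDateTime
                LastModified = $s.lastModifiedDateTime
                Hostname     = $s.siteCollection.hostname
            })
        }
        $uri = $page.'@odata.nextLink'    # $null on the final page ends the loop
    }
    return $sites
}

if (-not (Test-SparkSingleInstance)) {
    Write-Output 'Another Site Collector job is active; exiting without crawling.'
    return
}
$secure = (Get-AzAccessToken -ResourceUrl "$GraphHost/" -AsSecureString).Token
$token  = [System.Net.NetworkCredential]::new('', $secure).Password
$sites  = Get-SparkSiteCollections -Token $token -GraphHost $GraphHost
Write-Output "Collected $($sites.Count) site collections; ready for the database upsert."
```

The guard compares against jobs of the same runbook only, so the permissions-inventory runbooks it launches are not counted; if those also need to be serialized, they need their own guard or a shared Automation variable used as a lock.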

Site Inventory Management

This runbook processes the sites flagged for analysis. The site properties and admin/owner information are collected and updated in the database.

Azure SQL Database

In SPARK, the Azure SQL Database acts as the single source of truth for the entire system. It stores, indexes, and manages all SharePoint site metadata, user attestation records, and attestation state to drive the automation functions of SPARK. It enables fast querying at scale (hundreds of thousands of sites), supports caching and delta updates, and provides the backbone for SPARK’s functionality.

SharePoint Framework (SPFx) WebParts

The SharePoint Framework (SPFx) webparts are used to display dashboards, both for site owners/admins to attest for their sites and for management/leadership to review the tenant's sites overall.

Attestation WebPart

The attestation webpart is used to display all sites the user is an owner or admin of. This webpart will allow the user to attest for their site or request an exemption.

Management WebPart

The management webpart is used to display all sites by their state. The user is able to view sites by state, or export data as a CSV. The user will be able to accept/reject exemption requests from the site admin or owner.
