Section 1 - Create the Entra Security Groups
SPARK requires three Entra security groups to manage access to the SPARK application and its resources.
Early in the process, engage the customer and their stakeholders in a discussion about who should be a member of each group.
The groups required by SPARK are:
| Name | Description | Type | Members |
|---|---|---|---|
| SPARK System Admins | SPARK Service Administrators & Installers | Security | The group who will create/manage the Azure services used by this toolkit. This should be the administrators who will be granted the OWNER or Contributor RBAC role on the resource group in which SPARK is deployed. |
| SPARK Management Admins | SPARK (SPO) Tenant Admins & Approvers | Security | The Management Admins who are responsible for managing the SPARK program. This will likely be the SPO Administrators, or appropriate staff with delegated management rights within SPO. |
| SPARK Site Owners | Site Admins and Owners | Security | All SharePoint/Teams site owners and site collection administrators identified by the SPARK application will automatically be added to this group. Do not configure the membership of this group manually. |
You can modify the names of these groups to meet your organization’s requirements.
The members of the SPARK Management Admins group will be granted Full Access to the Shared Mailbox created in the Exchange Shared Mailbox section of this guide.
Requirements
An Entra administrator is required for this step. At a minimum, the installer must have:
- Access to the Microsoft Entra admin center
- Groups Administrator role
- A discussion about who should be notified for site attestation and have access to these groups
PowerShell Script
- Review the script and install the required modules if needed
- Review the security groups to create and set the `addUser` value to the account of the user deploying the solution
- Comment or uncomment the `Connect-MgGraph` lines so that only the one for your environment runs
- Run the script and validate that the security groups were created
```powershell
########################################## Required Modules ##########################################
#Install-Module Microsoft.Graph.Groups
#Install-Module Microsoft.Graph.Users
########################################## Security Groups ##########################################
# The security groups to create. Only the System Admins entry carries addUser:
# that account (the installer) is added as a member once the group exists.
$groups = @(
    @{
        addUser     = "user@domain.com"
        description = "SPARK Service Administrators & Installers"
        name        = "SPARK System Admins"
        nickname    = "SPARKSystemAdmins"
    },
    @{
        description = "SPARK (SPO) Tenant Admins & Approvers"
        name        = "SPARK Management Admins"
        nickname    = "SPARKManagementAdmins"
    },
    @{
        description = "Site Admins and Owners"
        name        = "SPARK Site Owners"
        nickname    = "SPARKSiteOwners"
    }
)
########################################## Connect to Graph ##########################################
# Connect to MgGraph (uncomment the line for your environment)
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
# Commercial/GCC
#Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All"
# GCC High
#Connect-MgGraph -Environment UsGov -Scopes "Group.ReadWrite.All","User.Read.All"
# DoD
#Connect-MgGraph -Environment UsGovDoD -Scopes "Group.ReadWrite.All","User.Read.All"
########################################## Create Groups ##########################################
# Parse the groups to create
$groups | ForEach-Object {
    $group = Get-MgGroup -Filter "DisplayName eq '$($_.name)'"
    if ($null -eq $group) {
        # Create the group as a plain security group (not mail-enabled)
        $group = New-MgGroup -DisplayName $_.name `
            -Description $_.description `
            -MailEnabled:$false `
            -MailNickname $_.nickname `
            -SecurityEnabled:$true
        # Log
        Write-Host "Group created: $($_.name)"
    } else {
        # Log
        Write-Host "Group already exists: $($_.name)"
    }
    # See if this is the system admins group (the only entry with addUser set)
    if ($null -ne $_.addUser) {
        # Look up the installer account; Get-MgUser throws on an unknown UPN, so suppress the error and test for $null
        $currUser = Get-MgUser -UserId $_.addUser -ErrorAction SilentlyContinue
        if ($null -ne $currUser) {
            # Add the user as a group member
            New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $currUser.Id
            # Log
            Write-Host "Added user $($currUser.DisplayName)"
        }
    }
}
########################################## Disconnect ##########################################
Disconnect-MgGraph
```
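The last step above asks the installer to validate that the groups were created. The following is an added example, not part of the SPARK project, that reads the three groups back through the same Microsoft.Graph.Groups module and checks the properties this section calls for: each name resolves to exactly one group, it is security-enabled and not mail-enabled, membership is Assigned rather than Dynamic, the System Admins group contains the installer, and the Site Owners group has not been populated by hand. The group names and the read-only scopes are assumptions to adjust if you renamed the groups.

```powershell
########################################## Validate SPARK Groups ##########################################
# Added validation example (not the project's own script). Assumes the default group names from this section.
Import-Module Microsoft.Graph.Groups

# Read-only scopes are enough here; add -Environment UsGov / UsGovDoD for GCC High / DoD as in the install script
Connect-MgGraph -Scopes "Group.Read.All","User.Read.All"

$expected = @(
    @{ name = "SPARK System Admins";     needsInstaller = $true;  mustBeEmpty = $false },
    @{ name = "SPARK Management Admins"; needsInstaller = $false; mustBeEmpty = $false },
    @{ name = "SPARK Site Owners";       needsInstaller = $false; mustBeEmpty = $true  }   # populated by SPARK, not by hand
)

$problems = @()
foreach ($g in $expected) {
    # Wrap in @() so a single result still has a .Count
    $found = @(Get-MgGroup -Filter "displayName eq '$($g.name)'")
    if ($found.Count -ne 1) {
        $problems += "$($g.name): expected exactly one group, found $($found.Count)"
        continue
    }
    $grp = $found[0]
    if (-not $grp.SecurityEnabled) { $problems += "$($g.name): SecurityEnabled is false" }
    if ($grp.MailEnabled)          { $problems += "$($g.name): MailEnabled is true (must be a plain security group)" }
    if ($grp.GroupTypes -contains "DynamicMembership") { $problems += "$($g.name): membership type must be Assigned, not Dynamic" }

    # List current members so the installer can eyeball who has been granted access
    $members = @(Get-MgGroupMember -GroupId $grp.Id -All)
    Write-Host "$($g.name) [$($grp.Id)] has $($members.Count) member(s)"
    foreach ($m in $members) {
        Write-Host "  - $($m.AdditionalProperties['displayName']) ($($m.AdditionalProperties['userPrincipalName']))"
    }
    if ($g.needsInstaller -and $members.Count -eq 0) { $problems += "$($g.name): installer account is missing (required for SQL access)" }
    if ($g.mustBeEmpty -and $members.Count -gt 0)    { $problems += "$($g.name): has members; this group must not be configured manually" }
}

Disconnect-MgGraph

if ($problems.Count -eq 0) {
    Write-Host "All SPARK groups validated"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```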
Manual Steps:
Video Walkthrough
Step 1: Create the Entra Groups
In this step, you will create the three Entra groups that grant administrators and users access to the SPARK components they need.
- Sign into the Microsoft Entra admin center. Use the correct URL for your environment:
  - Worldwide (Commercial) & GCC: https://entra.microsoft.com
  - GCC High and DoD: https://entra.microsoft.us
- Select Groups from the left navigation.
- Click on New group in the top navigation
- In the Group Type field, select Security
- Type in the Group Name. The suggested SPARK group names are:
  - SPARK System Admins
  - SPARK Management Admins
  - SPARK Site Owners
- Enter a Group Description (if desired)
- Under Microsoft Entra roles, select No
- Under Membership type, select Assigned
- Leave the Owner field blank, or add yourself as the owner if desired. You can always add additional owners later.
- For SPARK Management Admins and SPARK Site Owners: Under Members, select No members selected.
- For SPARK System Admins: Under Members, add the current account. This is required for access to SQL.
- In the flyout that appears on the right, add your Entra ID user, or search for and select the appropriate users to add to the group. You can always add additional members later.
- Click on Select at the bottom of the flyout to save your selections
- Click on Create
- Repeat the above steps to create the SPARK Management Admins group.
- Repeat the above steps to create the SPARK Site Owners group.