Section 5: Configure the PowerShell PnP App
SPARK uses PnP PowerShell to apply configurations that cannot be completed using the M365 portals, the Graph API or the Microsoft PowerShell modules.
Once the deployment is completed, you can remove this app registration.
Use the correct URL for your environment:
Worldwide (Commercial) & GCC
https://entra.microsoft.com
GCC-High and DoD
https://entra.microsoft.us
PowerShell Scripts
- Review the Create Application Registration script and install the required modules if needed
- Uncomment the Connect-MgGraph line for your environment (all three are commented out in the script)
- Run the script
- Validate that the pnp-powershell application registration is created
- Complete step 4 to consent the permissions
- Review the Create Self-Signing Certificate script and create a certificate
- Complete step 5 to add a certificate to the app registration
- Complete step 6 to test the connection and retrieve the tenant admin site id
Create Application Registration
########################################## Required Modules ##########################################
# Install-Module Microsoft.Graph.Applications
########################################## Connect to Graph ##########################################
# Connect to MgGraph: uncomment the line that matches your environment
Import-Module Microsoft.Graph.Applications
# Commercial/GCC
#Connect-MgGraph -Scopes "Application.ReadWrite.All"
# GCC High
#Connect-MgGraph -Environment UsGov -Scopes "Application.ReadWrite.All"
# DoD
#Connect-MgGraph -Environment UsGovDoD -Scopes "Application.ReadWrite.All"
########################################## Application Registrations ##########################################
# The application registrations to create, with the application (Role) permissions each one requires
$appRegistrations = @(
    @{
        name        = "pnp-powershell"
        permissions = @(
            # Microsoft Graph
            @{
                ResourceAppId  = "00000003-0000-0000-c000-000000000000"
                ResourceAccess = @(
                    # Application.Read.All
                    @{
                        Id   = "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30"
                        Type = "Role"
                    },
                    # AppRoleAssignment.ReadWrite.All
                    @{
                        Id   = "06b708a9-e830-4db3-a914-8e69da51d44f"
                        Type = "Role"
                    },
                    # Sites.FullControl.All
                    @{
                        Id   = "a82116e5-55eb-4c41-a434-62fe8a61c773"
                        Type = "Role"
                    }
                )
            },
            # Office 365 SharePoint Online
            @{
                ResourceAppId  = "00000003-0000-0ff1-ce00-000000000000"
                ResourceAccess = @(
                    # Sites.FullControl.All
                    @{
                        Id   = "678536fe-1083-478a-9c59-b99265e6b0d3"
                        Type = "Role"
                    }
                )
            }
        )
    }
)
########################################## Create Application Registrations ##########################################
# Create each application registration that does not exist yet, then set its required API permissions
$appRegistrations | ForEach-Object {
    $appReg = Get-MgApplication -Filter "DisplayName eq '$($_.name)'"
    if ($null -eq $appReg) {
        # Create the application registration
        $appReg = New-MgApplication -DisplayName $_.name
        # Log
        Write-Host "Application Registration created: $($_.name)"
    } else {
        # Log
        Write-Host "Application Registration already exists: $($_.name)"
    }
    # Set the API permissions (this replaces any existing requiredResourceAccess on the registration)
    Update-MgApplication -ApplicationId $appReg.Id -RequiredResourceAccess $_.permissions
    # Log
    Write-Host "Permission added to the application registration"
    # Log: the permissions are requested, not granted, until an admin consents (step 4)
    Write-Host "Admin consent is required"
}
########################################## Disconnect ##########################################
Disconnect-MgGraph
Create Self-Signing Certificate
# Certificate Information
$certname      = "CN=SPARKAutomationPnP"
$certPath      = "Cert:\CurrentUser\My"
$outputFolder  = "C:\certs"
$pfxOutputPath = "$outputFolder\SPARKAutomation_PnP.pfx"   # contains the private key; keep this file protected
$cerOutputPath = "$outputFolder\SPARKAutomation_PnP.cer"   # public certificate; this is the file uploaded in step 5
# Password for the .pfx file; prompted for rather than written into the script so it is not left in a file or in source control
$pfxPassword = Read-Host -Prompt "Enter a password for the exported .pfx file" -AsSecureString
# Make sure the output folder exists
New-Item -ItemType Directory -Path $outputFolder -Force | Out-Null
# Create the certificate and add it to the user's store
$cert = New-SelfSignedCertificate `
    -Subject $certname `
    -CertStoreLocation $certPath `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)
# Export the certificate with its private key (used by Connect-PnPOnline on the deployment machine)
Export-PfxCertificate `
    -Cert $cert `
    -FilePath $pfxOutputPath `
    -Password $pfxPassword
# Export the public certificate only (the .cer file that is uploaded to the app registration)
Export-Certificate `
    -Cert $cert `
    -FilePath $cerOutputPath
# Record this thumbprint in the SPARK Deployment Workbook
Write-Host "Certificate thumbprint: $($cert.Thumbprint)"
Manual Steps:
Step 1: Create the App Registration
- Select App registrations from the left navigation menu
- Click on + New registration
- Enter pnp-powershell for the name of the application to register
- Click on Register to create the application
Step 2: Remove the Default API Permissions
- Select API permissions from the left navigation
- Under Configured Permissions, click the ellipsis (…) at the top right side of the table and choose Remove all permissions
If permissions still remain, repeat this step until all of the default permissions have been removed from the app
Step 3: Configure the API permissions using the Manifest
- Select Manifest from the left navigation
- Find the requiredResourceAccess property.
- Highlight from “requiredResourceAccess”: [ to the comma after the closing bracket ], as shown in the figure below, and delete the highlighted area.

- In the same section, copy and paste in the JSON code below:
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30",
                "type": "Role"
            },
            {
                "id": "06b708a9-e830-4db3-a914-8e69da51d44f",
                "type": "Role"
            },
            {
                "id": "a82116e5-55eb-4c41-a434-62fe8a61c773",
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
                "type": "Role"
            }
        ]
    }
]
Then click Save.
Step 4: Grant Admin Consent to the API permissions
- Select API permissions from the left navigation
- Click on Grant admin consent for Contoso (your tenant's name appears in place of Contoso)
- Click on Yes to approve the permissions requested
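Consent is recorded on the app's service principal, not on the app registration, so the portal's green check marks are not the only place to confirm it. The script below is an added example, not part of the SPARK scripts: it reads the app-role assignments on the pnp-powershell service principal and compares them with the four permission ids from the manifest above, flagging anything missing and, just as importantly, anything extra that a default permission or an earlier attempt may have left behind. It assumes the Microsoft.Graph.Applications module and an existing Connect-MgGraph session with at least Application.Read.All (add -Environment UsGov or UsGovDoD for GCC-High and DoD, as in the registration script).

```powershell
# Added example (not part of the SPARK scripts): confirm that admin consent produced
# exactly the application permissions the manifest asked for, and nothing more.
# Assumes a Connect-MgGraph session with Application.Read.All is already open.
Import-Module Microsoft.Graph.Applications

$appName = "pnp-powershell"

# Expected app roles from the manifest: role id -> human-readable description
$expected = @{
    "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30" = "Microsoft Graph: Application.Read.All"
    "06b708a9-e830-4db3-a914-8e69da51d44f" = "Microsoft Graph: AppRoleAssignment.ReadWrite.All"
    "a82116e5-55eb-4c41-a434-62fe8a61c773" = "Microsoft Graph: Sites.FullControl.All"
    "678536fe-1083-478a-9c59-b99265e6b0d3" = "SharePoint Online: Sites.FullControl.All"
}

# Consent is stored against the service principal that represents the app in this tenant
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if ($null -eq $sp) {
    throw "No service principal named '$appName' found; complete step 1 and step 4 first."
}

# Each granted application permission (Type = Role) appears as one app role assignment
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id)

$missing = @($expected.Keys | Where-Object { $_ -notin $granted.AppRoleId })
$extra   = @($granted | Where-Object { $_.AppRoleId -notin $expected.Keys })

# Report each expected permission
foreach ($id in $expected.Keys) {
    $state = if ($id -in $granted.AppRoleId) { "granted" } else { "MISSING" }
    Write-Host ("{0,-8} {1}" -f $state, $expected[$id])
}

# Anything not in the manifest is over-privilege and should be removed before continuing
foreach ($g in $extra) {
    Write-Warning "Unexpected grant on $($g.ResourceDisplayName): app role $($g.AppRoleId)"
}

if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    Write-Host "Consent matches the manifest exactly."
} else {
    Write-Warning "Consent does not match the manifest; review API permissions before continuing to step 5."
}
```

If the script reports an unexpected grant, removing it from API permissions in the portal and re-running the check is enough; the extra role id is printed so it can be matched against the Microsoft Graph or SharePoint Online application permission list.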
Step 5: Apply the PowerShell PnP Certificate
Use the PnP PowerShell certificate that you generated and saved in the Create a certificate for PnP PowerShell step of Step 0 - Prepare for the SPARK Deployment.
- Select Certificates and secrets from the left navigation
- Click on Upload certificate
- Browse and select the SPARKAutomation_PnP.cer you generated previously for this app
- Click on Add to upload the certificate
- Expand the Thumbprint column
DOCUMENTATION STEP
Document the following values in the SPARK Deployment Workbook, Deployment Tab > Azure General:
- PnP PowerShell Certificate Thumbprint: the thumbprint of the PnP certificate uploaded to the app registration
- Certificate Password: the password for the PnP certificate
- Click on Overview from the left navigation
- Add the Application (client) ID and Directory (tenant) ID values to the SPARK Deployment Workbook
Step 6: Test PnP Connection
- Open PowerShell 7.2
- Modify the script below with the values collected in the SPARK Deployment Workbook
# Template
#Connect-PnPOnline -Url <SPO Admin Url> -Thumbprint <Cert Thumbprint> -ClientId <App Reg Client Id> -Tenant <Tenant Id>
# Example - Commercial/GCC
#Connect-PnPOnline -Url https://GOVSPOTENANT-admin.sharepoint.com -Thumbprint 1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D -ClientId 7c9e6679-7425-40de-944b-e07fc1f90ae7 -Tenant d1a2f3b4-5678-49cd-8c2a-8a7e0f124abc
# Example - GCC-H/DoD (set -AzureEnvironment to USGovernmentHigh or USGovernmentDoD; GCC-High admin URLs end in -admin.sharepoint.us, DoD in -admin.sharepoint-mil.us)
#Connect-PnPOnline -Url https://GOVSPOTENANT-admin.sharepoint.com -Thumbprint 1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D -ClientId 7c9e6679-7425-40de-944b-e07fc1f90ae7 -Tenant d1a2f3b4-5678-49cd-8c2a-8a7e0f124abc -AzureEnvironment <Tenant Environment>
# Get the Site Id of the admin site the connection was opened against
Get-PnPSite -Includes Id | Select-Object Id
- Copy and paste the script into your PowerShell terminal.
- Get the admin site id by running **Get-PnPSite -Includes Id | Select-Object Id**
Annotate the following variables in the template spreadsheet:
- v_tenantSiteId: The site id of the SharePoint Admin Center
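The top of this section notes that the app registration can be removed once the deployment is complete, and with Sites.FullControl.All on every site that is worth doing promptly rather than leaving the app as a standing high-privilege credential. The script below is an added example, not part of the SPARK scripts: it deletes the pnp-powershell registration (which takes its service principal and the consent grants with it) and removes the SPARKAutomationPnP certificate and private key from the current user's store. It assumes the Microsoft.Graph.Applications module, a Connect-MgGraph session with Application.ReadWrite.All (with -Environment set for GCC-High or DoD), and the certificate subject and store location used in the certificate script above.

```powershell
# Added example (not part of the SPARK scripts): decommission the pnp-powershell app
# registration after deployment and clean the signing certificate off the workstation.
# Assumes a Connect-MgGraph session with Application.ReadWrite.All is already open.
Import-Module Microsoft.Graph.Applications

$appName  = "pnp-powershell"
$certName = "CN=SPARKAutomationPnP"      # subject used by the certificate script in this section
$certPath = "Cert:\CurrentUser\My"       # store the certificate script created it in

# 1. Delete the application registration. Its service principal, and therefore the
#    app-role grants created by admin consent in step 4, are removed with it.
$app = Get-MgApplication -Filter "displayName eq '$appName'"
if ($null -eq $app) {
    Write-Host "No application registration named '$appName' found; nothing to remove."
} else {
    Remove-MgApplication -ApplicationId $app.Id
    Write-Host "Removed application registration '$appName' (client id $($app.AppId))."
    # Deleted registrations remain restorable under 'Deleted applications' for 30 days;
    # purge it there if your tenant's policy requires a hard delete.
}

# 2. Remove the certificate and its private key from the user's store so the key
#    that could authenticate as the app does not linger on the admin workstation.
$certs = @(Get-ChildItem -Path $certPath | Where-Object { $_.Subject -eq $certName })
if ($certs.Count -eq 0) {
    Write-Host "No certificate with subject '$certName' found in $certPath."
}
foreach ($c in $certs) {
    Write-Host "Removing certificate $($c.Thumbprint) from $certPath"
    Remove-Item -Path (Join-Path $certPath $c.Thumbprint) -DeleteKey
}

# 3. The exported .pfx and .cer files are left for a manual delete, so that the
#    thumbprint recorded in the deployment workbook can still be cross-checked first.
Write-Host "Delete the exported files under C:\certs once the workbook record is no longer needed."

Disconnect-MgGraph
```

Run it from the same workstation that ran the certificate script, since the certificate store is per-user and per-machine; if the .pfx was copied to a separate deployment machine, remove it there as well.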