
Prepare Microsoft tenant

This section details the steps for preparing the client Microsoft tenant for hosting the app.

Multiple tenants

It is assumed that Azure resources will be hosted in the same tenant as Office 365. If this is not the case, discussion is required with Pro-Sapien before proceeding.

Deployment accounts

Permission required: User Administrator

Create Pro-Sapien deployment accounts. See Deployment accounts for guidance on accounts required.

The following values should be captured in the parameters workbook:

  • {Deployment-Accounts}

Tenant app catalog

Permission required: SharePoint Administrator

A Tenant App Catalog (also called App Catalog site) must exist. Follow steps in Microsoft docs to ensure one exists in the client tenant.

Register PnP PowerShell Entra ID app

Permission required: Global Administrator

An Entra ID Application must be registered to enable execution of PnP PowerShell commands.

It has always been a recommended practice to register an Entra ID Application to use with PnP PowerShell. As of September 9th, 2024, this has become a mandatory step. See Microsoft announcement. This step is only required if an app registration does not already exist. If an app registration already exists, skip this step and add the app Client Id in the parameters workbook under {Pnp-App-ClientId}.

This app will also require the Sites.FullControl.All delegated Graph API permission. This app is used to grant the required Sites.Selected permission to the Pro-Sapien app.

Execute PowerShell

Execute the following PowerShell to create the app registration.

Alternatively see PnP GitHub for manual steps.

note

IMPORTANT: Variables at top of script must be updated before proceeding.

  • $ApplicationName: populate with display name for new registration e.g. PnP PowerShell App
  • $TenantName: populate with tenant name e.g. psdemo42x.onmicrosoft.com

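# Update both variables before running.
$ApplicationName = ""
$TenantName = "xxxx.onmicrosoft.com"

# Registers the app with delegated permissions only; -Interactive prompts for sign-in and consent.
Register-PnPAzureADApp `
    -ApplicationName $ApplicationName `
    -Tenant $TenantName `
    -SharePointDelegatePermissions AllSites.FullControl `
    -GraphDelegatePermissions Sites.FullControl.All `
    -Interactive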

Consent to permissions when prompted.

[Image: tenant-01.png]

Capture Client Id

Capture the app Client Id in the parameters workbook under {Pnp-App-ClientId}.

The Client Id is output by the PowerShell command for registering the app, or can be found in the Entra ID app registrations list.

Example PowerShell command output:

[Image: tenant-02.png]

Register Azure resource providers

Permission required: Azure Administrator

The following non-default resource providers are required prior to deployment execution.

  • Microsoft.Web
  • Microsoft.Sql
  • Microsoft.Storage
  • Microsoft.AnalysisServices
  • Microsoft.Automation
  • Microsoft.Network
  • Microsoft.KeyVault

Follow steps in Microsoft docs to register resource providers.

Resource providers are registered at the subscription level. If UAT and Production resources are to be hosted in different subscriptions, resource providers must be registered on both subscriptions.
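
One way to check and register the providers listed above on each subscription, shown as an added example (not Pro-Sapien's deployment script). It assumes the Az PowerShell module is installed and that the signed-in account can register providers; the subscription IDs are placeholders.

```powershell
# Added example. Placeholders (assumptions): replace with the real subscription IDs.
$SubscriptionIds = @(
    "<uat-subscription-id>",
    "<production-subscription-id>"
)

# Non-default resource providers required by this page.
$RequiredProviders = @(
    "Microsoft.Web",
    "Microsoft.Sql",
    "Microsoft.Storage",
    "Microsoft.AnalysisServices",
    "Microsoft.Automation",
    "Microsoft.Network",
    "Microsoft.KeyVault"
)

Connect-AzAccount | Out-Null

$report = foreach ($subId in $SubscriptionIds) {
    Set-AzContext -SubscriptionId $subId -ErrorAction Stop | Out-Null

    # -ListAvailable includes providers that are not yet registered.
    $available = Get-AzResourceProvider -ListAvailable

    foreach ($ns in $RequiredProviders) {
        $states = @($available |
            Where-Object { $_.ProviderNamespace -eq $ns } |
            Select-Object -ExpandProperty RegistrationState -Unique)

        $registered = ($states.Count -eq 1 -and $states[0] -eq "Registered")
        if (-not $registered) {
            # Registration is asynchronous; the state reads "Registering" until it completes.
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
        }

        [pscustomobject]@{
            Subscription = $subId
            Provider     = $ns
            StateBefore  = if ($states.Count) { $states -join "," } else { "NotFound" }
            Action       = if ($registered) { "none" } else { "register requested" }
        }
    }
}

$report | Format-Table -AutoSize
```

Re-run the script after a few minutes; every row should then show `Registered` with no action taken.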

Before you finish

The following details should be captured in the parameters workbook:

  • {Deployment-Accounts}
  • {Pnp-App-ClientId}