Introduction
In this article, you will learn how to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell. The script will perform the following actions.
- Register a new application in Microsoft Entra ID.
- Configure the required SharePoint permissions.
- Provide admin consent for the permissions.
Prerequisites
- Install the Microsoft Graph PowerShell SDK.
- Microsoft Entra ID administrator permissions to create and configure app registration.
- Create a self-signed certificate by executing Create-SelfSignedCertificate.ps1.
Steps Involved
Perform the following steps to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell.
Open Windows PowerShell ISE. Copy and paste the below script.
param(
[Parameter(Mandatory=$true,
HelpMessage="The friendly name of the app registration")]
[String]
$AppName,
[Parameter(Mandatory=$true,
HelpMessage="The file path to your public key file")]
[String]
$CertPath,
[Parameter(Mandatory=$false,
HelpMessage="Your Azure Active Directory tenant ID")]
[String]
$TenantId,
[Parameter(Mandatory=$false)]
[Switch]
$StayConnected = $false
)
# Display the options for permission
$validOptions = @('F', 'S')
Write-Host "Select the permissions: [F]-sites.FullControl.All [S]-sites.Selected"
# Loop to prompt the user until a valid option is selected
do {
foreach ($option in $validOptions) {
Write-Host "[$option]"
}
$selectedPermission = Read-Host "Enter your choice (F, or S)"
} while ($selectedPermission -notin $validOptions)
# Map user input to corresponding permissions
$permissionMapping = @{
'F' = '678536fe-1083-478a-9c59-b99265e6b0d3'
'S' = '20d37865-089c-4dee-8c41-6967602d4ac8'
}
$selectedPermissionValue = $permissionMapping[$selectedPermission]
# Requires an admin
if ($TenantId)
{
Connect-MgGraph -Scopes "Application.ReadWrite.All User.Read AppRoleAssignment.ReadWrite.All" -TenantId $TenantId
}
else
{
Connect-MgGraph -Scopes "Application.ReadWrite.All User.Read AppRoleAssignment.ReadWrite.All"
}
# Graph permissions constants
$sharePointResourceId = "00000003-0000-0ff1-ce00-000000000000"
$SitePermission = @{
Id=$selectedPermissionValue
Type="Role"
}
# Get context for access to tenant ID
$context = Get-MgContext
# Load cert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host -ForegroundColor Cyan "Certificate loaded"
# Create app registration
$appRegistration = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" `
-Web @{ RedirectUris="http://localhost"; } `
-RequiredResourceAccess @{ ResourceAppId=$sharePointResourceId; ResourceAccess=$UserReadAll, $GroupReadAll, $SitePermission } `
-AdditionalProperties @{} -KeyCredentials @(@{ Type="AsymmetricX509Cert"; Usage="Verify"; Key=$cert.RawData })
Write-Host -ForegroundColor Cyan "App registration created with app ID" $appRegistration.AppId
# Create corresponding service principal
$servicePrincipal= New-MgServicePrincipal -AppId $appRegistration.AppId -AdditionalProperties @{} | Out-Null
Write-Host -ForegroundColor Cyan "Service principal created"
Write-Host
Write-Host -ForegroundColor Green "Success"
Write-Host
# Providing admin consent
$scp = Get-MgServicePrincipal -Filter "DisplayName eq '$($AppName)'"
$app = Get-MgServicePrincipal -Filter "AppId eq '$sharePointResourceId'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $scp.id -PrincipalId $scp.Id -ResourceId $app.Id -AppRoleId $selectedPermissionValue
# Generate Connect-MgGraph command
$connectGraph = "Connect-MgGraph -ClientId """ + $appRegistration.AppId + """ -TenantId """`
+ $context.TenantId + """ -CertificateName """ + $cert.SubjectName.Name + """"
Write-Host $connectGraph
if ($StayConnected -eq $false)
{
Disconnect-MgGraph
Write-Host "Disconnected from Microsoft Graph"
}
else
{
Write-Host
Write-Host -ForegroundColor Yellow "The connection to Microsoft Graph is still active. To disconnect, use Disconnect-MgGraph"
}
Save the file as RegisterAppOnly.ps1 and run the PowerShell script.
Note. SharePointResourceId and SitePermissionID are captured, as shown in the screenshot below.
Summary
This article describes how to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell.