App Registration with Microsoft Entra ID Configure SharePoint Permissions

Introduction

In this article, you will learn how to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell. The script will perform the following actions.

  1. Register a new application in Microsoft Entra ID.
  2. Configure the required SharePoint permissions.
  3. Provide admin consent for the permissions.

Prerequisites

  1. Install the Microsoft Graph PowerShell SDK.
  2. Microsoft Entra ID administrator permissions to create and configure the app registration and to grant admin consent.
  3. Create a self-signed certificate by executing Create-SelfSignedCertificate.ps1.

Steps Involved

Perform the following steps to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell.

Open Windows PowerShell ISE and copy and paste the script below.

param(
    [Parameter(Mandatory=$true,
    HelpMessage="The friendly name of the app registration")]
    [String]
    $AppName,

    [Parameter(Mandatory=$true,
    HelpMessage="The file path to your public key file")]
    [String]
    $CertPath,

    [Parameter(Mandatory=$false,
    HelpMessage="Your Azure Active Directory tenant ID")]
    [String]
    $TenantId,

    [Parameter(Mandatory=$false)]
    [Switch]
    $StayConnected = $false
)

# Display the options for permission
$validOptions = @('F', 'S')
Write-Host "Select the permissions: [F]-sites.FullControl.All [S]-sites.Selected"

# Loop to prompt the user until a valid option is selected
do {
    foreach ($option in $validOptions) {
        Write-Host "[$option]"
    }
    $selectedPermission = Read-Host "Enter your choice (F, or S)"
} while ($selectedPermission -notin $validOptions)

# Map user input to corresponding permissions
$permissionMapping = @{
    'F' = '678536fe-1083-478a-9c59-b99265e6b0d3'
    'S' = '20d37865-089c-4dee-8c41-6967602d4ac8'
}

$selectedPermissionValue = $permissionMapping[$selectedPermission]

# Requires an admin. Scopes are passed as an array; Application.ReadWrite.All creates the
# registration, AppRoleAssignment.ReadWrite.All grants the admin consent below.
$scopes = @("Application.ReadWrite.All", "User.Read", "AppRoleAssignment.ReadWrite.All")
if ($TenantId)
{
    Connect-MgGraph -Scopes $scopes -TenantId $TenantId
}
else
{
    Connect-MgGraph -Scopes $scopes
}

# Graph permissions constants
$sharePointResourceId = "00000003-0000-0ff1-ce00-000000000000"
$SitePermission = @{
    Id=$selectedPermissionValue
    Type="Role"
}

# Get context for access to tenant ID
$context = Get-MgContext

# Load cert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host -ForegroundColor Cyan "Certificate loaded"

# Create app registration. Only the selected SharePoint app role is requested;
# the certificate's public key is registered so the app can authenticate app-only.
$appRegistration = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" `
 -Web @{ RedirectUris="http://localhost"; } `
 -RequiredResourceAccess @{ ResourceAppId=$sharePointResourceId; ResourceAccess=@($SitePermission) } `
 -AdditionalProperties @{} -KeyCredentials @(@{ Type="AsymmetricX509Cert"; Usage="Verify"; Key=$cert.RawData })
Write-Host -ForegroundColor Cyan "App registration created with app ID" $appRegistration.AppId

# Create corresponding service principal (keep the object; piping to Out-Null would leave $servicePrincipal empty)
$servicePrincipal = New-MgServicePrincipal -AppId $appRegistration.AppId -AdditionalProperties @{}
Write-Host -ForegroundColor Cyan "Service principal created"
Write-Host
Write-Host -ForegroundColor Green "Success"
Write-Host

# Providing admin consent: assign the selected SharePoint app role to the new service principal.
# The new service principal is used directly instead of looking it up by display name, which is not unique.
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '$sharePointResourceId'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -PrincipalId $servicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $selectedPermissionValue | Out-Null
Write-Host -ForegroundColor Cyan "Admin consent granted for app role" $selectedPermissionValue

# Generate Connect-MgGraph command
$connectGraph = "Connect-MgGraph -ClientId """ + $appRegistration.AppId + """ -TenantId """`
 + $context.TenantId + """ -CertificateName """ + $cert.SubjectName.Name + """"
Write-Host $connectGraph

if ($StayConnected -eq $false)
{
    Disconnect-MgGraph
    Write-Host "Disconnected from Microsoft Graph"
}
else
{
    Write-Host
    Write-Host -ForegroundColor Yellow "The connection to Microsoft Graph is still active. To disconnect, use Disconnect-MgGraph"
}

Save the file as RegisterAppOnly.ps1 and run the PowerShell script.


Note. The SharePointResourceId and SitePermissionID values used in the script are captured as shown in the screenshot below.

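After the script has run, an administrator will want to confirm what was actually granted. The following PowerShell is an added example, not part of the original article or its script: it checks the hard-coded role IDs against the app roles the SharePoint Online service principal publishes, lists every principal in the tenant holding Sites.FullControl.All or Sites.Selected (so over-privileged apps stand out), and optionally confirms the grant for the app just registered. It assumes an existing Connect-MgGraph session with at least Application.Read.All; the -AppId parameter is hypothetical.

```powershell
# Added audit script (not from the original article). Assumes an existing
# Connect-MgGraph session with Application.Read.All (read-only is enough).
# -AppId is a hypothetical parameter: the AppId printed by RegisterAppOnly.ps1.
param(
    [Parameter(Mandatory=$false, HelpMessage="AppId of the app registered by RegisterAppOnly.ps1")]
    [String]
    $AppId
)

$sharePointResourceId = "00000003-0000-0ff1-ce00-000000000000"
# Same role IDs as $permissionMapping in the article, keyed by ID so grants can be named
$roleNames = @{
    '678536fe-1083-478a-9c59-b99265e6b0d3' = 'Sites.FullControl.All'
    '20d37865-089c-4dee-8c41-6967602d4ac8' = 'Sites.Selected'
}

# Resolve the SharePoint Online service principal and cross-check the IDs
# against the app roles it actually publishes (catches a mistyped GUID).
$spoSp = Get-MgServicePrincipal -Filter "AppId eq '$sharePointResourceId'"
foreach ($id in $roleNames.Keys) {
    $role = $spoSp.AppRoles | Where-Object { $_.Id -eq $id }
    if (-not $role -or $role.Value -ne $roleNames[$id]) {
        Write-Warning "Role ID $id does not resolve to $($roleNames[$id]) in this tenant"
    }
}

# Every principal that has been granted one of these app roles on SharePoint Online
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $spoSp.Id -All |
    Where-Object { $roleNames.ContainsKey($_.AppRoleId) }

foreach ($g in $grants | Sort-Object AppRoleId, PrincipalDisplayName) {
    $name = $roleNames[$g.AppRoleId]
    # Sites.FullControl.All is tenant-wide, so flag it for review
    $color = if ($name -eq 'Sites.FullControl.All') { 'Yellow' } else { 'Green' }
    Write-Host -ForegroundColor $color ("{0,-22} {1}  ({2})" -f $name, $g.PrincipalDisplayName, $g.PrincipalId)
}

# Optionally confirm the grant for the app just registered
if ($AppId) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$AppId'"
    $mine = $grants | Where-Object { $_.PrincipalId -eq $sp.Id }
    if ($mine) {
        Write-Host -ForegroundColor Cyan "App $AppId holds: $(($mine | ForEach-Object { $roleNames[$_.AppRoleId] }) -join ', ')"
    } else {
        Write-Warning "No SharePoint app role grant found for $AppId; admin consent may not have completed"
    }
}
```

Any principal listed in yellow holds tenant-wide SharePoint control; Sites.Selected grants only take effect once individual sites have been granted to the app.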

Summary

This article describes how to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell.