Automate SharePoint Site Creation with Azure Functions and AD Auth

In this blog, I will walk through the steps to create a new SharePoint site using an Azure Function App with custom Azure Active Directory (AD) authentication. This guide will cover the setup of the Azure Function App, the necessary configurations in Azure AD, and the deployment of the function to create SharePoint sites programmatically.

Prerequisites

  • Azure subscription
  • SharePoint Online tenant
  • Azure AD with necessary permissions

Step 1. Create a New Azure Function App

  1. Create Function App: In the Azure portal, create a new Function App with the following settings.
    * Runtime stack: PowerShell Core
    * Operating System: Windows
    
  2. Add PnP.PowerShell Module: Modify the requirements.psd1 file so it includes the PnP.PowerShell module (the file is a PowerShell data file, so the hashtable needs the leading @).
    @{
        'PnP.PowerShell' = '2.*'
    }
    
  3. Disable MSI Authentication: In the profile.ps1 file, comment out the Azure PowerShell MSI authentication block.
    #if ($env:MSI_SECRET) {
    #    Disable-AzContextAutosave -Scope Process | Out-Null
    #    Connect-AzAccount -Identity
    #}
    

Step 2. Configure Authentication

  1. Add Identity Provider: In the Authentication blade of the Function App, add Microsoft as an identity provider. Note the name of the Azure AD application for later use.
  2. Enable Managed Identity: Enable the system-assigned managed identity for the Function App.
  3. Set Function Variables: Create the following application settings (variables).
    • SPO_SENSITIVITY_LABEL: GUID of the sensitivity label to be applied to the SharePoint site.
    • SPO_TENANT_NAME: Short tenant name (e.g., abcgroup).

Step 3. Create the Function

  1. Create HTTP Trigger Function: Create a new function from the HTTP trigger template and name it NewSite. Set the authorization level to Anonymous: this only drops the function-key requirement; authentication is still enforced by the Azure AD identity provider configured in Step 2, provided it is set to require authentication for all requests.
  2. Replace Function Code: Replace the default function code with the provided script that handles SharePoint site creation.
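The post refers to "the provided script" without reproducing it. The run.ps1 below is an added example written for this page, not the author's script. It shows the three things such a function has to do: confirm that the caller actually holds the app role (the trigger is Anonymous, so App Service Authentication proves who the caller is, but the role check is the function's job), validate every query parameter from the input list before using it, and provision the site with the managed identity via PnP.PowerShell. Assumptions: the x-ms-client-principal and x-ms-client-principal-name headers that App Service Authentication injects, the role name DLG.SPO.ADMIN.AT and the SPO_TENANT_NAME / SPO_SENSITIVITY_LABEL settings from this post, PnP.PowerShell 2.x parameter names for New-PnPSite, a /sites/<Name> URL convention, and the Name validation pattern, which is my choice rather than a SharePoint rule.

```powershell
using namespace System.Net
param($Request, $TriggerMetadata)

# Added example, not the post's script. Assumes App Service Authentication (Microsoft identity
# provider) fronts the function, the app role DLG.SPO.ADMIN.AT from the post, the
# SPO_TENANT_NAME / SPO_SENSITIVITY_LABEL settings, and PnP.PowerShell 2.x cmdlets.
$RequiredRole = 'DLG.SPO.ADMIN.AT'
$AllowedTypes = 'TeamSite', 'CommunicationSite', 'TeamSiteWithoutMicrosoft365Group'

function Get-ClientPrincipal($Headers) {
    # App Service Authentication forwards the validated token claims as base64-encoded JSON.
    $raw = $Headers['x-ms-client-principal']
    if (-not $raw) { return $null }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($raw)) | ConvertFrom-Json
}

function Test-AppRole($Principal, [string]$Role) {
    if (-not $Principal) { return $false }
    $roles = @($Principal.claims | Where-Object typ -eq 'roles' | ForEach-Object val)
    return ($roles -contains $Role)
}

function Send-Result([HttpStatusCode]$Status, [string]$Body) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = $Status; Body = $Body })
}

# 1. Authorization. The trigger is Anonymous, so the role check has to live here.
$principal = Get-ClientPrincipal $Request.Headers
if (-not (Test-AppRole $principal $RequiredRole)) {
    Send-Result Forbidden "Caller does not hold the $RequiredRole role."
    return
}
$caller = $Request.Headers['x-ms-client-principal-name']

# 2. Input validation. Every query value is untrusted text until it has been checked.
$q = $Request.Query
$Type = [string]$q.Type; $Title = [string]$q.Title; $Name = [string]$q.Name; $Owner = [string]$q.Owner
$LcidText = if ($q.Lcid) { [string]$q.Lcid } else { '1033' }
$Label = if ($q.SensitivityLabel) { [string]$q.SensitivityLabel } else { $env:SPO_SENSITIVITY_LABEL }

$problems = @()
if ($Type -notin $AllowedTypes) { $problems += "Type must be one of: $($AllowedTypes -join ', ')" }
if (-not $Title -or $Title.Length -gt 255) { $problems += 'Title is required (max 255 characters)' }
# The Name pattern is an assumption; it keeps Name usable as a URL segment or group alias.
if ($Name -notmatch '^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$') { $problems += 'Name may contain only letters, digits, _ and -' }
if ($Owner -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems += 'Owner must be a UserPrincipalName' }
if ($LcidText -notmatch '^\d{1,5}$') { $problems += 'Lcid must be numeric' }
if ($problems.Count -gt 0) {
    Send-Result BadRequest ($problems -join [Environment]::NewLine)
    return
}

# 3. Provisioning with the function's system-assigned managed identity; no stored secrets.
$tenant = $env:SPO_TENANT_NAME
try {
    Connect-PnPOnline -Url "https://$tenant-admin.sharepoint.com" -ManagedIdentity
    $common = @{ Title = $Title; Lcid = [int]$LcidText; Wait = $true }
    if ($Label) { $common.SensitivityLabel = $Label }
    if ($q.Classification) { $common.Classification = [string]$q.Classification }
    if ($Type -eq 'TeamSite') {
        # Group-connected team site: Name becomes the Microsoft 365 group alias.
        $url = New-PnPSite -Type TeamSite -Alias $Name -Owners $Owner @common
    } else {
        # Communication site / team site without a group: Name becomes the /sites/ URL segment.
        if ($q.SiteDesignId) { $common.SiteDesignId = [string]$q.SiteDesignId }
        $url = New-PnPSite -Type $Type -Url "https://$tenant.sharepoint.com/sites/$Name" -Owner $Owner @common
    }
    Write-Host "NewSite: $caller created $url for owner $Owner"   # audit trail in the function log
    Send-Result OK "Created $url"
}
catch {
    # Keep the detailed error in the log; return only a generic message to the caller.
    Write-Error $_
    Send-Result InternalServerError 'Site creation failed; see the function log.'
}
```

With this in place, the Step 6 test becomes a browser request such as https://<your-function-app>.azurewebsites.net/api/NewSite?Type=TeamSite&Title=Project%20X&Name=projectx&Owner=<owner UPN> (placeholders, not values from the post). A user without the role is redirected to sign in by App Service Authentication and then receives 403 from the function, and the Write-Host line gives you a per-request record of who created which site, which is worth keeping for an identity that holds Sites.FullControl.All.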

Step 4. Assign Permissions

Grant Permissions: Grant Directory.ReadWrite.All and Sites.FullControl.All permissions to the managed identity. Follow the steps in this guide to assign permissions.
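The guide linked above is not reproduced on this page. As an added example (not the post's own material), the script below grants the two application permissions to the Function App's system-assigned identity with the Microsoft Graph PowerShell SDK, and is safe to re-run because it skips grants that already exist. Assumptions: the Microsoft.Graph module is installed, the caller may consent application permissions, and Sites.FullControl.All is taken from the SharePoint Online resource (the one PnP.PowerShell uses when it connects with the managed identity) while Directory.ReadWrite.All is taken from Microsoft Graph; the two app IDs are the well-known first-party IDs for those resources.

```powershell
# Added example, not the post's linked guide. Assumes the Microsoft.Graph PowerShell SDK and a
# caller who is allowed to grant application permissions.
param(
    [Parameter(Mandatory)][string]$FunctionAppName   # the Function App whose managed identity gets the roles
)
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# The system-assigned identity is a service principal named after the Function App.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$FunctionAppName' and servicePrincipalType eq 'ManagedIdentity'" |
      Select-Object -First 1
if (-not $mi) { throw "Managed identity for '$FunctionAppName' not found; is it enabled?" }

# Well-known first-party app IDs of the resources that expose the two roles from the post.
$grants = @(
    @{ Resource = 'Microsoft Graph';   AppId = '00000003-0000-0000-c000-000000000000'; Role = 'Directory.ReadWrite.All' }
    @{ Resource = 'SharePoint Online'; AppId = '00000003-0000-0ff1-ce00-000000000000'; Role = 'Sites.FullControl.All' }
)

foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -Filter "appId eq '$($g.AppId)'"
    # Only application-type roles can be assigned to a managed identity.
    $role = $resource.AppRoles | Where-Object { $_.Value -eq $g.Role -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Role $($g.Role) not found on $($g.Resource)" }

    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
                Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }
    if ($existing) { Write-Host "$($g.Role) on $($g.Resource): already assigned"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
        -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
    Write-Host "$($g.Role) on $($g.Resource): assigned"
}

# Final state of the identity. Permissions this broad deserve a periodic review.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

Both permissions are tenant-wide application permissions held by an identity that any code deployed to this Function App can use, so the closing listing is the thing to re-run after each deployment change: if a role appears that the function does not need, remove it with Remove-MgServicePrincipalAppRoleAssignment.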

Step 5. Configure Azure AD Authorization

  1. Create App Roles: In Azure AD, navigate to App registrations and find the application created earlier. Create new app roles with the necessary permissions.
  2. Enterprise Applications Settings: In Azure AD, go to Enterprise applications, find the application, and set “Assignment required” to Yes. Ensure “Visible to users” is set to No.
  3. Assign Roles: Add test users and assign them the DLG.SPO.ADMIN.AT role.

Configure AAD authorization

  1. Open AAD -> App registrations and find the application that was created when you added the identity provider in Step 2.
  2. Select App roles.
  3. Click on Create a new role and create a role with the following settings.
     [Screenshot: AAD authorization, app role settings]
  4. Open AAD -> Enterprise applications and find the same application.
  5. Select Properties and switch Assignment required to Yes (this step is very important: without it, any user in the tenant can sign in to the function).
  6. Set Visible to users to No.
  7. Click on Users and Groups, add some test users, and assign them the DLG.SPO.ADMIN.AT role.
    [Screenshot: Users and Groups]
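The seven portal clicks above can be scripted, which is useful when the same app has to be set up in a test and a production tenant. The script below is an added example, not from the post, and uses the Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph module is installed, the caller may edit the app registration, $AppName is the identity-provider application noted in Step 2, the role display name and description are my placeholders, and "Visible to users = No" corresponds to the HideApp tag on the service principal.

```powershell
# Added example, not from the post. Assumes the Microsoft.Graph PowerShell SDK and an admin who
# may edit the app registration created for the Function App's identity provider.
param(
    [Parameter(Mandatory)][string]$AppName,          # display name of the identity-provider app registration
    [string]$RoleValue = 'DLG.SPO.ADMIN.AT',          # role value the function checks for
    [string[]]$TestUserUpns = @()                     # users who should be able to create sites
)
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

$app = Get-MgApplication -Filter "displayName eq '$AppName'" | Select-Object -First 1
if (-not $app) { throw "App registration '$AppName' not found" }
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw "Enterprise application for '$AppName' not found" }

# 1. Create the app role if it is missing. AppRoles is replaced as a whole, so existing roles
#    are carried over (converted to hashtables so the array is uniform).
if (-not ($app.AppRoles | Where-Object Value -eq $RoleValue)) {
    $existing = @($app.AppRoles | ForEach-Object {
        @{ Id = $_.Id; DisplayName = $_.DisplayName; Description = $_.Description
           Value = $_.Value; AllowedMemberTypes = $_.AllowedMemberTypes; IsEnabled = $_.IsEnabled }
    })
    $newRole = @{
        Id                 = [guid]::NewGuid().ToString()
        DisplayName        = 'SharePoint site creator'                      # placeholder name
        Description        = 'May create SharePoint sites through the NewSite function'
        Value              = $RoleValue
        AllowedMemberTypes = @('User')
        IsEnabled          = $true
    }
    Update-MgApplication -ApplicationId $app.Id -AppRoles ($existing + $newRole)
}
# Assignments reference the role as seen on the service principal, so read it back from there.
$sp   = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
$role = $sp.AppRoles | Where-Object Value -eq $RoleValue
if (-not $role) { throw "Role $RoleValue did not propagate to the service principal yet; retry" }

# 2. Assignment required = Yes, so only assigned users can sign in at all;
#    Visible to users = No is the HideApp tag.
$tags = @($sp.Tags | Where-Object { $_ -ne 'HideApp' }) + 'HideApp'
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true -Tags $tags

# 3. Assign the role to the test users (skipping anyone who already has it).
$current = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id
foreach ($upn in $TestUserUpns) {
    $user = Get-MgUser -UserId $upn
    if ($current | Where-Object { $_.PrincipalId -eq $user.Id -and $_.AppRoleId -eq $role.Id }) {
        Write-Host "$upn already holds $RoleValue"; continue
    }
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $user.Id `
        -ResourceId $sp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "$upn -> $RoleValue"
}
```

Step 2 of the script is the one that matters for safety: with Assignment required left at No, the function's own role check (if it has one) is the only thing standing between any tenant user and site creation, and without the role check even that is gone. The final Get-MgServicePrincipalAppRoleAssignedTo listing is also the quickest way to audit who can currently reach the function.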

Step 6. Test the Function

Invoke the Function: As a test user, open a browser and navigate to the function URL with the required parameters.

Replace the function URL and owner UPN with your values.

Verify Site Creation: After authorization, the new SharePoint site should be created.

Available Input Parameters

  • Type: (string, required) Specifies the type of new site. Possible values: TeamSite, CommunicationSite, TeamSiteWithoutMicrosoft365Group.
  • Title: (string, required) Description of the site.
  • Name: (string, required) Name of the new site used in the URL.
  • Owner: (string, required) UserPrincipalName of the new site owner.
  • Lcid: (string, default 1033) Language locale ID.
  • Classification: (string) Classification description.
  • SensitivityLabel: (string, default “[Your Company Name, e.g. For ABC Only]”) Sensitivity label ID.
  • SiteDesignId: (string, default values provided) Site design ID.

By following these steps, you can automate the creation of SharePoint sites using Azure Function Apps with custom AD authentication, streamlining your workflow and enhancing productivity.