- Suppose you are working for a company that enforces an MFA policy across all user accounts. This makes it hard to use PowerShell PnP for remote deployments via Azure DevOps or Azure Automation. As an alternative to disabling MFA, we can register an Azure AD app and assign it Full Control over the SharePoint tenant.
- Suppose you need to register an Azure App registration for a service or a product that does not have an automated way of doing it. It can be a pain to create a certificate manually, upload it to the Azure app registration, request consent for the permissions, etc. Why don't you just run a batch script that does it all at once?
The script will automatically:
- Generate a self-signed, password-protected certificate
- Generate a random secure password
- Register a new Azure AD app
- Upload the certificate to the registered app
- Grant Full Control to SharePoint sites
- Grant admin consent
- Save the results in the same folder
Optionally, you can modify the requiredResourceManifest.json file to change the permissions that the Azure App registration will have. Alternatively, you can create it as-is and then request permissions via the Azure portal. Remember, that is the easy part; creating the certificate is the difficult part that is automated here.
By default, the requiredResourceManifest.json defines:
- Sites.FullControl.All (678536fe-1083-478a-9c59-b99265e6b0d3)
- TermStore.ReadWrite.All (c8e3537c-ec53-43b9-bed3-b2bd3617ae97)
- User.ReadWrite.All (741f803b-c850-494e-b5df-cde7c675a1ca)
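As an added example (not the repository's Register_AAD_app.bat), the same steps written in Windows PowerShell on top of Azure CLI. It assumes Windows PowerShell 5.1 with the PKI module, Azure CLI on the PATH, a Global admin signing in at the `az login` prompt, and that requiredResourceManifest.json sits next to the script in the format `az ad app create --required-resource-accesses` expects; `$appName` defaults to DeploymentApp to match the file names above.

```powershell
# Added example, not the project's Register_AAD_app.bat. Assumes Windows PowerShell 5.1
# (PKI module), Azure CLI, and requiredResourceManifest.json in $PSScriptRoot.
$appName = 'DeploymentApp'          # change this for a custom app registration name
$outDir  = $PSScriptRoot

# 1. Random password for the .pfx (32 random bytes, base64-encoded)
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$certificatePassword = [Convert]::ToBase64String($bytes)
$securePassword = ConvertTo-SecureString $certificatePassword -AsPlainText -Force

# 2. Self-signed RSA-2048 certificate; the private key stays in CurrentUser\My
$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)
Export-PfxCertificate -Cert $cert -FilePath "$outDir\$appName.pfx" -Password $securePassword | Out-Null
Export-Certificate    -Cert $cert -FilePath "$outDir\$appName.cer" | Out-Null   # public part only

# 3. Sign in as Global admin and register the app with the permissions from the manifest
az login --allow-no-subscriptions | Out-Null
$tenantId = az account show --query tenantId -o tsv
$appId = az ad app create --display-name $appName `
    --required-resource-accesses "@$outDir\requiredResourceManifest.json" `
    --query appId -o tsv

# 4. Upload only the public certificate; the private key never leaves this machine
az ad app credential reset --id $appId --cert "@$outDir\$appName.cer" --append | Out-Null

# 5. Service principal plus tenant-wide admin consent. This is the privileged step:
#    with Sites.FullControl.All, whoever holds the .pfx controls every site.
az ad sp create --id $appId | Out-Null
az ad app permission admin-consent --id $appId | Out-Null

# 6. Save results. AppDetails.json holds the .pfx password in clear text, so move the
#    .pfx and .json out of the folder once the certificate has been installed.
[pscustomobject]@{
    appName             = $appName
    appId               = $appId
    tenantId            = $tenantId
    thumbprint          = $cert.Thumbprint
    certificatePassword = $certificatePassword
} | ConvertTo-Json | Set-Content -Path "$outDir\AppDetails.json" -Encoding UTF8
```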
- Install Azure CLI
- Install the PnP PowerShell module:
```powershell
Install-Module -Name SharePointPnPPowerShellOnline -Force   # legacy module
Install-Module -Name "PnP.PowerShell" -Scope CurrentUser    # current module
```
- The script needs to be run by a Global Microsoft 365/Azure administrator
- Optionally, if you want your Azure App Registration to have a custom name, modify the `appName` variable in the script
- Right-click on `Register_AAD_app.bat` and run it as administrator
- Enter credentials for the Microsoft 365 Global admin
- Open the `AppDetails.json` file and copy the `certificatePassword` value to the clipboard
- Install the `DeploymentApp.pfx` certificate by using the copied password
- Done. Now you can connect to SharePoint via PowerShell PnP
- Install the certificate to your local store
- Run this script:
```powershell
Connect-PnPOnline `
  -Thumbprint '<Certificate thumbprint>' `
  -Tenant <TENANT>.onmicrosoft.com `
  -ClientId <CLIENT/APP ID> `
  -Url https://<TENANT>.sharepoint.com
```
OR simply run this to avoid installing the certificate (the .pfx is password-protected, so the `certificatePassword` from AppDetails.json has to be supplied):
```powershell
Connect-PnPOnline `
  -CertificatePath '.\DeploymentApp.pfx' `
  -CertificatePassword (ConvertTo-SecureString '<certificatePassword from AppDetails.json>' -AsPlainText -Force) `
  -Tenant <TENANT>.onmicrosoft.com `
  -ClientId <CLIENT/APP ID> `
  -Url https://<TENANT>.sharepoint.com
```
Example with concrete values:
```powershell
Connect-PnPOnline `
  -Thumbprint '&CA93F4CA9C32A490361986AB3170EC8E1FAFFB9' `
  -Tenant contoso.onmicrosoft.com `
  -ClientId ab32c27b-37be-4824-8af0-e8d303553d9e `
  -Url https://contoso.sharepoint.com
Get-PnPSite          # returns the site collection you connected to
Get-PnPTenantSite    # lists all site collections in the tenant
```