Step 4 - Create the Entra App Registrations

SPARK utilizes Entra registered applications to perform actions within Graph, SharePoint, and Exchange. Two registered applications are required for this toolkit.

Requirements

An Entra administrator is required for this step. At minimum, the installer must have:

  • Access to the Microsoft Entra admin center
  • The Application Administrator Entra RBAC role
  • PowerShell 7.2+ installed on the machine performing the installation

Note that the Application Administrator role cannot grant tenant-wide admin consent for Microsoft Graph application permissions (Mail.Send, Directory.Read.All, Group.Read.All, Sites.FullControl.All and User.Read.All below). The "Grant admin consent" steps therefore need a Global Administrator or Privileged Role Administrator.

[!IMPORTANT] A certificate must be issued before Step 3. Export it in two formats:

  • A PFX containing the private key, protected by a password. This file is the credential: it is never uploaded to Entra and must stay with the component that runs SPARK.
  • A CER containing the public key only. This is the file uploaded to the app registration.
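The page requires the certificate but does not show how to produce it. The following added example (mine, not part of the SPARK project) creates a self-signed signing certificate with PowerShell and exports the two files the procedure needs, then checks that the CER and PFX describe the same key. The subject name, output paths and the choice of a self-signed certificate are assumptions; if your PKI must issue the certificate, export the same two files from that certificate instead. The cmdlets come from the Windows PKI module.

```powershell
# Added example, not SPARK project code. Issues the certificate required by this step.
# Assumptions: a self-signed certificate is acceptable; subject/paths below are placeholders.
#Requires -Version 7.2
param(
    [string] $Subject    = 'CN=appreg-spark',   # assumed subject name
    [string] $OutDir     = '.',
    [int]    $ValidYears = 1
)
$ErrorActionPreference = 'Stop'

# Signature-only RSA-2048/SHA-256 key; exportable so the PFX can be moved to the SPARK runner.
$cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeySpec Signature `
    -KeyExportPolicy Exportable -KeyUsage DigitalSignature -NotAfter (Get-Date).AddYears($ValidYears)

# Prompt for the PFX password instead of hard-coding it; never commit the PFX.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfxPath = Join-Path $OutDir 'appreg-spark.pfx'
$cerPath = Join-Path $OutDir 'appreg-spark.cer'

# PFX = private key, stays with the runner. CER = public key, uploaded to the app registration.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT              | Out-Null

# Sanity checks before uploading: both files describe the same key and the PFX carries the private key.
$pub = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$prv = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
if ($pub.Thumbprint -ne $prv.Thumbprint) { throw 'CER and PFX thumbprints differ' }
if (-not $prv.HasPrivateKey)             { throw 'PFX does not contain the private key' }

# Record the thumbprint: it is what you compare against in the app registration after upload.
[pscustomobject]@{ Thumbprint = $pub.Thumbprint; NotAfter = $pub.NotAfter; Pfx = $pfxPath; Cer = $cerPath }
```

Keep the printed thumbprint; after the upload in Step 3 the Certificates tab should show the same value, which is the quickest way to confirm the right public key was attached.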

Steps to complete:

Step 1: Create the Entra Groups

In this step you create the three Entra groups used to grant admins and users access to the SPARK components they need.

  1. Sign into Microsoft Entra Admin Center

Use the correct URL for your environment:

| Environment | URL |
| --- | --- |
| Worldwide (Commercial) & GCC | https://entra.microsoft.com |
| GCC-High and DoD | https://entra.microsoft.us |

Step 2: Create Notifications App Registration

This application will be used to send notifications via email to the SPO site owners and admins.

  1. Select App registrations from the left navigation

  2. Click on + New registration from the top navigation

  3. Set the Name to appreg-spark-sendmail

  4. Click on Register to create the application

New Registration

  5. Select API permissions from the left navigation

  6. Click the … ellipsis next to the default User.Read delegated permission and remove it

Remove Default Permissions

API Permissions

| Module Name | Permission | Type | Justification |
| --- | --- | --- | --- |
| Microsoft Graph | Mail.Send | Application | Required for sending email notifications to the distribution lists. |

7. Access the Manifest under Manage in the left navigation

Manifest SendEmail

8. Find the requiredResourceAccess property and replace its value with the JSON below, which encodes the permission listed in the table above.

```json
"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      { "id": "b633e1c5-b582-4048-a93e-9f11b44c7e96", "type": "Role" }
    ]
  }
]
```

Here 00000003-0000-0000-c000-000000000000 is the Microsoft Graph resource and b633e1c5-b582-4048-a93e-9f11b44c7e96 is the Mail.Send application permission; "type": "Role" marks it as an application (not delegated) permission.


Grant API Permissions

9. Select API permissions from the left navigation

10. Click Grant admin consent for <your tenant> (shown as Contoso in the screenshots) to approve the request

11. Click on Yes to confirm and approve the permissions

Grant Consent

Step 3: Configure Notifications App Registration

  1. View the appreg-spark-sendmail application registration
  2. Select the Certificates & secrets from the left navigation
  3. Select the Certificates tab
  4. Click on Upload certificate
Upload Certificate

5. Select the certificate (.cer) file issued for this toolkit

6. Click on Add to upload the certificate

Select Certificate

Step 4: Create SPO Actions App Registration

This application will be used to authenticate managed identities to access SharePoint Online sites and perform actions such as attestation capture, notifications, and reporting.

  1. Select App registrations from the left navigation
  2. Click on + New registration from the top navigation
  3. Set the Name to appreg-spark-spoactions
  4. Click on Register to create the application
New Registration

[!IMPORTANT] Do not change the application name above. A custom SPFx package is required for custom application registration names.


5. Select API permissions from the left navigation

6. Click the … ellipsis next to the default User.Read delegated permission and remove it

Remove Default Permissions

API Permissions

| Module Name | Permission | Type | Justification |
| --- | --- | --- | --- |
| Microsoft Graph | Directory.Read.All | Application | Required to read directory information from Entra. |
| Microsoft Graph | Group.Read.All | Application | Required to read M365 group information from Entra. |
| Microsoft Graph | Sites.FullControl.All | Application | Required to make changes to SharePoint sites in the tenant. |
| Microsoft Graph | User.Read.All | Application | Required to extract user information from Entra. |
| Office 365 Exchange Online | Exchange.ManageAsApp | Application | Manages the distribution lists associated with this application. |
| Office 365 SharePoint Online | Sites.FullControl.All | Application | Required to make changes to SharePoint sites in the tenant. |

Two caveats. Exchange.ManageAsApp only lets the application authenticate to Exchange Online as an app; to actually manage distribution lists, the application's service principal must also hold an Exchange role (for example the Exchange Administrator or Exchange Recipient Administrator Entra role), which this page does not assign. Sites.FullControl.All on both the Graph and SharePoint Online resources is tenant-wide, so the private key of the certificate uploaded to this registration is effectively a SharePoint administrator credential for every site in the tenant and must be protected accordingly.

7. Access the Manifest under the Manage left navigation

Manifest SPO Actions

8. Find the requiredResourceAccess property and replace its value with the JSON below, which encodes the permissions listed in the table above.

```json
"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      { "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role" },
      { "id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role" },
      { "id": "a82116e5-55eb-4c41-a434-62fe8a61c773", "type": "Role" },
      { "id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role" }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      { "id": "678536fe-1083-478a-9c59-b99265e6b0d3", "type": "Role" }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      { "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role" }
    ]
  }
]
```

The three resourceAppId values are Microsoft Graph (…c000…), Office 365 SharePoint Online (00000003-…-0ff1-ce00-…) and Office 365 Exchange Online (00000002-…-0ff1-ce00-…); the Graph IDs are, in order, Directory.Read.All, Group.Read.All, Sites.FullControl.All and User.Read.All.


Grant API Permissions

9. Select the API Permissions from the left navigation

10. Click Grant admin consent for <your tenant> (shown as Contoso in the screenshots) to approve the request

11. Click on Yes to confirm and approve the permissions

Grant Consent

Step 5: Configure SPO Actions App Registration

  1. View the appreg-spark-spoactions application registration
  2. Select the Authentication from the left navigation
  3. Select the + Add a platform under Platform configurations
  4. Select Web under Web applications
Platform Configuration

5. Set https://localhost as the Redirect URIs

6. Select ID tokens under Implicit grant and hybrid flows

7. Click on Configure to add the platform

Configure Platform Configuration

[!NOTE] Need to figure out what this is and if it’s needed.


Token Configuration

8. Select the Token configuration from the left navigation

9. Select the + Add group claim under Optional claims

10. Check the Groups assigned to the application option

11. Select Group ID for ID, Access & SAML

12. Click on Add to save the groups claim

Groups Claim

[!NOTE] Need to figure out what this is and if it’s needed.


[!TIP] This is the API url the SPFx solution will use to authenticate with the application registration.

Expose an API - URI

13. Select the Expose an API from the left navigation

14. Select Add next to Application ID URI

15. Append /appreg-spark-spoactions to the default value (api://<application (client) ID>) so the Application ID URI reads api://<application (client) ID>/appreg-spark-spoactions

16. Click on Save to set the application id uri

App ID URI

[!CAUTION] If the app registration name was customized, then you must apply the same value.


Expose an API - Scope

17. Select the Expose an API from the left navigation

18. Select + Add a scope under Scopes defined by the API

19. Set the following properties, and click on Add scope to add the scope

| Name | Value |
| --- | --- |
| Scope name | user_impersonation |
| Who can consent? | Admins and users |
| Admin consent display name | Access SPARK SPO Actions as a user |
| Admin consent description | Allow the application to access SharePoint Online on behalf of the user. |
| User consent display name | Access SPARK SPO Actions as a user |
| User consent description | Allow the application to access SharePoint Online on behalf of the user. |
| State | Enabled |
Add Scope
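Steps 2 to 5 above are one procedure, and the portal gives no way to confirm afterwards that every requested permission was actually consented. The following added example (mine, not part of the SPARK project) performs the same procedure with the Microsoft Graph PowerShell SDK using the exact permission IDs from the two manifest fragments, then compares the app role assignments the tenant recorded against the ones requested. Assumptions: the Microsoft.Graph module is installed, the .cer file from the certificate step exists at the given path, the signed-in account may consent to Microsoft Graph application permissions (Global Administrator or Privileged Role Administrator), and the same certificate is uploaded to both registrations (the page only shows the upload for appreg-spark-sendmail). The `-Environment` value follows the URL table above (`USGov` for GCC-High, `USGovDoD` for DoD).

```powershell
# Added example, not SPARK project code: Steps 2-5 via Microsoft Graph PowerShell plus a consent check.
# Assumptions: Microsoft.Graph installed; appreg-spark.cer exported beforehand; signed-in admin can
# consent to Graph application permissions; same certificate used for both registrations.
#Requires -Version 7.2
#Requires -Modules Microsoft.Graph.Applications
param(
    [string] $CerPath     = '.\appreg-spark.cer',   # public key only; the PFX stays with the runner
    [string] $Environment = 'Global'                # 'USGov' for GCC-High, 'USGovDoD' for DoD
)
$ErrorActionPreference = 'Stop'

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
$SpoAppId   = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online
$ExoAppId   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online

# Application-permission ("Role") IDs exactly as in the manifest fragments on this page.
$Apps = @(
    @{ Name = 'appreg-spark-sendmail'; Access = @{
        $GraphAppId = @('b633e1c5-b582-4048-a93e-9f11b44c7e96') } }                 # Mail.Send
    @{ Name = 'appreg-spark-spoactions'; Access = @{
        $GraphAppId = @('7ab1d382-f21e-4acd-a863-ba3e13f7da61',                     # Directory.Read.All
                        '5b567255-7703-4780-807c-7be8301ae99b',                     # Group.Read.All
                        'a82116e5-55eb-4c41-a434-62fe8a61c773',                     # Sites.FullControl.All
                        'df021288-bdef-4463-88db-98f22de89214')                     # User.Read.All
        $SpoAppId   = @('678536fe-1083-478a-9c59-b99265e6b0d3')                     # Sites.FullControl.All
        $ExoAppId   = @('dc50a0fb-09a3-484d-be87-e023b12c6440') } }                 # Exchange.ManageAsApp
)

Connect-MgGraph -Environment $Environment -NoWelcome `
    -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)

foreach ($def in $Apps) {
    # Build requiredResourceAccess from the table rather than pasting JSON into the manifest.
    $rra = @(foreach ($res in $def.Access.Keys) {
        @{ ResourceAppId = $res
           ResourceAccess = @($def.Access[$res] | ForEach-Object { @{ Id = $_; Type = 'Role' } }) }
    })
    # Registration + certificate upload (Step 3) in one call; no default User.Read is added this way.
    $app = New-MgApplication -DisplayName $def.Name -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess $rra `
        -KeyCredentials @(@{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; Key = $cert.RawData; DisplayName = $cert.Subject })
    $sp = New-MgServicePrincipal -AppId $app.AppId   # the portal creates this implicitly at consent time

    # "Grant admin consent" for application permissions is an appRoleAssignment on the app's own SP.
    foreach ($res in $def.Access.Keys) {
        $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$res'"
        foreach ($roleId in $def.Access[$res]) {
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
                -ResourceId $resourceSp.Id -AppRoleId $roleId | Out-Null
        }
    }

    if ($def.Name -eq 'appreg-spark-spoactions') {   # Step 5: web platform, groups claim, App ID URI, scope
        Update-MgApplication -ApplicationId $app.Id `
            -Web @{ RedirectUris = @('https://localhost'); ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true } } `
            -GroupMembershipClaims 'ApplicationGroup' `
            -OptionalClaims @{ IdToken = @(@{ Name = 'groups' }); AccessToken = @(@{ Name = 'groups' }); Saml2Token = @(@{ Name = 'groups' }) } `
            -IdentifierUris @("api://$($app.AppId)/$($def.Name)") `
            -Api @{ Oauth2PermissionScopes = @(@{
                Id = [guid]::NewGuid().ToString(); Value = 'user_impersonation'; Type = 'User'; IsEnabled = $true
                AdminConsentDisplayName = 'Access SPARK SPO Actions as a user'
                AdminConsentDescription = 'Allow the application to access SharePoint Online on behalf of the user.'
                UserConsentDisplayName  = 'Access SPARK SPO Actions as a user'
                UserConsentDescription  = 'Allow the application to access SharePoint Online on behalf of the user.' }) }
    }

    # The check the portal does not give you: granted app roles versus the ones requested.
    $granted = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id).AppRoleId
    $missing = @($def.Access.Values | ForEach-Object { $_ } | Where-Object { $_ -notin $granted })
    if ($missing) { Write-Warning "$($def.Name): consent not recorded for $($missing -join ', ')" }
    [pscustomobject]@{ Name = $def.Name; ClientId = $app.AppId; Certificate = $cert.Thumbprint; ConsentOk = ($missing.Count -eq 0) }
}
```

Run it once per tenant; it is not idempotent (a second run creates duplicate registrations with the same display name, which the SPFx package would not distinguish). The final object per app is what to paste into the next step of the installation: the client ID, the certificate thumbprint the runner must present, and whether every permission in the table is actually consented.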