Sunday, February 11, 2018

Azure Active Directory App Only Authentication with PnP PowerShell

Why do we need app-only authentication? If you want to execute code without a user's permissions and without a user's authentication token, App Only authentication is your only option. In simple terms, if you want a daemon to execute a task on its own, App Only authentication is your best option.

This post is the first in a series on building a solution that runs PowerShell code in an Azure Function to manipulate data residing in SharePoint Online.

This blog post focuses on creating an Azure Active Directory App and granting it the permissions it needs to communicate with SharePoint Online.

In your Office 365 Admin Center, select Azure Active Directory. In the left-hand menu, select Azure Active Directory again, then App registrations, and click "+ New application registration". Provide a meaningful Name, select "Web app/API" as the Application type, and enter a Sign-on URL. The Sign-on URL can be any URL for now; I will discuss where it is used in a future post, and it can be changed later.

Once the App is created, Azure assigns it a unique Application ID.
Next, select Settings, then Required permissions, then Add.
You can then select the APIs you need access to. Let's select Office 365 SharePoint Online.
You need to configure the following permission:

  • Have full control of all site collections (Application permissions)

The required permission level depends on the requirements of your final solution. I'm planning to create new sites within site collections, so I've granted the permission above. Remember, it is an "Application Permission": application permissions are the ones an application is granted when it runs as App Only, with no signed-in user.
Next, click the Grant Permissions button on the Required permissions tab. This will give non-tenant-admin users access to the application.
Now we need to create a self-signed certificate (or use a commercial certificate) and update the Azure AD Application manifest.

Use the PowerShell script below to create a self-signed certificate. Make sure you have installed OfficeDev PnP PowerShell (needed for the next step) and that makecert.exe is available; it ships with the Windows SDK.

$certroot = 'C:\Site Creator'
$certname = "IntelAi-Cert-1"
# Single quotes here: inside a double-quoted string PowerShell expands "$$" (an automatic variable) and silently changes the password.
$password = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force
$startdate = Get-Date
$enddate = $startdate.AddYears(4)
# Export-Certificate / Export-PfxCertificate fail if the target folder does not exist
New-Item -ItemType Directory -Path $certroot -Force | Out-Null
# -r: self-signed, -pe: exportable private key, -ss my: CurrentUser\My store, -len 2048: RSA 2048-bit key
makecert.exe -r -pe -n "CN=$certname" -b ($startdate.ToString("MM/dd/yyyy")) -e ($enddate.ToString("MM/dd/yyyy")) -ss my -len 2048
$cert = Get-ChildItem Cert:\CurrentUser\My | ? {$_.Subject -eq "CN=$certname"}
# The .cer (public key only) goes into the Azure AD manifest; the .pfx holds the private key and stays with the daemon
Export-Certificate -Type CERT -FilePath "$certroot\$certname.cer" -Cert $cert -Force
Export-PfxCertificate -FilePath "$certroot\$certname.pfx" -Cert $cert -Password $password -Force

Now execute the below script. It will copy a string to your clipboard.
Get-PnPAzureADManifestKeyCredentials -CertPath 'C:\Site Creator\IntelAi-Cert-1.cer' | clip

The copied string will look similar to the one below. We need to add this string into the manifest file of the Azure AD Application. (I've trimmed the value property.)
"keyCredentials": [
 {
  "customKeyIdentifier": "5lca+kziogw7T6MB4kUrxseK5m8=",
  "keyId": "84153f1a-90b7-4802-b99a-bb75d4f9a35b",
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": "MIIDAjCCAe6gAwIBAgIQkawCJU0cWYxH8RamKNuqqTAJBgUrDgMCHQUAMBkx
 }
],
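As an added example (not from the original post or from PnP PowerShell), the script below rebuilds that keyCredentials entry from the .cer file by hand, so you can check that the customKeyIdentifier in the manifest really matches the certificate whose private key your daemon holds. The path is the one used above; the keyId is a freshly generated GUID.

```powershell
# Added example, not part of the original post or of PnP PowerShell:
# rebuild the keyCredentials entry from the public .cer by hand and check it
# against the certificate before pasting it into the manifest.
# The path is the one used in the post; change it to your own.
$cerPath = 'C:\Site Creator\IntelAi-Cert-1.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

# customKeyIdentifier is the SHA-1 thumbprint as raw bytes, base64-encoded
# (not the hex string the certificate UI shows).
$thumbBytes          = $cert.GetCertHash()
$customKeyIdentifier = [Convert]::ToBase64String($thumbBytes)

# value is the DER-encoded public certificate, base64-encoded; it contains no private key.
$value = [Convert]::ToBase64String($cert.GetRawCertData())

$keyCredential = [ordered]@{
    customKeyIdentifier = $customKeyIdentifier
    keyId               = [guid]::NewGuid().ToString()   # any fresh GUID; it only names this key in the manifest
    type                = 'AsymmetricX509Cert'
    usage               = 'Verify'
    value               = $value
}

# Checks worth doing before the manifest update:
# 1. the base64 thumbprint must round-trip to the hex Thumbprint PowerShell shows under Cert:\
$hexThumb = ($thumbBytes | ForEach-Object { $_.ToString('X2') }) -join ''
if ($hexThumb -ne $cert.Thumbprint) { throw 'customKeyIdentifier does not match the certificate thumbprint' }

# 2. the key should be the 2048-bit RSA key created with makecert -len 2048
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa -or $rsa.KeySize -lt 2048) { throw "Unexpected key: $($rsa.KeySize) bits" }

# 3. the certificate must still be inside its validity window (makecert set 4 years above)
if ((Get-Date) -gt $cert.NotAfter) { throw "Certificate expired on $($cert.NotAfter)" }

# Emit the snippet in the shape shown in the post
@{ keyCredentials = @($keyCredential) } | ConvertTo-Json -Depth 3
```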

Select your application within App registrations under Azure Active Directory, open the manifest, and replace the "keyCredentials": [], section with the copied string, as shown below.

Now we can test whether the application has enough permission to connect to the SharePoint Online site. For the ClientID, you need to provide the Application ID of the application you have created.
# Same password the .pfx was exported with; single quotes so "$$" is not expanded
$password = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force
# -ClientId is the Application ID of the Azure AD App; no user credentials are involved
Connect-PnPOnline -Url https://intelai.sharepoint.com/ -ClientId 0c01f61e-ba27-4ae7-ab19-174884a949fc -CertificatePath 'C:\Site Creator\IntelAi-Cert-1.pfx' -CertificatePassword $password -Tenant intelai.onmicrosoft.com
# If the app has sufficient permission, this returns the site title
$myWeb = Get-PnPWeb
$myWeb.Title


Friday, February 9, 2018

Sri Lanka SharePoint Forum - Feb 2018

I'm happy to invite you all to the "SharePoint Sri Lanka" User Group monthly gathering happening on Wednesday the 14th of February.

As usual, there will be two technical sessions: "Office 365 CLI: Managing Office 365 tenant and SharePoint Online" hosted by our new MVP, Suhail Jamaldeen, and "Site Design and Site Script" hosted by me.


happy days!! :)

Wednesday, January 10, 2018

SharePoint Online Site Design

If you have been thinking about creating templates for SharePoint Online, Site Design is starting to become available in Office 365, although it is still in preview.
Is this SharePoint PnP Site Provisioning?
No. This is an alternative way of defining templates and creating new instances of sites from them.

What is site design?
It provides you with reusable lists, pages, layouts, themes and custom actions. Put another way, it is a predefined template from which users create new instances of their sites. The template is a collection of actions specified in a JSON script; when the script executes, each action is applied in turn.
Once the JSON script is designed, it must be registered in SharePoint. The template is then available to users for creating new site instances.

Prerequisites
Make sure you have installed SharePoint Online Management Shell and you know how to connect to SharePoint Online using PowerShell.

JSON schema
As I mentioned earlier, a site design is a set of actions, each specified by a verb value. Some actions have sub-actions, depending on their complexity. Refer to the JSON schema reference. Shown below is the base structure of the JSON script.

 {  
   "$schema": "schema.json",  
     "actions": [  
       ...  
       <your actions go here>  
       ...  
     ],  
     "bindata": { },  
     "version": 1  
 }  

I will create one list called "Customer Tracking List". The List template reference and Field type reference will help you select the base types. You can see the main action "createSPList" and the sub-actions "SetDescription" and "addSPField".

 $site_script = @'  
 {  
  "$schema": "schema.json",  
    "actions": [  
      {  
        "verb": "createSPList",  
        "listName": "Customer Tracking",  
        "templateType": 100,  
        "subactions": [  
          {  
            "verb": "SetDescription",  
            "description": "List of Customers and Orders"  
          },  
          {  
            "verb": "addSPField",  
            "fieldType": "Text",  
            "displayName": "Customer Name",  
            "isRequired": false,  
            "addToDefaultView": true  
          },  
          {  
            "verb": "addSPField",  
            "fieldType": "Number",  
            "displayName": "Requisition Total",  
            "addToDefaultView": true,  
            "isRequired": true  
          },  
          {  
            "verb": "addSPField",  
            "fieldType": "User",  
            "displayName": "Contact",  
            "addToDefaultView": true,  
            "isRequired": true  
          },  
          {  
            "verb": "addSPField",  
            "fieldType": "Note",  
            "displayName": "Meeting Notes",  
            "isRequired": false  
          }  
        ]  
      }  
    ],  
   "bindata": { },  
   "version": 1  
 }  
'@  

Currently site design has a few more actions: adding and removing fields and content types, setting custom field formatting using JSON, adding navigation links, applying a theme and a site logo, joining a Hub Site, and triggering a Flow. Site design is still in preview, so let's hope more actions are added in the future.

PowerShell
Once the JSON script is ready, we need to add the script and then create a new site design, which is a two-step process.

Add Script
 Add-SPOSiteScript -Title "Create Project Site" -Content $site_script -Description "Creates lists for managing projects"  


Create Site design
 Add-SPOSiteDesign -Title "Contoso Project Management" -WebTemplate "64" -SiteScripts "4a2ef0f9-a1dd-48a1-8703-e73300418eb6" -Description "Project management template"  
You need to provide the ID returned from the Add-SPOSiteScript to the Add-SPOSiteDesign cmdlet.
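The two steps can be chained so the Id is never copied by hand, and the JSON can be checked before it is registered tenant-wide. This is an added example, not from the original post or from Microsoft's docs; it assumes $site_script holds the JSON above, that Connect-SPOService has already been run, and that Add-SPOSiteScript returns an object with an Id property (the verb list is just the verbs this post's script uses).

```powershell
# Added example, not from the original post: validate the site script JSON
# locally, then register the script and the design in one go, feeding the
# returned Id into Add-SPOSiteDesign instead of pasting it by hand.
# Assumes $site_script holds the JSON from the post and Connect-SPOService has run.
$allowedVerbs = @('createSPList', 'SetDescription', 'addSPField')   # verbs this post's script uses

function Test-SiteScriptJson {
    param([Parameter(Mandatory)][string]$Json)

    $parsed = $Json | ConvertFrom-Json          # throws on malformed JSON
    if ($parsed.version -ne 1) { throw "Unexpected version: $($parsed.version)" }
    if (-not $parsed.actions)  { throw 'Site script has no actions' }

    foreach ($action in $parsed.actions) {
        if (-not $action.verb) { throw 'Action without a verb' }
        if ($action.verb -notin $allowedVerbs) { throw "Unexpected verb: $($action.verb)" }
        if ($action.verb -eq 'createSPList' -and -not $action.listName) { throw 'createSPList needs a listName' }
        foreach ($sub in $action.subactions) {
            if ($sub.verb -notin $allowedVerbs) { throw "Unexpected sub-action verb: $($sub.verb)" }
            if ($sub.verb -eq 'addSPField' -and -not ($sub.fieldType -and $sub.displayName)) {
                throw 'addSPField needs fieldType and displayName'
            }
        }
    }
    return $parsed
}

$null = Test-SiteScriptJson -Json $site_script

# Step 1: add the script; the returned object carries the Id the design must reference
$script = Add-SPOSiteScript -Title "Create Project Site" -Content $site_script -Description "Creates lists for managing projects"

# Step 2: create the design, wiring in that Id rather than a hard-coded GUID
$design = Add-SPOSiteDesign -Title "Contoso Project Management" -WebTemplate "64" -SiteScripts $script.Id -Description "Project management template"

$design | Select-Object Id, Title, SiteScriptIds
```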

Log in to your SharePoint Online tenant and go to the home page of your SharePoint site. Click "Create Site" and you will be able to see the newly added template.

Once the site is created, SharePoint executes the script, calling each action in turn to apply the customization.
Refer to the link for more info and updates.