Additional Steps for Workspaces Low Trust
Prerequisites
- Please ensure that a current version (1.10.0) of PnP PowerShell is installed.
- The account used for this process must have Full Control permission over all relevant SharePoint Sites.
Process
Login
The PnP PowerShell command-line interface (CLI) can be run in several ways: in PowerShell Core, in PowerShell Classic, or in Windows or Linux Docker containers. Please consult the PnP PowerShell documentation for details.
After starting the CLI, log in either interactively (a login pop-up will be shown) or via device login (the login is completed in a browser window, which can even be on a different machine).
## The Site where "LiveTiles Intranet Hub Workspaces LowTrust" shall be used
## e.g. https://contoso.sharepoint.com/sites/finance/
$siteUrl = "https://<your-tenant>.sharepoint.com/sites/<subsite>"
## Either Interactive login ...
Connect-PnPOnline -Url $siteUrl -Interactive
## ... or, Device login
Connect-PnPOnline -Url $siteUrl -DeviceLogin
Allow reads
During the creation of new Workspaces, SharePoint sites are created using the LiveTiles Intranet Workspaces app. When content is provisioned into the newly created site, SharePoint Apps are installed as well. The LiveTiles apps therefore need Read permission on the global app catalog.
Due to a restriction in the SharePoint API, it is also necessary to assign Read permissions for the root site of the tenant.
Add the root site
$rootSite = "https://<tenant>.sharepoint.com"
$appCatalogUrl = "https://<tenant>.sharepoint.com/sites/<appcatalog>"
$workspacesAppId = "dfbb24b1-dbec-4c9d-ad00-96656c98276b"
$workspacesAppDisplayName = "LiveTiles Intranet Hub Workspaces LowTrust"
$provisioningAppId = "f7366cbe-9ad5-4c80-8941-e05bd2f0ea86"
$provisioningAppDisplayName = "LiveTiles Intranet Hub Provisioning LowTrust"
Connect-PnPOnline -Url $rootSite -Interactive
# Grant Read Access to the root site
Grant-PnPAzureADAppSitePermission `
-Permissions "Read" `
-Site $rootSite `
-AppId $workspacesAppId `
-DisplayName $workspacesAppDisplayName
Grant-PnPAzureADAppSitePermission `
-Permissions "Read" `
-Site $rootSite `
-AppId $provisioningAppId `
-DisplayName $provisioningAppDisplayName
# Grant Read Access to the app catalog site
Grant-PnPAzureADAppSitePermission `
-Permissions "Read" `
-Site $appCatalogUrl `
-AppId $workspacesAppId `
-DisplayName $workspacesAppDisplayName
Grant-PnPAzureADAppSitePermission `
-Permissions "Read" `
-Site $appCatalogUrl `
-AppId $provisioningAppId `
-DisplayName $provisioningAppDisplayName
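To confirm that the grants above took effect and that neither app holds more than Read on the root site or the app catalog, the following added example (not part of the original LiveTiles documentation) audits both sites. It assumes an active Connect-PnPOnline session and that the objects returned by Get-PnPAzureADAppSitePermission expose Roles and Apps (with an Id per app); the variable names $expectedApps and $report are illustrative.

```powershell
# Added example: least-privilege check for the two LiveTiles app registrations.
# Assumption: an existing Connect-PnPOnline session, as set up in the steps above.
$rootSite      = "https://<tenant>.sharepoint.com"
$appCatalogUrl = "https://<tenant>.sharepoint.com/sites/<appcatalog>"

# App IDs and display names as used in the grant commands on this page.
$expectedApps = @{
    "dfbb24b1-dbec-4c9d-ad00-96656c98276b" = "LiveTiles Intranet Hub Workspaces LowTrust"
    "f7366cbe-9ad5-4c80-8941-e05bd2f0ea86" = "LiveTiles Intranet Hub Provisioning LowTrust"
}

$report = foreach ($site in @($rootSite, $appCatalogUrl)) {
    # All app-level site permissions currently granted on this site.
    $grants = @(Get-PnPAzureADAppSitePermission -Site $site)

    foreach ($appId in $expectedApps.Keys) {
        # Assumption: each grant exposes .Apps (each with .Id) and .Roles.
        $roles = @(
            $grants |
                Where-Object { $_.Apps.Id -contains $appId } |
                ForEach-Object { $_.Roles } |
                ForEach-Object { "$_".ToLowerInvariant() } |
                Sort-Object -Unique
        )

        # Exactly one role, "read", is the expected state for both apps.
        $status = if ($roles.Count -eq 0) {
            "MISSING"
        } elseif ($roles.Count -eq 1 -and $roles[0] -eq "read") {
            "OK"
        } else {
            "EXCESSIVE"
        }

        [pscustomobject]@{
            Site   = $site
            App    = $expectedApps[$appId]
            Roles  = ($roles -join ",")
            Status = $status
        }
    }
}

$report | Format-Table -AutoSize

# Surface anything that is not a single Read grant so it can be reviewed.
$findings = @($report | Where-Object { $_.Status -ne "OK" })
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) grant(s) are missing or broader than Read."
}
```

A MISSING row means the corresponding Grant-PnPAzureADAppSitePermission call did not apply; an EXCESSIVE row means the app holds a role other than the Read permission this procedure calls for.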