Granting permission to Multiple Sites - Powershell Script
Introduction
Granting the correct AnywhereNow permissions to multiple sites at once can be a tedious, repetitive task. To make this a little easier, a PowerShell script may be used.
(Remember you may need to "Unblock" the .zip files in the file properties after downloading, but before unzipping)
Prerequisites
- A separate (yes, one more) Microsoft Entra App Registration from your own tenant with the below details, just to run this script:
  - Application (Client) Id
  - Admin consent granted Application Permissions:
    - Microsoft Graph -> Application Permissions -> Sites.FullControl.All
    Note: Sites.FullControl.All is needed when running this script to set the right permissions on your UCC sites. (A Unified Contact Center, or UCC, is a queue of interactions (voice, email, IM, etc.) that are handled by Agents. Each UCC has its own settings, IVR menus and Agents; Agents can belong to one or several UCCs and can have multiple skills (competencies). A UCC can be visualized as a contact center “micro service”: customers can utilize one UCC (e.g. a global helpdesk), a few UCCs (e.g. one for each department or regional office) or hundreds of UCCs (e.g. one for each bed at a hospital). They are interconnected and can all be managed from one central location.) After using the script it is fine to revoke the permissions, as this app is not used in the day-to-day operation of a UCC; they are only needed again when a new (set of) sites must be created for new/future UCCs.
  - Valid Client Secret
Instructions
- Open PowerShell
  - No elevated permissions are needed
  - No specific PowerShell module is needed
  - Two ways to start the script:
    - Right-click ‘EnableSharePointCertBasedAuth.ps1’ and select “Run with PowerShell”
    - Open PowerShell, navigate to the directory holding ‘EnableSharePointCertBasedAuth.ps1’, and run .\EnableSharePointCertBasedAuth.ps1
- Specify your Microsoft Tenant Id
  - Either use a parameter (e.g. .\EnableSharePointCertBasedAuth.ps1 -tenantId '<guid>'), where <guid> is a GUID in the form 2ed153b4-f632-4766-b846-5b2a769b36d1
  - If no parameter is used, the script will prompt you to key in the tenant id
- Specify the Application (client) Id of your Azure App Registration (see prerequisites above)
  - Either use a parameter (e.g. .\EnableSharePointCertBasedAuth.ps1 -appId '<guid>')
  - If no parameter is used, the script will prompt you to key in the application id
  - If the specified value is not a valid GUID, an error is returned and the script will stop
- Specify the Application Secret of your Azure App Registration (see prerequisites above)
  - Either use a parameter (e.g. .\EnableSharePointCertBasedAuth.ps1 -appSecret '<value>')
  - If no parameter is used, the script will prompt you to key in the application secret
- Validate authentication using App Credentials
  - Once the tenant id, application id and application secret are available, the script validates that it can successfully authenticate with them.
  - If authentication fails, an error is returned and the script will stop
- Validate token of App Authentication
  - Once authenticated, the scopes of the token are checked to see whether the permission Sites.FullControl.All is granted to the application.
  - If the permission is not present, an error is returned and the script will stop
- Specify the AnywhereNow region that should be able to access SharePoint
  - Either use a parameter (e.g. .\EnableSharePointCertBasedAuth.ps1 -region '<value>')
    - Allowed values are:
      - apac-sea
      - emea-weu
      - nora-cus
      - emea-gwc
      - apac-aue
      - emea-neu
      - nora-eu2
    - If you want to grant access to multiple regions, a comma-separated value can be specified.
  - If no parameter is used, the script will prompt you to select one or more regions.
    - If you want to grant access to multiple regions, a comma-separated value can be specified.
- Specify the SharePoint site collection that AnywhereNow should be able to access
  - Either use a parameter (e.g. .\EnableSharePointCertBasedAuth.ps1 -siteCollection '<value>')
    - The value should be a valid URI (e.g. https://tenant.sharepoint.com/sites/sitecollection)
    - If you want to grant access to multiple site collections, a comma-separated value can be specified.
    - The script validates whether the provided SharePoint sites are valid URIs and whether they exist in the tenant. If this is not the case, a warning is returned and the script continues.
  - If no parameter is used, or no valid SharePoint sites are obtained from the parameter, the script will request all SharePoint site collections and prompt you to select one or more site collections.
    - If you want to grant access to multiple SharePoint site collections, a comma-separated value can be specified.
- For each Region / SharePoint site collection combination, the script checks whether permissions are already granted
  - If so, the script performs a second validation to check whether the granted permissions have already been patched to full control.
    - If the permissions are already set to full control, the script continues with the next Region / SharePoint site collection combination.
    - If the permissions are not set to full control, the script patches them to full control.
  - If no permissions are granted, the script grants permissions and then patches them to full control.
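As an added example (not the EnableSharePointCertBasedAuth.ps1 script itself), the PowerShell below performs the same check-then-grant-or-patch flow for one site and one target application via Microsoft Graph: it obtains an app-only token, reads the token's roles claim (app-only tokens carry application permissions there) to confirm Sites.FullControl.All, then creates or patches the site permission. The $targetAppId parameter is assumed to be the application id AnywhereNow uses for a region, which this page does not list; all parameter values are placeholders you supply.

```powershell
# Added example: grant or patch one SharePoint site permission to fullcontrol via Graph.
# Assumed placeholders: $tenantId/$appId/$appSecret are your own app registration;
# $targetAppId is the application id to be granted access (hypothetical, not listed on this page).
param(
  [Parameter(Mandatory)][string]$tenantId,
  [Parameter(Mandatory)][string]$appId,
  [Parameter(Mandatory)][string]$appSecret,
  [Parameter(Mandatory)][string]$siteUrl,      # e.g. https://tenant.sharepoint.com/sites/sitecollection
  [Parameter(Mandatory)][string]$targetAppId   # application that must be able to access the site
)
$graph = 'https://graph.microsoft.com/v1.0'

# 1. Client-credentials token for Microsoft Graph (fails here if the credentials are wrong)
$tokenResp = Invoke-RestMethod -Method Post `
  -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
  -Body @{ client_id = $appId; client_secret = $appSecret
           grant_type = 'client_credentials'; scope = 'https://graph.microsoft.com/.default' }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Decode the JWT payload (base64url, so restore padding) and check the roles claim
$payload = $tokenResp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
if ($claims.roles -notcontains 'Sites.FullControl.All') {
  throw 'Sites.FullControl.All is not granted to this app registration; stopping.'
}

# 3. Resolve the site id from its URL: /sites/{hostname}:{server-relative-path}
$uri  = [Uri]$siteUrl
$site = Invoke-RestMethod -Headers $headers -Uri "$graph/sites/$($uri.Host):$($uri.AbsolutePath)"

# 4. Look for a permission already granted to the target application
$perms    = (Invoke-RestMethod -Headers $headers -Uri "$graph/sites/$($site.id)/permissions").value
$existing = $perms | Where-Object { $_.grantedToIdentities.application.id -eq $targetAppId } |
            Select-Object -First 1

if (-not $existing) {
  # Graph accepts only read/write when creating a site permission, hence the separate PATCH below
  $body = @{ roles = @('write')
             grantedToIdentities = @(@{ application = @{ id = $targetAppId; displayName = 'AnywhereNow' } }) } |
          ConvertTo-Json -Depth 5
  $existing = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
    -Uri "$graph/sites/$($site.id)/permissions" -Body $body
}
if ($existing.roles -notcontains 'fullcontrol') {
  Invoke-RestMethod -Method Patch -Headers $headers -ContentType 'application/json' `
    -Uri "$graph/sites/$($site.id)/permissions/$($existing.id)" `
    -Body (@{ roles = @('fullcontrol') } | ConvertTo-Json)
}
```

Run it once per region/site pair; a permission that already carries fullcontrol is left untouched, mirroring the script's skip-if-already-patched behaviour.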