In this article, you will learn how to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell. The script will perform the following actions.
- Register a new application in Microsoft Entra ID.
- Configure the required SharePoint permissions.
- Provide admin consent for the permissions.
Prerequisites
- Install the Microsoft Graph PowerShell SDK.
- Microsoft Entra ID administrator rights sufficient to create an app registration and to grant tenant-wide admin consent (the script assigns an application permission to the new service principal).
- Create a self-signed certificate by executing Create-SelfSignedCertificate.ps1; the script needs the path to the exported public key (.cer) file.
Steps Involved
Perform the following steps to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell.
Open Windows PowerShell ISE. Copy and paste the below script.
```powershell
# Usage (placeholder values): .\RegisterAppOnly.ps1 -AppName "SPO-App" -CertPath ".\SPO-App.cer"
param(
    [Parameter(Mandatory=$true,
    HelpMessage="The friendly name of the app registration")]
    [String]
    $AppName,

    [Parameter(Mandatory=$true,
    HelpMessage="The file path to your public key file")]
    [String]
    $CertPath,

    [Parameter(Mandatory=$false,
    HelpMessage="Your Azure Active Directory tenant ID")]
    [String]
    $TenantId,

    [Parameter(Mandatory=$false)]
    [Switch]
    $StayConnected = $false
)

# Display the options for permission
$validOptions = @('F', 'S')
Write-Host "Select the permissions: [F]-Sites.FullControl.All [S]-Sites.Selected"

# Loop to prompt the user until a valid option is selected
do {
    $selectedPermission = (Read-Host "Enter your choice (F or S)").ToUpper()
} while ($selectedPermission -notin $validOptions)

# Map user input to the SharePoint Online app role (application permission) IDs
$permissionMapping = @{
    'F' = '678536fe-1083-478a-9c59-b99265e6b0d3'   # Sites.FullControl.All
    'S' = '20d37865-089c-4dee-8c41-6967602d4ac8'   # Sites.Selected
}
$selectedPermissionValue = $permissionMapping[$selectedPermission]

# Requires an admin: the script creates the app and grants admin consent (an app role assignment)
$scopes = "Application.ReadWrite.All User.Read AppRoleAssignment.ReadWrite.All"
if ($TenantId) {
    Connect-MgGraph -Scopes $scopes -TenantId $TenantId
}
else {
    Connect-MgGraph -Scopes $scopes
}

# SharePoint Online resource (the well-known app ID of "Office 365 SharePoint Online")
$sharePointResourceId = "00000003-0000-0ff1-ce00-000000000000"
$SitePermission = @{
    Id   = $selectedPermissionValue
    Type = "Role"   # "Role" = application permission, "Scope" would be delegated
}

# Get context for access to tenant ID
$context = Get-MgContext

# Load cert (public key only; the private key stays on the machine that will run the app)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host -ForegroundColor Cyan "Certificate loaded"

# Create app registration requesting only the selected SharePoint permission
$appRegistration = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" `
    -Web @{ RedirectUris="http://localhost"; } `
    -RequiredResourceAccess @{ ResourceAppId=$sharePointResourceId; ResourceAccess=@($SitePermission) } `
    -AdditionalProperties @{} -KeyCredentials @(@{ Type="AsymmetricX509Cert"; Usage="Verify"; Key=$cert.RawData })
Write-Host -ForegroundColor Cyan "App registration created with app ID" $appRegistration.AppId

# Create corresponding service principal (keep the returned object; do not pipe it to Out-Null)
$servicePrincipal = New-MgServicePrincipal -AppId $appRegistration.AppId -AdditionalProperties @{}
Write-Host -ForegroundColor Cyan "Service principal created"

# Providing admin consent: assign the selected SharePoint app role to the new service principal
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$sharePointResourceId'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id `
    -PrincipalId $servicePrincipal.Id `
    -ResourceId $sharePointServicePrincipal.Id `
    -AppRoleId $selectedPermissionValue | Out-Null
Write-Host -ForegroundColor Cyan "Admin consent granted for app role" $selectedPermissionValue
Write-Host -ForegroundColor Green "Success"

# Generate Connect-MgGraph command
$connectGraph = "Connect-MgGraph -ClientId """ + $appRegistration.AppId + """ -TenantId """`
    + $context.TenantId + """ -CertificateName """ + $cert.SubjectName.Name + """"
Write-Host $connectGraph

if ($StayConnected -eq $false) {
    Disconnect-MgGraph | Out-Null
    Write-Host "Disconnected from Microsoft Graph"
}
else {
    Write-Host -ForegroundColor Yellow "The connection to Microsoft Graph is still active. To disconnect, use Disconnect-MgGraph"
}
```
Save the file as RegisterAppOnly.ps1 and run the PowerShell script.
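As an added check that is not part of the original article, the following PowerShell verifies what RegisterAppOnly.ps1 actually consented: it lists the SharePoint application permissions assigned to the new service principal, resolving each app role ID against the tenant's own SharePoint Online service principal instead of trusting hardcoded GUIDs, warns and prints the revocation command when the broad Sites.FullControl.All role is present, and, when Sites.Selected was chosen, grants the app access to one named site (Sites.Selected grants nothing on its own). The `$AppName`, `$SitePath` and `$SiteRole` parameters and the site path "contoso.sharepoint.com:/sites/Finance" are assumptions for illustration.

```powershell
# Added example, not part of the original article. Run after RegisterAppOnly.ps1.
# Assumptions (placeholders): $AppName is the display name given to the script;
# the default site path and role are illustrative.
param(
    [Parameter(Mandatory=$true)] [string]$AppName,
    [Parameter(Mandatory=$false)] [string]$SitePath = "contoso.sharepoint.com:/sites/Finance",
    [Parameter(Mandatory=$false)] [ValidateSet("read","write")] [string]$SiteRole = "read"
)

# Reading assignments needs Application.Read.All; the per-site grant (POST /sites/{id}/permissions)
# uses delegated Sites.FullControl.All, so the signed-in admin must have full control of that site
Connect-MgGraph -Scopes "Application.Read.All AppRoleAssignment.ReadWrite.All Sites.FullControl.All"

$sharePointResourceId = "00000003-0000-0ff1-ce00-000000000000"
$spo = Get-MgServicePrincipal -Filter "appId eq '$sharePointResourceId'"

# Build an app-role-ID -> permission-name table from the tenant's SharePoint Online service principal
$roleNames = @{}
foreach ($role in $spo.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

# Display names are not unique in Entra ID; refuse to continue on anything but exactly one match
$app = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($app.Count -ne 1) { throw "Expected one service principal named '$AppName', found $($app.Count)" }
$app = $app[0]

# Admin consent for application permissions shows up as appRoleAssignments on the service principal
$assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id |
    Where-Object { $_.ResourceId -eq $spo.Id })

if ($assignments.Count -eq 0) { Write-Warning "No SharePoint application permissions consented for '$AppName'" }
foreach ($a in $assignments) {
    $name = $roleNames[[string]$a.AppRoleId]
    Write-Host ("{0}  {1}" -f $a.AppRoleId, $name)
    if ($name -eq "Sites.FullControl.All") {
        Write-Warning "Sites.FullControl.All reaches every site in the tenant; revoke with:"
        Write-Warning "  Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $($app.Id) -AppRoleAssignmentId $($a.Id)"
    }
}

# Sites.Selected grants nothing by itself: each site the app may touch must be granted explicitly
$hasSitesSelected = $assignments | Where-Object { $roleNames[[string]$_.AppRoleId] -eq "Sites.Selected" }
if ($hasSitesSelected) {
    $site = Get-MgSite -SiteId $SitePath
    $grant = @{
        roles               = @($SiteRole)
        grantedToIdentities = @(@{ application = @{ id = $app.AppId; displayName = $app.DisplayName } })
    }
    $perm = New-MgSitePermission -SiteId $site.Id -BodyParameter $grant
    Write-Host ("Granted '{0}' on {1} (permission id {2})" -f $SiteRole, $site.WebUrl, $perm.Id)
}

Disconnect-MgGraph | Out-Null
```

Run it with the same display name you passed to RegisterAppOnly.ps1, for example `.\Verify-SpoAppConsent.ps1 -AppName "SPO-App"` (script name assumed). Resolving the role IDs from the tenant's SharePoint Online service principal also confirms that the two GUIDs hardcoded in the registration script match what the tenant exposes.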
Note. The SharePoint Online resource ID (00000003-0000-0ff1-ce00-000000000000, the well-known app ID of Office 365 SharePoint Online) and the app role IDs for Sites.FullControl.All and Sites.Selected were captured from the SharePoint Online service principal in the tenant, as shown in the screenshot below. Sites.FullControl.All is an application permission over every site in the tenant, so choose it only when the workload genuinely needs it. Sites.Selected grants no access on its own; after consent, each site the app may use has to be granted explicitly through the Microsoft Graph site permissions endpoint.
This article describes how to register an app with Microsoft Entra ID and configure SharePoint permissions using PowerShell.