Assigning roles to enterprise applications in Azure B2C

In this post we detail how to assign roles to enterprise applications in Azure B2C, the issues we hit when assigning them via PowerShell, and the troubleshooting that followed.

The issue

So this is just a super quick post to document an issue that stumped me recently. I had been asked to assign the Helpdesk Administrator role to a custom enterprise app in an Azure B2C environment. The steps I had been given to follow were from this blog post and got me most of the way there.

I had issues using MSOL initially, which I managed to get around, but every time I ran the Add-MsolRoleMember cmdlet I kept getting the same error:

Error adding Service Principal to Role: This role does not exist. Check the name and try again.

The solution

As always, the simplest solution is often the best and in this case that was true again! I was able to assign the role to the enterprise applications through the Azure B2C AAD GUI. The way I did it was to:

  • Open Azure Active Directory
  • Select Roles and administrators
  • Select the relevant admin role (e.g. Helpdesk Administrator)
  • Under Assignments > press + Add Assignments
  • Search for the name of the enterprise app you want to assign the role to > select it > press Add

Once you have selected the relevant admin role, press Add Assignments.

That’s it: no need for PowerShell, you can assign the roles directly from Azure AD.
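Once the role has been assigned in the portal it is worth confirming exactly which service principals now hold it, since an enterprise app with an admin role is a privileged credential. The following is an added example (not code from the original post) using the MSOL cmdlets the post mentions; it assumes the MSOnline module is installed and that Connect-MsolService can reach the B2C tenant.

```powershell
# Added example: audit the members of an admin role after assigning it in the portal.
# Assumes the MSOnline module is installed and Connect-MsolService works for this tenant.
Connect-MsolService

$roleName = "Helpdesk Administrator"   # the role assigned in the post
$role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    throw "Role '$roleName' was not returned by Get-MsolRole; check the name and try again."
}

# Every member of the role, with the member type so service principals stand out
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
$members |
    Select-Object DisplayName, RoleMemberType, ObjectId, EmailAddress |
    Sort-Object RoleMemberType, DisplayName |
    Format-Table -AutoSize

# Service principals (enterprise apps) holding the role: this list should be short
# and every entry should be one you recognise and can justify.
$members |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
    ForEach-Object { "$roleName -> service principal '$($_.DisplayName)' ($($_.ObjectId))" }
```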


How to provision OneDrive for Microsoft 365 users

This blog post describes a scenario where not all users in your Microsoft 365 tenancy have OneDrive and how to provision it where required.

Overview

As a general rule I’ve found that most users who are in your M365 tenancy should have OneDrive irrespective of whether they are using it or not.

During a project I was involved with, we were compiling a list of all our M365 users’ home drive source locations to migrate the data into their respective OneDrives. While completing this exercise, we found that not everyone in our organisation actually had OneDrive provisioned.

Information online as to the reasons why was scant, with much of what others describe around licensing issues not being applicable in this situation.

When you look at a user’s OneDrive information within the M365 admin center, you will see this:

If a user in your tenancy doesn’t have OneDrive, you will see this message.

I’m not 100% sure why these users are without OneDrive, as the accounts checked hadn’t been blocked. However, they have not had any sign-in activity for the last 30 days, although we have set our OneDrive retention to 90 days before deleting, so it’s still a bit of a mystery.

The solution

Microsoft have provided documentation on how to pre-provision OneDrive for users in your organization which is exactly what we needed. The documentation details two ways in which you can approach the problem:

  1. Pre-provision OneDrive for users – Create a list of users who need OneDrive > save as a txt file > run PowerShell to provision OneDrive for those users
  2. Pre-provision many users at the same time – Run PowerShell to provision OneDrive for large numbers of users

In this example we didn’t know how many of our users were without OneDrive, so we chose to go with option 2.

How to provision OneDrive for large numbers of users

Prerequisites

  • The account you are using to run the script needs to be a global or SharePoint administrator and must be assigned a SharePoint license
  • The user accounts that you are provisioning must be allowed to sign in and also have a SharePoint license assigned
  • Make sure you have the latest version of the SharePoint Online Management Shell installed

Run the PowerShell script

  • Open SharePoint Online Management Shell
  • Run the PowerShell script

The script should loop through until it completes for all users in your tenancy. You should see it looping through like in the example screenshot below:

Example of once the PowerShell script has been run, the script looping through each user in your tenancy.

Issues & resolution steps

Before I start describing my experiences of running the script, I am a relative PowerShell novice so forgive my ignorance if some of this is elementary. I had some trouble getting the script to run, which I think was more to do with the cmdlets I had installed (I’ve had a new laptop recently) rather than the script.

Issues with Connect-sposervice

I had issues connecting to the SharePoint admin center; I was receiving an error like this:

Issues connecting with the sposervice cmdlet.

I found this post on koskila.net that is really helpful and may help others with similar issues. In the end I got the script to run by removing the $credential variable at the start of the Microsoft script and connecting to the msolservice and sposervice directly.

With the $credential variable removed, I was prompted to log in twice, once for msolservice and again for sposervice, which then authenticated and moved on to the next stage of the script.

Example of my changes to the script to allow me to run properly.
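To show what the “connect interactively, then provision in batches” approach looks like end to end, here is an added example (not Microsoft’s script and not the post’s own code). It assumes the MSOnline module and the SharePoint Online Management Shell are installed, that both Connect- cmdlets prompt for credentials rather than reading a $credential variable, and it uses a placeholder admin URL; the batch size of 199 is an assumption based on the documented per-call limit of 200 addresses for Request-SPOPersonalSite.

```powershell
# Added example: pre-provision OneDrive for all eligible users, connecting interactively
# (no $credential variable), as described in the post. Admin URL is a placeholder.
Connect-MsolService
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

# Only accounts that can sign in and hold a SharePoint plan qualify (see prerequisites).
# The plan-name pattern is an assumption covering the common SharePoint service plans.
$users = Get-MsolUser -All |
    Where-Object {
        -not $_.BlockCredential -and
        ($_.Licenses | ForEach-Object { $_.ServiceStatus } |
            Where-Object {
                $_.ServicePlan.ServiceName -match '^SHAREPOINT(ENTERPRISE|STANDARD)' -and
                $_.ProvisioningStatus -eq 'Success'
            })
    }

Write-Host "Eligible users: $($users.Count)"

# Request-SPOPersonalSite takes a list of e-mail addresses per call; batch them so a
# large tenant does not hit the per-call limit (199 assumed from the documented 200).
$batchSize = 199
for ($i = 0; $i -lt $users.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $users.Count) - 1
    $batch = @($users[$i..$last].UserPrincipalName)
    Write-Host "Requesting OneDrive for $($batch.Count) users starting at index $i"
    Request-SPOPersonalSite -UserEmails $batch -NoWait
}
```

Provisioning is queued, so OneDrives appear over time; re-running the script is safe because already-provisioned users are simply skipped by the service.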

How to provision and deploy the PnP SharePoint Starter Kit part two

Update: The SharePoint Starter Kit is now a solution that’s available to apply from the SharePoint Online Provisioning Service:
https://provisioning.sharepointpnp.com/

This is the second part of my two-part series on how to provision and deploy the SharePoint Starter Kit into your SharePoint tenant. You can read part one below:

How to provision and deploy the SharePoint Starter Kit part one

At this point all the pre-requirement steps should be completed, our Office 365 tenant should have an app catalog site, a dev site collection and a custom user profile service property.

Download the SharePoint Starter Kit

In order to deploy the SharePoint Starter Kit to your tenant you will need to clone or download a copy of the repository. I downloaded a copy of the repository and followed the steps below:

Downloading the SharePoint Starter Kit

Deploy the SharePoint Starter Kit

Now for the fun part…deploying the SharePoint Starter Kit to your tenant! Before you begin, make sure you have run the following cmdlet to connect to your tenant:

Connect-PnPOnline https://contosodemosk.sharepoint.com

  • Change the path in PowerShell to the location where your SP Starter Kit provisioning folder is located

Set-Location -Path C:\sp-starter-kit-master\provisioning

  • Finally, in PowerShell run the following command

Apply-PnPTenantTemplate -Path starterkit.pnp

Deploying the SharePoint Starter Kit in PowerShell
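Because provisioning errors with the Starter Kit tend to cascade (see the references), it helps to check the prerequisites before running Apply-PnPTenantTemplate. The block below is an added example, not code from the PnP Starter Kit project or the original post; it assumes the PnP PowerShell module is installed, reuses the tenant URL and folder from the post as placeholders, and uses Get-PnPTenantAppCatalogUrl to confirm the app catalog from part one exists.

```powershell
# Added example: pre-flight checks before applying the Starter Kit tenant template.
# Tenant URL and folder are the values from the post; replace them with your own.
$tenantUrl    = "https://contosodemosk.sharepoint.com"
$kitFolder    = "C:\sp-starter-kit-master\provisioning"
$templateFile = Join-Path $kitFolder "starterkit.pnp"

Connect-PnPOnline -Url $tenantUrl   # interactive sign-in as a tenant administrator

# 1. The template must be where the extracted repository puts it
if (-not (Test-Path $templateFile)) {
    throw "Template not found at $templateFile; check where the repository was extracted."
}

# 2. The tenant needs an app catalog (a part-one prerequisite) to hold the web parts
$appCatalog = Get-PnPTenantAppCatalogUrl
if ([string]::IsNullOrEmpty($appCatalog)) {
    throw "No tenant app catalog found; create one before applying the template."
}
Write-Host "App catalog: $appCatalog"

# 3. Apply the template from inside the provisioning folder, as in the post
Set-Location -Path $kitFolder
Apply-PnPTenantTemplate -Path $templateFile
```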

Once the Starter Kit provisioning has completed, it will have created 3 site collections as well as other tenant-level settings such as themes, site designs and taxonomy term sets. You will be able to access all the site collections and web parts deployed through the Starter Kit in your tenant, either through the new SharePoint admin center or through the SharePoint app in Office 365.

References

https://github.com/SharePoint/sp-starter-kit – SharePoint Starter Kit repository from GitHub

https://docs.microsoft.com/en-us/sharepoint/dev/spfx/set-up-your-development-environment – steps to install the required developer tools from Microsoft

https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-pnp/sharepoint-pnp-cmdlets?view=sharepoint-ps – steps to install PnP PowerShell from Microsoft

https://docs.microsoft.com/en-us/sharepoint/dev/spfx/set-up-your-developer-tenant – setting up your Office 365 tenant to build and deploy client-side web parts using the SharePoint Framework from Microsoft

https://github.com/SharePoint/sp-starter-kit/blob/master/documentation/tenant-settings.md – creating the new user profile property / requesting an API key from Alpha Vantage, from GitHub

https://github.com/SharePoint/sp-starter-kit/tree/master/provisioning – PowerShell commands and minimal path to success from GitHub

https://github.com/SharePoint/sp-starter-kit/blob/master/documentation/common-provision-results.md – pre-requirement steps added from general cascading errors, from GitHub