
RaveFocus SharePoint launch control

SharePoint admin consent runbook

The current SharePoint List creation blocker is Microsoft tenant consent for the PnP connection. This page keeps the worker hub draft-safe while giving the owner/admin the exact next step.

PnP status: admin consent required before SharePoint Lists can be created with PnP
Tenant: ravefocus.onmicrosoft.com
PnP app ID: 31359c7f-bd7e-475c-86db-fdb8c937548e
Latest attempt: admin consent required for PnP SharePoint connection
Graph List-create permission: Sites.Manage.All
Current token has permission: false
Scoped Azure token: false
App-only token configured: false

Admin consent link

Open this as the tenant admin or owner:

https://login.microsoftonline.com/ravefocus.onmicrosoft.com/adminconsent?client_id=31359c7f-bd7e-475c-86db-fdb8c937548e

This does not switch worker forms live. It only allows the guarded PnP List creation script to connect.

Graph permission finding

The current token is missing Sites.Manage.All, which Microsoft Graph requires to create SharePoint Lists.

Permission path probe: Azure CLI cannot request Sites.Manage.All directly; use a RaveFocus-owned app registration or the PnP consent path.

Open the SharePoint Graph permission path report

Official Microsoft Graph create-list permission reference: https://learn.microsoft.com/en-us/graph/api/list-create?view=graph-rest-1.0
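
The permission finding above can be checked by hand before retrying. This is an added example, not the RaveFocus helper's own code: it decodes a Graph access token's claims and reports whether a List-create permission is present. The function names and sample tokens are constructed for illustration; the accepted permission sets are the ones this page names.

```javascript
// Added example: read a Graph access token's claims to see whether it carries a
// List-create permission. The signature is NOT verified; this only inspects a
// token you obtained yourself before retrying List creation.
const DELEGATED_OK = ["Sites.Manage.All"];                       // per this page
const APP_ONLY_OK = ["Sites.Manage.All", "Sites.ReadWrite.All"]; // per this page

// Decode the payload (middle) segment of a JWT without verifying it.
function decodeClaims(jwt) {
  const parts = String(jwt).trim().split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 segments");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Hypothetical helper: summarise what the token allows for List creation.
function checkListCreatePermission(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ").filter(Boolean) : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  // App-only tokens carry application permissions in "roles" and have no "scp".
  const appOnly = roles.length > 0 && scopes.length === 0;
  const granted = appOnly ? roles : scopes;
  const accepted = appOnly ? APP_ONLY_OK : DELEGATED_OK;
  const matched = granted.filter((p) => accepted.includes(p));
  const expired = typeof claims.exp === "number" && claims.exp <= nowSeconds;
  return {
    tenantId: claims.tid ?? null,
    appId: claims.appid ?? claims.azp ?? null, // v1 tokens use appid, v2 use azp
    appOnly, granted, matched, expired,
    hasListCreatePermission: matched.length > 0 && !expired,
  };
}

// Constructed, unsigned sample tokens with placeholder ids so this runs offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed`;
}
const delegatedSample = makeSampleToken({
  tid: "00000000-0000-0000-0000-000000000001", scp: "User.Read Sites.Read.All",
  exp: 4102444800 });
const appOnlySample = makeSampleToken({
  tid: "00000000-0000-0000-0000-000000000001", roles: ["Sites.Manage.All"],
  exp: 4102444800 });

console.log(checkListCreatePermission(delegatedSample)); // hasListCreatePermission: false
console.log(checkListCreatePermission(appOnlySample));   // hasListCreatePermission: true
```

A token that reports `appOnly: false` with no matched scope corresponds to the "Current token has permission: false" state in the status block above.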

Unlock paths

Graph route

Owner: tenant admin / SharePoint admin

Use when: You want the Azure/Graph helper to create the Lists.

Required: Grant/consent Microsoft Graph Sites.Manage.All for the active Microsoft session or an approved app-only setup, and make sure the actor has SharePoint authority on https://ravefocus.sharepoint.com.

npm.cmd run attempt:sharepoint-graph-list

Success proof: outputs/sharepoint-graph-list-creation-report.html shows task requests created or already existed with zero errors.

RaveFocus-owned app-only Graph route

Owner: tenant admin / owner

Use when: Azure CLI cannot request Sites.Manage.All directly, but you can approve a temporary RaveFocus-owned app registration for List creation.

Required: Create or approve a tenant-owned Entra app with Microsoft Graph application permission Sites.Manage.All or Sites.ReadWrite.All, grant admin consent, keep the temporary secret owner-only, and revoke/delete it after Lists are created.

npm.cmd run bootstrap:sharepoint-graph-app -- -Apply

Success proof: outputs/sharepoint-graph-permission-path-report.html shows the app-only token has a SharePoint List-create role, then outputs/sharepoint-graph-list-creation-report.html shows task requests created or already existed with zero errors.

PnP route with tenant-owned app

Owner: tenant admin / owner

Use when: The legacy PnP app ID is not installed or consentable in the tenant.

Required: Register or approve a RaveFocus-owned Entra app for PnP PowerShell interactive/device login, then pass its client ID with -ClientId or PNP_CLIENT_ID.

powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -ClientId "<tenant-owned-pnp-app-client-id>" -Apply

Success proof: outputs/sharepoint-first-list-apply-attempt.html no longer returns AADSTS700016 and task requests exists.

PnP legacy consent route

Owner: tenant admin / owner

Use when: The admin consent page accepts the existing PnP application ID.

Required: Approve admin consent for 31359c7f-bd7e-475c-86db-fdb8c937548e in ravefocus.onmicrosoft.com.

powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -Apply

Success proof: outputs/sharepoint-first-list-apply-attempt.html no longer returns AADSTS700016 and task requests exists.

Safe retry

powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -Apply

Safe retry with tenant-owned PnP client ID

powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -ClientId "<tenant-owned-pnp-app-client-id>" -Apply

Safe retry with RaveFocus-owned app-only Graph token

$env:RAVEFOCUS_GRAPH_CLIENT_ID="<tenant-owned-app-client-id>"; $env:RAVEFOCUS_GRAPH_CLIENT_SECRET="<temporary-client-secret>"; npm.cmd run attempt:sharepoint-graph-list; Remove-Item Env:\RAVEFOCUS_GRAPH_CLIENT_SECRET -ErrorAction SilentlyContinue

Guarded temporary app bootstrapper

npm.cmd run bootstrap:sharepoint-graph-app -- -Apply

After the first List works

npm.cmd run verify:sharepoint-forms
npm.cmd run sync:sharepoint-ids
npm.cmd run build:microsoft-id-reconciliation
npm.cmd run preflight:final-report

Safety

Evidence