SharePoint admin consent runbook
The current SharePoint List creation blocker is Microsoft tenant consent for the PnP connection. This page keeps the worker hub draft-safe while giving the owner/admin the exact next step.
Admin consent link
Open this as the tenant admin or owner:
This does not switch worker forms live. It only allows the guarded PnP List creation script to connect.
Graph permission finding
token is missing Sites.Manage.All, which Microsoft Graph requires to create SharePoint Lists
Permission path probe: Azure CLI cannot request Sites.Manage.All directly; use a RaveFocus-owned app registration or PnP consent path
Open the SharePoint Graph permission path report
Official Microsoft Graph create-list permission reference: https://learn.microsoft.com/en-us/graph/api/list-create?view=graph-rest-1.0
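Added example (not part of the RaveFocus tooling): a Node.js check that reads the permission claims of a Graph access token and reproduces the finding above for a delegated token and an app-only token. The function names and sample tokens are constructed for illustration, the accepted permissions are the ones this runbook names, and the token signature is not validated, so treat the result as a diagnostic only.

```javascript
// Added example: diagnostic only. The token signature is NOT validated here.
// Accepted permissions are the ones this runbook names for each token type.
const ACCEPTED = {
  delegated: ['Sites.Manage.All'],
  'app-only': ['Sites.Manage.All', 'Sites.ReadWrite.All'],
};

function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  // Node's base64 decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

function listCreateFinding(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  // App-only tokens carry application permissions in "roles";
  // delegated tokens carry space-separated scopes in "scp".
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  const kind = roles.length ? 'app-only' : scopes.length ? 'delegated' : 'none';
  const granted = kind === 'app-only' ? roles : scopes;
  const matched = granted.filter((p) => (ACCEPTED[kind] || []).includes(p));
  const expired = typeof claims.exp === 'number' && claims.exp <= nowSeconds;
  let finding = `token is missing ${ACCEPTED.delegated[0]}`;
  if (expired) finding = 'token is expired';
  else if (matched.length) finding = `token has ${matched.join(', ')}`;
  return { kind, granted, matched, expired, canCreateLists: matched.length > 0 && !expired, finding };
}

// Constructed, unsigned sample tokens (hypothetical claims, not real credentials).
function sampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed`;
}
const NOW = 1700000000;
const aud = 'https://graph.microsoft.com';
const cliToken = sampleToken({ aud, exp: NOW + 3600, scp: 'User.Read Sites.Read.All' });
const appToken = sampleToken({ aud, exp: NOW + 3600, roles: ['Sites.Manage.All'] });

for (const [name, tok] of [['delegated CLI token', cliToken], ['app-only token', appToken]]) {
  const r = listCreateFinding(tok, NOW);
  console.log(`${name}: ${r.kind}, canCreateLists=${r.canCreateLists}, ${r.finding}`);
}
```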
Unlock paths
Graph route
Owner: tenant admin / SharePoint admin
Use when: You want the Azure/Graph helper to create the Lists.
Required: Grant/consent Microsoft Graph Sites.Manage.All for the active Microsoft session or an approved app-only setup, and make sure the actor has SharePoint authority on https://ravefocus.sharepoint.com.
npm.cmd run attempt:sharepoint-graph-list
Success proof: outputs/sharepoint-graph-list-creation-report.html shows task requests created or already existed with zero errors.
RaveFocus-owned app-only Graph route
Owner: tenant admin / owner
Use when: Azure CLI cannot request Sites.Manage.All directly, but you can approve a temporary RaveFocus-owned app registration for List creation.
Required: Create or approve a tenant-owned Entra app with Microsoft Graph application permission Sites.Manage.All or Sites.ReadWrite.All, grant admin consent, keep the temporary secret owner-only, and revoke/delete it after Lists are created.
npm.cmd run bootstrap:sharepoint-graph-app -- -Apply
Success proof: outputs/sharepoint-graph-permission-path-report.html shows the app-only token has a SharePoint List-create role, then outputs/sharepoint-graph-list-creation-report.html shows task requests created or already existed with zero errors.
PnP route with tenant-owned app
Owner: tenant admin / owner
Use when: The legacy PnP app ID is not installed or consentable in the tenant.
Required: Register or approve a RaveFocus-owned Entra app for PnP PowerShell interactive/device login, then pass its client ID with -ClientId or PNP_CLIENT_ID.
powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -ClientId "<tenant-owned-pnp-app-client-id>" -Apply
Success proof: outputs/sharepoint-first-list-apply-attempt.html no longer returns AADSTS700016 and task requests exists.
PnP legacy consent route
Owner: tenant admin / owner
Use when: The admin consent page accepts the existing PnP application ID.
Required: Approve admin consent for 31359c7f-bd7e-475c-86db-fdb8c937548e in ravefocus.onmicrosoft.com.
powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -Apply
Success proof: outputs/sharepoint-first-list-apply-attempt.html no longer returns AADSTS700016 and task requests exists.
Safe retry
powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -Apply
Safe retry with tenant-owned PnP client ID
powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -ClientId "<tenant-owned-pnp-app-client-id>" -Apply
Safe retry with RaveFocus-owned app-only Graph token
$env:RAVEFOCUS_GRAPH_CLIENT_ID="<tenant-owned-app-client-id>"; $env:RAVEFOCUS_GRAPH_CLIENT_SECRET="<temporary-client-secret>"; npm.cmd run attempt:sharepoint-graph-list; Remove-Item Env:\RAVEFOCUS_GRAPH_CLIENT_SECRET -ErrorAction SilentlyContinue
Guarded temporary app bootstrapper
npm.cmd run bootstrap:sharepoint-graph-app -- -Apply
After the first List works
npm.cmd run verify:sharepoint-forms
npm.cmd run sync:sharepoint-ids
npm.cmd run build:microsoft-id-reconciliation
npm.cmd run preflight:final-report
Safety
- admin consent must be completed by the Rave Focus tenant admin or owner
- consent only unblocks the SharePoint List creation tool; it does not make worker forms live
- retry only one List first: task requests
- do not upload passwords, recovery codes, ID photos, billing, bank, card, payout, or private customer records
- keep forms draft-safe until live form verification, ID sync, reconciliation, and final preflight pass
Evidence
outputs/sharepoint-first-list-apply-attempt.html
outputs/sharepoint-admin-list-create-runbook.html
outputs/sharepoint-admin-tooling-readiness.html
outputs/sharepoint-go-live-checklist.html
outputs/final-go-live-preflight.html