Forum Discussion
Look Book Provisioning NOT restricted to tenant admins. HUGE PROBLEM. HELP!
- Mar 16, 2021
Here's what worked for me, thanks to Beau Cameron in another post:
Sounds like when you or another tenant admin used the Lookbook previously, you consented the application "on behalf of the organization". What this means is essentially a Tenant Admin has approved this application for use and the permissions required by this application. I have attached the image of the check box you checked.
I do not think you meant to click this checkbox. When you provision using a tenant admin account, you do not need to select this box. As a result, the other users in your environment can now provision through the lookbook because you provided the consent.
What you will need to do is....
1. Go to the Azure Portal to your Azure Active Directory settings
2. Go to Enterprise Applications
3. Locate SharePointPnP.ProvisioningApp.Tenant
4. Select Properties on the left
5. Delete this application
The next time you or a tenant admin uses the Lookbook, do not consent on behalf of your organization.
Hi Lisa,
I am not sure if this can solve your issue or opens up even worse issues.
I meant to just publish my own questions on the Lookbook when I saw your post, and I am not yet 100% on top of the topic.
I think you can prohibit your users from provisioning apps through the Lookbook by not allowing them to register apps in Azure AD - User settings - "Users can register applications" set to No.
To provision a site with the Lookbook you need an app called SharePoint.PnP.ProvisioningApp.
When the first user tries to provision a site from the Lookbook, this app is given permissions in your tenant. Often this is done by a Global Admin, since only he has the role to register this app with Azure AD. He will get a permission request as shown in the attached picture.
I think if he checks the check box at the bottom, this is now available for all your users.
Also this would allow your users to further provision web sites with the Lookbook.
The Global Admin should manually give some SPO Admins these permissions in Azure AD - Enterprise Applications. Here you should find the SharePoint.PnP App.
What really bothers me is the amount of rights this app requests:
- Have full control of all site collections
- Send mail as you.
- Sign you in and read your profile
- ....
And I cannot even be sure if this app is from Microsoft. It is not signed. The T&Cs are empty....
So currently we only use the Lookbook in our Test Tenant but not in production.
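An added example (not from either poster) that does in PowerShell what the accepted answer's portal steps and the second reply's permission list describe: it finds the Lookbook enterprise application (a service principal in the directory), shows whether its delegated grants are tenant-wide, lists the granted scopes, and optionally deletes the service principal. It assumes the Microsoft Graph PowerShell module, the display name quoted in the accepted answer, and a signed-in account with rights to read and remove service principals.

```powershell
# Added example, not the thread's own code. Audits and optionally revokes the tenant-wide
# consent given to the Lookbook provisioning app. Requires the Microsoft.Graph module.
# Assumptions: the display name below matches the Enterprise Application in your tenant,
# and the signed-in account may read and delete service principals.
param(
    [string]$AppDisplayName = 'SharePointPnP.ProvisioningApp.Tenant',
    [switch]$Remove
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null

# "Enterprise Applications" in the portal are service principals in the directory.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) {
    Write-Host "No enterprise application named '$AppDisplayName' found; nothing to revoke."
    return
}

foreach ($principal in $sp) {
    Write-Host "Service principal: $($principal.DisplayName) ($($principal.Id))"
    Write-Host "  AppId:     $($principal.AppId)"
    # An empty publisher name is the "I cannot tell who this app is from" concern in the thread.
    Write-Host "  Publisher: $($principal.PublisherName)"

    # Delegated permission grants. ConsentType 'AllPrincipals' is the result of the
    # "consent on behalf of your organization" checkbox: every user in the tenant can use
    # the app with these scopes without being asked for consent themselves.
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $principal.Id -All
    foreach ($g in $grants) {
        $who = if ($g.ConsentType -eq 'AllPrincipals') { 'TENANT-WIDE' } else { "user $($g.PrincipalId)" }
        Write-Host "  Grant ($who): $($g.Scope)"
    }

    if ($Remove) {
        # Deleting the service principal removes every grant (tenant-wide and per-user) with it,
        # which is what step 5 of the accepted answer does in the portal.
        Remove-MgServicePrincipal -ServicePrincipalId $principal.Id
        Write-Host "  Removed. The next Lookbook use will prompt for consent again."
    }
}
```

Run it without `-Remove` first to see which grants exist and whether any are tenant-wide; a per-user grant only affects the admin who provisioned, while an `AllPrincipals` grant is what lets non-admins provision.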