SOLVED

Look Book Provisioning NOT restricted to tenant admins. HUGE PROBLEM. HELP!

%3CLINGO-SUB%20id%3D%22lingo-sub-2049160%22%20slang%3D%22en-US%22%3ELook%20Book%20Provisioning%20NOT%20restricted%20to%20tenant%20admins.%20HUGE%20PROBLEM.%20HELP!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2049160%22%20slang%3D%22en-US%22%3E%3CP%3EI%20don't%20know%20if%20this%20is%20the%20right%20forum%20for%20this%20but%20I%20have%20just%20learned%20that%2C%20while%20the%20LookBook%20website%20indicates%20that%20only%20tenant%20admins%20are%20to%20be%20able%20to%20create%20sites%20using%20the%20templates%2C%20an%20E3%20licensed%20user%20with%20no%20admin%20roles%20just%20created%20his%20own%20Comm%20site%20without%20any%20issue%20or%20assistance%20and%20I%2C%20as%20the%20SharePoint%20and%20TEAMS%20administrator%20had%20no%20idea%20he%20did%20so.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20company%20has%20strict%20rules%20about%20who%20can%20create%20along%20with%20naming%20conventions%2C%20etc.%20to%20follow%20when%20creating%20and%20he%20was%20able%20to%20bypass%20ALL%20of%20it.%20I'm%20not%20faulting%20the%20user%2C%20I%20am%20faulting%20Microsoft's%20verbiage%20and%2For%20security.%20Either%20the%20website%20is%20erroneous%20when%20it%20says%20only%20admins%20can%20create%2Fuse%20the%20templated%20or%20there%20is%20a%20security%2Fmanagement%20breach%20going%20on%20for%20this.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20VERY%20concerned%20at%20what%20this%20means%20for%20our%20company%3A%20it%20will%20be%20Pandora's%20Box%20is%20a%20blink%20of%20an%20eye.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%2C%20would%20someone%20please%20explain%20what%20is%20going%20on%20and%20how%20I%20can%20stop%20this%20from%20being%20something%20anyone%20in%20my%20tenant%20can%20do%3F%26nbsp%3B%20QUICK!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2049160%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDeveloper%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELook%20Book%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2049810%22%20slang%3D%22en-US%22%3ERe%3A%20Look%20Book%20Provisioning%20NOT%20restricted%20to%20tenant%20admins.%20HUGE%20PROBLEM.%20HELP!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2049810%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11513%22%20target%3D%22_blank%22%3E%40Lisa%20Stebbins%3C%2FA%3E%26nbsp%3Byou%20are%20correct%20that%20sites%20created%20with%20the%20Look%20Book%20templates%20need%20tenant%20admin%20permissions(apart%20from%20tbhose%20few%20education%20ones%20that%20don't).%20But%20a%20standard%20communications%20site%20with%20the%20basic%20sections%20and%20web%20parts%20can%20be%20built%20by%20any%20user%2C%20either%20from%20the%20far%20top%20left%20of%20the%20SharePoint%20homepage%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2Fsharepoint.aspx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2Fsharepoint.aspx%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3Eor%20by%20going%20to%20the%20following%20link%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2FCreateGroup.aspx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2FCreateGroup.aspx%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERob%3CBR%20%2F%3ELos%20Gallardos%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%20color%3D%22%23006400%22%3EMicrosoft%20Power%20Automate%20Community%20Super%20User%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2049817%22%20slang%3D%22en-US%22%3ERe%3A%20Look%20Book%20Provisioning%20NOT%20restricted%20to%20tenant%20admins.%20HUGE%20PROBLEM.%20HELP!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2049817%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11513%22%20target%3D%22_blank%22%3E%40Lisa%20Stebbins%3C%2FA%3E%26nbsp%3Byou%20are%20correct%20that%20sites%20created%20with%20the%20Look%20Book%20templates%20need%20tenant%20admin%20permissions(apart%20from%20those%20few%20education%20ones%20that%20don't).%20But%20a%20standard%20communications%20site%20with%20the%20basic%20sections%20and%20web%20parts%20can%20be%20built%20by%20any%20user%2C%20either%20from%20the%20far%20top%20left%20of%20the%20SharePoint%20homepage%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2Fsharepoint.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2Fsharepoint.aspx%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22createSite.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F245298iC0C847D21543F2B8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22createSite.png%22%20alt%3D%22createSite.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eor%20by%20going%20to%20the%20following%20link%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2FCreateGroup.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fcapita.sharepoint.com%2F_layouts%2F15%2FCreateGroup.aspx%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERob%3CBR%20%2F%3ELos%20Gallardos%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%20color%3D%22%23006400%22%3EMicrosoft%20Power%20Automate%20Community%20Super%20User%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

I don't know if this is the right forum for this but I have just learned that, while the LookBook website indicates that only tenant admins are to be able to create sites using the templates, an E3 licensed user with no admin roles just created his own Comm site without any issue or assistance and I, as the SharePoint and TEAMS administrator had no idea he did so. 

 

Our company has strict rules about who can create along with naming conventions, etc. to follow when creating and he was able to bypass ALL of it. I'm not faulting the user, I am faulting Microsoft's verbiage and/or security. Either the website is erroneous when it says only admins can create/use the templated or there is a security/management breach going on for this. 

 

I am VERY concerned at what this means for our company: it will be Pandora's Box is a blink of an eye.

 

Please, would someone please explain what is going on and how I can stop this from being something anyone in my tenant can do?  QUICK!

4 Replies

@Lisa Stebbins you are correct that sites created with the Look Book templates need tenant admin permissions(apart from those few education ones that don't). But a standard communications site with the basic sections and web parts can be built by any user, either from the far top left of the SharePoint homepage at https://capita.sharepoint.com/_layouts/15/sharepoint.aspx 

createSite.png

 

or by going to the following link: https://capita.sharepoint.com/_layouts/15/CreateGroup.aspx


Rob
Los Gallardos
Microsoft Power Automate Community Super User

Thank you for responding Rob. The kicker is that, for our tenant, the ability to create a SP site, TEAM, etc. has been disabled at the tenant level and the ability to create has been assigned to certain users in our IT department.....only. But, it turns out, even with that disable, our users are able to create a website using a Look Book template even though they have not been granted any sort of tenant admin role.

This setting that we've chosen, along with Microsoft's statement that only 'tenant admins' can create via the Look Book should stop everyone from being able to create anything except for the select few. It stops everything except the Look Book. I need the Look Book to only be created by a tenant admin, as it states.

I need a fix asap!

@Lisa Stebbins 

Hi Lisa,
I am not sure if this can solve your issue or opens up even worse issues.
I meant to just publish my own questions on the Lookbook when I saw your post
and i am not yet 100% on top of the topic.

I think you can prohibit your users provisioning apps through the lookbook, by not allowing them to register apps in Azure AD - user settings - Users can register application set to No

To provision a site with the lookbook you need to an app called SharePoint.PnP.ProvisioningApp.

When the first user tried to provision a site from the Lookbook, this App is given permissions in your tennant. Often this is done by a Global Admin, since only he has the role to register this App with the Azure AD. He will get a permission request as shown in the attached picture.

I think if he checks the check box in the bottom, this is now available for all your users.
Also this would allow your users further provision web sites with the lookbook.

the Global Admin should manuall give some SPO Admins these permissions in Azure AD - Enterprise Applications. Here you should find the SharePoint.PnP App.

What really bothers me is the amount of rights, this App requests:

- Have full control of all site collections

- Send mail as you.

- Sign you in and read you profile

- ....

And i cannot even be sure if this App is from Microsoft. This is not signed. The T&Cs are empty....

So currently we only use the Lookbook in our Test Tenant but not in production.PnP.jpgPnP2.PNG

 

 

best response confirmed by Lisa Stebbins (Contributor)
Solution

@franckma 

Here's what worked for me, thanks to Beau Cameron in another post:

 

Sounds like when you or another tenant admin used the Lookbook previously, you consented the application "on behalf of the organization". What this means is essentially a Tenant Admin has approved this application for use and the permissions required by this application. I have attached the image of the check box you checked.

I do not think you meant to click this checkbox. When you provision using a tenant admin account, you do not need to select this box. As a result, the other users in your environment can now provision through the lookbook because you provided the consent. 

What you will need to do is....
1. Go to the Azure Portal to your Azure Active Directory settings
2. Go to Enterprise Applications
3. Locate SharePointPnP.ProvisioningApp.Tenant
4. Select Properties on the left
5. Delete this application

The next time you or a tenant admin use the Lookbook, do not consent on-behalf of your organization.