Viva Engage MS Graph update into V2 #89

Open
wants to merge 14 commits into
base: alexc-msft/v2
2 changes: 1 addition & 1 deletion Architecture.md
@@ -6,7 +6,7 @@ The diagram below details the architecture of the Provision Assist solution and
graph TD
A(Canvas Power App) --> | Submit data | B[(SharePoint List)] --> C(Power Automate Approval Flow) --> D(Logic App) --> E(Entra ID App) <--> | Secret stored in Key Vault | F(Azure Key Vault) --> G{Type of collaboration space} --> |SharePoint Site| H[SharePoint REST API]
G --> | Office 365 Group | I(Microsoft Graph)
G --> | Viva Engage Community | J(Yammer REST API)
G --> | Viva Engage Community | J(Microsoft Graph)
I --> K(Azure Automation)
H --> K
J --> K
11 changes: 3 additions & 8 deletions Data-access-security.md
@@ -1,6 +1,6 @@
# Data Access & Security

The Provision Assist solution uses the **Microsoft Graph API**, **Yammer REST API** and the **SharePoint REST API** to perform provisioning of Groups, Sites, Teams and Yammer Communities.
The Provision Assist solution uses the **Microsoft Graph API** and the **SharePoint REST API** to perform provisioning of Groups, Sites, Teams and Viva Engage Communities.

Provisioning is carried out using an **Entra ID App Registration** which has the required permissions to the Microsoft Graph API assigned to it. For the most part **Application Permissions** are used with one exception - the application of sensitivity labels.
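Review bot: the rewritten sentence drops the Yammer REST API, but nothing on this security page says that the Yammer developer token path has been retired. Readers of "Data Access & Security" who previously generated that token will look for exactly that. Suggest a one-line addition under the sentence, along the lines of "Viva Engage Communities are now created through Microsoft Graph using the app registration's Community.ReadWrite.All permission; no Yammer developer token is required", so the change in credential handling is explicit.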

@@ -27,6 +27,7 @@ The API permissions required for the Entra ID app are as follows:
| InformationProtectionPolicy.Read.All | Application | Read all published labels and label policies for an organization. |Used to syncronize sensivity labels in the tenant to a SharePoint list.|
| Sites.FullControl.All | Application | Have full control of all site collections. |Update the properties of provisioned SharePoint sites.|
| TeamsTemplates.Read.All | Application | Read all available Teams Templates |Used to read the teams templates in the tenant and syncronize them to a SharePoint list.|
| Community.ReadWrite.All | Application | Read and write all Viva Engage communities. |Used to create Viva Engage communities.|
| User.Invite.All | Application | Invite guest users to the organization |Used to invite guest users in Entra ID if they are requested.|
| User.ReadWrite.All | Application | Read and write to all users' full profiles |Used to update guest users in Entra ID if they are requested.|
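Review bot: the new Community.ReadWrite.All row is inserted between TeamsTemplates.Read.All and User.Invite.All, which breaks the table's alphabetical ordering (the surrounding rows run InformationProtectionPolicy, Sites, TeamsTemplates, User, User); move it above InformationProtectionPolicy.Read.All. More importantly, this is a new tenant-wide Application permission that existing V1 deployments will not have on their app registration, so the deployment guide should state that upgrading tenants must re-run createentraidapp.ps1 or add and consent this permission by hand before Viva Engage provisioning will work.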

@@ -38,10 +39,4 @@ The API permissions required for the Entra ID app are as follows:

In addition to the above, the Entra ID App must be registered as a **SharePoint add-in** and granted **Full Control permissions** to the SharePoint tenant.

This is required because, as part of the provisioning there is a check to see if a SharePoint site matching the URL already exists both as an active site but also in the tenant recycle bin.

### Viva Engage

For the Viva Engage functionality, an 'App' must be created in the Yammer 'Registered applications' page and a developer token generated.

The developer token is then stored in a variable in the main Logic App which is used for provisioning.
This is required because, as part of the provisioning there is a check to see if a SharePoint site matching the URL already exists both as an active site but also in the tenant recycle bin.
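Review bot: the deleted "### Viva Engage" section was the only place that documented where the Yammer developer token lived (a variable in the main Logic App), and the hunk replaces it with nothing. Two things are missing: a short replacement section stating that Viva Engage provisioning now authenticates with the same Entra ID app and Key Vault secret as the rest of the solution, and an upgrade note telling existing deployments to delete the old VivaEngageAppToken variable from the ProcessProvisionRequest logic app, since otherwise a still-valid Yammer token stays embedded in the workflow definition long after the code stops using it.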
106 changes: 28 additions & 78 deletions Deployment-guide.md
@@ -13,7 +13,7 @@ To begin, you will need:
- PowerShell 7 downloaded and installed - https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4.
- Azure CLI (Command Line Interface) - https://learn.microsoft.com/en-us/cli/azure/install-azure-cli.
- Firewall/Proxy configured to allow connectivity using the Azure CLI - please test the 'az login' cmdlet works before proceeding.
- Global Administrator (to execute the `createazureadapp.ps1` script and create/authorize the PnP app registration).
- Global Administrator (to execute the `createentraidapp.ps1` script and create/authorize the PnP app registration).
- A user account with **Owner** rights to the Azure Subscription that is also a SharePoint, Power Platform and Teams Administrator.
- A certificate (self-signed is ok) to use for Microsoft Graph and SharePoint REST API authentication (**Optional** as the deployment script will create a self-signed cert for you if preffered).
- App Registration for PnP PowerShell (see below).
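Review bot: the rename to `createentraidapp.ps1` here fixes a pre-existing mismatch, since step 3 of the app-registration section already showed `.\createentraidapp.ps1` as the command while its prose still said createazureadapp; worth grepping the repo for any remaining createazureadapp references (script file name, parameters.json comments, the V1 upgrade notes) so the two names do not coexist. Unrelated to the change but in the same hunk: "preffered" in the certificate bullet should be "preferred".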
@@ -122,7 +122,7 @@ The first step is to execute the dedicated script responsible for creating the E

1. Launch a PowerShell 7 window as an Administrator.
2. Navigate to the 'Scripts' folder.
3. Execute the createazureadapp script in the PowerShell window - ```.\createentraidapp.ps1```
3. Execute the createentraidapp script in the PowerShell window - ```.\createentraidapp.ps1```
4. Enter a name for the Entra ID app when prompted (**This must be the same name as the 'appName' parameter in the parameters.json file**).
5. Wait for the script to complete.

@@ -186,7 +186,7 @@ Approvals are now configured to use Power Automate Approvals tasks.
1. Create (OR use an existing) Microsoft Teams Team to use for the approval adaptive cards. You may wish to connect the **Provision Assist** SharePoint site (group) to a new Teams Team.
2. Create (OR use an existing) channel in the same team for the approval cards. This is where they will be posted.
3. Add the appropriate users that will approve requests to the team.
4. In the Teams client, click on the epilsis and select 'Get link to channel'.
4. In the Teams client, click on the elipsis and select 'Get link to channel'.

![Microsoft Teams get link to channel screenshot](/Images/LinkToChannel.png)
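Review bot: "elipsis" is still misspelled in the replacement line; the word is "ellipsis" (the "..." button in the Teams channel header).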

@@ -238,62 +238,42 @@ The approvals will now use adaptive cards in Teams. Please revisit this section

![Power Apps solution import success message screenshot](/Images/PASolutionImportSuccess.png)

The solution has now been imported, please proceed to the next step to configure the Power App.
The solution has now been imported.

## Step 6: Configure Provision Assist Power App

**At the time of writing there is known bug with Environment Variables in the Power Platform which causes them to remain connected to the source tenant. The Power App needs to be edited and re-pointed at the variables.**

Therefore this step of the deployment guide is only required while the bug remains, once the bug is fixed by the product team, this deployment guide will be updated.

1. Navigate to the Power Apps portal as the service account and click 'Apps' in the left pane, you should see the Provision Assist Power App.
2. Open the Power App in **Edit** mode.
3. Click 'Allow' to consent to the connections.
4. When the app opens in the studio, click the 'Data' icon in the left pane to bring up the data sources.
5. Click the elipsis next to each SharePoint list and click 'Remove'. Repeat this process for all SharePoint lists.

![Power App remove data sources screenshot](/Images/PARemoveDataSources.png)

6. Click the 'Add data' option from the Data pane and search for the SharePoint data sources.

![Power App add data source screenshot](/Images/PAAddDataSources.png)

7. Click on the SharePoint data source.
8. Select the SharePoint connection you created earlier.

![Power App select SPO data source screenshot](/Images/PASelectSPODataSource.png)

9. On the 'Connect to a SharePoint site' pane that appears, click 'Advanced' and select the 'Provision Assist SPO Site' environment variable.

![Power App connect to SPO site screenshot](/Images/PAConnectSPOSite.png)

10. In the 'Choose a list' pane, click 'Advanced' and select all list environment variables.

![Power App connect SPO lists screenshot](/Images/PAConnectLists.png)

11. Click 'Connect'.
12. Wait for the data sources to appear in the Data pane.
13. Save and publish the Power App using the icons in the top right.
14. Close the app.

## Step 7: Configure 'Run only users' for 'Check Space Availability' flow
## Step 6: Configure 'Run only users' for 'Check Space Availability' flow

In order for this flow to be executed from the Power App (when users are checking to ensure the availability of their desired collaboration space) by users, the 'Provisioning Requests' list needs to be added as a 'Run only user' for the flow.

This ensures that all users who have access to the list can execute this flow through the app.

**At the time of writing there is a known bug that prevents the selection of your SharePoint site and list UNTIL the flow is edited for the first time, please ensure you follow all the steps below.**

Follow the steps below to do this.

1. Navigate to the Power Apps portal as the service account.
2. Click 'Flows' in the left hand pane and locate the **Check Space Availability** flow.
3. Click on the flow.
4. Click 'Edit' next to 'Run only users'.
5. In the pane that appears, select the 'SharePoint' tab.
6. Select the Provision Assist site and 'Provisioning Requests' list in the drop downs beneath.
7. Set the values in the 'Connections Used' drop downs to use the connection from the owner of the flow.
4. Click 'Edit' in the top menu.
5. Click 'Save' in the top menu without making any changes.
6. Click the back arrow.
7. Click 'Edit' next to 'Run only users'.
8. In the pane that appears, select the 'SharePoint' tab.
9. Select the Provision Assist site and 'Provisioning Requests' list in the drop downs beneath.
10. Set the values in the 'Connections Used' drop downs to use the connection from the owner of the flow.

![Run only users screenshot](/Images/RunOnlyUsers.png)

## Step 7: Turn on 'Provisioning Request Approval' flow

The **Provisioning Request Approval** is turned off by default and needs to be turned on.

Follow the steps below to turn it on.

1. Navigate to the Power Apps portal as the service account.
2. Click 'Flows' in the left hand pane and locate the **Provisioning Request Approval** flow.
3. Click on the flow.
4. Click 'Turn on' in the top menu.

## Step 8: Share Power App, Flows and SharePoint site

Before Provision Assist can be rolled out, the Power App and SharePoint site need to be shared with all users to will submit requests.
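Review bot: the new 'Run only users' steps grant every user with access to the 'Provisioning Requests' list the ability to trigger 'Check Space Availability' using the flow owner's connections (step 10: "use the connection from the owner of the flow", i.e. the service account), but the guide never says which connections that flow holds or what it can reach with them. Add a sentence stating what the flow does with the owner's connection (the text only says it checks availability of a collaboration space) so admins can judge the exposure before sharing the list broadly. Two smaller points in the same hunk: the old Step 6 and its "known bug with Environment Variables" note are removed without saying the bug is fixed or from which Power Platform release, and the new Edit-then-Save workaround in steps 4 to 6 of the renumbered Step 6 should likewise say when it can be dropped; and the new Step 7 ("Turn on 'Provisioning Request Approval' flow") should mention that it can be skipped when auto approval is enabled in the optional Step 13.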
@@ -313,6 +293,8 @@ If you don't have a group you can add users individually or share with everyone
4. Choose whether or not to send an email invitation and click 'Share'.
5. The users will now have access to the Power App.

**Note:** Every user accessing the app for the first time will be prompted to consent to accessing the data sources. The user should click on 'Allow' to proceed. This can be bypassed by using the Power Apps admin PowerShell module. See [this documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/set-adminpowerappapistobypassconsent?view=pa-ps-latest) for more details. It is recommended to disable the consent popup using PowerShell before production deployment.

### Flows

Next, we will share the flows that are used by Provision Assist with admins that wish to view flow runs/edit the flows. This step is optional but will avoid the need to sign in with the service account when viewing flow runs. Repeat these steps for each flow.
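Review bot: the new consent-bypass note recommends running Set-AdminPowerAppApisToBypassConsent before production, but it should say what that actually changes: the cmdlet is scoped to a single app (it takes the app name), it is an admin-only operation, and once applied users are never shown which SharePoint connections the app uses on their behalf. That makes it a trust decision for the tenant admin rather than a cosmetic fix, and the note should frame it that way and say the app should be reviewed before the bypass is applied. Also, in the sentence above this hunk, "all users to will submit requests" should read "all users who will submit requests".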
@@ -416,39 +398,7 @@ The admins group is now set up and configured.

## Deployment of the solution is now complete and the app should be accessible in Teams.

## Step 13 (Optional): Enable provisioning of Viva Engage Communities

Provision Asssist includes the ability to provision Viva Engage Communities, this is disabled upon deployment because it requires an App to be registered through the Yammer Developer Center and a developer token to be generated.

To enable this functionality, please perform the following steps:

1. Ensure that Viva Engage is in Native mode. **Non-Native mode or Hybrid mode are not supported**.
2. Sign in with the service account.
3. Navigate to `https://www.yammer.com/client_applications` and click **Register New App** (You may need to sign into Viva Engage first).
4. Complete the required details, tick the box and click 'Continue'.

- Application Name: e.g. Provision Assist
- Organization: Your organization name
- Support e-amil: Email address of an appropriate person
- Website: Not used but requires a value e.g. Your public facing website address
- Redirect URI: Not used but requires a value e.g. Your public facing website address

![Register Viva Engage app screenshot](/Images/RegisterVEApp.png)

5. Once the app has been registered, click the 'Generate a developer token for this application' link.
6. Copy the token that is displayed as you will need it shortly.
7. Navigate to the Azure Portal (as a user with appropriate rights) and locate the **ProcessProvisionRequest** logic app.
8. Edit the logic app and update the value of the **VIvaEngageAppToken** variable with the token you copied earlier.

![Update logic app with Viva Engage token screenshot](/Images/UpdateLogicAppVEApp.png)

9. Save and close the logic app.
10. Navigate to the SharePoint site created as part of the deployment and locate the **Provisioning Types** list.
11. Edit the list item entitled **Viva Engage Community** and set the **Allowed** column to **Yes**.
12. Launch the Provision Assist Power App and complete a test request. Observe that the **Recommendation** step now displays an option to select a Viva Engage Community.
13. Viva Engage Community provisioning is now enabled.

## Step 14 (Optional): Enable auto approval (disabling approval process)
## Step 13 (Optional): Enable auto approval (disabling approval process)

If you do not wish to use the provided Power Automate approval process, you can enable 'Auto approval' through the 'Provisioning Request Settings' list.
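Review bot: removing the whole of the old Step 13 deletes more than the Yammer app registration. It also removes the requirement that Viva Engage be in Native mode ("Non-Native mode or Hybrid mode are not supported"), the instruction to set the **Allowed** column of the **Viva Engage Community** item in the **Provisioning Types** list to **Yes**, and the test-request step. If those still apply under the Graph implementation, keep a trimmed Step 13 that states the Native mode prerequisite and the list toggle; if Viva Engage provisioning is now enabled by default, say so explicitly, because the old text told admins it was disabled on deployment and upgraders will otherwise not know whether the feature is live in their tenant. Upgraders should also be told to clear the now-unused VivaEngageAppToken variable from the ProcessProvisionRequest logic app that this step used to populate.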
