1. Introduction

1.1 Purpose of the article

The purpose of this article is to outline the technical and security requirements for installing, upgrading, and using Jint, as well as to detail the installation process.

This documentation is specifically intended for tenant-level installations.

If you want to consult the guide for site collection–level installation, please consult this guide.

Note: The installation steps require both an Entra ID administrator and a Global administrator.

1.2 Architecture of the Jint solution

The Jint solution consists of:

• A set of SharePoint packages,
• A back-office, called the Jint Configurator in the following document, in the form of a web application whose authentication relies on your Microsoft account,
• A set of APIs that rely on your Microsoft account for authentication.

1.3 Packages deployment

Jint extends the functionality of Microsoft SharePoint. We do this by deploying packages to
your SharePoint environment. These deployments occur automatically each time we release a new
version.

2. List of prerequisites

2.1 Summary

Here is a summary of the requirements for each component. They are detailed in the following
sections.

2.1.1 At the SharePoint level

• Administrator access to the application catalog:
  • Approval of an Entra ID application, Jint Deployment, requesting the
    Sites.Selected application permission. 
• Approval of calls to Microsoft APIs
• Approval of calls to Jint APIS

2.1.2 At Entra ID level 

• Approval of 5 Entra ID applications:
  • Jint Deployment
  • Jint Configurator
  • Jint Administration
  • Jint Site Engine
  • Jint Contribution Center

2.1.2 Regarding your network security

Add the addresses of Jint services to your list of authorized addresses.

2.2 Deployment of SharePoint packages

In order to deploy SharePoint packages, our deployment automaton needs the administrator rights of
the application catalog, as Microsoft does not offer more detailed rights. These rights are to be given
to our Entra ID application, Jint Deployment.

2.3 Approvals for Microsoft API calls

In addition, in order to function properly, our components call Microsoft APIs on behalf of the user. To
do so, a set of permissions to call the Microsoft APIs will have to be approved on your SharePoint
tenant:

• Calendars.Read
• Group.Read.All
• ChannelMessage.Send
• Mail.Read
• Sites.Read.All
• User.Read.All
• User.ReadBasic.All
• Tasks.ReadWrite
• Team.ReadBasic.All
• Access_as_user

These permissions, if not already approved, will need to be approved once the Jint packages
are deployed

3. Installation steps

Once the previous requirements have been validated, the installation steps are as follows:

1. Preparation of the SharePoint tenant, 
   Performed by the Customer's Global Administrator
2. Approval of the applications necessary for Jint to function properly,
   Performed by the Customer's Entra ID Administrator
3. Communication of necessary installation information to Jint,
   Performed by the Customer or the Integrator
4. Deployment of the solution by Jint,
   Performed by Jint
5. Approval of calls to Microsoft APIs.
   Performed by the Customer's Global Administrator
6. Authorization of Jint service addresses 
   Performed by the Customer's Network Administrator.

Except for step 4, these steps are to be performed by the Customer. At the end of these
steps, the Jint solution is usable by the Customer and its Integrator.

3.1 Preparation of the SharePoint tenant

Required access level for this step: Global Administrator.

Preparing your SharePoint tenant consists of ensuring the global application catalog is created.

With a Global administrator account, access the SharePoint administration console:

https://www.<your-tenant>-admin.sharepoint.com/

In the "More Features" menu, click on the "Open" button in the "Applications" section:

The application catalog is created if it did not already exist. 

3.2 Application approval for Jint Configurator and APIs 

Required access level for this step: Entra ID Administrator.

In order to allow Configurator and our APIs to authenticate your collaborators, you must approve the
following applications by clicking on the corresponding links: 

• Jint Deployment is the application that performs installations and updates of
  the Jint solution on your Tenant. You will give it administrator rights to the
  application catalog to deploy SharePoint packages.
• Jint Configurator is the back office of Jint. It allows you to administer
  the solution. It requires delegated permissions to identify the user accessing the
  Configurator and to set up Microsoft audiences:
  • User.Read
  • GroupMember.Read.All
• Jint Administration enables the "Unified Experience" features. It
  requires the following delegated permissions:
  • User.Read
  • SharePoint AllSites.FullControl
• Jint Site Engine offers to duplicate and create full and filled shared spaces from
  a template. It requires delegated permissions:
  • User.Read
  •  SharePoint AllSites.FullControl
  • SharePoint TermStores.Read.All
• Jint Contribution Center allows you to create and share your content more simply and efficiently:
  • User.Read

  •  SharePoint AllSites.FullControl

     

Delegated permissions are permissions that allow an application to access a certain area of Microsoft 365 on behalf of a user. They allow Jint to display all relevant information for each
user. Learn more about delegated permissions.

3.3 Granting permissions to the application catalog 

The granting of permissions to our Entra ID application is only done through a set of calls to the Microsoft Graph API. We propose a PowerShell script that can be downloaded here to make all these calls more easily.

This script will grant administrator rights to our Jint Deployment application on your application catalog. When running it, you will be prompted to log in with a SharePoint administrator account. The script will need the Sites.FullControl.All delegated permission in order to grant permission.

Once you have downloaded the archive, you need to extract the script to the folder of your choice. Then open a PowerShell command prompt and drag and drop the extracted file into the command prompt. Copy and paste the URL to application catalog after the path to the script and press Enter.

The command executed should be of the following form:

CreateAzureAdAppPermissionOnSites.ps1 <App Catalog URL> 

3.4 Communication of the necessary information to Jint

Access level required for this step: Entra ID Administrator. 
In order to proceed with the installation of Jint, we need the following information:

• Information about your Entra ID/SharePoint tenant:
  • Entra ID tenant ID,
  • Initial name of the Entra ID/SharePoint tenant,
• URL of the application catalog site identified in chapter 3.2,
• List of Jint solution administrators' emails.

Once this information has been collected, you must communicate it to your Jint contact.
In the following chapters, we detail where to find some of this information.

3.3.1 Information about your Entra ID tenant 

• Go to the Entra ID administrator center section of the Entra ID portal.
• The tenant ID is named "Tenant ID" in the interface:

For the initial name of the tenant,  go to the "Custom Domain Names" menu and look for the entry
ending in ".onmicrosoft.com". You can use the filter bar. The initial name of your tenant is what comes
before ".onmicrosoft.com". It is “Jint” in the example below. 

3.5 Deployment of the solution by Jint 

During this step, Jint teams proceed with the initial deployment of SharePoint packages, as
well as the initialization of your Jint Configurator. Once completed, you will be notified by your
Jint contact. 

3.6 Approval of calls to Microsoft APIs

Required access level for this step: Global Administrator 
 

Go to Advanced API Access in the SharePoint Admin Console, or directly via the URL: 

https://<your-tenant> -admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement 

Then approve each of the pending requests: 

For more details about this step, consult Permission approval.

3.7 Approval of Jint APIs Calls