1. Introduction
1.1 Purpose of the Document
This article aims to present the technical and security prerequisites for
the installation, updating, and use of the Jint solution, as well as the installation procedure.
The installation steps must be followed by a person who is an Entra ID administrator and
global administrator.
1.2 Architecture of the Jint Solution
The Jint solution consists of:
- A set of SharePoint packages,
- A management back office, called the Jint Configurator throughout this document,
in the form of a Web application whose authentication relies on your Microsoft account,
- A set of APIs whose authentication relies on your Microsoft account.
1.3 Deployment of Packages
Jint extends the features of Microsoft SharePoint. To do this, we deploy
packages in your SharePoint environment. These deployments occur automatically
each time we publish a new version of them.
2. List of Prerequisites
2.1 Summary
Here is a summary of the prerequisites for each component. They are detailed in the following sections.
2.1.1 At the SharePoint Level
- Administrator access to the app catalog:
  - Approval of an Entra ID application, Jint Deployment, requesting the
    Sites.Selected application permission.
- Approval of necessary Microsoft API calls
- Approval of necessary Jint API calls
2.1.2 At the Entra ID Level
- Approval of 5 Entra ID applications:
- Jint Deployment
- Jint Configurator
- Jint Administration
- Jint Site Engine
- Jint Contribution Center
2.1.3 At Your Network Security Level
Add the addresses of Jint services to your allowed address list
2.2 Deployment of SharePoint Packages
In order to deploy the SharePoint packages, our deployment automation requires
administrator rights to the app catalog, as Microsoft does not offer more granular rights. These
rights must be granted to our Entra ID application, Jint Deployment.
2.3 Approval of Microsoft API Calls
Furthermore, to function properly, our components call Microsoft APIs on
behalf of the user. Therefore, a set of Microsoft API call permissions must
be approved on your SharePoint tenant:
- Calendars.Read
- Calendars.ReadWrite
- Group.Read.All
- ChannelMessage.Send
- Mail.Read
- Sites.Read.All
- User.Read.All
- User.ReadBasic.All
- Tasks.ReadWrite
- Team.ReadBasic.All
- Access_as_user
If these permissions have not already been approved, they must be approved once the Jint packages are deployed.
3. Installation Steps
Once the previous prerequisites have been validated, the installation steps are as follows:
- Preparation of the SharePoint tenant,
  Performed by the Global Administrator of the Client
- Approval of applications necessary for the proper functioning of Jint,
  Performed by the Entra ID Administrator and Global Administrator of the Client
- Communication of necessary installation information to Jint,
  Performed by the Client or Integrator
- Deployment of the solution by Jint,
  Performed by Jint
- Approval of Microsoft API calls.
  Performed by the Global and Entra ID Administrators of the Client
- Authorization of Jint service addresses
  Performed by the Network Administrator of the Client
Except for step 4, these steps are to be carried out by the Client. At the end of these steps, the Jint solution
is usable by the Client and their Integrator.
3.1 Preparation of the SharePoint Tenant
Access level required for this step: Global Administrator.
Preparing your SharePoint tenant involves ensuring the creation of the global app catalog.
With a SharePoint administrator account, access the SharePoint admin console:
https://www.<your-tenant>-admin.sharepoint.com/
In the "More Features" menu, click the "Open" button in the
"Apps" section:
3.2 Consent for Applications for the Configurator and Jint APIs
Access level required for this step: Entra ID Administrator.
To allow the Configurator and our APIs to authenticate your collaborators, you must approve
the following applications by clicking on the corresponding links:
| Application |
| Mozzaik365 Deployment |
| Mozzaik365 Configurator |
| Mozzaik365 Administration |
| Mozzaik365 Site Engine |
| Mozzaik365 Contribution Center |
Here is the description of each application:
- Jint Deployment is the application that performs installations and updates
  of the Jint solution on your Tenant. You will grant it
  administrator rights on the app catalog to deploy the SharePoint packages.
- Jint Configurator is Jint's back office. It allows you
  to administer the solution. It requests delegated permissions to identify
  the user accessing the Configurator and to configure Microsoft audiences:
  - User.Read
  - GroupMember.Read.All
- Jint Administration enables the features of the "Unified
  Experience". It requests the following delegated permissions:
  - User.Read
  - SharePoint AllSites.FullControl
- Jint Site Engine offers to duplicate and create fully populated sharing spaces
  from a template. It requests delegated permissions:
  - User.Read
  - SharePoint AllSites.FullControl
  - SharePoint TermStores.Read.All
- Jint Contribution Center allows you to create and share your content more simply and efficiently:
  - User.Read
  - SharePoint AllSites.FullControl
Delegated permissions are permissions that allow an application to access certain
Microsoft 365 domains on behalf of a user. They enable Jint to display
all relevant information for each user. More information on delegated
permissions is available here.
3.3 Granting Permissions to the App Catalog
Granting permissions to our Entra ID application is done only via a set
of Microsoft Graph API calls. We offer you a downloadable PowerShell script here to more easily perform all these calls. This script will grant administrator rights to our Jint Deployment application on your app catalog. During its execution, you will be prompted to log in with a SharePoint administrator account. The script requires the delegated permission Sites.FullControl.All to grant the permission.
Once the archive is downloaded, extract the script to the folder of your choice. Then open a
PowerShell command prompt and drag and drop the extracted file into the command prompt. Copy
and paste the app catalog URL after the script path and press Enter.
The executed command should be in the following form:
CreateAzureAdAppPermissionOnSites.ps1 <App catalog site URL>
Reminder: You can find the app catalog URL by going to the SharePoint Admin Center > More Features > Apps (Open).
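To confirm what the script granted, the following added example (not Jint's script and not part of the original article) lists the application permissions recorded on the app catalog site through Microsoft Graph. It assumes the Microsoft.Graph.Authentication module is installed; the parameter name $CatalogUrl is hypothetical.

```powershell
# Added example: audit application permissions on the app catalog site.
# $CatalogUrl is a placeholder, e.g. https://<your-tenant>.sharepoint.com/sites/<app-catalog>
param(
    [Parameter(Mandatory)] [uri] $CatalogUrl
)

# Reading site permissions needs the same delegated scope the grant script uses.
Connect-MgGraph -Scopes 'Sites.FullControl.All'

# Resolve the site by hostname and server-relative path to obtain its Graph site id.
$sitePath = $CatalogUrl.AbsolutePath.TrimEnd('/')
$site = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/sites/$($CatalogUrl.Host):$sitePath"

$base = "https://graph.microsoft.com/v1.0/sites/$($site.id)/permissions"
$list = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $base

$report = foreach ($p in $list.value) {
    # Read each permission individually so the roles are always populated.
    $full = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$base/$($p.id)"
    $identities = if ($full.grantedToIdentitiesV2) { $full.grantedToIdentitiesV2 }
                  else { $full.grantedToIdentities }
    foreach ($identity in $identities) {
        [pscustomobject]@{
            Application  = $identity.application.displayName
            AppId        = $identity.application.id
            Roles        = $full.roles -join ','
            PermissionId = $full.id
        }
    }
}

$report | Sort-Object Application | Format-Table -AutoSize
```

After the script has run, the Jint Deployment application should appear in this list; review any other application that holds a role on the app catalog.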
Common Error When Running the PowerShell Script
When running the CreateAzureAdAppPermissionOnSites.ps1 script, you may encounter the following error:
"cannot be loaded. The file is not digitally signed. You cannot run this script on the current system."
This means that the PowerShell execution policy on your machine blocks unsigned scripts. Here is how to fix it.
Option 1 — Unblock the File Specifically (Recommended)
This method targets only the downloaded script, without changing your system's global settings.
- Open PowerShell as Administrator
- Run the following command replacing the path with your script's path:
Unblock-File -Path "C:\path\to\CreateAzureAdAppPermissionOnSites.ps1"
- Then rerun the script normally.
Option 2 — Temporarily Change the Execution Policy
If option 1 does not work, you can allow the execution of local unsigned scripts for your session only:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
Then rerun the script in the same PowerShell window. This change applies only to the current PowerShell session and does not alter your user or global system settings.
Option 3 — One-time Execution Without Changing the Policy
For a one-time execution without any configuration changes:
powershell.exe -ExecutionPolicy Bypass -File "C:\path\to\CreateAzureAdAppPermissionOnSites.ps1" <App catalog URL>
⚠️ Note: These operations require an account with local administrator rights on the machine. If you do not have these rights, please contact your IT team.
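Before applying any of the three options, it is worth inspecting the downloaded file itself. The following is an added example, not part of the original article or of Jint's tooling; $ScriptPath and $ExpectedSha256 are hypothetical parameters, and since the article publishes no hash the expected value is assumed to come from your Jint contact.

```powershell
# Added example: inspect the downloaded script before relaxing the execution policy.
param(
    [Parameter(Mandatory)] [string] $ScriptPath,   # path to CreateAzureAdAppPermissionOnSites.ps1
    [string] $ExpectedSha256                       # placeholder: obtain out of band
)

$file = Get-Item -LiteralPath $ScriptPath

# Authenticode status: "NotSigned" corresponds to the error quoted above.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

# Mark of the Web: a Zone.Identifier stream means Windows treats the file as downloaded.
$motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
            -ErrorAction SilentlyContinue

# SHA-256 of the file, to compare with the value supplied by the vendor.
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

[pscustomobject]@{
    File            = $file.FullName
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    MarkOfTheWeb    = [bool]$motw
    Sha256          = $hash
    HashMatches     = if ($ExpectedSha256) { $hash -eq $ExpectedSha256 } else { 'not checked' }
    EffectivePolicy = Get-ExecutionPolicy
} | Format-List

# Policy per scope. MachinePolicy and UserPolicy are set by Group Policy and
# take precedence over anything set with Set-ExecutionPolicy.
Get-ExecutionPolicy -List
```

If MarkOfTheWeb is True, a RemoteSigned policy still refuses the unsigned script until the file is unblocked as in Option 1.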
3.4 Communication of Necessary Installation Information to Jint
Access level required for this step: Entra ID Administrator
To proceed with the installation of Jint, we need the following information:
- Information about your Entra ID/SharePoint tenant:
- Entra ID tenant ID,
- Initial name of the Entra ID/SharePoint tenant,
- URL of the app catalog site identified in chapter 3.2,
- List of emails of the Jint solution administrator users.
Once this information is collected, it must be communicated to your Jint contact.
In the following chapters, we detail where to find some of this information.
3.4.1 Information About Your Entra ID Tenant
Access the overview section of the Entra ID portal. The tenant ID is named "Client ID" in the interface:
For the initial tenant name, go to the “Custom domain names” menu and look
for the entry ending with “.onmicrosoft.com”. You can use the filter bar. The initial name of
your tenant is what precedes “.onmicrosoft.com”, “Jint” in the example below.
3.5 Deployment of the Solution by Jint
During this step, the Jint teams proceed with the initial deployment of the SharePoint packages,
as well as the initialization of your access to the Jint Configurator.
Once completed, you will be notified by your Jint contact.
3.6 Approval of Microsoft API Calls
Access level required for this step: SharePoint Administrator.
Go to the Advanced > API Access section in the SharePoint admin console, or
directly via the URL:
https://<your-tenant>-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement
then approve each pending request:
For more details on this step, please refer to Permission Approval.
3.7 Approval of Jint API Permissions
Allowing access to Jint APIs lets you use our services directly within SharePoint. These permissions are necessary to validate the user's identity and to act with these rights.
Required permission:
- API name: Jint Contribution Center
- Requested permission: Access_as_user
Optional permission:
- API name: Jint Translator
- Requested permission: user_impersonation
This authorization is only necessary for Translator features and is not required if you have not subscribed to this product.
Additional permission: approve access to Jint Translator in order to use our translation service. To learn how to authorize the permission, see the article Permission Approval.
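Once the requests from sections 3.6 and 3.7 are approved, the result can be checked against the list in section 2.3. The following added example is not part of the original article; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules, and that your tenant records API access approvals against the "SharePoint Online Client Extensibility Web Application Principal" service principal.

```powershell
# Added example: compare approved delegated scopes with those listed in this article.
$expected = 'Calendars.Read', 'Calendars.ReadWrite', 'Group.Read.All', 'ChannelMessage.Send',
            'Mail.Read', 'Sites.Read.All', 'User.Read.All', 'User.ReadBasic.All',
            'Tasks.ReadWrite', 'Team.ReadBasic.All', 'Access_as_user'
$optional = 'user_impersonation'   # only if Jint Translator is subscribed (section 3.7)

Connect-MgGraph -Scopes 'Directory.Read.All'

# Assumption: API access approvals are granted to this principal in your tenant.
$spfx = Get-MgServicePrincipal -Filter `
    "displayName eq 'SharePoint Online Client Extensibility Web Application Principal'"
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($spfx.Id)'" -All

# One row per approved scope, with the API (resource) it applies to.
$approved = foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) {
        [pscustomobject]@{
            Resource    = $resource.DisplayName
            Scope       = $scope
            ConsentType = $g.ConsentType
        }
    }
}
$approved | Sort-Object Resource, Scope | Format-Table -AutoSize

# Differences between what is approved and what the article lists.
$approvedScopes = @($approved.Scope | Where-Object { $_ } | Sort-Object -Unique)
$listed = $expected + $optional
[pscustomobject]@{
    ListedButNotApproved = ($expected | Where-Object { $_ -notin $approvedScopes }) -join ', '
    ApprovedButNotListed = ($approvedScopes | Where-Object { $_ -notin $listed }) -join ', '
} | Format-List
```

Scopes approved on this principal are usable by every SharePoint Framework solution deployed in the tenant, so entries under ApprovedButNotListed may belong to other packages rather than to Jint.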
3.8 Authorization of Jint Service Addresses
Access level required for this step: Network Administrator
This step is only necessary if you filter the addresses accessible from your Microsoft365 tenant. Using Jint will be impossible if you cannot access our services. If you filter allowed addresses, you need to add the following addresses and all their subdomains to your allowed address list:
Addresses:
- cdn-mozzaik.azureedge.net
- authentication-api-mozzaik.azurewebsites.net
- clientsettings-api-mozzaik.azurewebsites.net
- newshub-api-mozzaik.azurewebsites.net
- mozzaik365.net
Subdomains:
- cdn.mozzaik365.net
- config.mozzaik365.net
- translator.mozzaik365.net
- newshub.mozzaik365.net
- contribcent.mozzaik365.net
- api.mozzaik365.net
- clisettings.mozzaik365.net
Following our name change, you will also need to add the following addresses and subdomains:
Addresses:
- cdn-Jint.azureedge.net
- authentication-api-Jint.azurewebsites.net
- clientsettings-api-Jint.azurewebsites.net
- newshub-api-Jint.azurewebsites.net
- jint.io
Subdomains:
- cdn.jint.io
- config.jint.io
- translator.jint.io
- contribcent.jint.io
- newshub.jint.io
- api.jint.io
- clisettings.jint.io
4. Using the Jint Solution
Jint is properly configured and deployed on your Microsoft environment! You can
now build your Digital Workplace experience using our components and
features.
The Jint WebParts components allow you to meet business needs through
configurations. The same component, through its configuration, can cover different needs.
Feel free to consult the Jint documentation on our help center to discover our
features and the various solutions we enable you to implement!