MC718551 - Microsoft SharePoint: New Embedded Admin role impact

Message Center

Metadata at Feb 23, 2024

Published

Feb 23, 2024

Service

SharePoint Online

Tag

Feature update
Admin impact

Metadata changes

Tags
Admin impact, Feature update, Updated message (previously: Admin impact, Feature update)
End date
Jul 1, 2024 (previously Jun 14, 2024)

Body changes

Updated May 17, 2024: We have updated the content below with additional information on managing the assigned roles. 

Microsoft SharePoint Embedded, currently in Public Preview, is an API-only solution empowering app developers to leverage the file and document storage in Microsoft 365 to create line-of-business or multitenant applications. Microsoft Loop is an example of a SharePoint Embedded application.

We are introducing the SharePoint Embedded Administrator role, which will have the capability to manage various aspects of SharePoint Embedded applications and containers. This role will be available in the Microsoft 365 admin center. With the introduction of this new role, Global Administrators can continue to create and manage SharePoint Embedded applications. However, as of mid-March 2024, the SharePoint admin role will lose the ability to execute SharePoint Embedded application and container-specific cmdlets (outlined below) as we roll out the new role integration. After the rollout, only Global Administrators or SharePoint Embedded Administrators will be authorized to execute such cmdlets. Please track this document for the announcement of availability of the new SharePoint Embedded Administrator role in the Microsoft admin center.

[When this will happen:]

Public Preview: We will begin rolling out early March 2024 and expect to complete by late March 2024.

General Availability (previously Standard Release): We will begin rolling out mid-April 2024 and expect to complete by late May 2024 (previously early May).

[How this will affect your organization:]

Tenants creating SharePoint Embedded Applications

Admins who want to create a new container type through PowerShell cmdlets should be assigned the Global Administrator or the SharePoint Embedded Administrator role to be able to execute all the available SharePoint Embedded developer admin cmdlets, such as:

  • New-SPOContainerType 
  • Get-SPOContainerType
  • Set-SPOContainerType 

Admins who want to run the VS Code extension to create SharePoint Embedded container types should also be assigned the Global Administrator or the SharePoint Embedded Administrator role.

Tenants Registering SharePoint Embedded Applications for use

Admins who want to manage containers created on their tenants should be assigned the Global Administrator or the SharePoint Embedded Administrator role to execute all SharePoint Embedded consuming tenant admin cmdlets in PowerShell:

  • Get-SPOApplication
  • Set-SPOApplication (Future)
  • Get-SPOContainer
  • Set-SPOContainer
  • Remove-SPOContainer
  • Get-SPODeletedContainer
  • Restore-SPODeletedContainer
  • Remove-SPODeletedContainer

[What you need to do to prepare:]

The SharePoint Embedded Administrator role is now visible on Entra. Assign this new role to yourself to continue to use the container management cmdlets on PowerShell and access containers on the new UX that will be launched shortly. Please note that Global Administrators will continue to have access to the container management cmdlets as well as the UX for containers.

Alternatively, Global Administrators can assign the SharePoint Embedded Administrator role using the following PowerShell cmdlets:

> Install-Module Microsoft.Graph

> # Pass each scope as its own string
> Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All"

> # Object ID of the user who will receive the role
> $userId = "6bd30fc4-057c-409e-991b-a76fcd4510ab"

> # Role ID of the SharePoint Embedded Administrator role
> $roleId = "1a7d78b6-429f-476b-b8eb-35fb715fffd4"

> $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleId

> # Assign the role tenant-wide (directory scope '/')
> $roleassignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $userId

You may want to notify your users about this change and update any relevant documentation as appropriate.
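To find who is affected before assigning anything, the following read-only audit lists principals that hold the SharePoint Administrator role but neither of the two roles that keep access to the container cmdlets. It is an added example, not part of the Microsoft message; it assumes the Microsoft.Graph module is installed, that the built-in roles carry their default display names, and it only sees active direct assignments (members of role-assignable groups and PIM-eligible assignments are not expanded).

```powershell
# Added example: read-only audit, makes no changes to role assignments.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Role ID of SharePoint Embedded Administrator, as given in the message above.
$embeddedRoleId = "1a7d78b6-429f-476b-b8eb-35fb715fffd4"

# Resolve the other built-in roles by display name (assumed default names).
function Get-RoleId([string]$DisplayName) {
    (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'").Id
}
$spAdminRoleId = Get-RoleId "SharePoint Administrator"
$globalRoleId  = Get-RoleId "Global Administrator"

# Principal IDs with an active, direct assignment of the given role.
function Get-RolePrincipalIds([string]$RoleId) {
    Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$RoleId'" |
        Select-Object -ExpandProperty PrincipalId
}

# Principals that keep access to the SharePoint Embedded cmdlets after the rollout.
$covered = @(Get-RolePrincipalIds $embeddedRoleId) + @(Get-RolePrincipalIds $globalRoleId)

# SharePoint admins holding neither role lose the container cmdlets.
$affected = @(Get-RolePrincipalIds $spAdminRoleId) | Where-Object { $_ -notin $covered }

# Resolve each affected principal to a readable record for review.
foreach ($id in $affected) {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $id
    [pscustomobject]@{
        PrincipalId = $id
        Type        = $obj.AdditionalProperties['@odata.type']
        Name        = $obj.AdditionalProperties['displayName']
    }
}
```

Giving the affected admins the SharePoint Embedded Administrator role rather than Global Administrator keeps the assignment scoped to what the cmdlets require.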