Create PowerSyncPro Entra ID App Registration
Automate your PowerSyncPro Entra ID app registration with the correct permissions for your deployment scenario
Written by Neil Langston
Updated at April 17th, 2026
Table of Contents
Creating the PowerSyncPro Entra ID App Registration
PowerSyncPro uses a Microsoft Entra ID app registration to authenticate and interact with your tenant. This registration defines what PowerSyncPro is permitted to read or modify, and provides the credentials used to establish the connection. Depending on your deployment — whether you are synchronising directories, migrating workstations, or both — the permissions required will differ between your source and target tenants.
The CreatePSPEntraIDApp.ps1 script automates this setup end-to-end. It creates the app registration with the correct permissions for your scenario, grants admin consent, and outputs the credentials you need to configure the Entra ID directory endpoint in PowerSyncPro.
Requirements
- PowerShell 5.1 or later (PowerShell 7 recommended)
- A user account with Global Administrator or Application Administrator rights in the target tenant
- Internet access (the script uses device code authentication — no password is typed into the script)
- The
Microsoft.GraphPowerShell module v2.28.0 or later — installed automatically if missing or out of date
Before You Run
You will need the Tenant ID (GUID) of the tenant you want to create the app registration in. You can find this in the Azure portal under Microsoft Entra ID > Overview.
Usage
Interactive Mode
Run the script without any parameters and it will guide you through the setup:
.\CreatePSPEntraIDApp.ps1
You will be prompted for:
- Tenant ID — the GUID of the tenant to create the app in
- Permission set — determined via a short interview (up to three questions)
-
Confirmation — review a summary of what will be created and type
CREATEto proceed
đź’ˇUtilizing a GCC High Tenant?
For US Government tenants, add -CloudEnvironment GCCHigh to route authentication to the correct government endpoints:
.\CreatePSPEntraIDApp.ps1 -CloudEnvironment GCCHighđź’ˇAdministering PowerSyncPro from outside the server?
If you plan on administering PowerSyncPro from outside the server itself (e.g. not using http://localhost:5000) you should provide the proper URL with the -RedirectURI flag.
.\CreatePSPEntraIDApp.ps1 -RedirectURI "https://psp.contoso.com/redirect"Headless Mode
If you already know the correct permission set, supply -TenantID and -PermissionSet together to skip all prompts. This is useful for automation or repeated deployments.
| Parameter | Required | Default | Description |
|---|---|---|---|
-TenantID |
No | — |
GUID of the target tenant If not set, the script will prompt for a Target Tenant ID. |
-PermissionSet |
No | — |
One of: If not set, the script will ask interview questions to determine the proper set of permissions. |
-CloudEnvironment |
No | Commercial |
One of: Commercial, GCCHigh, DoD
|
-RedirectURI |
No | http://localhost:5000/redirect |
Only change if administering PSP from outside the local server |
Example:
.\CreatePSPEntraIDApp.ps1 -TenantID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -PermissionSet DirSyncHP
.\CreatePSPEntraIDApp.ps1 -TenantID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -PermissionSet DirSyncRO -CloudEnvironment GCCHighChoosing the Right Permission Set
When running interactively, the script asks up to three questions to determine the correct permission set for your deployment:
Is this a SOURCE or TARGET tenant?
│
├── SOURCE
│ └── DirSync or Workstation Migration only?
│ ├── DirSync
│ │ └── Does this source need write permissions?
│ │ ├── Read-only → DirSyncRO
│ │ └── Read/write → DirSyncHP
│ └── Migrations only → MigrationAgentSource
│
└── TARGET
└── DirSync or Workstation Migration only?
├── DirSync → DirSyncHP
└── Migrations only → MigrationAgentTarget
đź’ˇDo you need Read or Write?
If a tenant is used for both DirSync and workstation migration, select DirSync — it is the superset. For source tenants with DirSync, select Read/write only if this tenant also receives changes (bidirectional sync).
Permission Sets
| Profile | App Registration Name | Graph Permissions | Exchange | BPRT |
|---|---|---|---|---|
MigrationAgentSource |
Migration Agent Source (Read Only) |
Device.Read.All Domain.Read.All User.Read.All
|
No | No |
MigrationAgentTarget |
Migration Agent Target (Read Only) |
Domain.Read.All User.Read.All
|
No | Yes |
DirSyncRO |
DirSync (Read Only) |
Device.Read.All Domain.Read.All Group.Read.All GroupMember.Read.All User.Read.All
|
Yes | No |
DirSyncHP |
DirSync (Highly Privileged) |
Domain.Read.All Group.Create Group.ReadWrite.All GroupMember.ReadWrite.All User.Invite.All User.ReadWrite.All
|
Yes | Yes |
All app registration names are prefixed with “PowerSyncPro -”. Exchange indicates full_access_as_app. BPRT indicates the self_service_device_delete delegated scope.
đź’ˇThe Directory.Read.All Permission
By default, our automated application registration script does not include the Directory.Read.All permission. In accordance with the principle of least privilege, we omit this assignment because it is a very wide-reaching privilege (granting read access to policies, settings, applications, and service principals) and the vast majority of deployments will never use it.
When do you need it? You only need to manually add the Directory.Read.All application permission to your Entra App Registration if you specifically require PowerSyncPro to read and sync custom directory extensions within Entra ID. If this applies to your project, you can add it manually and grant admin consent via the Microsoft Entra admin center after the script completes.
What the Script Does
- Checks whether
Microsoft.Graphv2.28.0+ is installed, and installs or updates it automatically if not - Connects to the target tenant using device code authentication (no credentials are stored in the script)
- Resolves Graph permission IDs dynamically from the live tenant
- Checks for an existing app registration with the same name and prompts before creating a duplicate
- Creates the app registration with the correct API permissions, redirect URI, and branding URLs
- Creates the service principal and grants admin consent for all required roles
- For BPRT-enabled profiles, verifies that the Microsoft.Azure.SyncFabric (ID 00000014-0000-0000-c000-000000000000) and Microsoft Intune Enrollment (ID d4ebce55-015a-49b5-a083-c84d1797ae8c) service principals exist in the tenant, creating them if missing
- Generates a client secret
- Applies a service principal lock to protect the app registration's credentials from accidental modification
- Checks whether the authenticated account is from a federated domain and warns you if BPRT generation may be affected
Output
On success, the script displays:
Application Name : PowerSyncPro - DirSync (Highly Privileged)
Permission Set : DirSyncHP
Cloud Environment: Commercial
Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Application ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Redirect URI : http://localhost:5000/redirect
Use the Tenant ID, Application ID, and Client Secret to configure the Entra ID directory endpoint in PowerSyncPro.
⚠️Important - Copy the Secret
Copy the Client Secret before closing the window — it cannot be retrieved again after the session ends. Do not share any of these values with PowerSyncPro Support.
Additional Notes for Device Migrations (Bulk Enrollment Token / BPRT)
Permission sets that include BPRT (MigrationAgentTarget, DirSyncHP) enable the bulk device enrolment token feature. When using this feature, be aware of the following:
Access URL: When generating a Bulk Enrolment Token (BPRT) in the PowerSyncPro interface, you must access the application via http://localhost:5000 (or the base URL matching your redirect URI). Using a different URL will cause the BPRT generation to fail. If you are administering PowerSyncPro remotely, ensure you supply the correct URL using the -RedirectURI flag when running the script so that the redirect URI registered in Entra matches the address you are browsing from.
Account requirements: The account used to generate the BPRT must meet the following Microsoft requirements:
- Must not be a federated account — the script will warn you if the account used to run it is federated
- Must not be passwordless or use a Temporary Access Pass (TAP)
- Must be permitted to join devices to Entra AND included in the Intune MDM user scope for automatic enrollment
- Must hold one of: Cloud Device Administrator, Intune Administrator, Password Administrator, or Global Administrator
The app registration itself will be created successfully regardless of federation status — a qualifying non-federated account is only required at the point of generating the BPRT, not for running this script.