Current launch blocker action sheet
This is the shortest owner/admin path from today's blocked state to the next verifiable launch step.
Top blocker: SharePoint List creation permission is still required: Azure CLI cannot request Sites.Manage.All directly; use a RaveFocus-owned app registration or PnP consent path
Sign-in refresh proof: outputs/microsoft-signin-refresh-runbook.html
Retry proof: outputs/microsoft-retry-check-report.html
PnP app ID: 31359c7f-bd7e-475c-86db-fdb8c937548e
Graph List proof: outputs/sharepoint-graph-list-creation-report.html
Graph permission path proof: outputs/sharepoint-graph-permission-path-report.html
Graph token finding: token is missing Sites.Manage.All, which Microsoft Graph requires to create SharePoint Lists
Recommended permission path: Azure CLI cannot request Sites.Manage.All directly; use a RaveFocus-owned app registration or PnP consent path
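A preflight for the Graph token finding above, as an added example that is not one of the project's own helpers: it decodes an access token's payload and reports whether `scp` (delegated) or `roles` (application) carries one of the permissions that action 3 in the table below names. The function names and sample tokens are constructed for illustration, and the decode is diagnostic only, with no signature verification.

```javascript
// Added example: diagnostic preflight, not an authorization check.
// The payload is decoded WITHOUT verifying the signature.
const REQUIRED_ANY = ['Sites.Manage.All', 'Sites.ReadWrite.All']; // permissions named in action 3

function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Delegated permissions arrive as a space-separated "scp" string,
// application permissions as a "roles" array.
function grantedPermissions(claims) {
  const delegated = typeof claims.scp === 'string' ? claims.scp.split(/\s+/).filter(Boolean) : [];
  const application = Array.isArray(claims.roles) ? claims.roles : [];
  return [...new Set([...delegated, ...application])];
}

function preflightListCreation(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const granted = grantedPermissions(claims);
  const matched = REQUIRED_ANY.filter((p) => granted.includes(p));
  const reasons = [];
  if (matched.length === 0) reasons.push(`token is missing ${REQUIRED_ANY.join(' or ')}`);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) reasons.push('token is expired');
  return { ok: reasons.length === 0, matched, granted, reasons };
}

// Builds an unsigned, constructed sample token for offline runs (not a real credential).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed`;
}

// Constructed case resembling the blocked state: a delegated token without the List permission.
const sample = makeSampleToken({ scp: 'User.Read Sites.Read.All', exp: 4102444800 });
console.log(preflightListCreation(sample));
```

Run it against the token the chosen path produces before the first List retry; a non-empty `reasons` array means the create call would fail the same way the 403 report describes.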
Action Order
| # | Lane | Status | Action | Link / command | Proof needed | Stop if |
|---|---|---|---|---|---|---|
| 1 | microsoft sign-in tenant admin / owner | ready | Refresh the Microsoft/Azure tenant session with the guarded helper, then rerun the retry check before admin consent or List creation. | npm.cmd run reauth:microsoft -- -Apply -RunRetryAfter | outputs/microsoft-signin-refresh-runbook.html and outputs/microsoft-retry-check-report.html show Graph token probe passed and zero failed retry steps. | The tenant is not ravefocus.onmicrosoft.com, the account is not tenant admin/owner, Azure CLI is not signed in, or the helper requests sensitive info. |
| 2 | sharepoint permission tenant admin / owner | blocked: admin consent required | Approve the PnP SharePoint admin consent request for the RaveFocus tenant, or use the tenant-owned PnP ClientId path in the admin consent runbook if the legacy app ID is not installed. | https://login.microsoftonline.com/ravefocus.onmicrosoft.com/adminconsent?client_id=31359c7f-bd7e-475c-86db-fdb8c937548e | The next task requests retry no longer returns AADSTS700016 and the task requests List is created or already exists. | The consent screen is not for the listed PnP app ID, the tenant is not ravefocus.onmicrosoft.com, you are not the tenant admin/owner, or the Microsoft retry check still has failed steps. |
| 3 | graph list permission tenant admin / owner | blocked: Graph create returned 403 | Use the Azure/Graph List creator only with a token that has Microsoft Graph Sites.Manage.All or Sites.ReadWrite.All. Because Azure CLI cannot request Sites.Manage.All directly here, prefer the RaveFocus-owned app-token path or PnP consent path in the admin runbook. | npm.cmd run bootstrap:sharepoint-graph-app -- -Apply | outputs/sharepoint-graph-permission-path-report.html shows an approved token path, then outputs/sharepoint-graph-list-creation-report.html shows task requests was created or already existed with zero Graph errors. | The report still shows 403 Forbidden, the tenant/account is wrong, or the command would create more than the scoped task requests List. |
| 4 | safe first retry admin | blocked: admin consent still required | Retry only the task requests List. Do not create every List until this first retry succeeds. | powershell -NoProfile -ExecutionPolicy Bypass -File launch\create-sharepoint-lists-from-templates.ps1 -ListName "task requests" -AuthMode DeviceLogin -Tenant ravefocus.onmicrosoft.com -Apply | outputs/sharepoint-first-list-apply-attempt.html shows task requests completed, then outputs/sharepoint-after-consent-unblock.csv updates. | The retry still says admin consent required or task requests is not created correctly. |
| 5 | sharepoint lists/forms admin | 0/15 worker Lists found | Create worker-facing Lists first, verify every NewForm URL, then sync IDs. | outputs/sharepoint-list-build-order.html | live form verification CSV, SharePoint ID sync report, and Microsoft ID reconciliation report update from missing to synced. | Any worker-facing List or NewForm URL is missing. |
| 6 | planner premium admin / Jupiter | 0/7 Premium IDs captured | Create the seven Planner Premium plans and capture actual Premium plan IDs/URLs without replacing dispatch IDs. | outputs/planner-premium-owner-action-sheet.html | Planner Premium post-setup shows 7/7 Premium IDs and URLs captured. | A Premium plan is missing, fields are wrong, or website dispatch task IDs would be replaced. |
| 7 | power automate admin | 0/9 flow IDs captured | Build the nine proof-safe Power Automate flows after SharePoint Lists exist. | outputs/power-automate-owner-action-sheet.html | Power Automate post-setup shows 9/9 flow IDs and tested run proof links captured. | A trigger List does not exist or a flow would expose private records. |
| 8 | auth + worker privacy admin | prepared; not enforced | Keep auth prepared but not enforced until Lists, IDs, flows, and role assignments are ready for testing. | outputs/auth-owner-action-sheet.html | Worker account can access worker areas only; admin can access setup evidence; signed-out user cannot access operational data. | Workers can see admin-only outputs, private records, or another worker's profile/task information. |
Guardrails
- do not switch forms live until final preflight has zero blocked gates
- do not invite workers while worker-facing Lists are missing
- do not replace preserved Planner dispatch task IDs with Premium plan IDs
- capture setup metadata only; no passwords, payment data, private records, ID photos, recovery codes, or payout settings
- no proof = no payout; no assigned task = not payable