Zetifi Marshal

SharePoint access setup

For the IT admin / MSP. In your tenant you will:

Grant the Zetifi Marshal app (one Zetifi-hosted, multi-tenant app) Sites.Selected access to a single SharePoint site.
Add the managers who will use Zetifi Marshal to that site.
That single site is the entire footprint Zetifi Marshal can ever have in your tenant.

Marshal Worker Safety · App ID f4338464-42c7-468e-97f5-762060ccf74b · v1.0 · 2026-06-15

Before you start

Role:

An admin, for the app consent (step 3) and the site grant (step 4).

Tools, either:

PowerShell 7 with the PnP.PowerShell module, or
Azure Cloud Shell at shell.azure.com (nothing to install).

Time:

About 15 minutes.

Not in scope here (the customer's managers do these with Zetifi):

The Zetifi Marshal Console, lists, adding and inviting workers.
Telematics and the worker app.

Do this

Create (or pick) a SharePoint site for Zetifi Marshal

A dedicated Team site is cleanest, for example https://YOUR-TENANT.sharepoint.com/sites/marshal. Reusing an existing site is fine. Note the full site URL, you'll need it twice below.
Add the Zetifi Marshal managers to that site as Members (Edit)

The people who will run Zetifi Marshal day to day sign in to the Console with these accounts and need write access to the site. Read-only is not enough.
Grant tenant admin consent to the Zetifi Marshal app

Signed in as an admin, open this consent link (same for every customer) and click Accept:
https://login.microsoftonline.com/organizations/adminconsent?client_id=f4338464-42c7-468e-97f5-762060ccf74b
This grants the app, for your whole org, three Microsoft Graph permissions:
- Sites.Selected (Delegated), for managers in the Console.
- Sites.Selected (Application), for Zetifi's server-to-server writes.
- User.Read, for sign-in.
On its own it reaches no data; the site grant below is what scopes it to one site.
Grant the app access to the one site

In PowerShell 7 or Azure Cloud Shell, run these in order.

4a. Set your site URL.
```
$SiteUrl = "https://YOUR-TENANT.sharepoint.com/sites/marshal"
```
4b. Create the PnP sign-in app (one time per tenant), and note the Client Id it prints.
```
Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "PnP PowerShell" `
  -Tenant ([System.Uri]$SiteUrl).Host.Replace(".sharepoint.com",".onmicrosoft.com")
```
4c. Connect with that Client Id, then grant Zetifi Marshal the Manage role.
```
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId <PNP-CLIENT-ID>
Grant-PnPAzureADAppSitePermission `
  -AppId f4338464-42c7-468e-97f5-762060ccf74b `
  -DisplayName "Zetifi Marshal" `
  -Site $SiteUrl `
  -Permissions Manage
```
Use Manage, not Write. Zetifi Marshal creates its own lists on first use, which needs Manage; Write would let row data through but fail list creation. The Register-... line is PnP's own sign-in app (a separate community tool that performs the grant), it is not part of what Zetifi Marshal can see, and is only needed once per tenant.
Verify

Confirm exactly one row, the Zetifi Marshal app, role manage:
```
Get-PnPAzureADAppSitePermission -Site $SiteUrl
```
Expect Value

AppId f4338464-42c7-468e-97f5-762060ccf74b

Roles manage
Send it back to Zetifi

Reply with the site URL and the output of the verify command above. That's everything we need, Zetifi finishes the Console, telematics, and worker-app setup with your managers from there.

Expect	Value
AppId	`f4338464-42c7-468e-97f5-762060ccf74b`
Roles	`manage`

What Zetifi Marshal can and can't touch

One SharePoint site, nothing else. Sites.Selected grants access to no data on its own, only the explicit site grant in step 4 scopes it, and only to that one site. Zetifi Marshal cannot widen this itself; any other site needs another admin grant.
Two access modes, both pinned to that one site. The Console acts as the signed-in manager (delegated, never exceeds the user's own access). The Zetifi gateway acts as itself (application) to write incoming worker and vehicle signals server-to-server. Removing the site grant cuts off both at once.
Worker telemetry is de-identified in transit. It carries a device token and a location, not a worker's name. Names live only in records a manager enters in the Console, inside your tenant.
Sign-in is locked to one address. The Console is a Zetifi-hosted SPA using auth-code + PKCE; tokens are only ever delivered to https://console.marshal.zetifi.com. There is no redirect URI for you to configure.
Revoke in one step. Revoke-PnPAzureADAppSitePermission (or remove the app from Enterprise applications) cuts all access immediately, no Zetifi-side switch involved.

Zetifi Marshal never requests anything broader than Sites.Selected. It cannot reach:

TeamsMail / OutlookCalendarsOneDriveThe directoryAny other SharePoint site

If something's off

Symptom	Fix
Verify doesn't show one row with AppId `f4338464-...` / roles `manage`	The grant didn't land or points at a different site. Re-run step 4 against the exact site URL with `-Permissions Manage`.
Managers prompted to approve permissions on sign-in	Admin consent (step 3) hasn't been granted or propagated yet (allow a few minutes). Confirm green Granted in Entra → Enterprise applications → Marshal Worker Safety → Permissions.
`Grant-PnPAzureADAppSitePermission` errors on sign-in	The one-time PnP sign-in app wasn't created or consented. Re-run `Register-PnPEntraIDAppForInteractiveLogin`, accept the prompt, paste its Client Id into `Connect-PnPOnline -ClientId`.
Site URL rejected	Use the full site collection URL ending in `/sites/<name>`, no trailing slash, no sub-path.

Stuck on any of it? Reply to your Zetifi contact, we can run it together on a short call.