Environment Setup

This guide covers the Sitecore-side configuration required before running the XP → SitecoreAI migration recipe in Kajoo Agentic. You'll need to complete both sections — one for your source XP environment and one for your target SitecoreAI (formerly XM Cloud) environment.

📘

Once this is done, share the credentials at the bottom of this page with your Kajoo contact. The Kajoo team handles workspace setup from there — see Workspace Setup.

SitecoreAI (formerly XM Cloud)

1. Create the starter repository

Create a new repo from github.com/Sitecore/xmcloud-starter-js.

2. Enable SPE Remoting

In /authoring/platform/, create App_Config/Include/Spe/zzz.spe.remoting.config with this content:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <powershell>
      <services>
        <fileDownload><patch:attribute name="enabled">true</patch:attribute></fileDownload>
        <mediaDownload><patch:attribute name="enabled">true</patch:attribute></mediaDownload>
        <remoting>
          <patch:attribute name="requireSecureConnection">true</patch:attribute>
          <patch:attribute name="enabled">true</patch:attribute>
        </remoting>
      </services>
    </powershell>
    <pipelines>
      <owin.cookieAuthentication.validateIdentity>
        <processor type="Sitecore.Owin.Authentication.Pipelines.CookieAuthentication.ValidateIdentity.ValidateSiteNeutralPaths, Sitecore.Owin.Authentication">
          <siteNeutralPaths hint="list">
            <path hint="spe">/sitecore%20modules/PowerShell</path>
          </siteNeutralPaths>
        </processor>
      </owin.cookieAuthentication.validateIdentity>
    </pipelines>
    <log4net><logger name="Spe"><level patch:attribute="value" value="DEBUG"/></logger></log4net>
  </sitecore>
</configuration>

3. Deploy the SitecoreAI project

Create the project in the Sitecore Cloud Portal, link your GitHub repo, and trigger the initial deployment.

4. Create automation credentials

In the Cloud Portal go to Credentials → Create New → Automation. Save the Client ID and Client Secret — you'll share these with Kajoo.

5. Set environment variables

Go to Project → Authoring Environment → Variables and add:

Trigger a redeployment after saving — variables don't take effect until the next deploy.

6. Create the SPE Remoting user

In Role Manager, create the role sitecore\PowerShell Extensions Remoting (if it doesn't exist).

Then in User Manager create a user named SpeRemote, assign that role, and tick Administrator. Save the password — you'll share it with Kajoo.

Sitecore XP (Headless)

1. Confirm accessibility

The CM instance must be reachable over HTTPS. If Azure-hosted with restricted access, whitelist the Kajoo Agentic IP 20.51.153.117/32 — confirm the current IP with your Kajoo contact before applying.

2. Verify required modules are installed

You need: Sitecore PowerShell Extensions (SPE), Sitecore Services Client (SSC), Sitecore Management Services, and Headless Services / JSS. If Management Services is missing, download it from developers.sitecore.com/downloads/Sitecore_CLI.

3. Register a non-interactive client

Follow the Sitecore walkthrough for non-interactive client login on your Identity Server. Save the Client ID, Client Secret, and Authority URL — you'll share these with Kajoo.

4. Configure IIS authentication

Apply these settings at both the site level and the /sitecore modules/PowerShell/Services folder level:

🚧

The folder-level step is frequently missed. If SPE Remoting returns 401 Unauthorized, this is almost always the cause.

5. Enable SPE Remoting

Create App_Config/Include/Spe/zzz.spe.remoting.config:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/"
  xmlns:role="http://www.sitecore.net/xmlconfig/role/"
  xmlns:security="http://www.sitecore.net/xmlconfig/security/">
  <sitecore role:require="Standalone or ContentManagement" security:require="Sitecore">
    <powershell>
      <services>
        <fileDownload><patch:attribute name="enabled">true</patch:attribute></fileDownload>
        <mediaDownload><patch:attribute name="enabled">true</patch:attribute></mediaDownload>
        <remoting>
          <patch:attribute name="requireSecureConnection">true</patch:attribute>
          <patch:attribute name="enabled">true</patch:attribute>
        </remoting>
      </services>
    </powershell>
    <pipelines>
      <owin.cookieAuthentication.validateIdentity>
        <processor type="Sitecore.Owin.Authentication.Pipelines.CookieAuthentication.ValidateIdentity.ValidateSiteNeutralPaths, Sitecore.Owin.Authentication">
          <siteNeutralPaths hint="list">
            <path hint="spe">/sitecore%20modules/PowerShell</path>
          </siteNeutralPaths>
        </processor>
      </owin.cookieAuthentication.validateIdentity>
    </pipelines>
    <log4net><logger name="Spe"><level patch:attribute="value" value="DEBUG"/></logger></log4net>
  </sitecore>
</configuration>

The role:require attribute scopes this to CM/Standalone only — intentional on XP topologies that include CD servers.

6. Create the SPE Remoting user

Same as SitecoreAI step 6: create role sitecore\PowerShell Extensions Remoting, create user SpeRemote with that role and Administrator privileges. Save the password.

7. Validate the GraphQL endpoint

Confirm /sitecore/api/graph/items/master returns a valid response before sharing credentials with Kajoo.

Credentials to share with Kajoo

Once setup is complete, send these to your Kajoo contact via a secure channel.

SitecoreAI instance

XP instance

Common issues