Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #Requires -Version 7.2
- #Requires -Modules MSAL.PS, Microsoft.PowerShell.ConsoleGuiTools
- param(
- [Parameter(
- HelpMessage = @"
- This is the list of scopes you'll need for your script or automation. Example:
- Directory.Read.All,AccessReview.Read.All
- "@)]
- [string] $Scope
- )
- $ErrorActionPreference = "stop"
- $PartnerAppId = "{CLIENT_ID}"
- $MsalParams = @{
- ClientId = $PartnerAppId;
- Interactive = $true;
- Scope = "https://api.partnercenter.microsoft.com/user_impersonation";
- }
- $PartnerAccessToken = Get-MsalToken @MsalParams
- $PartnerCustomersParams = @{
- Uri = "https://api.partnercenter.microsoft.com/v1/customers";
- Headers = @{
- "Authorization" = "Bearer $($PartnerAccessToken.AccessToken)"
- };
- Method = "Get";
- }
- $SelectedCustomers = (Invoke-RestMethod @PartnerCustomersParams).items | `
- Select-Object -ExpandProperty companyProfile | `
- Select-Object -Property companyName, tenantId | `
- Out-ConsoleGridView -OutputMode Multiple -Title "Select your tenant"
- <#
- This step is what will add the application to your customer's organization.
- The EnterpriseAppplicationId below is the app you're allowing to use your partner credentials.
- In this example, it's just the Microsoft Graph enterprise application.
- Notice how the scope isn't in our Partner App. You don't need to specify it in the partner app.
- If you change the scope, it should add the ones you didn't include, but I don't see a way to remove any.
- Your user account's permissions through GDAP are what determines what you really have permissions to so if your user
- didn't have Directory.Read.All permissions, this wouldn't work.
- Since there's no way to check or force this to update, it will throw an error-like message if you've already done this.
- #>
- # Forcing a scope selection from the list if one wasn't specified.
- if (!$Scope) {
- $SelectedScopes = Find-MgGraphPermission | `
- Where-Object PermissionType -eq "Delegated" | `
- Select-Object Name, Description | `
- Out-ConsoleGridView -OutputMode Multiple -Title "Select your scopes"
- $Scope = $SelectedScopes.Name -Join ","
- if (!$Scope) {
- throw "Selecting a scope(s) is required to continue."
- }
- }
- $AppConsentHeaders = @{
- "Accept" = "application/json";
- "Content-Type" = "application/json";
- "Authorization" = "Bearer $($PartnerAccessToken.AccessToken)"
- }
- $AppConsentBody = ConvertTo-JSON -InputObject @{
- "applicationid" = $PartnerAppId;
- "applicationGrants" = @(
- @{
- "enterpriseApplicationId" = "00000003-0000-0000-c000-000000000000"; # Microsoft Graph.
- "scope" = $Scope
- },
- @{
- "enterpriseApplicationId" = "00000002-0000-0ff1-ce00-000000000000"; # Exchange Online.
- "scope" = "Exchange.Manage"
- }
- )
- }
- $Index = 0
- ForEach ($Customer in $SelectedCustomers) {
- $Index++
- $PercentComplete = [int][math]::Ceiling(100 / $SelectedCustomers.Count * $Index )
- Write-Progress `
- -Activity $Customer.companyName `
- -Status "$Index out of $($SelectedCustomers.Count)" `
- -PercentComplete $PercentComplete
- $CustomerTenantId = $Customer.tenantId
- # Removing existing consent if it exists. There isn't a way to query or updates, unfortunately.
- $PartnerCustomerRemoveAppConsentParams = @{
- Uri = "https://api.partnercenter.microsoft.com/v1/customers/$CustomerTenantId/applicationconsents/$PartnerAppId";
- Headers = $AppConsentHeaders;
- Method = "DELETE";
- }
- Invoke-RestMethod @PartnerCustomerRemoveAppConsentParams
- # Adding new consents.
- $PartnerCustomerPostAppConsentParams = @{
- Uri = "https://api.partnercenter.microsoft.com/v1/customers/$CustomerTenantId/applicationconsents";
- Headers = $AppConsentHeaders;
- Body = $AppConsentBody
- Method = "POST";
- }
- Invoke-RestMethod @PartnerCustomerPostAppConsentParams | Out-Null
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement