Public/Initialize-Tenant.ps1
|
function Initialize-Tenant { param( [Parameter(Mandatory)] [string]$TenantId) process { # Start by getting consent for our application. Set-SAMConsent -CustomerTenantId $TenantId # Connect to MS Graph Connect-CustomerGraph -CustomerTenantId $TenantId $CustomerOrganization = Get-MgOrganization $CustomerInitialDomain = $CustomerOrganization.VerifiedDomains | Where-Object { $_.IsInitial -eq $true } # Disable Security Defaults try { $SecurityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy if($SecurityDefaults.IsEnabled) { Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false | Out-Null Write-Host "Security Defaults has been successfully disabled!" -ForegroundColor Green } else { Write-Host "Security Defaults is already disabled, skipping.." -ForegroundColor Yellow } } catch { Write-Error "Failed to disable Security Defaults: $_" } # Create Jysk IT Administrator try { $Users = Get-MgUser -All if($Users.UserPrincipalName -notcontains "jyskit-adm@$($CustomerInitialDomain.Name)") { Write-Host "Jysk IT Administrator does not exist, creating.." $PasswordProfile = @{ Password = (Get-RandomPassword -PasswordLength 16) ForceChangePasswordNextSignIn = $false ForceChangePasswordNextSignInWithMfa = $false } $AdminUser = New-MgUser -DisplayName "Jysk IT Administrator" -PasswordProfile $PasswordProfile -AccountEnabled -MailNickname "jyskit-adm" -UserPrincipalName "jyskit-adm@$($CustomerInitialDomain.Name)" Write-Host "Created Jysk IT Administrator: $($AdminUser.UserPrincipalName) with password $($PasswordProfile.Password)" -ForegroundColor Green } else { Write-Host "Jysk IT Administrator already exists, skipping.." -ForegroundColor Yellow $AdminUser = $Users | Where-Object { $_.UserPrincipalName -eq "jyskit-adm@$($CustomerInitialDomain.Name)" } } } catch { Write-Error "Failed to create Jysk IT Administrator: $_" } # Assign to Global Administrator group try { $Role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" } $GlobalAdmins = Get-MgDirectoryRoleMemberAsUser -DirectoryRoleId $Role.Id if($GlobalAdmins.Id -notcontains $AdminUser.Id) { New-MgDirectoryRoleMemberByRef -DirectoryRoleId $Role.Id -BodyParameter @{"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($AdminUser.Id)"} Write-Host "Assigned Jysk IT Administrator to Global Administrator group" -ForegroundColor Green } else { Write-Host "Jysk IT Administrator is already a member of Global Administrator group" -ForegroundColor Yellow } } catch { Write-Error "Failed to assign Jysk IT Administrator to Global Administrator group: $_" } # Create a GDAP relationship Disconnect-CustomerGraph Connect-CustomerGraph -CustomerTenantId $PartnerTenantId $RelationshipName = "Jysk IT - $($CustomerOrganization.DisplayName)".Replace("æ","ae").Replace("ø","oe").Replace("å","aa").Replace("/","") $RelationshipParams = @{ displayName = $RelationshipName duration = "P730D" customer = @{ tenantId = $TenantId displayName = $CustomerOrganization.DisplayName } accessDetails = @{ unifiedRoles = @( @{ roleDefinitionId = "44367163-eba1-44c3-98af-f5787879f96a" } @{ roleDefinitionId = "29232cdf-9323-42fd-ade2-1d097af3e4de" } @{ roleDefinitionId = "31392ffb-586c-42d1-9346-e59415a2cc4e" } @{ roleDefinitionId = "45d8d3c5-c802-45c6-b32a-1d70b5e1e86e" } @{ roleDefinitionId = "b5a8dcf3-09d5-43a9-a639-8e29ef291470" } @{ roleDefinitionId = "744ec460-397e-42ad-a462-8b3f9747a02c" } @{ roleDefinitionId = "32696413-001a-46ae-978c-ce0f6b3620d2" } @{ roleDefinitionId = "892c5842-a9a6-463a-8041-72aa08ca3cf6" } @{ roleDefinitionId = "fdd7a751-b60b-444a-984c-02652fe8fa1c" } @{ roleDefinitionId = "a9ea8996-122f-4c74-9520-8edcd192826c" } @{ roleDefinitionId = "69091246-20e8-4a56-aa4d-066075b2a7a8" } @{ roleDefinitionId = "baf37b3a-610e-45da-9e62-d9d1e5e8914b" } @{ roleDefinitionId = "3d762c5a-1b6c-493f-843e-55a3b42923d4" } @{ roleDefinitionId = "eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c" } @{ roleDefinitionId = "31e939ad-9672-4796-9c2e-873181342d2d" } @{ roleDefinitionId = "74ef975b-6605-40af-a5d2-b9539d836353" } @{ roleDefinitionId = "d37c8bed-0711-4417-ba38-b4abe66ce4c2" } @{ roleDefinitionId = "2b745bdf-0803-4d80-aa65-822c4493daac" } @{ roleDefinitionId = "11648597-926c-4cf3-9c36-bcebb0ba8dcc" } @{ roleDefinitionId = "0964bb5e-9bdb-4d7b-ac29-58e794862a40" } @{ roleDefinitionId = "8835291a-918c-4fd7-a9ce-faa49f0cf7d9" } @{ roleDefinitionId = "f28a1f50-f6e7-4571-818b-6a12f2af6b6c" } @{ roleDefinitionId = "75941009-915a-4869-abe7-691bff18279e" } @{ roleDefinitionId = "f70938a0-fc10-4177-9e90-2178f8765737" } @{ roleDefinitionId = "fcf91098-03e3-41a9-b5ba-6f0ec8188a12" } @{ roleDefinitionId = "e3973bdf-4987-49ae-837a-ba8e231c7286" } @{ roleDefinitionId = "6e591065-9bad-43ed-90f3-e9424366d2f0" } @{ roleDefinitionId = "0f971eea-41eb-4569-a71e-57bb8a3eff1e" } @{ roleDefinitionId = "3a2c62db-5318-420d-8d74-23affee5d9d5" } @{ roleDefinitionId = "7698a772-787b-4ac8-901f-60d6b08affd2" } @{ roleDefinitionId = "38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4" } @{ roleDefinitionId = "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f" } @{ roleDefinitionId = "e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477" } @{ roleDefinitionId = "9f06204d-73c1-4d4c-880a-6edb90606fd8" } @{ roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10" } @{ roleDefinitionId = "11451d60-acb2-45eb-a7d6-43d0f0125c13" } @{ roleDefinitionId = "c4e39bd9-1100-46d3-8c65-fb160da0071f" } @{ roleDefinitionId = "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9" } @{ roleDefinitionId = "729827e3-9c14-49f7-bb1b-9608f156bbb8" } @{ roleDefinitionId = "4d6ac14f-3453-41d0-bef9-a3e0c569773a" } @{ roleDefinitionId = "966707d0-3269-4727-9be2-8c3a10f19b9d" } @{ roleDefinitionId = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13" } @{ roleDefinitionId = "e8611ab8-c189-46e8-94e1-60213ab1f814" } @{ roleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1" } @{ roleDefinitionId = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" } @{ roleDefinitionId = "cf1c38e5-3621-4004-a7cb-879624dced7c" } @{ roleDefinitionId = "158c047a-c907-4556-b7ef-446551a6b5f7" } @{ roleDefinitionId = "be2f45a1-457d-42af-a067-6ec1fa63bc45" } @{ roleDefinitionId = "95e79109-95c0-4d8e-aee3-d01accf2d47b" } @{ roleDefinitionId = "8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2" } @{ roleDefinitionId = "aaf43236-0c0d-4d5f-883a-6955382ac081" } @{ roleDefinitionId = "3edaf663-341e-4475-9f94-5c398ef6c070" } @{ roleDefinitionId = "b0f54661-2d74-4c50-afa3-1ec803f12efe" } @{ roleDefinitionId = "f023fd81-a637-4b56-95fd-791ac0226033" } @{ roleDefinitionId = "d29b2b05-8046-44ba-8758-1e26182fcf32" } @{ roleDefinitionId = "9360feb5-f418-4baa-8175-e2a00bac4301" } @{ roleDefinitionId = "8329153b-31d0-4727-b945-745eb3bc5f31" } @{ roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" } @{ roleDefinitionId = "5d6b6bb7-de71-4623-b4af-96380a352509" } @{ roleDefinitionId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451" } @{ roleDefinitionId = "ac16e43d-7b2d-40e0-ac05-243ff356ab5b" } @{ roleDefinitionId = "790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b" } @{ roleDefinitionId = "4a5d8f65-41da-4de4-8968-e035b65339cf" } @{ roleDefinitionId = "75934031-6c7e-415a-99d7-48dbd49e875e" } @{ roleDefinitionId = "17315797-102d-40b4-93e0-432062caca18" } @{ roleDefinitionId = "e6d1a23a-da11-4be4-9570-befc86d067a7" } @{ roleDefinitionId = "194ae4cb-b126-40b2-bd5b-6091b380977d" } @{ roleDefinitionId = "5f2222b1-57c3-48ba-8ad5-d4759f1fde6f" } @{ roleDefinitionId = "7495fdc4-34c4-4d15-a289-98788ce399fd" } @{ roleDefinitionId = "5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91" } @{ roleDefinitionId = "0526716b-113d-4c15-b2c8-68e3c22b9f80" } @{ roleDefinitionId = "9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f" } @{ roleDefinitionId = "c430b396-e693-46cc-96f3-db01bf8bb62a" } ) } } try { $Relationship = New-MgTenantRelationshipDelegatedAdminRelationship -BodyParameter $RelationshipParams Write-Host "Created new GDAP relationship: $($Relationship.DisplayName)" -ForegroundColor Green } catch { Write-Error "Failed to create GDAP relationship: $_" } $RelationshipRequestParams = @{ action = "lockForApproval" } try { New-MgTenantRelationshipDelegatedAdminRelationshipRequest -DelegatedAdminRelationshipId $Relationship.Id -BodyParameter $RelationshipRequestParams | Out-Null Write-Host "Sucessfully locked relationship for approval" -ForegroundColor Green } catch { Write-Error "Failed to lock relationship for approval: $_" } $InvitationLink = "https://admin.microsoft.com/AdminPortal/Home#/partners/invitation/granularAdminRelationships/$($Relationship.Id)" if($AdminUser) { $LoginUrl = "https://admin.microsoft.com/login?username=$($AdminUser.UserPrincipalName)" Write-Host "Username: $($AdminUser.UserPrincipalName)" Write-Host "Password: $($PasswordProfile.Password)" Start-Process -FilePath "msedge.exe" -Argumentlist "-inprivate", "$($LoginUrl)" Set-Clipboard $($PasswordProfile.Password) Write-Host "Opened login page in Edge inPrivate, and copied password to clipboard. ($($LoginUrl))" Read-Host "Press any key to continue when logged in.." Write-Host "Opened GDAP invitation link in Edge inPrivate. ($($InvitationLink))" Start-Process -FilePath "msedge.exe" -Argumentlist "-inprivate", "$($InvitationLink)" } else { $LoginUrl = "https://admin.microsoft.com/login" Start-Process -FilePath "msedge.exe" -Argumentlist "-inprivate", "$($LoginUrl)" Write-Host "Opened login page in Edge inprivate ($($LoginUrl))" Read-Host "Press any key to continue when logged in.." Write-Host "Opened GDAP invitation link in Edge inPrivate. ($($InvitationLink))" Start-Process -FilePath "msedge.exe" -Argumentlist "-inprivate", "$($InvitationLink)" } # Wait for approval $RelationshipCheck = Get-MgTenantRelationshipDelegatedAdminRelationship -DelegatedAdminRelationshipId $Relationship.Id while($RelationshipCheck.Status -ne "active") { Write-Host "Waiting for approval.." Start-Sleep -Seconds 5 $RelationshipCheck = Get-MgTenantRelationshipDelegatedAdminRelationship -DelegatedAdminRelationshipId $Relationship.Id } Write-Host "GDAP relationship approved!" -ForegroundColor Green # First access assignment try { New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment -DelegatedAdminRelationshipId $Relationship.Id -BodyParameter $FirstAccessAssignmentParams | Out-Null Write-Host "Created first access assignment" -ForegroundColor Green } catch { Write-Error "Failed to create first access assignment: $_" } # Second access assignment try { New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment -DelegatedAdminRelationshipId $Relationship.Id -BodyParameter $SecondAccessAssignmentParams | Out-Null Write-Host "Created second access assignment" -ForegroundColor Green } catch { Write-Error "Failed to create second access assignment: $_" } } } |