JyskIT.Automation

0.0.8

Private/PartnerActions/Set-SAMConsent.ps1

                                function Set-SAMConsent {

    [CmdletBinding()]

    param (

        [Parameter(Mandatory)]

        [String]

        $CustomerTenantId

    )

    # Get SAM tokens if not already available

    begin {

        if (!$SAMTokens) {

            $SAMTokens = Get-SAMTokens

        }  

    }

    process {

        $PartnerAccessToken = New-PartnerAccessToken -ApplicationId $SAMTokens.ApplicationId -Credential $SAMTokens.ApplicationCredential -RefreshToken $SAMTokens.RefreshToken -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation' -ServicePrincipal -Tenant $PartnerTenantId

        Connect-PartnerCenter -AccessToken $PartnerAccessToken.AccessToken | Out-Null

        Write-Host "Connected to Partner Center." -ForegroundColor Green

        # Define all needed permissions that our customers must pre-consent to, to use our application.

        $MSGraphgrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant

        $MSgraphgrant.EnterpriseApplicationId = "00000003-0000-0000-c000-000000000000"

        $MSGraphgrant.Scope = "Application.Read.All,Application.ReadWrite.All,AppRoleAssignment.ReadWrite.All,AuditLog.Read.All,BitlockerKey.Read.All,Channel.Create,Channel.Create,Channel.Delete.All,Channel.ReadBasic.All,Channel.ReadBasic.All,ChannelMember.Read.All,ChannelMember.Read.All,ChannelMember.ReadWrite.All,ChannelMember.ReadWrite.All,ChannelMessage.Edit,ChannelMessage.Read.All,ChannelMessage.Send,ChannelSettings.Read.All,ChannelSettings.ReadWrite.All,ConsentRequest.Read.All,CrossTenantInformation.ReadBasic.All,DelegatedAdminRelationship.ReadWrite.All,Device.Command,Device.Read,Device.Read.All,Device.ReadWrite.All,DeviceLocalCredential.Read.All,DeviceManagementApps.ReadWrite.All,DeviceManagementApps.ReadWrite.All,DeviceManagementConfiguration.ReadWrite.All,DeviceManagementConfiguration.ReadWrite.All,DeviceManagementManagedDevices.PrivilegedOperations.All,DeviceManagementManagedDevices.PrivilegedOperations.All,DeviceManagementManagedDevices.PrivilegedOperations.All,DeviceManagementManagedDevices.Read.All,DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementRBAC.Read.All,DeviceManagementRBAC.ReadWrite.All,DeviceManagementRBAC.ReadWrite.All,DeviceManagementServiceConfig.Read.All,DeviceManagementServiceConfig.Read.All,DeviceManagementServiceConfig.ReadWrite.All,DeviceManagementServiceConfig.ReadWrite.All,Directory.AccessAsUser.All,Directory.Read.All,Directory.ReadWrite.All,Domain.Read.All,Domain.Read.All,Files.ReadWrite.All,Group.Create,Group.Read.All,Group.ReadWrite.All,Group.ReadWrite.All,GroupMember.ReadWrite.All,GroupMember.ReadWrite.All,Mail.Send,Mail.Send,Mail.Send.Shared,Member.Read.Hidden,offline_access,openid,Organization.ReadWrite.All,Organization.ReadWrite.All,Policy.Read.All,Policy.Read.All,Policy.ReadWrite.ApplicationConfiguration,Policy.ReadWrite.ApplicationConfiguration,Policy.ReadWrite.AuthenticationFlows,Policy.ReadWrite.AuthenticationFlows,Policy.ReadWrite.AuthenticationMethod,Policy.ReadWrite.AuthenticationMethod,Policy.ReadWrite.Authorization,Policy.ReadWrite.ConditionalAccess,Policy.ReadWrite.ConditionalAccess,Policy.ReadWrite.ConsentRequest,Policy.ReadWrite.ConsentRequest,Policy.ReadWrite.CrossTenantAccess,Policy.ReadWrite.DeviceConfiguration,PrivilegedAccess.Read.AzureResources,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureResources,profile,Reports.Read.All,Reports.Read.All,ReportSettings.ReadWrite.All,ReportSettings.ReadWrite.All,RoleManagement.ReadWrite.Directory,SecurityActions.ReadWrite.All,SecurityEvents.Read.All,SecurityEvents.ReadWrite.All,SecurityIncident.Read.All,SecurityIncident.Read.All,SecurityIncident.ReadWrite.All,SecurityIncident.ReadWrite.All,ServiceHealth.Read.All,ServiceMessage.Read.All,SharePointTenantSettings.ReadWrite.All,SharePointTenantSettings.ReadWrite.All,Sites.FullControl.All,Sites.ReadWrite.All,Team.Create,Team.ReadBasic.All,TeamMember.ReadWrite.All,TeamMember.ReadWrite.All,TeamMember.ReadWriteNonOwnerRole.All,TeamMember.ReadWriteNonOwnerRole.All,TeamsActivity.Read,TeamsActivity.Send,TeamsAppInstallation.ReadForChat,TeamsAppInstallation.ReadForTeam,TeamsAppInstallation.ReadForUser,TeamsAppInstallation.ReadWriteForChat,TeamsAppInstallation.ReadWriteForTeam,TeamsAppInstallation.ReadWriteForUser,TeamsAppInstallation.ReadWriteSelfForChat,TeamsAppInstallation.ReadWriteSelfForTeam,TeamsAppInstallation.ReadWriteSelfForUser,TeamSettings.Read.All,TeamSettings.ReadWrite.All,TeamsTab.Create,TeamsTab.Read.All,TeamsTab.ReadWrite.All,TeamsTab.ReadWriteForChat,TeamsTab.ReadWriteForTeam,TeamsTab.ReadWriteForUser,ThreatAssessment.ReadWrite.All,UnifiedGroupMember.Read.AsGuest,User.ManageIdentities.All,User.ReadWrite.All,User.ReadWrite.All,UserAuthenticationMethod.Read.All,UserAuthenticationMethod.ReadWrite,UserAuthenticationMethod.ReadWrite.All,UserAuthenticationMethod.ReadWrite.All"

        $ExOgrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant

        $ExOgrant.EnterpriseApplicationID = "00000002-0000-0ff1-ce00-000000000000"

        $ExOgrant.Scope = "Exchange.Manage,Exchange.ManageAsApp"

        $SPGrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant

        $SPGrant.EnterpriseApplicationId = "00000003-0000-0ff1-ce00-000000000000"

        $SPGrant.Scope = "AllSites.FullControl"

        $SkypeTeamsGrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant

        $SkypeTeamsGrant.EnterpriseApplicationId = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239"

        $SkypeTeamsGrant.Scope = "user_impersonation"

        $ManagementAPIGrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant

        $ManagementAPIGrant.EnterpriseApplicationId = "c5393580-f805-4401-95e8-94b7a6ef2fc2"

        $ManagementAPIGrant.Scope = "ActivityFeed.Read"

        $ATPGrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant

        $ATPGrant.EnterpriseApplicationId = "fc780465-2017-40d4-a0c5-307022471b92"

        $ATPGrant.Scope = "Vulnerability.Read,Vulnerability.Read.All"

        $AZADGrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant

        $AZADGrant.EnterpriseApplicationId = "fc780465-2017-40d4-a0c5-307022471b92"

        $AZADGrant.Scope = "Directory.AccessAsUser.All,Directory.Read.All,User.Read"

        try {

            $Customer = Get-PartnerCustomer -CustomerId $CustomerTenantId -ErrorAction Stop

        } catch {

            Write-Error "Failed to find customer with ID $($CustomerTenantId): $_"

        }

        try {

            New-PartnerCustomerApplicationConsent -ApplicationGrants @($MSGraphgrant, $ExOgrant, $SPGrant, $SkypeTeamsGrant, $ManagementAPIGrant, $ATPGrant, $AZADGrant) -CustomerId $CustomerTenantId -ApplicationId $SAMTokens.ApplicationId -DisplayName 'Jysk IT - SAM Partner Application' -ErrorAction Stop

            Write-Host "Successfully created consent for $($Customer.Name)" -ForegroundColor Green

        }

        catch {

            if($_.Exception.Message -eq "Permission entry already exists.") {

                Write-Host "Consent already exists for $($Customer.Name)" -ForegroundColor Yellow

            }

            elseif ($_.Exception.Message -like "*exist in customer tenant*") {

                Write-Host "Successfully created consent for $($Customer.Name)" -ForegroundColor Green

            }

            else {

                Write-Error "Failed to create consent for $($Customer.Name): $_"

            }

        }

    }

}