Public/Initialize-Tenant.ps1

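function Initialize-Tenant {
    <#
    .SYNOPSIS
        Onboards a customer tenant end to end: SAM consent, admin user, GDAP
        relationship (created, locked for approval, approved by the customer),
        then the GDAP access assignments.
    .DESCRIPTION
        Depends on module-scope state that is not defined in this file:
        $PartnerTenantId, $RelationshipParams, $FirstAccessAssignmentParams and
        $SecondAccessAssignmentParams, and on the helpers Set-SAMConsent,
        Connect-CustomerGraph, Disconnect-CustomerGraph, Disable-SecurityDefaults,
        New-AdminUser and New-GDAPAccessAssignments.
        The function is interactive: it opens Edge inPrivate windows for the
        operator and blocks on Read-Host until the customer has approved the
        relationship.
    .PARAMETER TenantId
        Entra tenant id of the customer being onboarded.
    .PARAMETER PollIntervalSeconds
        Seconds between approval-status polls. Defaults to 5, the previous fixed value.
    .PARAMETER ApprovalTimeoutSeconds
        Stop waiting for approval after this many seconds and write an error.
        0 (the default) waits indefinitely, as before.
    .OUTPUTS
        None. Progress goes to the host via Write-Host; failures via Write-Error.
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId,

        [ValidateRange(1, 3600)]
        [int]$PollIntervalSeconds = 5,

        [ValidateRange(0, [int]::MaxValue)]
        [int]$ApprovalTimeoutSeconds = 0
    )
    process {
        # Consent for our SAM application, then a Graph session in the customer tenant.
        Set-SAMConsent -CustomerTenantId $TenantId
        Connect-CustomerGraph -CustomerTenantId $TenantId

        $CustomerOrganization = Get-MgOrganization

        # NOTE(review): this drops the tenant's baseline protections (Security Defaults,
        # which among other things enforce MFA). Presumably a Conditional Access policy
        # set replaces them later in the onboarding flow — confirm, because the tenant
        # is weaker until that happens.
        Disable-SecurityDefaults -TenantId $TenantId

        # Create the delegated admin user. $AdminUser only carries a Password property
        # when the user was created just now; an existing user comes back without one.
        $AdminUser = New-AdminUser -TenantId $TenantId

        # The GDAP relationship is created from the partner side, so switch sessions.
        Disconnect-CustomerGraph
        Connect-CustomerGraph -CustomerTenantId $PartnerTenantId

        # Transliterate Danish letters and drop "/" from the relationship name
        # (presumably characters the relationship API rejects — verify).
        $RelationshipName = "Jysk IT - $($CustomerOrganization.DisplayName)".Replace("æ","ae").Replace("ø","oe").Replace("å","aa").Replace("/","")
        # $RelationshipParams is module-scope and is mutated in place; a second call in
        # the same session overwrites these fields rather than starting from a fresh copy.
        $RelationshipParams.displayName = $RelationshipName
        $RelationshipParams.customer.tenantId = $TenantId
        $RelationshipParams.customer.displayName = $CustomerOrganization.DisplayName

        $Relationship = $null
        try {
            $Relationship = New-MgTenantRelationshipDelegatedAdminRelationship -BodyParameter $RelationshipParams
            Write-Host "Created new GDAP relationship: $($Relationship.DisplayName)" -ForegroundColor Green
        } catch {
            Write-Error "Failed to create GDAP relationship: $_"
        }
        # Every later step keys off $Relationship.Id. Write-Error is non-terminating,
        # so without this guard a failed creation would continue with a null id and the
        # approval poll below would never terminate.
        if (-not $Relationship -or -not $Relationship.Id) {
            Write-Error "No GDAP relationship was created for tenant $TenantId; aborting."
            return
        }

        $RelationshipRequestParams = @{
            action = "lockForApproval"
        }

        try {
            New-MgTenantRelationshipDelegatedAdminRelationshipRequest -DelegatedAdminRelationshipId $Relationship.Id -BodyParameter $RelationshipRequestParams | Out-Null
            Write-Host "Sucessfully locked relationship for approval" -ForegroundColor Green
        } catch {
            Write-Error "Failed to lock relationship for approval: $_"
        }

        $InvitationLink = "https://admin.microsoft.com/AdminPortal/Home#/partners/invitation/granularAdminRelationships/$($Relationship.Id)"

        # Work out which login page to open and tell the operator how to authenticate.
        if ($AdminUser) {
            $LoginUrl = "https://admin.microsoft.com/login?username=$($AdminUser.UserPrincipalName)"
            Write-Host "Username: $($AdminUser.UserPrincipalName)"
            if ("Password" -in $AdminUser.PSobject.Properties.Name) {
                # The freshly generated password is echoed to the console and placed on the
                # clipboard so the operator can sign in. Anything that captures console
                # output (Start-Transcript, terminal logging) will contain it in clear text,
                # and it stays on the clipboard until overwritten.
                Write-Host "Password: $($AdminUser.Password)"
                Set-Clipboard $($AdminUser.Password)
            } else {
                Write-Host "Password: Unknown, since this is an existing admin user."
                Write-Host "Opened login page in Edge inPrivate. Find the password in O365 DNEA for the admin user. ($($LoginUrl))"
            }
        } else {
            $LoginUrl = "https://admin.microsoft.com/login"
            Write-Host "Opened login page in Edge inprivate ($($LoginUrl))"
        }

        # Both branches continue identically: sign in, then open the invitation.
        Start-Process -FilePath "msedge.exe" -ArgumentList "-inprivate", $LoginUrl
        # Read-Host returns whatever the operator typed; discard it so the function
        # does not leak that string into its output stream.
        $null = Read-Host "Press any key to continue when logged in.."
        Write-Host "Opened GDAP invitation link in Edge inPrivate. ($($InvitationLink))"
        Start-Process -FilePath "msedge.exe" -ArgumentList "-inprivate", $InvitationLink

        # Poll until the customer approves. With the default timeout of 0 this waits
        # indefinitely, exactly as before; pass -ApprovalTimeoutSeconds to bound it.
        $Deadline = if ($ApprovalTimeoutSeconds -gt 0) { (Get-Date).AddSeconds($ApprovalTimeoutSeconds) } else { $null }
        $RelationshipCheck = Get-MgTenantRelationshipDelegatedAdminRelationship -DelegatedAdminRelationshipId $Relationship.Id
        while ($RelationshipCheck.Status -ne "active") {
            if ($Deadline -and (Get-Date) -gt $Deadline) {
                Write-Error "Timed out after $ApprovalTimeoutSeconds seconds waiting for GDAP relationship $($Relationship.Id) to become active (last status: $($RelationshipCheck.Status))."
                return
            }
            Write-Host "Waiting for approval.."
            Start-Sleep -Seconds $PollIntervalSeconds
            $RelationshipCheck = Get-MgTenantRelationshipDelegatedAdminRelationship -DelegatedAdminRelationshipId $Relationship.Id
        }

        Write-Host "GDAP relationship approved!" -ForegroundColor Green

        New-GDAPAccessAssignments -RelationshipId $Relationship.Id

        # First access assignment (body comes from module-scope $FirstAccessAssignmentParams).
        try {
            New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment -DelegatedAdminRelationshipId $Relationship.Id -BodyParameter $FirstAccessAssignmentParams | Out-Null
            Write-Host "Created first access assignment" -ForegroundColor Green
        } catch {
            Write-Error "Failed to create first access assignment: $_"
        }

        # Second access assignment (body comes from module-scope $SecondAccessAssignmentParams).
        try {
            New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment -DelegatedAdminRelationshipId $Relationship.Id -BodyParameter $SecondAccessAssignmentParams | Out-Null
            Write-Host "Created second access assignment" -ForegroundColor Green
        } catch {
            Write-Error "Failed to create second access assignment: $_"
        }
    }
}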