Private/PartnerActions/Set-SAMConsent.ps1

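function Set-SAMConsent {
    <#
    .SYNOPSIS
        Grants (or re-grants) the partner SAM application's consent in a customer tenant via Partner Center.

    .DESCRIPTION
        1. Exchanges the SAM refresh token for a Partner Center access token (refresh_token grant
           against the partner tenant's /oauth2/token endpoint).
        2. Resolves the customer from the partner's customer list by tenant ID.
        3. POSTs an applicationconsents grant for the SAM application with the scope list below.
        On HTTP 409 (a consent already exists) and when -Retry is not set, the existing consent is
        deleted and the function calls itself once with -Retry so the grant is recreated with the
        current scope list. Any other failure is reported with Write-Error.

    .PARAMETER CustomerTenantId
        Entra tenant ID (GUID) of the customer. It is spliced into Partner Center URL paths, so it is
        validated as a GUID before any request is made.

    .PARAMETER Retry
        Internal flag passed by the recursive delete-and-recreate call; suppresses a second attempt.

    .NOTES
        Reads $SAMTokens (expects ApplicationId, ApplicationSecret, RefreshToken) and $PartnerTenantId
        from an enclosing scope when they are not set locally; Get-SAMTokens is defined elsewhere in
        the module. Both secrets are sent only in the token request body and are never logged here.

        SECURITY: the Graph scope list below is extremely broad (Directory.ReadWrite.All,
        RoleManagement.ReadWrite.Directory, Policy.ReadWrite.ConditionalAccess,
        UserAuthenticationMethod.ReadWrite.All, ...). Consenting it gives the partner application
        near-administrator reach in the customer tenant; review it against least privilege before
        rolling this out, and treat the SAM refresh token / client secret as tier-0 credentials.
        The list also contains duplicate entries, kept verbatim so the submitted grant is unchanged.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [String]
        $CustomerTenantId,
        [Parameter()]
        [bool]$Retry
    )
    begin {
        # Reuse tokens already present in scope (this also covers the recursive -Retry call,
        # which sees the caller's $SAMTokens through PowerShell's dynamic scoping).
        if (!$SAMTokens) {
            $SAMTokens = Get-SAMTokens
        }
    }
    process {
        # Fail fast on inputs that would otherwise silently produce a malformed URL.
        $parsedGuid = [guid]::Empty
        if (-not [guid]::TryParse($CustomerTenantId, [ref]$parsedGuid)) {
            throw "CustomerTenantId '$CustomerTenantId' is not a valid GUID."
        }
        if ([string]::IsNullOrWhiteSpace($PartnerTenantId)) {
            # Not a parameter of this function; expected from an enclosing scope (consider making it one).
            throw 'PartnerTenantId is not set; it must be available in an enclosing scope.'
        }

        # Refresh-token grant against the partner tenant, resourced to the Partner Center API.
        $tokenRequest = @{
            resource      = "https://api.partnercenter.microsoft.com"
            client_id     = $SAMTokens.ApplicationId
            client_secret = $SAMTokens.ApplicationSecret
            grant_type    = "refresh_token"
            refresh_token = $SAMTokens.RefreshToken
            scope         = "openid"
        }
        $authEndpoint = "https://login.microsoftonline.com/$($PartnerTenantId)/oauth2/token"

        # Cmdlet errors are only statement-terminating, so without try/catch a failed token
        # exchange would leave $AccessToken empty and the function would carry on sending
        # "Bearer " to Partner Center. Stop here instead.
        try {
            $tokenResponse = (Invoke-WebRequest -Uri $authEndpoint -Method POST -Body $tokenRequest -ContentType 'application/x-www-form-urlencoded').Content | ConvertFrom-Json
        } catch {
            throw "Failed to obtain a Partner Center access token: $_"
        }
        $AccessToken = $tokenResponse.access_token
        if ([string]::IsNullOrEmpty($AccessToken)) {
            throw 'Token endpoint returned no access_token.'
        }
        Write-Host "Connected to Partner Center." -ForegroundColor Green

        $AuthHeader = @{
            Authorization = "Bearer $($AccessToken)"
            'Accept'      = 'application/json'
        }

        # Resolve the customer; do not push consent into a tenant we could not confirm is ours.
        try {
            $Customers = (Invoke-RestMethod -Uri "https://api.partnercenter.microsoft.com/v1/customers?size=9999" -Headers $AuthHeader).items
            $Customer = $Customers | Where-Object { $_.companyProfile.tenantId -eq $CustomerTenantId } | Select-Object -First 1
        } catch {
            Write-Error "Failed to find customer with ID $($CustomerTenantId): $_"
            return
        }
        if (-not $Customer) {
            Write-Error "Customer with tenant ID $CustomerTenantId is not in this partner's customer list; not granting consent."
            return
        }
        # The customer object exposes the name under companyProfile.companyName (not .Name).
        $CustomerName = $Customer.companyProfile.companyName

        $ConsentUri = "https://api.partnercenter.microsoft.com/v1/customers/$CustomerTenantId/applicationconsents"
        # Scope strings are kept verbatim; a line break inside the Graph scope literal would be
        # submitted as part of a scope name, so the whole list sits on one line.
        $ConsentBody = @{
            applicationGrants = @(
                @{
                    enterpriseApplicationid = "00000003-0000-0000-c000-000000000000"
                    scope = "Application.Read.All,Application.ReadWrite.All,AppRoleAssignment.ReadWrite.All,AuditLog.Read.All,BitlockerKey.Read.All,Channel.Create,Channel.Create,Channel.Delete.All,Channel.ReadBasic.All,Channel.ReadBasic.All,ChannelMember.Read.All,ChannelMember.Read.All,ChannelMember.ReadWrite.All,ChannelMember.ReadWrite.All,ChannelMessage.Edit,ChannelMessage.Read.All,ChannelMessage.Send,ChannelSettings.Read.All,ChannelSettings.ReadWrite.All,ConsentRequest.Read.All,CrossTenantInformation.ReadBasic.All,DelegatedAdminRelationship.ReadWrite.All,Device.Command,Device.Read,Device.Read.All,Device.ReadWrite.All,DeviceLocalCredential.Read.All,DeviceManagementApps.ReadWrite.All,DeviceManagementApps.ReadWrite.All,DeviceManagementConfiguration.ReadWrite.All,DeviceManagementConfiguration.ReadWrite.All,DeviceManagementManagedDevices.PrivilegedOperations.All,DeviceManagementManagedDevices.PrivilegedOperations.All,DeviceManagementManagedDevices.PrivilegedOperations.All,DeviceManagementManagedDevices.Read.All,DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementRBAC.Read.All,DeviceManagementRBAC.ReadWrite.All,DeviceManagementRBAC.ReadWrite.All,DeviceManagementServiceConfig.Read.All,DeviceManagementServiceConfig.Read.All,DeviceManagementServiceConfig.ReadWrite.All,DeviceManagementServiceConfig.ReadWrite.All,Directory.AccessAsUser.All,Directory.Read.All,Directory.ReadWrite.All,Domain.Read.All,Domain.Read.All,Files.ReadWrite.All,Group.Create,Group.Read.All,Group.ReadWrite.All,Group.ReadWrite.All,GroupMember.ReadWrite.All,GroupMember.ReadWrite.All,Mail.Send,Mail.Send,Mail.Send.Shared,Member.Read.Hidden,offline_access,openid,Organization.ReadWrite.All,Organization.ReadWrite.All,Policy.Read.All,Policy.Read.All,Policy.ReadWrite.ApplicationConfiguration,Policy.ReadWrite.ApplicationConfiguration,Policy.ReadWrite.AuthenticationFlows,Policy.ReadWrite.AuthenticationFlows,Policy.ReadWrite.AuthenticationMethod,Policy.ReadWrite.AuthenticationMethod,Policy.ReadWrite.Authorization,Policy.ReadWrite.ConditionalAccess,Policy.ReadWrite.ConditionalAccess,Policy.ReadWrite.ConsentRequest,Policy.ReadWrite.ConsentRequest,Policy.ReadWrite.CrossTenantAccess,Policy.ReadWrite.DeviceConfiguration,PrivilegedAccess.Read.AzureResources,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureResources,profile,Reports.Read.All,Reports.Read.All,ReportSettings.ReadWrite.All,ReportSettings.ReadWrite.All,RoleManagement.ReadWrite.Directory,SecurityActions.ReadWrite.All,SecurityEvents.Read.All,SecurityEvents.ReadWrite.All,SecurityIncident.Read.All,SecurityIncident.Read.All,SecurityIncident.ReadWrite.All,SecurityIncident.ReadWrite.All,ServiceHealth.Read.All,ServiceMessage.Read.All,SharePointTenantSettings.ReadWrite.All,SharePointTenantSettings.ReadWrite.All,Sites.FullControl.All,Sites.ReadWrite.All,Team.Create,Team.ReadBasic.All,TeamMember.ReadWrite.All,TeamMember.ReadWrite.All,TeamMember.ReadWriteNonOwnerRole.All,TeamMember.ReadWriteNonOwnerRole.All,TeamsActivity.Read,TeamsActivity.Send,TeamsAppInstallation.ReadForChat,TeamsAppInstallation.ReadForTeam,TeamsAppInstallation.ReadForUser,TeamsAppInstallation.ReadWriteForChat,TeamsAppInstallation.ReadWriteForTeam,TeamsAppInstallation.ReadWriteForUser,TeamsAppInstallation.ReadWriteSelfForChat,TeamsAppInstallation.ReadWriteSelfForTeam,TeamsAppInstallation.ReadWriteSelfForUser,TeamSettings.Read.All,TeamSettings.ReadWrite.All,TeamsTab.Create,TeamsTab.Read.All,TeamsTab.ReadWrite.All,TeamsTab.ReadWriteForChat,TeamsTab.ReadWriteForTeam,TeamsTab.ReadWriteForUser,ThreatAssessment.ReadWrite.All,UnifiedGroupMember.Read.AsGuest,User.ManageIdentities.All,User.ReadWrite.All,User.ReadWrite.All,UserAuthenticationMethod.Read.All,UserAuthenticationMethod.ReadWrite,UserAuthenticationMethod.ReadWrite.All,UserAuthenticationMethod.ReadWrite.All"
                },
                @{
                    enterpriseApplicationid = "00000002-0000-0ff1-ce00-000000000000"
                    scope = "Exchange.Manage,Exchange.ManageAsApp"
                },
                @{
                    enterpriseApplicationid = "00000003-0000-0ff1-ce00-000000000000"
                    scope = "AllSites.FullControl"
                },
                @{
                    enterpriseApplicationid = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239"
                    scope = "user_impersonation"
                },
                @{
                    enterpriseApplicationid = "c5393580-f805-4401-95e8-94b7a6ef2fc2"
                    scope = "ActivityFeed.Read"
                },
                @{
                    enterpriseApplicationid = "fc780465-2017-40d4-a0c5-307022471b92"
                    scope = "Vulnerability.Read,Vulnerability.Read.All"
                },
                @{
                    enterpriseApplicationid = "fc780465-2017-40d4-a0c5-307022471b92"
                    scope = "Directory.AccessAsUser.All,Directory.Read.All,User.Read"
                })
                applicationId = "$($SAMTokens.ApplicationId)"
                displayName = 'Jysk IT - SAM Partner Application'
        } | ConvertTo-Json -Depth 5   # explicit depth so nested grant objects are never stringified

        try {
            $null = Invoke-RestMethod -Uri $ConsentUri -Body $ConsentBody -Method POST -ContentType 'application/json' -Headers $AuthHeader
            Write-Host "Successfully created consent for $CustomerName" -ForegroundColor Green
            Write-Host "Waiting 60 seconds for consent to propagate fully..." -ForegroundColor Yellow
            Start-Sleep -Seconds 60
        }
        catch {
            # $null when the failure was not an HTTP response (DNS, TLS, timeout). An if/else is used
            # rather than switch: `switch ($null)` never runs its Default block, which would hide those.
            $statusCode = $_.Exception.Response.StatusCode.value__

            if ($statusCode -eq 409) {
                Write-Host "Consent already exists for $CustomerName" -ForegroundColor Yellow
                if ($Retry) {
                    # Second 409 right after delete-and-recreate: do not loop again.
                    Write-Error "Consent for $CustomerName still exists after delete; recreate did not take effect."
                } else {
                    Write-Host "Trying to delete and recreate, in case customer has gotten new licenses (e.g. Teams, Exchange Online)..." -ForegroundColor Yellow
                    # NOTE: between this DELETE and the re-POST the partner app has no consent in the
                    # tenant; automation running against it in that window will fail.
                    $deleteUri = "https://api.partnercenter.microsoft.com/v1/customers/$CustomerTenantId/applicationconsents/$($SAMTokens.ApplicationId)"
                    try {
                        $null = Invoke-RestMethod -Uri $deleteUri -Method DELETE -ContentType 'application/json' -Headers $AuthHeader
                    } catch {
                        Write-Error "Failed to delete existing consent for $CustomerName; not retrying: $_"
                        return
                    }
                    Set-SAMConsent -CustomerTenantId $CustomerTenantId -Retry:$true
                }
            } else {
                # Every non-409 failure (401/403/5xx, transport error) is an error; previously these
                # fell through to a "Successfully created consent" message.
                Write-Error "Failed to create consent for $CustomerName (HTTP $statusCode): $_"
            }
        }
    }
}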