Private/PartnerActions/New-CustomPartnerAccessToken.ps1

function New-CustomPartnerAccessToken() {
    param(
        [Parameter(Mandatory)]
        [String]
        $Scopes,
        [Parameter(Mandatory)]
        [String]
        $TenantId,
        [Parameter()]
        [bool]$Retry
    )

    begin {
        if (!$SAMTokens) {
            $SAMTokens = Get-SAMTokens
        }  
    }
    process {

        # Connect to the partner center using our application
        $RequestBody = @{
            client_id     = $SAMTokens.ApplicationId
            client_secret = $SAMTokens.ApplicationSecret
            grant_type    = "refresh_token"
            refresh_token = $SAMTokens.RefreshToken
            scope         = $Scopes
        }
        $authEndpoint = "https://login.microsoftonline.com/$($TenantId)/oauth2/v2.0/token"

        # Get the access token needed for subsequent requests
        try {
            $Response = Invoke-WebRequest -Uri $authEndpoint -Method POST -Body $RequestBody -ContentType 'application/x-www-form-urlencoded'
            $AccessToken = ($Response.Content | ConvertFrom-Json).access_token
        } catch {
            if($_.ErrorDetails.Message -like "*The user or administrator has not consented*" -and !$Retry) {
                Write-Host "Failed to connect due to missing application consent." -ForegroundColor Yellow
                # Check that we have the appropriate GDAP relationship setup
                Connect-CustomerGraph -CustomerTenantId $PartnerTenantId
                $Relationship = Get-MgTenantRelationshipDelegatedAdminRelationship -Filter "customer/tenantId eq '$($TenantId)' and startswith(DisplayName, 'Jysk IT')" -Top 1

                if(!$Relationship) {
                    throw "Failed to find a GDAP relationship for customer with ID $($TenantId)."
                }

                $AccessAssignments = Get-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment -DelegatedAdminRelationshipId $Relationship.Id
                if(!$AccessAssignments) {
                    Write-host "Failed to find any access assignments for GDAP relationship with ID $($Relationship.Id)."
                    Write-Host "Creating the access assignments now." -ForegroundColor Yellow
                    New-GDAPAccessAssignments -RelationshipId $Relationship.Id
                }

                if($Scopes -eq "https://outlook.office365.com/.default") {
                    Connect-CustomerGraph -CustomerTenantId $TenantId
                    $ExchangeServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
                    if(!$ExchangeServicePrincipal) {
                        throw "Failed to find Exchange Online service principal. The customer does not have Exchange Online - and therefore connection is impossible."
                    } else {
                        Write-Host "Found Exchange Online service principal, so we can try to consent to it."
                    }
                }
                Write-Host "Trying to get consent, and then re-trying connection attempt." -ForegroundColor Yellow
                Set-SAMConsent -CustomerTenantId $TenantId
                New-CustomPartnerAccessToken -Scopes $Scopes -TenantId $TenantId -Retry:$true
            } else {
                throw "Failed to get access token: $_"
            }
        }
        
        return $AccessToken 
    }
}