Public/Graph/Register-GraphApplication.ps1
function Register-GraphApplication { <# .SYNOPSIS Register Apps with preset permissions for quick access to graph endpoints .DESCRIPTION Register Apps with preset permissions for quick access to graph endpoints Use those permissions with the connection script, Connect-PoshGraph Please check the Azure AD app that this app creates to understand the permissions you have prior to running any commands. Make sure you that clearly understand and inspect any script before you run them!!! I am not responsible for any data in your tenant. Please test thoroughly. If you want to add or remove permissions you can find your app here: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps Please see examples! .PARAMETER Tenant Use this to uniquely identify the tenant and permissions. You will use this to connect to graph with "Connect-PoshGraph" Please see examples! .PARAMETER App Currently just Intune and Teams to choose from, but more to follow. Note: The name of the app in Azure AD will be named Intune + the date/time it was added (but you won't need this information to connect) .PARAMETER AddDelegateCredentials A GUI will appear, type username and password and click "Export Tenant Credentials" .EXAMPLE Register-GraphApplication -Tenant Contoso -App Intune # The registration is a one-time thing. # Once it is complete, use the below command each time to connect to Graph Connect-PoshGraph -Tenant Contoso .EXAMPLE Register-GraphApplication -Tenant ContosoIntune -App Intune # The registration is a one-time thing. # Once it is complete, use the below command each time to connect to Graph Connect-PoshGraph -Tenant ContosoIntune .NOTES General notes #> [CmdletBinding(DefaultParameterSetName = 'PlaceHolder')] param ( [Parameter(Mandatory)] $Tenant, [Parameter(Mandatory)] [ValidateSet('EXO', 'Intune', 'Teams', 'IntunePrivileged')] $App, [Parameter()] [switch] $AddDelegateCredentials, [Parameter()] [switch] $ReturnAppObject, [Parameter(ParameterSetName = 'ExchangeCBA')] [switch] $AlsoCreateGraphConnection, [Parameter()] [switch] $GCCHigh ) $PoshPath = Join-Path -Path $Env:USERPROFILE -ChildPath '.Posh365/Credentials/Graph' $ItemSplat = @{ Type = 'Directory' Force = $true ErrorAction = 'SilentlyContinue' } if (-not (Test-Path $PoshPath)) { $null = New-Item $PoshPath @ItemSplat } $TenantPath = Join-Path -Path $PoshPath -ChildPath $Tenant if (Test-Path $TenantPath) { if ($AlsoCreateGraphConnection -or $PSCmdlet.ParameterSetName -notcontains 'ExchangeCBA') { Write-Host "Connect-PoshGraph already has a connection named, $TenantPath" -ForegroundColor Yellow -NoNewline $UsePath = Read-Host ". Type 'YES' to overwrite" if ($UsePath -ne 'YES') { Write-Host "Please rerun your command and choose another name to represent your connection" -ForegroundColor Green Write-Host "Perhaps, try appending the the app's function to the company name" -ForegroundColor Green Write-Host "For example, Contoso-Intune" -ForegroundColor Green continue } } } if (-not (Test-Path $TenantPath)) { $null = New-Item $TenantPath @ItemSplat } if ($AlsoCreateGraphConnection -or $PSCmdlet.ParameterSetName -notcontains 'ExchangeCBA') { Write-Host "`r`nWe will create an Azure AD Application with the " -ForegroundColor Cyan -NoNewline Write-Host "$App" -ForegroundColor Green -NoNewline Write-Host " API permission set. Credentials will be encrypted to $TenantPath. Once complete, connect to Graph with: `r`n" -ForegroundColor Cyan Write-Host "Connect-PoshGraph " -ForegroundColor Yellow -NoNewline Write-Host "-Tenant " -ForegroundColor White -NoNewline Write-Host "$Tenant`r`n`r`n" -ForegroundColor Green } if (-not ($null = Get-Module -Name 'AzureAD', 'AzureADPreview' -ListAvailable)) { Write-Host "Installing AzureAD module" -ForegroundColor Cyan Install-Module -Name AzureAD -Scope CurrentUser -Force -AllowClobber Import-Module -Name AzureAD -Force } $Latest = Find-Module CloneApp -Repository PSGallery $Installed = Get-Module -Name CloneApp -ListAvailable | Sort-Object version -Descending | Select-Object -First 1 if ($Latest.Version -ne $Installed.Version) { Write-Host "Installing CloneApp module" -ForegroundColor Cyan Install-Module -Name CloneApp -Scope CurrentUser -Force -AllowClobber Import-Module -Name CloneApp -Force } Write-Host "Disconnecting any possible connections to Azure AD" -ForegroundColor White try { $null = Disconnect-AzureAD -ErrorAction Stop } catch { } try { Write-Host "In the window that appears, please enter your credentials to login to Azure AD . . . " -ForegroundColor White -NoNewline $AzureAD = Connect-AzureAD -ErrorAction Stop Write-Host "Connected" -ForegroundColor Green Write-Host "Azure AD Tenant: " -ForegroundColor Green -NoNewline Write-Host "$($AzureAD.TenantId)" -ForegroundColor White Write-Host "Azure AD Account: " -ForegroundColor Green -NoNewline Write-Host "$($AzureAD.Account)" -ForegroundColor White } catch { Write-Host "Not connected to Azure AD. " -ForegroundColor Yellow -NoNewline Write-Host "Please run the same command again and connect to Azure AD." -ForegroundColor Cyan return } $Params = @{ Name = $App ConsentAction = 'Both' GithubUsername = 'KevinBlumenfeld' GistFilename = '{0}.xml' -f $App SecretDurationYears = 10 Owner = ($AzureAD.Account).toString() GCCHIGH = $GCCHigh } $NewApp = Import-TemplateApp @Params $ConfigObject = [PSCustomObject]@{ TenantClientID = $NewApp.ApplicationId TenantTenantID = $NewApp.TenantId TenantObjectID = $NewApp.ObjectId TenantSecret = $NewApp.Secret | ConvertTo-SecureString -AsPlainText -Force } if ($AlsoCreateGraphConnection -or $PSCmdlet.ParameterSetName -notcontains 'ExchangeCBA') { $TenantConfig = Join-Path -Path $TenantPath -ChildPath ('{0}Config.xml' -f $Tenant) [PSCustomObject]@{ Cred = [PSCredential]::new($ConfigObject.TenantTenantID, $ConfigObject.TenantSecret) ClientId = $ConfigObject.TenantClientID } | Export-Clixml -Path $TenantConfig Write-Host ('{0}Tenant configuration encrypted to: {1}{0}' -f [Environment]::NewLine, $TenantConfig) } if ($AddDelegateCredentials -or $App -notmatch 'Intune|EXO') { Write-Host "`r`nAlso, the Microsoft Graph Credential Export Tool will now appear. " -ForegroundColor Green Write-Host "In the fields labeled, Username & Password, enter: $($AzureAD.Account) and password." -ForegroundColor Black -BackgroundColor White Write-Host "Then click the button, Export Tenant Credentials" -ForegroundColor Black -BackgroundColor White Export-GraphConfig -Tenant $Tenant } if ($ReturnAppObject) { $ConfigObject } } |