Configure Microsoft Graph PowerShell for Easy365Manager Delegation

Configure Admin Consent for Easy365Manager delegation

If you want to delegate administration of Office 365 to non-Global-Admins you need to delegate admin consent to Microsoft Graph PowerShell for the following scopes:

  • User.ReadWrite.All
  • Group.ReadWrite.All
  • Domain.Read.All
  • Directory.ReadWrite.All
  • offline_access

If you have not yet granted a personal consent for your own account, you can set up the admin consent by running the following command and selecting “Consent on behalf of your organization”:

Connect-MgGraph -Scopes "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"

If you have already been granted a personal consent, you will not get the option to grant the admin consent.

(read this article to understand why.)

In that case, you can run the script below to configure the necessary Microsoft Graph PowerShell admin consent.

The script preserves any existing Admin Consent already configured on Microsoft Graph PowerShell.

However, if you select option 3 (“Remove all admin consent from Microsoft Graph PowerShell”) then all admin consent is removed (personal consent is not modified).

Keep in mind that admin consent does not grant any permissions to users. You still need to delegate the proper rights to your admins:

  • User Administrator role
  • License Administrator role
  • Exchange Recipient Administrator role

Refer to the Easy365Manager documentation for more information.

# This script creates admin consent to let Microsoft Graph PowerShell access Microsoft Graph.
# The consent includes Read/Write to Users, Groups and Directory plus Domain Read access and long-lived refresh tokens.
# Feel free to modify the script but include the following line:
# Easy365Manager - The Office 365 Management Tool for Active Directory: https://easy365manager.com
# Feel free to publish the script (with any modifications) but link credits to the following page:
# https://www.easy365manager.com/configure-microsoft-graph-powershell-for-easy365manager-delegation/
$ErrorActionPreference = "Stop"
# Delegated scopes the admin consent must cover (space-separated, which is how Microsoft Graph stores them).
$Scope = "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"
# Well-known application IDs: the Microsoft Graph PowerShell client and the Microsoft Graph resource.
$MSGraphPS_AppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
$MSGraph_AppId = "00000003-0000-0000-c000-000000000000"
# Service principal object IDs in this tenant; resolved by Check-MgContext once connected.
$MicrosoftPowerShellGraph_Id = $null
$MicrosoftGraph_Id = $null
Function Show-Menu {
    Clear-Host
    Write-Host "Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management."
    Write-Host "Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf."
    Write-Host 
    Write-Host "This script allows a Global Admin to configure an Admin Consent enabling non-Global-Admins to call the SDK."
    Write-Host "The Admin Consent does not grant users any rights. It only enables the SDK to use users' existing rights."
    Write-Host
    Write-Host "If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X')."
    Write-Host "If all Easy365Managers are Global Admins, you can skip this step (press 'X')."
    Write-Host
    Write-Host "Only Global Admin role holders will be able to use Easy365Manager until the Admin Consent has been configured."
    Write-Host
    Write-Host "Consult the Easy365Manager documentation for more information:"
    Write-Host "https://easy365manager.com/microsoft-graph-powershell-admin-consent/"
    Write-Host
    Write-Host "=============================================================="
    Write-Host "=== Configure Admin Consent for Microsoft Graph PowerShell ==="
    Write-Host "=============================================================="
    Write-Host
    $Connected = Check-MgContext
    If ($Connected) {
        Write-Host "Connected to tenant: $((Get-MgDomain | Where-Object { $_.IsInitial -eq $true }).Id)"
        Write-Host
    }
    Write-Host "C: Press 'C' to connect to Microsoft Graph PowerShell."
    If ($Connected) {
        Write-Host "1: Press '1' to configure Admin Consent."
        Write-Host "2: Press '2' to see the current Admin Consent configuration."
        Write-Host "3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell."
    }
    Write-Host "X: Press 'X' to exit."
    Write-Host
}
Function Write-Consent {
    Try {
        Write-Host
        # Admin consent is the grant with ConsentType AllPrincipals; such grants carry no PrincipalId.
        $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All -ErrorAction Stop | Where-Object { $_.ClientId -eq $Script:MicrosoftPowerShellGraph_Id -and $null -eq $_.PrincipalId }
        $ScopeMod = $Scope
        If ($null -eq $ExistingAdminConsent) {
            Write-Host "No existing Admin Consent was found for Microsoft Graph PowerShell."
            Write-Host
            Write-Host "Configuring Admin Consent for Microsoft Graph PowerShell."
            Write-Host
            New-MgOAuth2PermissionGrant -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope $Scope -ErrorAction Stop
        }
        Else {
            Write-Host "Existing Admin Consent was found for Microsoft Graph PowerShell:"
            Write-Host
            Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n")) -ForegroundColor Yellow
            Write-Host
            Write-Host "Merging missing scopes to support Easy365Manager administration."
            # An existing Domain.ReadWrite.All grant already covers Domain.Read.All; keep the broader scope instead of adding both.
            If ($ExistingAdminConsent.Scope.IndexOf("Domain.ReadWrite.All") -ge 0) {
                $ScopeMod = $ScopeMod.Replace("Domain.Read.All", "Domain.ReadWrite.All")
            }
            # Required scopes not yet granted, followed by everything already granted, so existing consent is preserved.
            $NewScope = ($ScopeMod.Split(" ") | Where-Object { $ExistingAdminConsent.Scope.Split(" ") -notcontains $_ }) + $ExistingAdminConsent.Scope.Trim().Split(" ")
            Update-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope ($NewScope -Join " ") -ErrorAction Stop
        }
        Write-Host
        Write-Host "Configuration succeeded." -ForegroundColor Green
        Write-Host
        Write-Host "Please allow up to five minutes before the new configuration is visible."
    }
    Catch {
        Write-Host "Configuration failed: $($_.Exception.Message)" -ForegroundColor Red
        # An authentication error usually means the session lacks the scopes needed to write grants; reconnect.
        If ($_.Exception.Source -eq "Microsoft.Graph.Authentication") {
            Connect-ToGraph
        }
    }
    Write-Host
    Read-Host "Press Enter to continue"
}
Function Read-Consent {
    Try {
        Write-Host
        $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All -ErrorAction Stop | Where-Object { $_.ClientId -eq $Script:MicrosoftPowerShellGraph_Id -and $null -eq $_.PrincipalId }
        If ($null -eq $ExistingAdminConsent) {
            Write-Host "No existing Admin Consent was found for Microsoft Graph PowerShell."
        }
        Else {
            Write-Host "Existing Admin Consent for Microsoft Graph PowerShell:"
            Write-Host
            Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n")) -ForegroundColor Yellow
        }
        Write-Host
        Write-Host "The following Admin Consent is missing to support Easy365Manager administration:"
        Write-Host
        If ($null -eq $ExistingAdminConsent) {
            $ExistingScope = ""
        }
        Else {
            $ExistingScope = $ExistingAdminConsent.Scope
        }
        # Domain.ReadWrite.All already covers Domain.Read.All, so treat it as satisfying the requirement.
        If ($ExistingScope.IndexOf("Domain.ReadWrite.All") -ge 0) {
            $ExistingScope = $ExistingScope.Replace("Domain.ReadWrite.All", "Domain.Read.All")
        }
        $MissingScope = ($Scope.Split(" ") | Where-Object { $ExistingScope.Split(" ") -notcontains $_ })
        If ($null -eq $MissingScope) {
            Write-Host "All set up!" -ForegroundColor Green
        }
        Else {
            Write-Host ($MissingScope -Join "`n") -ForegroundColor Yellow
        }
        Write-Host
        Write-Host "(Recent changes may take up to five minutes before they become visible.)"
    }
    Catch {
        Write-Host "Failed to read configuration: $($_.Exception.Message)" -ForegroundColor Red
    }
    Write-Host
    Read-Host "Press Enter to continue"
}
Function Remove-Consent {
    Write-Host
    $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $Script:MicrosoftPowerShellGraph_Id -and $null -eq $_.PrincipalId }
    If ($null -eq $ExistingAdminConsent) {
        Write-Host "No existing Admin Consent was found for Microsoft Graph PowerShell."
        Write-Host
    }
    Else {
        Write-Host "Existing Admin Consent was found for Microsoft Graph PowerShell:"
        Write-Host
        Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n")) -ForegroundColor Yellow
        # Only the tenant-wide (AllPrincipals) grants are removed; per-user consent is left untouched.
        $ExistingAdminConsent | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
        Write-Host
        Write-Host "Removed all Admin Consent from Microsoft Graph PowerShell."
    }
    Write-Host
    Read-Host "Press Enter to continue"
}
Function Connect-ToGraph {
    Write-Host
    Write-Host "Connecting to Microsoft Graph PowerShell."
    Write-Host
    Write-Host "(If asked, you don't need to consent to the permissions requested on behalf of your organization during the login.)"
    Write-Host
    If ($null -ne (Get-MgContext)) {
        Disconnect-MgGraph
    }
    Try {
        # Scopes needed to read and write OAuth2 permission grants and to resolve service principals.
        Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All Directory.AccessAsUser.All Directory.ReadWrite.All"
        Write-Host
        Write-Host "Connected to Microsoft Graph PowerShell:"
        Get-MgContext
    }
    Catch {
        Write-Host "Failed to connect to Microsoft Graph PowerShell: $($_.Exception.Message)" -ForegroundColor Red
    }
    Write-Host
    Read-Host "Press Enter to continue"
}
Function Check-MgContext {
    $Context = Get-MgContext
    If ($null -eq $Context) {
        Return $false
    }
    Write-Host "Connecting...`r" -NoNewline
    # The session must hold the scopes needed to read and write OAuth2 permission grants.
    If ($Context.Scopes.IndexOf("DelegatedPermissionGrant.ReadWrite.All") -lt 0 -or $Context.Scopes.IndexOf("Directory.AccessAsUser.All") -lt 0 -or $Context.Scopes.IndexOf("Directory.ReadWrite.All") -lt 0) {
        Return $false
    }
    # Resolve the service principal object IDs once; filter server-side instead of paging every service principal.
    If ($null -eq $Script:MicrosoftPowerShellGraph_Id -or $null -eq $Script:MicrosoftGraph_Id) {
        $Script:MicrosoftPowerShellGraph_Id = (Get-MgServicePrincipal -Filter "appId eq '$($Script:MSGraphPS_AppId)'").Id
        $Script:MicrosoftGraph_Id = (Get-MgServicePrincipal -Filter "appId eq '$($Script:MSGraph_AppId)'").Id
    }
    Return $true
}
$Exit = $false
While ($Exit -eq $false) {
    Show-Menu
    $selection = Read-Host "Enter your selection"
    switch ($selection) {
        'C' {
            Connect-ToGraph
        }
        '1' {
            Write-Consent
        }
        '2' {
            Read-Consent
        }
        '3' {
            Remove-Consent
        }
        'X' {
            $Exit = $true
        }
    }
}

After running the script and connecting to your tenant you will have the following options:

Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management.
Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf.
This script allows a Global Admin to configure an Admin Consent enabling non-Global-Admins to call the SDK.
The Admin Consent does not grant users any rights. It only enables the SDK to use users' existing rights.
If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X').
If all Easy365Managers are Global Admins, you can skip this step (press 'X').
Only Global Admin role holders will be able to use Easy365Manager until the Admin Consent has been configured.
Consult the Easy365Manager documentation for more information:
https://easy365manager.com/microsoft-graph-powershell-admin-consent/
==============================================================
=== Configure Admin Consent for Microsoft Graph PowerShell ===
==============================================================
Connected to tenant: skrubbeltrang.onmicrosoft.com
C: Press 'C' to connect to Microsoft Graph PowerShell.
1: Press '1' to configure Admin Consent.
2: Press '2' to see the current Admin Consent configuration.
3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell.
X: Press 'X' to exit.
Enter your selection:

Select ‘1’ to set up the Admin Consent to allow non-Global-Admins to run Easy365Manager.
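To verify the result without the interactive menu, here is an added example (not part of the Easy365Manager script) that lists every tenant-wide delegated grant on Microsoft Graph and reports which of the required scopes are still missing from the Microsoft Graph PowerShell grant. It assumes an existing Connect-MgGraph session that can read service principals and OAuth2 permission grants; the function names are my own.

```powershell
# Added example, not the Easy365Manager script: audit tenant-wide (AllPrincipals) delegated grants on
# Microsoft Graph and check the Microsoft Graph PowerShell grant against the scopes Easy365Manager needs.
# Assumes an existing Connect-MgGraph session able to read service principals and OAuth2 permission grants.
$RequiredScope   = "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"
$MSGraphPS_AppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"   # Microsoft Graph PowerShell client (from the page)
$MSGraph_AppId   = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource (from the page)

Function Get-TenantWideGrantReport {
    # Resolve the Microsoft Graph resource server-side instead of paging every service principal.
    $GraphSp = Get-MgServicePrincipal -Filter "appId eq '$MSGraph_AppId'"
    # Admin consent is a grant with ConsentType AllPrincipals; such grants carry no PrincipalId.
    $Grants = Get-MgOauth2PermissionGrant -All -Filter "resourceId eq '$($GraphSp.Id)'" |
        Where-Object { $_.ConsentType -eq "AllPrincipals" }
    ForEach ($Grant in $Grants) {
        $Client  = Get-MgServicePrincipal -ServicePrincipalId $Grant.ClientId
        $Granted = @($Grant.Scope.Trim().Split(" ") | Where-Object { $_ -ne "" })
        [PSCustomObject]@{
            Client            = $Client.DisplayName
            AppId             = $Client.AppId
            GrantId           = $Grant.Id
            ScopeCount        = $Granted.Count
            # Tenant-wide directory write access is the grant worth reviewing on a schedule.
            HasDirectoryWrite = [bool]($Granted -contains "Directory.ReadWrite.All")
            Scopes            = (($Granted | Sort-Object) -join " ")
        }
    }
}

Function Test-Easy365ManagerConsent {
    # Returns the required scopes not yet covered by the Microsoft Graph PowerShell admin consent.
    # Domain.ReadWrite.All is treated as covering Domain.Read.All, as the page's script does.
    $ClientSp = Get-MgServicePrincipal -Filter "appId eq '$MSGraphPS_AppId'"
    $GraphSp  = Get-MgServicePrincipal -Filter "appId eq '$MSGraph_AppId'"
    $Existing = @()
    If ($null -ne $ClientSp) {   # no service principal yet means nobody has consented to the client at all
        $Grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($ClientSp.Id)' and resourceId eq '$($GraphSp.Id)'" |
            Where-Object { $_.ConsentType -eq "AllPrincipals" } | Select-Object -First 1
        If ($null -ne $Grant) { $Existing = @($Grant.Scope.Trim().Split(" ") | Where-Object { $_ -ne "" }) }
    }
    If ($Existing -contains "Domain.ReadWrite.All") { $Existing += "Domain.Read.All" }
    $RequiredScope.Split(" ") | Where-Object { $Existing -notcontains $_ }
}

Get-TenantWideGrantReport | Format-Table -AutoSize
$Missing = @(Test-Easy365ManagerConsent)
If ($Missing.Count -eq 0) { Write-Host "Easy365Manager admin consent is complete." -ForegroundColor Green }
Else { Write-Host "Missing scopes: $($Missing -join ' ')" -ForegroundColor Yellow }
```

The report is a convenient thing to run periodically: any client that shows HasDirectoryWrite as True holds tenant-wide directory write consent and should be one you recognise.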
