Configure Microsoft Graph PowerShell for Easy365Manager Delegation

Microsoft Graph PowerShell - configure consent for Easy365Manager.

If you want to delegate administration of Office 365 to non-Global-Admins, you need to delegate Admin or User Consent to Microsoft Graph PowerShell for the following scopes:

  • User.ReadWrite.All
  • Group.ReadWrite.All
  • Domain.Read.All
  • Directory.ReadWrite.All
  • offline_access

If you have not configured Consent for your own global admin account, you can set up Admin Consent by running the following command:

Connect-MgGraph -Scope "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"

This will open an Oauth2 authentication dialog where you must click “Consent on behalf of your organization”. This is also referred to as Admin Consent and will allow your non-global admins to use Microsoft Graph PowerShell (they still need proper Azure roles to manage resources):

Consent to Microsoft Graph PowerShell with Easy365Manager

Configure Admin and User Consent With PowerShell

If your global admin account has already been granted Consent, you’ll not get the option to grant the Admin Consent (read this article to understand why).

In that case, you can run the below script to configure the necessary Microsoft Graph PowerShell Admin or User Consent.

The script preserves any existing Admin Consent already configured on Microsoft Graph PowerShell.

However, if you select option 3 (“Remove all Admin Consent from Microsoft Graph PowerShell”), then all Admin Consent is removed (User Consent is not modified).

You can also use the script to grant User Consent to individual users for improved security.

Remember that admin consent does not grant any resource permissions to users. You still need to delegate the proper Azure roles to your admins:

  • User Administrator role
  • License Administrator role
  • Exchange Recipient Administrator role

Refer to the Easy365Manager documentation for more information.

# This script creates admin consent to let Microsoft PowerShell Graph access Microsoft Graph.
# The consent includes Read/Write to Users, Groups and Directory plus Domain Read access and long lived refresh tokens.
# Feel free to modify the script but include the following line:
# Easy365Manager - The Office 365 Management Tool for Active Directory: https://easy365manager.com
# Feel free to publish the script (with any modifications) but link credits to the following page:
# https://www.easy365manager.com/configure-microsoft-graph-powershell-for-easy365manager-delegation/

$ErrorActionPreference = "Stop"
$Scope = "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"
$MSGraphPS_AppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
$MSGraph_AppId = "00000003-0000-0000-c000-000000000000"
$MicrosoftPowerShellGraph_Id = $null
$Microsoftgraph_Id = $null


Function Show-Menu {
    Clear-Host
    Write-Host "Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management."
    Write-Host "Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf."
    Write-Host 
    Write-Host "This script allows a Global Admin to configure an Admin or User Consent, enabling non-Global-Admins to call the SDK."
    Write-Host "The Admin/User Consent does not grant users any rights. It only enables the SDK to use users' existing rights."
    Write-Host
    Write-Host "If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X')."
    Write-Host "If all Easy365Managers are Global Admins, you can skip this step (press 'X')."
    Write-Host
    Write-Host "Only Global Admin role holders will be able to use Easy365Manager until the Admin Consent has been configured."
    Write-Host
    Write-Host "Consult the Easy365Manager documentation for more information:"
    Write-Host "https://easy365manager.com/microsoft-graph-powershell-admin-consent/"
    Write-Host
    Write-Host "==================================================================="
    Write-Host "=== Configure Admin/User Consent for Microsoft Graph PowerShell ==="
    Write-Host "==================================================================="
    Write-Host
    If (Check-MgContext) {
        Write-Host Connected to tenant: ((Get-MgDomain | Where-Object { $_.IsInitial -eq $true }).Id)
        Write-Host
    }
    Write-Host "C: Press 'C' to connect to Microsoft Graph PowerShell."
    If (Check-MgContext){
        Write-Host "                                        "
        Write-Host "1: Press '1' to configure Admin Consent."
        Write-Host "2: Press '2' to see the current Admin Consent configuration."
        Write-Host "3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell."
        Write-Host
        Write-Host "4: Press '4' to configure User Consent."
        Write-Host "5: Press '5' to see the current User Consent configuration."
        Write-Host "6: Press '6' to remove single User Consent from Microsoft Graph PowerShell."
        Write-Host
        Write-Host "7: Press '7' to view all consent configured for Microsoft Graph PowerShell."
    }
    Write-Host
    Write-Host "X: Press 'X' to exit."
    Write-Host
}

Function Write-Consent ($Principal) {
    Try {
        Write-Host
        $ScopeMod = $Scope
        $User = "Admin"
        $PrincipalID = $null
        If ($Principal -ne $null){
            $User = "User (" + $Principal + ")"
            $PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
        }
        $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID } -ErrorAction Stop
        If ($ExistingAdminConsent -eq $null) {
            Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
            Write-Host
            Write-Host "Configuring $User Consent for Microsoft Graph PowerShell."
            Write-Host
            If ($PrincipalID -eq $null){
                New-MgOAuth2PermissionGrant -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope $Scope -ErrorAction Stop
            }
            Else {
                New-MgOAuth2PermissionGrant -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "Principal" -PrincipalId $PrincipalID -ResourceId $Script:MicrosoftGraph_Id -Scope $Scope -ErrorAction Stop
            }
        }
        Else {
            Write-Host "Existing $User Consent was found for Microsoft Graph PowerShell:"
            Write-Host
            Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n`r")) -ForegroundColor Yellow
            Write-Host
            Write-Host "Merging missing scopes to support Easy365Manager administration."
            If ($ExistingAdminConsent.Scope.IndexOf("Domain.ReadWrite.All") -ge 0) {
                $ScopeMod = $ScopeMod.Replace("Domain.Read.All", "Domain.ReadWrite.All")
            }
            $NewScope = $ScopeMod.Split(" ") + ($ScopeMod.Split(" ") | Where-Object {$ExistingAdminConsent.Scope.Split(" ") -notcontains $_})
            If ($PrincipalID -eq $null){
                Update-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope ($NewScope -Join " ") -ErrorAction Stop
            }
            Else {
                Update-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "Principal" -PrincipalId $PrincipalID -ResourceId $Script:MicrosoftGraph_Id -Scope ($NewScope -Join " ") -ErrorAction Stop
            }
        }
        Write-Host
        Write-Host Configuration succeeded. -ForegroundColor Green
        Write-Host
        Write-Host "Please allow up to five minutes before the new configuration is visible."
    }
    Catch {
        Write-Host Configuration failed: $Error[0].Exception.Message -ForegroundColor Red
        If ($Error[0].Exception.Source -eq "Microsoft.Graph.Authentication") {
            Connect-ToGraph
        }
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

Function Read-Consent ($Principal) {
    Try {
        Write-Host
        $User = "Admin"
        $PrincipalID = $null
        If ($Principal -ne $null){
            $User = "User (" + $Principal + ")"
            $PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
        }
        $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID } -ErrorAction Stop
        If ($ExistingAdminConsent -eq $null) {
            Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
        }
        Else {
            Write-Host Existing $User Consent for Microsoft Graph PowerShell:
            Write-Host
            Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n`r")) -ForegroundColor Yellow
        }
        Write-Host
        Write-Host The following $User Consent is missing to support Easy365Manager administration:
        Write-Host
        If ($ExistingAdminConsent -eq $null){
            $ExistingScope = ""
        }
        Else {
            $ExistingScope = $ExistingAdminConsent.Scope
        }
        If ($ExistingScope.IndexOf("Domain.ReadWrite.All") -ge 0) {
            $ExistingScope = $ExistingScope.Replace("Domain.ReadWrite.All", "Domain.Read.All")
        }
        $MissingScope = ($Scope.Split(" ") | Where-Object {$ExistingScope.Split(" ") -notcontains $_})
        If ($MissingScope -eq $null) {
            Write-Host All set up! -ForegroundColor Green
        }
        Else {
            Write-Host ($MissingScope -Join "`n") -ForegroundColor Yellow
        }
        Write-Host
        Write-Host "(Recent changes may take up to five minutes before they become visible.)"
    }
    Catch {
        Write-Host Failed to read configuration: $Error[0].Exception.Message -ForegroundColor Red
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

Function Remove-Consent ($Principal) {
    Write-Host
    $User = "Admin"
    $PrincipalID = $null
    If ($Principal -ne $null){
        $User = "User (" + $Principal + ")"
        $PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
    }
    $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID}
    If ($ExistingAdminConsent -eq $null) {
        Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
        Write-Host
    }
    Else {
        Write-Host "Existing $User Consent was found for Microsoft Graph PowerShell:"
        Write-Host
        Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n`r")) -ForegroundColor Yellow
        $ExistingAdminConsent | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
        Write-Host
        Write-Host "Removed all $User Consent from Microsoft Graph PowerShell."
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

Function View-AllConsent {
    $PermGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id }
    $GrantList = @()
    ForEach ($PermGrant In $PermGrants) {
        $Grant = New-Object PSObject -Property @{
            User = If ($PermGrant.PrincipalId -ne $null) { (Get-MgUser -UserId $PermGrant.PrincipalId).UserPrincipalName } Else { "*** Admin_Consent ***" }
            Scope = $PermGrant.Scope.Trim()
        }
        $GrantList += $Grant
    }
    $GrantList | ft -AutoSize
    Write-Host
    Read-Host "Press Enter to continue"
}

Function Connect-ToGraph {
    Write-Host
    Write-Host "Connecting to Microsoft PowerShell Graph."
    Write-Host
    Write-Host "(If asked, you don't need to consent to the permissions requested on behalf of your organization during the login.)"
    Write-Host
    If ((Get-MgContext) -ne $null){
        Disconnect-MgGraph
    }
    Try{
        Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All Directory.AccessAsUser.All Directory.ReadWrite.All"
        Write-Host
        Write-Host "Connected to Microsoft Graph PowerShell:"
        Get-MgContext
    }
    Catch {
        Write-Host Failed to connect to Microsoft Graph PowerShell: $Error[0].Exception.Message -ForegroundColor Red
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

Function Check-MgContext {
    $Context = Get-MgContext
    If ($Context -eq $null){
        Return $false
    }
    Write-Host "Connecting...`r" -NoNewline 
    If ($Context.Scopes.IndexOf("DelegatedPermissionGrant.ReadWrite.All") -lt 0 -or $Context.Scopes.IndexOf("Directory.AccessAsUser.All") -lt 0 -or $Context.Scopes.IndexOf("Directory.ReadWrite.All") -lt 0){
        Return $false
    }
    If ($Script:MicrosoftPowerShellGraph_Id -eq $null -or $Script:Microsoftgraph_Id -eq $null) {
        $Script:MicrosoftPowerShellGraph_Id = (Get-MgServicePrincipal -All | Where-Object { $_.AppId -eq $Script:MSGraphPS_AppId}).Id
        $Script:Microsoftgraph_Id = (Get-MgServicePrincipal -All | Where-Object { $_.AppId -eq $Script:MSGraph_AppId}).Id
    }
    Return $true
}

Function GetUserID($PrincipalID){
    Try{
        $
    }
    Catch {
        Write-Host Failed to connect to Microsoft Graph PowerShell: $Error[0].Exception.Message -ForegroundColor Red
    }
}

$Exit = $false
While ($Exit -eq $false) {
    Show-Menu
    $selection = Read-Host "Enter your selection"
    switch ($selection) {
        'C' {
            Connect-ToGraph
        }
        '1' {
            Write-Consent
        }
        '2' {
            Read-Consent
        }
        '3' {
            Remove-Consent
        }
        '4' {
            Write-Consent (Read-Host "Enter user ID to grant consent to")
        }
        '5' {
            Read-Consent (Read-Host "Enter user ID to read consent for")
        }
        '6' {
            Remove-Consent (Read-Host "Enter user ID to remove consent from")
        }
        '7' {
            View-AllConsent
        }
        'X' {
            $Exit = $true
        }
    }
}

After running the script and connecting to your tenant you will have the following options:

Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management.
Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf.

This script allows a Global Admin to configure an Admin or User Consent, enabling non-Global-Admins to call the SDK.
The Admin/User Consent does not grant users any rights. It only enables the SDK to use users' existing rights.

If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X').
If all Easy365Managers are Global Admins, you can skip this step (press 'X').

Only Global Admin role holders will be able to use Easy365Manager until the Admin/User Consent has been configured.

Consult the Easy365Manager documentation for more information:
https://easy365manager.com/microsoft-graph-powershell-admin-consent/

===================================================================
=== Configure Admin/User Consent for Microsoft Graph PowerShell ===
===================================================================

Connected to tenant: skrubbeltrang.onmicrosoft.com

C: Press 'C' to connect to Microsoft Graph PowerShell.

1: Press '1' to configure Admin Consent.
2: Press '2' to see the current Admin Consent configuration.
3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell.

4: Press '4' to configure User Consent.
5: Press '5' to see the current User Consent configuration.
6: Press '6' to remove single User Consent from Microsoft Graph PowerShell.

7: Press '7' to view all consent configured for Microsoft Graph PowerShell.

X: Press 'X' to exit.

Enter your selection:

Select ‘1’ to set up Admin Consent to allow (all) non-Global-Admins to run Easy365Manager.

Select ‘4’ to set up User Consent on a per-user basis to run Easy365Manager.