If you want to delegate administration of Office 365 to non-Global-Admins, you need to delegate Admin or User Consent to Microsoft Graph PowerShell for the following scopes:
- User.ReadWrite.All
- Group.ReadWrite.All
- Domain.Read.All
- Directory.ReadWrite.All
- offline_access
If you have not configured Consent for your own global admin account, you can set up Admin Consent by running the following command:
Connect-MgGraph -Scope "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"This will open an Oauth2 authentication dialog where you must click “Consent on behalf of your organization”. This is also referred to as Admin Consent and will allow your non-global admins to use Microsoft Graph PowerShell (they still need proper Azure roles to manage resources):
Configure Admin and User Consent With PowerShell
If your global admin account has already been granted Consent, you’ll not get the option to grant the Admin Consent (read this article to understand why).
In that case, you can run the below script to configure the necessary Microsoft Graph PowerShell Admin or User Consent.
The script preserves any existing Admin Consent already configured on Microsoft Graph PowerShell.
However, if you select option 3 (“Remove all Admin Consent from Microsoft Graph PowerShell”), then all Admin Consent is removed (User Consent is not modified).
You can also use the script to grant User Consent to individual users for improved security.
Remember that admin consent does not grant any resource permissions to users. You still need to delegate the proper Azure roles to your admins:
- User Administrator role
- License Administrator role
- Exchange Recipient Administrator role
Refer to the Easy365Manager documentation for more information.
# This script creates admin consent to let Microsoft PowerShell Graph access Microsoft Graph.
# The consent includes Read/Write to Users, Groups and Directory plus Domain Read access and long lived refresh tokens.
# Feel free to modify the script but include the following line:
# Easy365Manager - The Office 365 Management Tool for Active Directory: https://easy365manager.com
# Feel free to publish the script (with any modifications) but link credits to the following page:
# https://www.easy365manager.com/configure-microsoft-graph-powershell-for-easy365manager-delegation/
$ErrorActionPreference = "Stop"
$Scope = "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"
$MSGraphPS_AppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
$MSGraph_AppId = "00000003-0000-0000-c000-000000000000"
$MicrosoftPowerShellGraph_Id = $null
$Microsoftgraph_Id = $null
Function Show-Menu {
Clear-Host
Write-Host "Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management."
Write-Host "Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf."
Write-Host
Write-Host "This script allows a Global Admin to configure an Admin or User Consent, enabling non-Global-Admins to call the SDK."
Write-Host "The Admin/User Consent does not grant users any rights. It only enables the SDK to use users' existing rights."
Write-Host
Write-Host "If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X')."
Write-Host "If all Easy365Managers are Global Admins, you can skip this step (press 'X')."
Write-Host
Write-Host "Only Global Admin role holders will be able to use Easy365Manager until the Admin Consent has been configured."
Write-Host
Write-Host "Consult the Easy365Manager documentation for more information:"
Write-Host "https://easy365manager.com/microsoft-graph-powershell-admin-consent/"
Write-Host
Write-Host "==================================================================="
Write-Host "=== Configure Admin/User Consent for Microsoft Graph PowerShell ==="
Write-Host "==================================================================="
Write-Host
If (Check-MgContext) {
Write-Host Connected to tenant: ((Get-MgDomain | Where-Object { $_.IsInitial -eq $true }).Id)
Write-Host
}
Write-Host "C: Press 'C' to connect to Microsoft Graph PowerShell."
If (Check-MgContext){
Write-Host " "
Write-Host "1: Press '1' to configure Admin Consent."
Write-Host "2: Press '2' to see the current Admin Consent configuration."
Write-Host "3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell."
Write-Host
Write-Host "4: Press '4' to configure User Consent."
Write-Host "5: Press '5' to see the current User Consent configuration."
Write-Host "6: Press '6' to remove single User Consent from Microsoft Graph PowerShell."
Write-Host
Write-Host "7: Press '7' to view all consent configured for Microsoft Graph PowerShell."
}
Write-Host
Write-Host "X: Press 'X' to exit."
Write-Host
}
Function Write-Consent ($Principal) {
Try {
Write-Host
$ScopeMod = $Scope
$User = "Admin"
$PrincipalID = $null
If ($Principal -ne $null){
$User = "User (" + $Principal + ")"
$PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
}
$ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID } -ErrorAction Stop
If ($ExistingAdminConsent -eq $null) {
Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
Write-Host
Write-Host "Configuring $User Consent for Microsoft Graph PowerShell."
Write-Host
If ($PrincipalID -eq $null){
New-MgOAuth2PermissionGrant -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope $Scope -ErrorAction Stop
}
Else {
New-MgOAuth2PermissionGrant -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "Principal" -PrincipalId $PrincipalID -ResourceId $Script:MicrosoftGraph_Id -Scope $Scope -ErrorAction Stop
}
}
Else {
Write-Host "Existing $User Consent was found for Microsoft Graph PowerShell:"
Write-Host
Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n`r")) -ForegroundColor Yellow
Write-Host
Write-Host "Merging missing scopes to support Easy365Manager administration."
If ($ExistingAdminConsent.Scope.IndexOf("Domain.ReadWrite.All") -ge 0) {
$ScopeMod = $ScopeMod.Replace("Domain.Read.All", "Domain.ReadWrite.All")
}
$NewScope = $ScopeMod.Split(" ") + ($ScopeMod.Split(" ") | Where-Object {$ExistingAdminConsent.Scope.Split(" ") -notcontains $_})
If ($PrincipalID -eq $null){
Update-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope ($NewScope -Join " ") -ErrorAction Stop
}
Else {
Update-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "Principal" -PrincipalId $PrincipalID -ResourceId $Script:MicrosoftGraph_Id -Scope ($NewScope -Join " ") -ErrorAction Stop
}
}
Write-Host
Write-Host Configuration succeeded. -ForegroundColor Green
Write-Host
Write-Host "Please allow up to five minutes before the new configuration is visible."
}
Catch {
Write-Host Configuration failed: $Error[0].Exception.Message -ForegroundColor Red
If ($Error[0].Exception.Source -eq "Microsoft.Graph.Authentication") {
Connect-ToGraph
}
}
Write-Host
Read-Host "Press Enter to continue"
}
Function Read-Consent ($Principal) {
Try {
Write-Host
$User = "Admin"
$PrincipalID = $null
If ($Principal -ne $null){
$User = "User (" + $Principal + ")"
$PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
}
$ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID } -ErrorAction Stop
If ($ExistingAdminConsent -eq $null) {
Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
}
Else {
Write-Host Existing $User Consent for Microsoft Graph PowerShell:
Write-Host
Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n`r")) -ForegroundColor Yellow
}
Write-Host
Write-Host The following $User Consent is missing to support Easy365Manager administration:
Write-Host
If ($ExistingAdminConsent -eq $null){
$ExistingScope = ""
}
Else {
$ExistingScope = $ExistingAdminConsent.Scope
}
If ($ExistingScope.IndexOf("Domain.ReadWrite.All") -ge 0) {
$ExistingScope = $ExistingScope.Replace("Domain.ReadWrite.All", "Domain.Read.All")
}
$MissingScope = ($Scope.Split(" ") | Where-Object {$ExistingScope.Split(" ") -notcontains $_})
If ($MissingScope -eq $null) {
Write-Host All set up! -ForegroundColor Green
}
Else {
Write-Host ($MissingScope -Join "`n") -ForegroundColor Yellow
}
Write-Host
Write-Host "(Recent changes may take up to five minutes before they become visible.)"
}
Catch {
Write-Host Failed to read configuration: $Error[0].Exception.Message -ForegroundColor Red
}
Write-Host
Read-Host "Press Enter to continue"
}
Function Remove-Consent ($Principal) {
Write-Host
$User = "Admin"
$PrincipalID = $null
If ($Principal -ne $null){
$User = "User (" + $Principal + ")"
$PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
}
$ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID}
If ($ExistingAdminConsent -eq $null) {
Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
Write-Host
}
Else {
Write-Host "Existing $User Consent was found for Microsoft Graph PowerShell:"
Write-Host
Write-Host ($ExistingAdminConsent.Scope.Replace(" ", "`n`r")) -ForegroundColor Yellow
$ExistingAdminConsent | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
Write-Host
Write-Host "Removed all $User Consent from Microsoft Graph PowerShell."
}
Write-Host
Read-Host "Press Enter to continue"
}
Function View-AllConsent {
$PermGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $Script:MicrosoftPowerShellGraph_Id }
$GrantList = @()
ForEach ($PermGrant In $PermGrants) {
$Grant = New-Object PSObject -Property @{
User = If ($PermGrant.PrincipalId -ne $null) { (Get-MgUser -UserId $PermGrant.PrincipalId).UserPrincipalName } Else { "*** Admin_Consent ***" }
Scope = $PermGrant.Scope.Trim()
}
$GrantList += $Grant
}
$GrantList | ft -AutoSize
Write-Host
Read-Host "Press Enter to continue"
}
Function Connect-ToGraph {
Write-Host
Write-Host "Connecting to Microsoft PowerShell Graph."
Write-Host
Write-Host "(If asked, you don't need to consent to the permissions requested on behalf of your organization during the login.)"
Write-Host
If ((Get-MgContext) -ne $null){
Disconnect-MgGraph
}
Try{
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All Directory.AccessAsUser.All Directory.ReadWrite.All"
Write-Host
Write-Host "Connected to Microsoft Graph PowerShell:"
Get-MgContext
}
Catch {
Write-Host Failed to connect to Microsoft Graph PowerShell: $Error[0].Exception.Message -ForegroundColor Red
}
Write-Host
Read-Host "Press Enter to continue"
}
Function Check-MgContext {
$Context = Get-MgContext
If ($Context -eq $null){
Return $false
}
Write-Host "Connecting...`r" -NoNewline
If ($Context.Scopes.IndexOf("DelegatedPermissionGrant.ReadWrite.All") -lt 0 -or $Context.Scopes.IndexOf("Directory.AccessAsUser.All") -lt 0 -or $Context.Scopes.IndexOf("Directory.ReadWrite.All") -lt 0){
Return $false
}
If ($Script:MicrosoftPowerShellGraph_Id -eq $null -or $Script:Microsoftgraph_Id -eq $null) {
$Script:MicrosoftPowerShellGraph_Id = (Get-MgServicePrincipal -All | Where-Object { $_.AppId -eq $Script:MSGraphPS_AppId}).Id
$Script:Microsoftgraph_Id = (Get-MgServicePrincipal -All | Where-Object { $_.AppId -eq $Script:MSGraph_AppId}).Id
}
Return $true
}
Function GetUserID($PrincipalID){
Try{
$
}
Catch {
Write-Host Failed to connect to Microsoft Graph PowerShell: $Error[0].Exception.Message -ForegroundColor Red
}
}
$Exit = $false
While ($Exit -eq $false) {
Show-Menu
$selection = Read-Host "Enter your selection"
switch ($selection) {
'C' {
Connect-ToGraph
}
'1' {
Write-Consent
}
'2' {
Read-Consent
}
'3' {
Remove-Consent
}
'4' {
Write-Consent (Read-Host "Enter user ID to grant consent to")
}
'5' {
Read-Consent (Read-Host "Enter user ID to read consent for")
}
'6' {
Remove-Consent (Read-Host "Enter user ID to remove consent from")
}
'7' {
View-AllConsent
}
'X' {
$Exit = $true
}
}
}After running the script and connecting to your tenant you will have the following options:
Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management. Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf. This script allows a Global Admin to configure an Admin or User Consent, enabling non-Global-Admins to call the SDK. The Admin/User Consent does not grant users any rights. It only enables the SDK to use users' existing rights. If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X'). If all Easy365Managers are Global Admins, you can skip this step (press 'X'). Only Global Admin role holders will be able to use Easy365Manager until the Admin/User Consent has been configured. Consult the Easy365Manager documentation for more information: https://easy365manager.com/microsoft-graph-powershell-admin-consent/ =================================================================== === Configure Admin/User Consent for Microsoft Graph PowerShell === =================================================================== Connected to tenant: skrubbeltrang.onmicrosoft.com C: Press 'C' to connect to Microsoft Graph PowerShell. 1: Press '1' to configure Admin Consent. 2: Press '2' to see the current Admin Consent configuration. 3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell. 4: Press '4' to configure User Consent. 5: Press '5' to see the current User Consent configuration. 6: Press '6' to remove single User Consent from Microsoft Graph PowerShell. 7: Press '7' to view all consent configured for Microsoft Graph PowerShell. X: Press 'X' to exit. Enter your selection:
Select ‘1’ to set up Admin Consent to allow (all) non-Global-Admins to run Easy365Manager.
Select ‘4’ to set up User Consent on a per-user basis to run Easy365Manager.