As you may already know, Microsoft is retiring the Office 365 PowerShell cmdlets, and Microsoft recommends the Microsoft.Graph PowerShell SDK in place of the Office 365 PowerShell modules. This article shows how to create an Azure AD application with the permissions needed to manage Office 365 resources.
Note that SmartProfiler for Office 365 Assessment does not use an Azure AD application to get data from the Office 365 tenant. Instead it uses a Global Administrator account to connect to all Office 365 services and then runs the assessment.
However, there are times when you will want to use the Microsoft.Graph PowerShell SDK to connect to Office 365. Microsoft provides the Connect-Graph cmdlet as part of Microsoft.Graph to connect to Office 365 services, but not all PowerShell cmdlets can fetch all of the information. The Graph API, used through the Microsoft.Graph SDK, can collect 99% of the information from the Office 365 services. To use it you must register an Azure AD application and assign it the necessary permissions.
This article explains how to create an Azure AD application with the permissions needed for all Office 365 services, to be used with the Microsoft.Graph module. Before we dive into creating the application, here are the permissions needed for each Office 365 service:
Here are the permissions needed for Exchange Online Services. [permission list shown as an image; not reproduced in the page text]
Here are the permissions needed for Office 365 Users and Groups. [permission list shown as an image; not reproduced in the page text]
Here are the permissions needed for SharePoint Online Services. [permission list shown as an image; not reproduced in the page text]
Here are the permissions needed for Microsoft Teams Services. [permission list shown as an image; not reproduced in the page text]
Here are the permissions needed for Microsoft Intune Services. [permission list shown as an image; not reproduced in the page text]
Here are the permissions needed for Microsoft OneDrive Services. [permission list shown as an image; not reproduced in the page text]
Before executing the script below, make sure the following requirements are met, or run the commands exactly as shown:
• Install-Module -Name AzureAD
• Import-Module AzureAD
• Read-Host "Enter Password" -AsSecureString | ConvertFrom-SecureString | Out-File D:\Scripts\pass.txt
Note that the command above saves the password of the Global Administrator account (or of another account with sufficient permissions) to D:\Scripts\pass.txt. ConvertFrom-SecureString without a -Key encrypts the value with the Windows Data Protection API (DPAPI), so the file can only be read back by the same user account on the same machine. The script below reads this file to build the credential it uses to create the Azure AD application with the permissions needed for the Microsoft.Graph module.
Once you have met all prerequisites, save the PowerShell script below in a .ps1 file and execute it from an elevated prompt. Note that you need to provide the Global Admin account UPN in the $owner variable of the script.
$owner = ""                    ## Enter the UPN of your Global Admin account (becomes the application owner)
$appName = "AppforPowershell"  ## Name of the new PowerShell app
$pass = Get-Content -Path D:\Scripts\pass.txt | ConvertTo-SecureString
$username = ""                 ## Provide the admin account email address used to connect to O365
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $pass
Connect-AzureAD -Credential $Credential
$tenantId = (Get-AzureADTenantDetail).ObjectId
$Guid = New-Guid
$startDate = Get-Date
$allowPassthroughUsers = $false

## Initial password credential (client secret) attached when the application is created.
## Note: it is valid for 20 years; shorten the EndDate if your secret-lifetime policy requires it.
$PasswordCredential = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordCredential
$PasswordCredential.StartDate = $startDate
$PasswordCredential.EndDate = $startDate.AddYears(20)
$PasswordCredential.KeyId = $Guid
$PasswordCredential.Value = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Guid.ToString()))

## Create the application only if one with this display name does not already exist
if (!($myApp = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'" -ErrorAction SilentlyContinue))
{
    $myApp = New-AzureADApplication -DisplayName $appName -PasswordCredentials $PasswordCredential #-AllowPassthroughUsers $false
    # Write-Host $myApp | Out-String | ConvertFrom-Json
}
$appObjectId = $myApp.ObjectId
$appId = $myApp.AppId

<# ************** The code below assigns an owner to the application created above ****************** #>
$currentUser = Get-AzureADUser -ObjectId $owner
Add-AzureADApplicationOwner -ObjectId $myApp.ObjectId -RefObjectId $currentUser.ObjectId

<# ************** The code below assigns API permissions to the application ****************** #>
# Get the service principal of the Microsoft Graph resource API
$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }

# Initialize RequiredResourceAccess for the Microsoft Graph resource API
$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredGraphAccess.ResourceAppId = $graphSP.AppId
$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]

# Set application permissions (Type = "Role")
$ApplicationPermissions = @('User.Read.All', 'Reports.Read.All')

# Add app permissions
ForEach ($permission in $ApplicationPermissions) {
    $reqPermission = $null
    # Look up the app role that matches this permission name
    $reqPermission = $graphSP.AppRoles | Where-Object { $_.Value -eq $permission }
    if ($reqPermission)
    {
        $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
        $resourceAccess.Type = "Role"
        $resourceAccess.Id = $reqPermission.Id
        # Add the required app permission
        $requiredGraphAccess.ResourceAccess.Add($resourceAccess)
    }
    else
    {
        Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
    }
}

# Set delegated permissions (Type = "Scope"). This is the part where you can add permissions.
# Duplicate entries are removed with Select-Object -Unique, because adding the same
# permission twice causes Set-AzureADApplication to reject the manifest update.
$DelegatedPermissions = @(
    'Organization.Read.All', 'Reports.Read.All', 'Directory.Read.All', 'Group.Read.All', 'GroupMember.Read.All',
    'Calendars.Read', 'Mail.Read', 'MailboxSettings.Read', 'Contacts.Read', 'Sites.Read.All', 'Files.Read.All',
    'Team.ReadBasic.All', 'TeamSettings.Read.All', 'TeamMember.Read.All', 'User.Read.All', 'Channel.ReadBasic.All',
    'ChannelSettings.Read.All', 'TeamsAppInstallation.ReadForChat', 'TeamsAppInstallation.ReadForTeam',
    'TeamsAppInstallation.ReadForUser', 'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All',
    'DeviceManagementServiceConfig.Read.All', 'DeviceManagementManagedDevices.Read.All'
) | Select-Object -Unique

# Add delegated permissions
ForEach ($permission in $DelegatedPermissions) {
    $reqPermission = $null
    # Look up the OAuth2 permission scope that matches this permission name
    $reqPermission = $graphSP.Oauth2Permissions | Where-Object { $_.Value -eq $permission }
    if ($reqPermission)
    {
        $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
        $resourceAccess.Type = "Scope"
        $resourceAccess.Id = $reqPermission.Id
        # Add the required delegated permission
        $requiredGraphAccess.ResourceAccess.Add($resourceAccess)
    }
    else
    {
        Write-Host "Delegated permission $permission not found in the Graph Resource API" -ForegroundColor Red
    }
}

# Add the required resource accesses to the application
$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
$requiredResourcesAccess.Add($requiredGraphAccess)

# Set permissions on the existing Azure AD app
Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $requiredResourcesAccess

# Create a second client secret (2-year lifetime) and show it once
$appPassword = New-AzureADApplicationPasswordCredential -ObjectId $appObjectId -CustomKeyIdentifier "AppAccessKey" -EndDate (Get-Date).AddYears(2)
$value = $appPassword.Value
Write-Host "Please note this value and save it in a notepad file, as it will not be displayed again: $value"

## Create the Enterprise Application (service principal) for the Azure AD application
$servicePrincipal = New-AzureADServicePrincipal -AppId $appId -Tags @("WindowsAzureActiveDirectoryIntegratedApp")

## Grant admin consent. This loop assigns the application (Role) permissions to the service principal;
## delegated (Scope) permissions are not consented here.
$requiredResourcesAccess = (Get-AzureADApplication -ObjectId $appObjectId).RequiredResourceAccess
$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $appId }
ForEach ($resourceAppAccess in $requiredResourcesAccess)
{
    $resourceApp = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $resourceAppAccess.ResourceAppId }
    ForEach ($permission in $resourceAppAccess.ResourceAccess)
    {
        if ($permission.Type -eq "Role")
        {
            New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $resourceApp.ObjectId -Id $permission.Id
        }
    }
}
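After the script has run, you will want to confirm what the application was actually granted. This added example, which is not part of the original article, uses the Microsoft.Graph PowerShell SDK (the module the article recommends) to compare the Graph permissions the application manifest requests against the app-role assignments and OAuth2 permission grants that exist in the tenant, and lists the client secrets with their lifetime; because the admin-consent loop above only assigns application (Role) permissions, delegated scopes can show up as requested but not consented. It assumes Microsoft.Graph SDK v2 is installed, that you sign in as an admin able to consent to the two read scopes, and takes the AppId printed by the creation script as its parameter.

```powershell
# Added audit example (not part of the original article). Assumes the Microsoft.Graph
# PowerShell SDK v2 and an admin account able to consent to Application.Read.All and
# Directory.Read.All. Pass the AppId printed by the creation script above.
param([Parameter(Mandatory = $true)][string]$AppId)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known AppId of Microsoft Graph
$graphSP = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$app = Get-MgApplication      -Filter "appId eq '$AppId'"
if (-not $sp -or -not $app) { throw "No application or service principal found for AppId $AppId" }

# What the application manifest requests from Microsoft Graph (Role = application, Scope = delegated)
$requested = ($app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphAppId).ResourceAccess
$requestedRoles  = @(foreach ($r in ($requested | Where-Object Type -eq 'Role'))  { ($graphSP.AppRoles | Where-Object Id -eq $r.Id).Value })
$requestedScopes = @(foreach ($r in ($requested | Where-Object Type -eq 'Scope')) { ($graphSP.Oauth2PermissionScopes | Where-Object Id -eq $r.Id).Value })

# Application permissions actually consented: app role assignments held by the service principal
$assignments  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$grantedRoles = @(foreach ($a in ($assignments | Where-Object ResourceId -eq $graphSP.Id)) { ($graphSP.AppRoles | Where-Object Id -eq $a.AppRoleId).Value })

# Delegated permissions actually admin-consented: tenant-wide (AllPrincipals) OAuth2 permission grants
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$grantedScopes = @(($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.ResourceId -eq $graphSP.Id }).Scope -split ' ' | Where-Object { $_ })

"Application permissions requested but NOT consented:"
$requestedRoles | Where-Object { $_ -notin $grantedRoles }
"Delegated permissions requested but NOT admin-consented:"
$requestedScopes | Where-Object { $_ -notin $grantedScopes }
"Consented permissions the manifest no longer requests (candidates for removal):"
($grantedRoles + $grantedScopes) | Where-Object { $_ -notin ($requestedRoles + $requestedScopes) }

# Client secrets and their lifetime; long-lived secrets should be rotated or replaced with a certificate
"Client secrets:"
$app.PasswordCredentials | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.DisplayName
        Expires  = $_.EndDateTime
        DaysLeft = [int]($_.EndDateTime - (Get-Date)).TotalDays
        Warning  = $(if (($_.EndDateTime - $_.StartDateTime).TotalDays -gt 730) { 'validity longer than 2 years' } else { '' })
    }
}

Disconnect-MgGraph | Out-Null
```

Run it as .\Audit-GraphApp.ps1 -AppId <AppId>; an empty list under each "NOT consented" heading means the manifest and the tenant-wide consent agree.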