GDAP Partner Access With M365 PowerShell Modules
We can use our partner delegated access (GDAP) to authenticate to client tenants directly, without a separate admin account in each tenant. We sign in as ourselves, and the delegated relationship supplies the access.
Pre-requisites
It is highly recommended to use PowerShell 7+ with any of the following modules. Microsoft has ceased feature development on Windows PowerShell (5.1, the "blue" window); all current and future work goes into the cross-platform PowerShell (formerly PowerShell Core). The modules may continue to work in Windows PowerShell, but the best experience is with the latest PowerShell release.
To install PowerShell 7+, search the Microsoft store for PowerShell.
You will need the Exchange organization name (the client's initial .onmicrosoft.com domain) and the tenant ID of the client tenant to authenticate with delegated access. Both are listed in the Partner Center customer list (partner.microsoft.com).
Exchange Online
To connect to Exchange Online PowerShell with delegated access:
Connect-ExchangeOnline -DelegatedOrganization domain.onmicrosoft.com
You will be redirected to authenticate in a web browser. Sign in with your own (partner) Microsoft 365 credentials.
Purview
Similar to Exchange Online, we connect using the DelegatedOrganization parameter, but we must also specify the client tenant's authorization endpoint:
# Client tenant ID from Partner Center
$TenantID = 'dac510b8-85bc-43f6-85d4-dc29d0b1bdd7'
# The authorization endpoint is pinned to the client tenant so the token is issued for that tenant
Connect-IPPSSession -DelegatedOrganization domain.onmicrosoft.com -AzureADAuthorizationEndpointUri https://login.microsoftonline.com/$TenantID/oauth2/authorize
Microsoft Teams
To connect to Microsoft Teams, specify the TenantID of the client tenant as follows:
Connect-MicrosoftTeams -TenantID dac510b8-85bc-43f6-85d4-dc29d0b1bdd7
Microsoft Graph
Microsoft Graph Module with Pre-Authorization
The Microsoft Graph module uses an Entra ID enterprise application for sign-in authorization. A global admin must add and consent to this application in the client tenant before a partner account can use it.
Just like the Teams module, specify the client tenant ID with Connect-MgGraph:
Connect-MGGraph -TenantID dac510b8-85bc-43f6-85d4-dc29d0b1bdd7
Microsoft Graph Module without Pre-Authorization
To connect with the Microsoft Graph PowerShell module without the pre-authorized application, we first need a Graph access token for the client tenant. We can obtain one with the Az module, although this grants only limited read permissions.
# Connect as yourself with Connect-AzAccount
Connect-AzAccount
# Get a Graph access token for the client tenant
$GraphToken = Get-AzAccessToken -TenantId dac510b8-85bc-43f6-85d4-dc29d0b1bdd7 -ResourceUrl https://graph.microsoft.com
# Connect to graph with the access token
Connect-MGGraph -AccessToken ($GraphToken.Token | ConvertTo-SecureString -AsPlainText -Force)
Alternatively, you can sign in to the Entra ID portal or the Intune admin center through the Partner Center link and use the browser developer tools to capture the HTTP calls to graph.microsoft.com.
Copy the authorization token from the request header and use it with either the Invoke-RestMethod cmdlet or the Connect-MgGraph cmdlet from the Microsoft.Graph.Authentication module.
This gives you the same level of permissions that you hold in the web admin portal, and the token expires with that browser session.
$SecureToken = 'Bearer ' + {JSON Web Token Copied from the browser} | ConvertTo-SecureString -AsPlainText -Force
Connect-MGGraph -AccessToken $SecureToken
AzureAD
To connect using the AzureAD module, simply provide the client tenant ID:
Connect-AzureAD -TenantID dac510b8-85bc-43f6-85d4-dc29d0b1bdd7
SharePoint Online
With the Microsoft.Online.SharePoint.PowerShell module we connect by specifying the client's SharePoint admin URL and an authentication URL containing the client tenant ID:
# If using PowerShell 7, import the module with backwards compatibility
Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell
# Client tenant ID from Partner Center
$TenantID = 'dac510b8-85bc-43f6-85d4-dc29d0b1bdd7'
Connect-SPOService -Url https://domain-admin.sharepoint.com -AuthenticationUrl https://login.microsoftonline.com/$TenantID/oauth2/authorize
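The following wrapper is an added example, not part of the original article or a Microsoft cmdlet: it ties the per-module steps above together, validates the tenant ID as a GUID, derives the authorization endpoint and SharePoint admin URL from the client's initial domain, and for Graph confirms that the session actually landed in the intended client tenant rather than the partner's home tenant. The function and parameter names are hypothetical.

```powershell
function Connect-ClientTenant {
    # Example helper (hypothetical name): open GDAP delegated sessions to one client tenant.
    [CmdletBinding()]
    param(
        # Client tenant ID (GUID) as listed in Partner Center
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$TenantID,

        # Client's initial domain, e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)]
        [ValidatePattern('\.onmicrosoft\.com$')]
        [string]$Organization,

        # Services to connect; defaults to Exchange Online and Graph
        [ValidateSet('Exchange', 'Purview', 'Teams', 'Graph', 'SharePoint')]
        [string[]]$Service = @('Exchange', 'Graph')
    )

    # Authorization endpoint pinned to the client tenant, so tokens are issued
    # for that tenant and not for the partner's home tenant
    $AuthUrl  = "https://login.microsoftonline.com/$TenantID/oauth2/authorize"
    # SharePoint admin URL is the tenant prefix plus "-admin"
    $Prefix   = ($Organization -split '\.')[0]
    $AdminUrl = "https://$Prefix-admin.sharepoint.com"

    # switch over an array evaluates each requested service in turn
    switch ($Service) {
        'Exchange'   { Connect-ExchangeOnline -DelegatedOrganization $Organization }
        'Purview'    { Connect-IPPSSession -DelegatedOrganization $Organization -AzureADAuthorizationEndpointUri $AuthUrl }
        'Teams'      { Connect-MicrosoftTeams -TenantId $TenantID }
        'SharePoint' { Connect-SPOService -Url $AdminUrl -AuthenticationUrl $AuthUrl }
        'Graph'      {
            Connect-MgGraph -TenantId $TenantID
            # Verify the Graph session is scoped to the client tenant before running anything
            $Context = Get-MgContext
            if ($Context.TenantId -ne $TenantID) {
                Disconnect-MgGraph | Out-Null
                throw "Connected to tenant $($Context.TenantId), expected $TenantID"
            }
        }
    }
}

# Usage (placeholder GUID): Connect-ClientTenant -TenantID '<client tenant GUID>' -Organization 'contoso.onmicrosoft.com' -Service Exchange, Graph
```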
Conclusion
By combining partner delegated access with the appropriate PowerShell modules, we can manage client tenants efficiently without maintaining separate admin accounts in each tenant.