GDAP Partner Access With M365 PowerShell Modules

We can use our partner delegated access to authenticate to client tenants directly, as ourselves, without needing an admin account.


It is highly recommended to use PowerShell 7+ with any of the following PowerShell modules. Microsoft has ceased all development on Windows PowerShell (5.1, the “blue” window). All current and future focus is on the cross-platform PowerShell Core. While modules may currently work, and continue to work, with Windows PowerShell, the best experience will be had with the latest version of PowerShell.

To install PowerShell 7+, search the Microsoft Store for PowerShell.

You will need the Exchange organization name and tenant ID of the client tenant to authenticate with delegated access. These can be easily found in the Partner Center customer list.

Exchange Online

To connect to Exchange Online PowerShell with delegated access:

Connect-ExchangeOnline -DelegatedOrganization 

You will be directed to authenticate inside a web browser. Log in with your o365 credentials.


Similar to Exchange Online, we can connect to Security & Compliance PowerShell (Connect-IPPSSession) using the DelegatedOrganization parameter, but we must also specify the authorization endpoint:

$TenantID = 'dac510b8-85bc-43f6-85d4-dc29d0b1bdd7'

Connect-IPPSSession -DelegatedOrganization -AzureADAuthorizationEndpointUri 

Microsoft Teams

To connect to Microsoft Teams, specify the TenantID of the client tenant as follows:

Connect-MicrosoftTeams -TenantID dac510b8-85bc-43f6-85d4-dc29d0b1bdd7 

Microsoft Graph

Microsoft Graph Module with Pre-Authorization

The Microsoft Graph module uses an Entra ID Enterprise Application for sign-in authorization. This application must be added and authorized in the tenant by a global admin before it can be used by a partner account.

Just like the Teams module, specify the tenant ID with Connect-MGGraph:

Connect-MGGraph -TenantID dac510b8-85bc-43f6-85d4-dc29d0b1bdd7 

Microsoft Graph Module without Pre-Authorization

To connect using the Microsoft Graph PowerShell module, we first need to get a Graph access token. We can leverage the Az module to do this. This will only give limited read permissions.

# Connect as yourself

Connect-AzAccount


# Get a Graph access token for the client tenant 

$GraphToken = Get-AzAccessToken -TenantId dac510b8-85bc-43f6-85d4-dc29d0b1bdd7 -ResourceUrl 

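# Connect to Graph with the access token
# (newer Az.Accounts releases return Token as a SecureString already; in that case pass $GraphToken.Token directly)

Connect-MGGraph -AccessToken ($GraphToken.Token | ConvertTo-SecureString -AsPlainText -Force)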

Alternatively, you can log into the Entra ID portal or Intune Admin portal through the Partner Center link. Use the browser developer tools to capture and view HTTP calls to

Copy the authorization token from the request header and use this with either the Invoke-RestMethod cmdlet, or with the Connect-MGGraph cmdlet in the Microsoft.Graph.Authentication module.

This will give you the same level of permissions as you have in the web admin portal.

# Replace the placeholder with the JSON Web Token copied from the browser

$SecureToken = ('Bearer ' + '<JSON Web Token copied from the browser>') | ConvertTo-SecureString -AsPlainText -Force

Connect-MGGraph -AccessToken $SecureToken 
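Before handing either token (the one from Get-AzAccessToken or the one copied from the browser) to Connect-MGGraph, it helps to confirm it was issued for the intended client tenant and see which scopes it carries. The following is an added example, not part of the original post: the function names are hypothetical, the sample token is constructed and unsigned, and the claims are decoded for inspection only.

```powershell
# Added example (hypothetical function names). Decodes JWT claims for inspection only;
# it does NOT verify the token signature.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-GraphTokenSummary {
    param(
        [Parameter(Mandatory)][string]$Token,             # raw JWT, with or without 'Bearer '
        [Parameter(Mandatory)][string]$ExpectedTenantId   # client tenant ID from Partner Center
    )
    $jwt   = $Token -replace '^Bearer\s+', ''
    $parts = $jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated parts.' }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        TenantMatches = ($claims.tid -eq $ExpectedTenantId)   # issued by the client tenant?
        TenantId      = $claims.tid
        Audience      = $claims.aud
        Scopes        = @("$($claims.scp)" -split ' ' | Where-Object { $_ })
        ExpiresUtc    = $expires.UtcDateTime
        Expired       = ($expires -lt [DateTimeOffset]::UtcNow)
    }
}

# Constructed sample token (unsigned, made-up claims) so the example runs offline
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$clientTenant = 'dac510b8-85bc-43f6-85d4-dc29d0b1bdd7'
$payload = @{
    tid = $clientTenant
    aud = 'https://graph.microsoft.com'
    scp = 'User.Read Directory.Read.All'
    exp = [DateTimeOffset]::UtcNow.AddMinutes(30).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig'

$check = Get-GraphTokenSummary -Token "Bearer $sample" -ExpectedTenantId $clientTenant
$check | Format-List
if (-not $check.TenantMatches -or $check.Expired) { throw 'Token is not usable for the intended client tenant.' }
```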


To connect using the AzureAD module, simply provide the client tenant ID:

Connect-AzureAD -TenantID dac510b8-85bc-43f6-85d4-dc29d0b1bdd7 

SharePoint Online

With the Microsoft.Online.SharePoint.PowerShell module, we can connect by specifying the Admin URL and the authentication URL with the client tenant ID as follows:

# If using PowerShell 7, import the module with backwards compatibility 

Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell 

$TenantID = 'dac510b8-85bc-43f6-85d4-dc29d0b1bdd7'

Connect-SPOService -Url -AuthenticationUrl$TenantID/oauth2/authorize 


By leveraging partner delegated access with the appropriate PowerShell modules, we can efficiently manage client tenants without needing admin accounts.