If you are not already familiar with how GDAP changes the Secure App Model, read the DAP to GDAP Secure Application Model document.
Prerequisites
- A multi-tenant app created in your partner tenant
- Since the sample script is using the Partner Center Consent API, ensure the app has
user_impersonationpermissions for the Partner Center API (fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd). For more information about Secure App Model permissions, see Create a secure partner application
- Since the sample script is using the Partner Center Consent API, ensure the app has
- ExchangeOnlineManagement 3.1.0 Powershell module
- Partner Center Powershell module
- A GDAP relationship approved by the customer that has one of the following roles:
- Global admin
- Privileged role admin
- Cloud application admin
- User account that is a member of the AdminAgents group as well as a member of the group with the aforementioned GDAP relationship.
Sample script
Below is a simplified sample PowerShell script that sets up a consented application in the customer’s tenant.
Warning
This script is for illustrative purposes. Secrets should be stored in a key vault as outlined in the Secure Application Model framework.
#variables
$AppId = '<AppID in Partner tenant>'
$AppSecret = '<App secret from AppID in partner tenant>'
$CustomerTenantId = '<Customer tenant ID>'
$consentscope = 'https://api.partnercenter.microsoft.com/user_impersonation'
$AppCredential = (New-Object System.Management.Automation.PSCredential ($AppId, (ConvertTo-SecureString $AppSecret -AsPlainText -Force)))
$PartnerTenantid = '<Partner tenant ID>'
$AppDisplayName = '<App name for AppID in Partner tenant>'
# Get PartnerAccessToken token
$PartnerAccessToken = New-PartnerAccessToken -serviceprincipal -ApplicationId $AppId -Credential $AppCredential -Scopes $consentscope -tenant $PartnerTenantid -UseAuthorizationCode
# Connect using PartnerAccessToken token
$PartnerCenter = Connect-PartnerCenter -AccessToken $PartnerAccessToken.AccessToken
#Grants needed
$MSGraphgrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant
$MSgraphgrant.EnterpriseApplicationId = "00000003-0000-0000-c000-000000000000"
$MSGraphgrant.Scope = "Directory.Read.All,Directory.AccessAsUser.All"
$ExOgrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant
$ExOgrant.EnterpriseApplicationID = "00000002-0000-0ff1-ce00-000000000000"
$ExOgrant.Scope = "Exchange.Manage"
New-PartnerCustomerApplicationConsent -ApplicationGrants @($MSGraphgrant, $ExOgrant) -CustomerId $CustomerTenantId -ApplicationId $AppId -DisplayName $appdisplayname
#Connect to customer Exchange via App+User
$token = New-PartnerAccessToken -ApplicationId $AppId -Scopes 'https://outlook.office365.com/.default' -ServicePrincipal -Credential $appcredential -Tenant $CustomerTenantId -RefreshToken $PartnerAccesstoken.refreshToken
Connect-ExchangeOnline -DelegatedOrganization $CustomerTenantId -AccessToken $token.AccessToken