Search Engine: Elastic

Article ID: 126807, created on Sep 4, 2015, last review on Sep 25, 2017

  • Applies to:
  • Operations Automation
  • Business Automation 7.0
  • Business Automation 7.1
  • Business Automation 6.0
  • APS 2.x

This article describes how to configure your account to allow the Office 365 application to use the Graph API.

Important: This article can be applied to Office 365 application version 6.2 and later.

To configure your account, perform the following actions:

  1. Prepare the following information:

    • The admin user login and password (they will be used to execute the cmdlets provided below). You can obtain these login and password from the Administrator's login for connecting to Microsoft Online and Administrator's password for connecting to Microsoft Online global settings of the application.

      Important: Make sure Manages your company as is set to Global admin for the admin user in the Microsoft Partner Center (it is required to execute the cmdlets provided below).

    • App ID (it will be used to execute the cmdlets provided below). You can obtain it from the App ID / Client ID global setting of the application. Note, the name of the global setting may vary depending on the version of the application.
  2. Install the Windows Azure AD Management Module on a host using the Microsoft instructions.

  3. Log on to the host as Administrator.

  4. In the Start menu, click Microsoft Online Services Module for Windows PowerShell.

  5. Execute the following cmdlets:

    # Replace this with the AppId of the Application you want to enable PreConsent
    # Request the credentials and connect to the MS Online Service
    # Fetch your TenantId for querying Graph later
    $tenantId = (Get-MsolCompanyInformation).ObjectId.toString()
    # Generate a random guid string
    $random = [Guid]::NewGuid().toString()
    # Create a service principal using the random string as DisplayName and Password
    $servicePrincipal = New-MsolServicePrincipal -DisplayName $random -Type Password -Value $random
    # Assign service principal to Tenant Admin role
    Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId ($servicePrincipal.ObjectId)
    # Sleep for 30 seconds
    Start-Sleep -s 30
    # Construct params for auth request
    $authParams = @{grant_type='client_credentials'; client_id=($servicePrincipal.AppPrincipalId); client_secret=$random; resource=""}
    # Request an auth token for the service principal from Azure AD Token endpoint
    $authResponse = Invoke-RestMethod -Method POST -Uri "$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -body $authParams
    # Extract access token from auth response
    $bearerToken = $authResponse.access_token
    # Make a Graph query to search for the Application object by appId
    $graphResponse = Invoke-RestMethod -Method GET -Uri "$tenantId/applications?api-version=1.6`&`$filter=appId eq '$appId'" -ContentType "application/json" -Headers @{"Authorization" = ($bearerToken)}
    # Get Application's ObjectId
    $appObjectId = $graphResponse.value.ObjectId
    # Write out the Application object data before the change
    (Invoke-WebRequest –Uri "$tenantId/applications/$appObjectId/?api-version=1.6" -ContentType "application/json" -Headers @{"Authorization" = ($bearerToken)}).Content
    # Make a Graph query to enable Pre-Consent on the Application object
    $graphResponse = Invoke-RestMethod -Method PATCH -Uri "$tenantId/applications/$appObjectId/?api-version=1.6" -ContentType "application/Json" -Headers @{"Authorization" = ($bearerToken)} -Body '{"recordConsentConditions":"SilentConsentForPartnerManagedApp","availableToOtherTenants":true,"requiredResourceAccess":[{"resourceAppId":"00000002-0000-0000-c000-000000000000","resourceAccess":[{"id":"78c8a3c8-a07e-4b9e-af1b-b5ccab50a175","type":"Role, Scope"}, {"id":"5778995a-e1bf-45b8-affa-663a9f3f4d04","type":"Role, Scope"},{"id":"a42657d6-7f20-40e3-b6f0-cee03008a62a","type":"Scope"},{"id":"311a71cc-e848-46a1-bdf8-97ff7156d8e6","type":"Scope"},{"id": "abefe9df-d5a9-41c6-a60b-27b38eac3efb","type": "Role"}]}]}'
    # Write out the Application object data after the change
    (Invoke-WebRequest –Uri "$tenantId/applications/$appObjectId/?api-version=1.6" -ContentType "application/json" -Headers @{"Authorization" = ($bearerToken)}).Content
    # Delete servicePrincipal object
    $servicePrincipal | Remove-MsolServicePrincipal

    Note: If an error is thrown stating that Invoke-RestMethod is not recognised, update the Powershell using the instruction of KB#127707.

  6. Validate that your account has been configured correctly by the cmdlets provided above:

    1. Create a customer account with an Office 365 subscription, and then log in as the customer.
    2. Add a user.
    3. Assign an Office 365 license to the user.
    4. Add a domain to Office 365.

    All of the operations must be successfully completed (no errors, no failed tasks).

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07 198398b282069eaf2d94a6af87dcb3ff 3627d36199b8ff577605df76e2fa222b bb7e9177fb03488961a3ea554120f328 c0f836394088a28cc30dd0e5fe8b600e b2c3b33425dfc50c7d41a2efaa7f84f3 717db81efe94e616312b74fb03a5d474 70bf700e0cdb9d7211df2595ef7276ab 7c0b495571a6c1bec50e4f324a20ec14

Email subscription for changes to this article
Save as PDF