Article ID: 126807, created on Sep 4, 2015, last review on Aug 4, 2016

  • Applies to:
  • Operations Automation
  • Business Automation 6.0

This article describes how to configure your account to allow the Office 365 application to use the CREST API and Graph API.

Important: This article can be applied to Office 365 application version 6.2 and later.

To configure your account, perform the following actions:

  1. Prepare the following information:

    • The admin user login and password (they will be used to execute the cmdlets provided below). You can obtain these login and password from the Administrator's login for connecting to Microsoft Online and Administrator's password for connecting to Microsoft Online global settings of the application.

      Important: Make sure Manages your company as is set to Global admin for the admin user in the Microsoft Partner Center (it is required to execute the cmdlets provided below).

    • App ID (it will be used to execute the cmdlets provided below). You can obtain it from the App ID / Client ID global setting of the application. Note, the name of the global setting may vary depending on the version of the application.
  2. Install the Windows Azure AD Management Module on a host using the Microsoft instructions.

  3. Log on to the host as Administrator.

  4. In the Start menu, click Microsoft Online Services Module for Windows PowerShell.

  5. Execute the following cmdlets:

    # Replace this with the AppId of the Application you want to enable PreConsent
    # Request the credentials and connect to the MS Online Service
    # Fetch your TenantId for querying Graph later
    $tenantId = (Get-MsolCompanyInformation).ObjectId.toString()
    # Generate a random guid string
    $random = [Guid]::NewGuid().toString()
    # Create a service principal using the random string as DisplayName and Password
    $servicePrincipal = New-MsolServicePrincipal -DisplayName $random -Type Password -Value $random
    # Assign service principal to Tenant Admin role
    Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId ($servicePrincipal.ObjectId)
    # Sleep for 30 seconds
    Start-Sleep -s 30
    # Construct params for auth request
    $authParams = @{grant_type='client_credentials'; client_id=($servicePrincipal.AppPrincipalId); client_secret=$random; resource=""}
    # Request an auth token for the service principal from Azure AD Token endpoint
    $authResponse = Invoke-RestMethod -Method POST -Uri "$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -body $authParams
    # Extract access token from auth response
    $bearerToken = $authResponse.access_token
    # Make a Graph query to search for the Application object by appId
    $graphResponse = Invoke-RestMethod -Method GET -Uri "$tenantId/applications?api-version=1.6`&`$filter=appId eq '$appId'" -ContentType "application/json" -Headers @{"Authorization" = ($bearerToken)}
    # Get Application's ObjectId
    $appObjectId = $graphResponse.value.ObjectId
    # Write out the Application object data before the change
    (Invoke-WebRequest –Uri "$tenantId/applications/$appObjectId/?api-version=1.6" -ContentType "application/json" -Headers @{"Authorization" = ($bearerToken)}).Content
    # Make a Graph query to enable Pre-Consent on the Application object
    $graphResponse = Invoke-RestMethod -Method PATCH -Uri "$tenantId/applications/$appObjectId/?api-version=1.6" -ContentType "application/Json" -Headers @{"Authorization" = ($bearerToken)} -Body '{"recordConsentConditions":"SilentConsentForPartnerManagedApp","availableToOtherTenants":true,"requiredResourceAccess":[{"resourceAppId":"00000002-0000-0000-c000-000000000000","resourceAccess":[{"id":"78c8a3c8-a07e-4b9e-af1b-b5ccab50a175","type":"Role, Scope"}, {"id":"5778995a-e1bf-45b8-affa-663a9f3f4d04","type":"Role, Scope"},{"id":"a42657d6-7f20-40e3-b6f0-cee03008a62a","type":"Scope"},{"id":"311a71cc-e848-46a1-bdf8-97ff7156d8e6","type":"Scope"},{"id": "abefe9df-d5a9-41c6-a60b-27b38eac3efb","type": "Role"}]}]}'
    # Write out the Application object data after the change
    (Invoke-WebRequest –Uri "$tenantId/applications/$appObjectId/?api-version=1.6" -ContentType "application/json" -Headers @{"Authorization" = ($bearerToken)}).Content
    # Delete servicePrincipal object
    $servicePrincipal | Remove-MsolServicePrincipal

    Note: If an error is thrown stating that Invoke-RestMethod is not recognised, update the Powershell using the instruction of KB#127707.

  6. Validate that your account has been configured correctly by the cmdlets provided above:

    1. Create a customer account with an Office 365 subscription, and then log in as the customer.
    2. Add a user.
    3. Assign an Office 365 license to the user.
    4. Add a domain to Office 365.

    All of the operations must be successfully completed (no errors, no failed tasks).

Search Words

[POA PROD] Problem provision Office365 in CSP

Upgrade orders for new Resources inside a Subscription is not working in Office365 platform

"message": "The remote server returned an error: (400) Bad Request.",

Waiting for subscriptions provisioning

problem provisioning O365 account

The remote server returned an error: (400) Bad Request

Error: AADSTS70001

Error: AADSTS70001: Application with identifier

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07 198398b282069eaf2d94a6af87dcb3ff 3627d36199b8ff577605df76e2fa222b bb7e9177fb03488961a3ea554120f328

Email subscription for changes to this article
Save as PDF