Thanks in advance.
Quick brief, I work in a team managing multiple Microsoft CSPs (Partner Centers), every now and then somebody asks us to run a script that does specific activities or grab specific info from all 30 CSPs we manage and all customers under them.
Previously we used to keep all usernames, passwords, Tenant IDs and WebApp IDs in a CSV file, and we created a script that runs on every row to get the required info for each CSP automatically, without prompting for credentials, using the command below:
$credential = (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, (ConvertTo-SecureString $AdminPassword -AsPlainText -Force))
And then pass it to all modules like below:
#MSonline
Connect-MsolService -Credential $credential
#ExchangeOnline
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid?DelegatedOrg=$Customerdomain" -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $session
#Partner Center
Add-PCAuthentication -cspappID $NAtive_clientid -cspDomain $domain -credential $credential
Connect-MsolService -Credential $credential
Then MFA was applied on all CSPs; though secure, it presented a problem with automating our scripts. Every time we're asked to run a script we have to log in manually at least once to enter our MFA credentials before the script can run on each CSP individually.
The modules we usually connect to are: PartnerCenter, MSOnline, CsOnline, AzureRM, AzureAD.
Microsoft provided steps to work around this by using secure API Modules: https://learn.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5
I've created new apps with new secrets and callbacks, managed to get a refresh token and integrated it into the PartnerCenter module successfully as follows:
Connect-PartnerCenter -ApplicationId $NAtive_clientid -RefreshToken $refresh_token
Now I'm trying to do the same for the other modules I'm addressing. As per the above document, I could do the same for MS Online and for Azure AD simply by getting 3 other tokens (Graph token, Azure AD token and Azure token):
$credential = Get-Credential
$refreshToken = 'Your-Refresh-Token-Value'
$azureToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://management.azure.com/ -Credential $credential -TenantId '<Your Tenant Id>'
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.microsoft.com -Credential $credential -TenantId '<Your Tenant Id>'
$aadGraphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net -Credential $credential -TenantId '<Your Tenant Id>'
#MS Module
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
# Az Module
Connect-AzAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -TenantId '<TenantId>'
# AzureRM Module
Connect-AzureRmAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -TenantId '<TenantId>'
When applying this and running the command below, I get an error:
New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://management.azure.com/ -Credential $credential -TenantId '<Your Tenant Id>'
New-PartnerAccessToken : Cannot validate argument on parameter 'RefreshToken'. The argument is null or empty. Provide an argument
that is not null or empty, and then try the command again.
At line:1 char:38
+ New-PartnerAccessToken -RefreshToken $refreshToken -Resource https:// ...
+ ~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [New-PartnerAccessToken], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Store.PartnerCenter.PowerShell.Commands.NewPartnerAccessToken
After some investigation I found that the parameter "-Resource" no longer exists, as per the documentation: https://learn.microsoft.com/en-us/powershell/module/partnercenter/new-partneraccesstoken?view=partnercenterps-3.0
Yet the documentation for MSOnline shows I should be able to use it: https://learn.microsoft.com/en-us/powershell/module/msonline/connect-msolservice?view=azureadps-1.0
Now I'm stuck: without the -Resource parameter I can't get the tokens required to use the 3 modules.
My question: is there another way to use App ID, refresh token, secret and Tenant ID to authenticate using PowerShell without human intervention? If not, how can I make the above method work for the other modules the same way I did with Partner Center?
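As an added example, not code from the original post or from Microsoft's docs: one function per CSP that redeems a DPAPI-protected refresh token with the PartnerCenter 3.x cmdlets (where `-Resource` was replaced by `-Scopes`) and connects the same modules the post pairs with each token. The function name, its parameters, the file layout under `$env:ProgramData\CspAuth` and the constructed CSP rows are assumptions; it assumes Windows PowerShell and a web app (confidential client) whose ID and secret are held in `$AppCredential`.

```powershell
# Added example, not from the original post. Assumes PartnerCenter 3.x and Windows
# PowerShell, where Export-Clixml protects a SecureString with DPAPI (same user, same host).
#
# One-time, interactive, as the service account that will run the automation:
#   $rt = Read-Host -AsSecureString 'Refresh token'
#   [pscredential]::new('refresh', $rt) | Export-Clixml "$env:ProgramData\CspAuth\<TenantId>.refresh.xml"
# The refresh token then no longer sits in plaintext next to the tenant list in the CSV.

function Connect-CspSecureAppModel {
    param(
        [Parameter(Mandatory)] [string]       $ApplicationId,    # web app (client) ID
        [Parameter(Mandatory)] [pscredential] $AppCredential,    # client ID as user name, app secret as password
        [Parameter(Mandatory)] [string]       $TenantId,         # the CSP's partner tenant
        [Parameter(Mandatory)] [string]       $RefreshTokenPath  # DPAPI-protected file from the setup above
    )

    # Decrypt the stored refresh token in memory only; nothing is written back to disk.
    $refreshToken = (Import-Clixml -Path $RefreshTokenPath).GetNetworkCredential().Password

    # PartnerCenter 3.x replaced -Resource with -Scopes: one access token per resource.
    $common = @{
        ApplicationId    = $ApplicationId
        Credential       = $AppCredential
        RefreshToken     = $refreshToken
        Tenant           = $TenantId
        ServicePrincipal = $true
    }
    $azureToken    = New-PartnerAccessToken @common -Scopes 'https://management.azure.com/user_impersonation'
    $graphToken    = New-PartnerAccessToken @common -Scopes 'https://graph.microsoft.com/.default'
    $aadGraphToken = New-PartnerAccessToken @common -Scopes 'https://graph.windows.net/.default'

    # Same token-to-module pairings as in the post; no interactive prompt, so no MFA challenge per run.
    Connect-PartnerCenter -ApplicationId $ApplicationId -Credential $AppCredential -RefreshToken $refreshToken
    Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
    # Az needs an account label for token-based sign-in; the app ID is used here.
    Connect-AzAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken `
        -AccountId $ApplicationId -TenantId $TenantId
}

# Loop over the CSP list (constructed rows; the real list is the team's CSV of 30 CSPs).
$csps = @(
    [pscustomobject]@{ AppId = '<app-id-1>'; TenantId = '<tenant-id-1>' },
    [pscustomobject]@{ AppId = '<app-id-2>'; TenantId = '<tenant-id-2>' }
)
foreach ($csp in $csps) {
    # Client ID + secret, also stored DPAPI-protected rather than in the CSV.
    $appCred = Import-Clixml -Path "$env:ProgramData\CspAuth\$($csp.TenantId).app.xml"
    Connect-CspSecureAppModel -ApplicationId $csp.AppId -AppCredential $appCred -TenantId $csp.TenantId `
        -RefreshTokenPath "$env:ProgramData\CspAuth\$($csp.TenantId).refresh.xml"
    # ... per-CSP work goes here; disconnect each module before the next tenant.
}
```

Each refresh token is a long-lived credential for every customer under that CSP, so the protected files and the account that can decrypt them deserve the same handling as the passwords they replace.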