[System Tips] Configure Microsoft Graph PowerShell for Delegation
Author: 精品下载站 Date: 2024-12-14 13:36:57 Views: 13 Category: Computers
Configure Microsoft Graph PowerShell for Delegation
If you want to delegate Office 365 administration to non-Global Admins, you need to delegate admin or user consent to Microsoft Graph PowerShell for the following scopes:
- User.ReadWrite.All
- Group.ReadWrite.All
- Domain.Read.All
- Directory.ReadWrite.All
- offline_access
If you have not yet configured consent for your own Global Admin account, you can set up admin consent by running the following command:
Connect-MgGraph -Scopes "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"
This opens the OAuth2 authentication dialog, where you must tick "Consent on behalf of your organization". This is also known as admin consent, and it allows non-Global Admins to use Microsoft Graph PowerShell (they still need the appropriate Azure roles to manage resources):
Configure Admin and User Consent with PowerShell
If your Global Admin account has already been granted consent, you will not get the option to grant admin consent (read this article to understand why).
In that case, you can run the following script to configure the necessary Microsoft Graph PowerShell admin or user consent.
The script preserves any existing admin consent already configured on Microsoft Graph PowerShell.
However, if you choose option 3 ("Remove all Admin Consent from Microsoft Graph PowerShell"), all admin consent is removed (user consent is not modified).
You can also use the script to grant "user consent" to individual users for tighter security.
Remember that admin consent does not grant users any rights to resources. You still need to delegate the appropriate Azure roles to the administrators:
- User Administrator role
- License Administrator role
- Exchange Recipient Administrator role
For more information, see the Easy365Manager documentation.
# This script creates admin consent to let Microsoft PowerShell Graph access Microsoft Graph.
# The consent includes Read/Write to Users, Groups and Directory plus Domain Read access and long lived refresh tokens.
# Feel free to modify the script but include the following line:
# Easy365Manager - The Office 365 Management Tool for Active Directory: https://easy365manager.com
# Feel free to publish the script (with any modifications) but link credits to the following page:
# https://www.easy365manager.com/configure-microsoft-graph-powershell-for-easy365manager-delegation/
$ErrorActionPreference = "Stop"
# Delegated scopes that the consent grants to the Microsoft Graph PowerShell SDK.
$Scope = "User.ReadWrite.All Group.ReadWrite.All Domain.Read.All Directory.ReadWrite.All offline_access"
# Well-known application IDs: the Microsoft Graph PowerShell SDK (client) and Microsoft Graph (resource).
$MSGraphPS_AppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
$MSGraph_AppId = "00000003-0000-0000-c000-000000000000"
# Tenant-specific service principal object IDs; resolved after connecting (see Check-MgContext).
$MicrosoftPowerShellGraph_Id = $null
$MicrosoftGraph_Id = $null

Function Show-Menu {
    Clear-Host
    Write-Host "Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management."
    Write-Host "Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf."
    Write-Host
    Write-Host "This script allows a Global Admin to configure an Admin or User Consent, enabling non-Global-Admins to call the SDK."
    Write-Host "The Admin/User Consent does not grant users any rights. It only enables the SDK to use users' existing rights."
    Write-Host
    Write-Host "If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X')."
    Write-Host "If all Easy365Managers are Global Admins, you can skip this step (press 'X')."
    Write-Host
    Write-Host "Only Global Admin role holders will be able to use Easy365Manager until the Admin Consent has been configured."
    Write-Host
    Write-Host "Consult the Easy365Manager documentation for more information:"
    Write-Host "https://easy365manager.com/microsoft-graph-powershell-admin-consent/"
    Write-Host
    Write-Host "==================================================================="
    Write-Host "=== Configure Admin/User Consent for Microsoft Graph PowerShell ==="
    Write-Host "==================================================================="
    Write-Host
    If (Check-MgContext) {
        Write-Host "Connected to tenant: $((Get-MgDomain | Where-Object { $_.IsInitial -eq $true }).Id)"
        Write-Host
    }
    Write-Host "C: Press 'C' to connect to Microsoft Graph PowerShell."
    If (Check-MgContext) {
        Write-Host " "
        Write-Host "1: Press '1' to configure Admin Consent."
        Write-Host "2: Press '2' to see the current Admin Consent configuration."
        Write-Host "3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell."
        Write-Host
        Write-Host "4: Press '4' to configure User Consent."
        Write-Host "5: Press '5' to see the current User Consent configuration."
        Write-Host "6: Press '6' to remove single User Consent from Microsoft Graph PowerShell."
        Write-Host
        Write-Host "7: Press '7' to view all consent configured for Microsoft Graph PowerShell."
    }
    Write-Host
    Write-Host "X: Press 'X' to exit."
    Write-Host
}

# Creates (or merges into) the consent grant. With no $Principal this is an admin consent for
# all principals; with a user principal name it is a user consent for that single user.
Function Write-Consent ($Principal) {
    Try {
        Write-Host
        $ScopeMod = $Scope
        $User = "Admin"
        $PrincipalID = $null
        If (-not [string]::IsNullOrWhiteSpace($Principal)) {
            $User = "User (" + $Principal + ")"
            $PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
        }
        # An admin (AllPrincipals) grant has no PrincipalId; a user grant carries the user's object ID.
        $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All -ErrorAction Stop | Where-Object { $_.ClientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID }
        If ($ExistingAdminConsent -eq $null) {
            Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
            Write-Host
            Write-Host "Configuring $User Consent for Microsoft Graph PowerShell."
            Write-Host
            If ($PrincipalID -eq $null) {
                New-MgOAuth2PermissionGrant -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope $Scope -ErrorAction Stop
            }
            Else {
                New-MgOAuth2PermissionGrant -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "Principal" -PrincipalId $PrincipalID -ResourceId $Script:MicrosoftGraph_Id -Scope $Scope -ErrorAction Stop
            }
        }
        Else {
            Write-Host "Existing $User Consent was found for Microsoft Graph PowerShell:"
            Write-Host
            Write-Host ($ExistingAdminConsent.Scope.Trim().Replace(" ", "`n")) -ForegroundColor Yellow
            Write-Host
            Write-Host "Merging missing scopes to support Easy365Manager administration."
            # An existing Domain.ReadWrite.All grant already covers Domain.Read.All; keep the broader one instead of adding both.
            If ($ExistingAdminConsent.Scope.IndexOf("Domain.ReadWrite.All") -ge 0) {
                $ScopeMod = $ScopeMod.Replace("Domain.Read.All", "Domain.ReadWrite.All")
            }
            # Preserve every scope already granted and append only the required scopes that are missing.
            $ExistingScopes = $ExistingAdminConsent.Scope.Trim().Split(" ")
            $NewScope = $ExistingScopes + ($ScopeMod.Split(" ") | Where-Object { $ExistingScopes -notcontains $_ })
            If ($PrincipalID -eq $null) {
                Update-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "AllPrincipals" -ResourceId $Script:MicrosoftGraph_Id -Scope ($NewScope -Join " ") -ErrorAction Stop
            }
            Else {
                Update-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -ClientId $Script:MicrosoftPowerShellGraph_Id -ConsentType "Principal" -PrincipalId $PrincipalID -ResourceId $Script:MicrosoftGraph_Id -Scope ($NewScope -Join " ") -ErrorAction Stop
            }
        }
        Write-Host
        Write-Host "Configuration succeeded." -ForegroundColor Green
        Write-Host
        Write-Host "Please allow up to five minutes before the new configuration is visible."
    }
    Catch {
        Write-Host "Configuration failed: $($_.Exception.Message)" -ForegroundColor Red
        # Authentication errors usually mean the session lacks the required scopes; reconnect.
        If ($_.Exception.Source -eq "Microsoft.Graph.Authentication") {
            Connect-ToGraph
        }
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

# Shows the current grant and lists which required scopes are still missing.
Function Read-Consent ($Principal) {
    Try {
        Write-Host
        $User = "Admin"
        $PrincipalID = $null
        If (-not [string]::IsNullOrWhiteSpace($Principal)) {
            $User = "User (" + $Principal + ")"
            $PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
        }
        $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All -ErrorAction Stop | Where-Object { $_.ClientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID }
        If ($ExistingAdminConsent -eq $null) {
            Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
        }
        Else {
            Write-Host "Existing $User Consent for Microsoft Graph PowerShell:"
            Write-Host
            Write-Host ($ExistingAdminConsent.Scope.Trim().Replace(" ", "`n")) -ForegroundColor Yellow
        }
        Write-Host
        Write-Host "The following $User Consent is missing to support Easy365Manager administration:"
        Write-Host
        If ($ExistingAdminConsent -eq $null) {
            $ExistingScope = ""
        }
        Else {
            $ExistingScope = $ExistingAdminConsent.Scope.Trim()
        }
        # Domain.ReadWrite.All satisfies the Domain.Read.All requirement.
        If ($ExistingScope.IndexOf("Domain.ReadWrite.All") -ge 0) {
            $ExistingScope = $ExistingScope.Replace("Domain.ReadWrite.All", "Domain.Read.All")
        }
        $MissingScope = ($Scope.Split(" ") | Where-Object { $ExistingScope.Split(" ") -notcontains $_ })
        If ($MissingScope -eq $null) {
            Write-Host "All set up!" -ForegroundColor Green
        }
        Else {
            Write-Host ($MissingScope -Join "`n") -ForegroundColor Yellow
        }
        Write-Host
        Write-Host "(Recent changes may take up to five minutes before they become visible.)"
    }
    Catch {
        Write-Host "Failed to read configuration: $($_.Exception.Message)" -ForegroundColor Red
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

# Deletes the grant: all admin consent when no $Principal is given, otherwise one user's consent.
Function Remove-Consent ($Principal) {
    Write-Host
    $User = "Admin"
    $PrincipalID = $null
    If (-not [string]::IsNullOrWhiteSpace($Principal)) {
        $User = "User (" + $Principal + ")"
        $PrincipalID = (Get-MgUser -UserId $Principal -ErrorAction Stop).Id
    }
    $ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $Script:MicrosoftPowerShellGraph_Id -and $_.PrincipalId -eq $PrincipalID }
    If ($ExistingAdminConsent -eq $null) {
        Write-Host "No existing $User Consent was found for Microsoft Graph PowerShell."
        Write-Host
    }
    Else {
        Write-Host "Existing $User Consent was found for Microsoft Graph PowerShell:"
        Write-Host
        Write-Host ($ExistingAdminConsent.Scope.Trim().Replace(" ", "`n")) -ForegroundColor Yellow
        $ExistingAdminConsent | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
        Write-Host
        Write-Host "Removed all $User Consent from Microsoft Graph PowerShell."
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

# Lists every grant (admin and per-user) held by the Microsoft Graph PowerShell SDK in this tenant.
Function View-AllConsent {
    $PermGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $Script:MicrosoftPowerShellGraph_Id }
    $GrantList = @()
    ForEach ($PermGrant In $PermGrants) {
        $Grant = [PSCustomObject]@{
            User  = If ($PermGrant.PrincipalId -ne $null) { (Get-MgUser -UserId $PermGrant.PrincipalId).UserPrincipalName } Else { "*** Admin_Consent ***" }
            Scope = $PermGrant.Scope.Trim()
        }
        $GrantList += $Grant
    }
    $GrantList | Format-Table -AutoSize
    Write-Host
    Read-Host "Press Enter to continue"
}

# Signs in with the scopes this script itself needs to read and write permission grants.
Function Connect-ToGraph {
    Write-Host
    Write-Host "Connecting to Microsoft PowerShell Graph."
    Write-Host
    Write-Host "(If asked, you don't need to consent to the permissions requested on behalf of your organization during the login.)"
    Write-Host
    If ((Get-MgContext) -ne $null) {
        Disconnect-MgGraph
    }
    Try {
        Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All Directory.AccessAsUser.All Directory.ReadWrite.All"
        Write-Host
        Write-Host "Connected to Microsoft Graph PowerShell:"
        Get-MgContext
    }
    Catch {
        Write-Host "Failed to connect to Microsoft Graph PowerShell: $($_.Exception.Message)" -ForegroundColor Red
    }
    Write-Host
    Read-Host "Press Enter to continue"
}

# Returns $true only when a session exists with all required scopes; also caches the service principal IDs.
Function Check-MgContext {
    $Context = Get-MgContext
    If ($Context -eq $null) {
        Return $false
    }
    Write-Host "Connecting...`r" -NoNewline
    If ($Context.Scopes -notcontains "DelegatedPermissionGrant.ReadWrite.All" -or $Context.Scopes -notcontains "Directory.AccessAsUser.All" -or $Context.Scopes -notcontains "Directory.ReadWrite.All") {
        Return $false
    }
    If ($Script:MicrosoftPowerShellGraph_Id -eq $null -or $Script:MicrosoftGraph_Id -eq $null) {
        $Script:MicrosoftPowerShellGraph_Id = (Get-MgServicePrincipal -All | Where-Object { $_.AppId -eq $Script:MSGraphPS_AppId }).Id
        $Script:MicrosoftGraph_Id = (Get-MgServicePrincipal -All | Where-Object { $_.AppId -eq $Script:MSGraph_AppId }).Id
    }
    Return $true
}

# Helper that resolves a user principal name (or object ID) to the user's object ID. Not used by the menu.
Function GetUserID($PrincipalID) {
    Try {
        Return (Get-MgUser -UserId $PrincipalID -ErrorAction Stop).Id
    }
    Catch {
        Write-Host "Failed to resolve user ${PrincipalID}: $($_.Exception.Message)" -ForegroundColor Red
    }
}

$Exit = $false
While ($Exit -eq $false) {
    Show-Menu
    $selection = Read-Host "Enter your selection"
    switch ($selection) {
        'C' {
            Connect-ToGraph
        }
        '1' {
            Write-Consent
        }
        '2' {
            Read-Consent
        }
        '3' {
            Remove-Consent
        }
        '4' {
            Write-Consent (Read-Host "Enter user ID to grant consent to")
        }
        '5' {
            Read-Consent (Read-Host "Enter user ID to read consent for")
        }
        '6' {
            Remove-Consent (Read-Host "Enter user ID to remove consent from")
        }
        '7' {
            View-AllConsent
        }
        'X' {
            $Exit = $true
        }
    }
}
After running the script and connecting to your tenant, you have the following options:
Easy365Manager v. 1.5 uses the Microsoft Graph PowerShell SDK - the future of Office 365 management.
Before you can use the SDK, you must grant consent to the SDK to call the Microsoft Graph on your behalf.
This script allows a Global Admin to configure an Admin or User Consent, enabling non-Global-Admins to call the SDK.
The Admin/User Consent does not grant users any rights. It only enables the SDK to use users' existing rights.
If you already configured Microsoft Graph PowerShell Admin Consent, you can skip this step (press 'X').
If all Easy365Managers are Global Admins, you can skip this step (press 'X').
Only Global Admin role holders will be able to use Easy365Manager until the Admin/User Consent has been configured.
Consult the Easy365Manager documentation for more information:
https://easy365manager.com/microsoft-graph-powershell-admin-consent/
===================================================================
=== Configure Admin/User Consent for Microsoft Graph PowerShell ===
===================================================================
Connected to tenant: skrubbeltrang.onmicrosoft.com
C: Press 'C' to connect to Microsoft Graph PowerShell.
1: Press '1' to configure Admin Consent.
2: Press '2' to see the current Admin Consent configuration.
3: Press '3' to remove all Admin Consent from Microsoft Graph PowerShell.
4: Press '4' to configure User Consent.
5: Press '5' to see the current User Consent configuration.
6: Press '6' to remove single User Consent from Microsoft Graph PowerShell.
7: Press '7' to view all consent configured for Microsoft Graph PowerShell.
X: Press 'X' to exit.
Enter your selection:
Select '1' to set up admin consent, allowing (all) non-Global Admins to run Easy365Manager.
Select '4' to set up user consent on a per-user basis for running Easy365Manager.
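The script's options 2 and 5 only report which required scopes are missing. The check below, added here and not part of the Easy365Manager script, also reports scopes granted to the Microsoft Graph PowerShell SDK beyond the five required ones, which is what a reviewer of delegated consent wants to see. It assumes an existing Connect-MgGraph session whose scopes allow reading service principals, users and permission grants; the function name Compare-ConsentScope is this example's own.

```powershell
# Added example: audit every OAuth2 permission grant held by the Microsoft Graph PowerShell SDK
# and report both missing and excess scopes against the set the page requires.
$RequiredScopes = "User.ReadWrite.All", "Group.ReadWrite.All", "Domain.Read.All", "Directory.ReadWrite.All", "offline_access"
$GraphPSAppId   = "14d82eec-204b-4c2f-b7e8-296a70dab67e"   # Microsoft Graph PowerShell SDK app ID (from the page)

Function Compare-ConsentScope {
    param([string[]]$Required, [string]$Granted)
    # Graph stores the scope as one space-separated string, often with a leading space.
    $GrantedList = $Granted.Trim() -split "\s+" | Where-Object { $_ }
    # Domain.ReadWrite.All satisfies Domain.Read.All, mirroring the script's own substitution.
    $Effective = $GrantedList | ForEach-Object {
        If ($_ -eq "Domain.ReadWrite.All") { "Domain.Read.All"; $_ } Else { $_ }
    }
    [PSCustomObject]@{
        Missing = @($Required | Where-Object { $Effective -notcontains $_ })
        Excess  = @($GrantedList | Where-Object { $Required -notcontains $_ -and $_ -ne "Domain.ReadWrite.All" })
    }
}

# Resolve the tenant's service principal for the SDK, then pull only its grants (admin and per-user).
$Sp = Get-MgServicePrincipal -Filter "appId eq '$GraphPSAppId'"
If (-not $Sp) { Throw "Microsoft Graph PowerShell SDK service principal not found in this tenant." }

Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($Sp.Id)'" | ForEach-Object {
    $Who = If ($_.ConsentType -eq "AllPrincipals") { "*** Admin consent (all users) ***" }
           Else { (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName }
    $Diff = Compare-ConsentScope -Required $RequiredScopes -Granted $_.Scope
    [PSCustomObject]@{
        Principal = $Who
        GrantId   = $_.Id
        Missing   = $Diff.Missing -join " "
        Excess    = $Diff.Excess -join " "   # anything here is more than the delegation needs; review it
    }
} | Format-Table -AutoSize
```

A non-empty Excess column on the admin (AllPrincipals) grant means every non-Global Admin signing in with the SDK can exercise that extra scope up to the limit of their own Azure roles.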