Public/Configuration/Add-ConsentPolicy.ps1
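function Add-ConsentPolicy {
    <#
    .SYNOPSIS
        Ensures the support guest account exists in a customer tenant and wires it into the tenant's consent policies.

    .DESCRIPTION
        Connects to the customer tenant with a delegated flow, then:
          1. Looks up the support guest account by mail and, if missing, invites it without sending an invitation
             mail, polling until Get-MgUser can see it (bounded by -MaxWaitSeconds).
          2. PUTs /policies/adminConsentRequestPolicy so the support guest is the notified reviewer of
             admin consent requests (30-day request duration, reminders off).
          3. Updates the authorization policy: no user consent for risky apps, users may not create apps, and
             user consent is limited to the two dynamically-managed Teams/chat permission-grant policies.

        Any failure is logged through Write-ModuleLog with -ThrowError, which is expected to rethrow.

    .PARAMETER TenantId
        Tenant id of the customer tenant to configure.

    .PARAMETER SupportUserMail
        Mail address of the support account invited as guest and registered as consent reviewer.
        Defaults to support@jyskit.dk, the value this function previously hard-coded.

    .PARAMETER MaxWaitSeconds
        Upper bound on how long to wait for the invited guest to become queryable. The previous
        implementation polled forever; a bounded wait turns stuck provisioning into a logged error
        instead of a hung run.

    .OUTPUTS
        None.
    #>
    param (
        [Parameter(Mandatory = $true)]
        [string]$TenantId,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$SupportUserMail = 'support@jyskit.dk',

        [Parameter()]
        [ValidateRange(5, 3600)]
        [int]$MaxWaitSeconds = 300
    )

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId -FlowType 'Delegated'

        # The address is interpolated into an OData string literal; a single quote inside such a
        # literal is escaped by doubling it, so escape the caller-supplied value rather than trust it.
        $EscapedMail = $SupportUserMail -replace "'", "''"
        $UserFilter = "Mail eq '$EscapedMail'"

        # Step 10: Create the support guest account without sending an invitation mail.
        # (The original message referenced $customer.DisplayName, which is never set here; use the tenant id.)
        Write-ModuleLog -Message "Creating $SupportUserMail guest account for $TenantId" -Level Info -Component 'CustomerInitialization'
        $SupportUser = Get-MgUser -Filter $UserFilter
        if (!$SupportUser) {
            # The invitation object itself is not used; the guest is re-queried below because it only
            # becomes visible to Get-MgUser some time after New-MgInvitation returns.
            $null = New-MgInvitation -InvitedUserDisplayName $SupportUserMail `
                -InvitedUserEmailAddress $SupportUserMail `
                -InviteRedirectUrl "https://myapplications.microsoft.com" `
                -SendInvitationMessage:$false

            $PollIntervalSeconds = 5
            $Deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
            do {
                $SupportUser = Get-MgUser -Filter $UserFilter
                if (!$SupportUser) {
                    if ((Get-Date) -ge $Deadline) {
                        throw "Guest account $SupportUserMail was not visible after $MaxWaitSeconds seconds."
                    }
                    Write-ModuleLog -Message "Waiting for $SupportUserMail to be created..." -Level Info -Component 'CustomerInitialization'
                    Start-Sleep -Seconds $PollIntervalSeconds
                }
            } while (!$SupportUser)
        }
        else {
            Write-ModuleLog -Message "$SupportUserMail guest account already exists" -Level Info -Component 'CustomerInitialization'
        }

        # A mail filter can in principle match more than one object; the reviewer query below must
        # point at exactly one user id, so refuse to continue with an ambiguous match.
        $MatchCount = @($SupportUser).Count
        if ($MatchCount -ne 1) {
            throw "Expected exactly one user with mail $SupportUserMail, found $MatchCount."
        }

        # Step 11: Set up the admin consent request policy with the support guest as the notified reviewer.
        $ConsentPolicyBody = @{
            "isEnabled"             = $true
            "notifyReviewers"       = $true
            "reviewers"             = @(
                @{ "query" = "/users/$($SupportUser.Id)"; "queryType" = "MicrosoftGraph" }
            )
            "remindersEnabled"      = $false
            "requestDurationInDays" = 30
        }
        $null = Invoke-GraphRequest -Method PUT -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy" -Body $ConsentPolicyBody
        Write-ModuleLog -Message "Admin consent policy updated" -Level Info -Component 'CustomerInitialization'

        # Step 12: Restrict user consent and app creation via the authorization policy.
        $null = Update-MgPolicyAuthorizationPolicy -AllowUserConsentForRiskyApps:$false -DefaultUserRolePermissions @{
            AllowedToCreateApps             = $false
            PermissionGrantPoliciesAssigned = @(
                "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat",
                "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team"
            )
        }
        Write-ModuleLog -Message "Authorization policy updated" -Level Info -Component 'CustomerInitialization'
    }
    catch {
        # The original message used $CustomerTenantId, which is not a parameter of this function,
        # so the logged tenant id was always empty; $TenantId is the actual parameter.
        Write-ModuleLog -Message "Failed to add consent policy for customer $TenantId" -Level Error -Component 'CustomerInitialization' -ErrorRecord $_ -ThrowError
    }
}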