@JanVidarElven
Last active March 1, 2021 20:41
GetTeamsAdminCenterToken
# Connect to Azure AD Organization as Admin
Connect-AzureAD
#region Part 1 - Azure AD App
# Create a new App Registration for Teams Admin Center
$azureAdApp = New-AzureADApplication -DisplayName "Teams Admin Center API" -ReplyUrls "https://localhost", "urn:ietf:wg:oauth:2.0:oob"
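# Key validity window in UTC (the "Z" suffix marks UTC, so convert from local time first)
$keyStartDate = "{0:s}" -f (Get-Date).ToUniversalTime().AddHours(-1) + "Z"
$keyEndDate = "{0:s}" -f (Get-Date).ToUniversalTime().AddYears(1) + "Z"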
# Create Password Key Secret
$azureAdAppKeySecret = New-AzureADApplicationPasswordCredential -ObjectId $azureAdApp.ObjectId -CustomKeyIdentifier "Teams Admin Center Secret Key" -StartDate $keyStartDate -EndDate $keyEndDate
# Get the Azure AD SPN
$azureAdSpn = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Skype and Teams Tenant Admin API'"
# Get the OAuth2 permission for user_impersonation
$azureAdOauth2UserImpersonation = $azureAdSpn | Select-Object -ExpandProperty Oauth2Permissions | Where-Object { $_.Value -eq "user_impersonation" }
# Build a Required Resource Access object with the delegated user_impersonation permission on the Skype and Teams Tenant Admin API
$requiredResourceAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId  = $azureAdSpn.AppId
    ResourceAccess = [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
        Id   = $azureAdOauth2UserImpersonation.Id
        Type = "Scope" # "Scope" = delegated permission
    }
}
# Set the required resources for the Azure AD Application
Set-AzureADApplication -ObjectId $azureAdApp.ObjectId -RequiredResourceAccess $requiredResourceAccess
# Associate a new Service Principal to my Azure AD Application
$appSpn = New-AzureADServicePrincipal -AppId $azureAdApp.AppId -Tags @("WindowsAzureActiveDirectoryIntegratedApp")
#endregion