CSP Secure Application Model with PowerShell (Partner Center refresh-token flow and Key Vault storage)
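# Connect to Partner Center via the stored refresh token.
# In the Secure Application Model the refresh token is the long-lived credential:
# together with the multi-tenant app's client secret it grants delegated (partner)
# access to every customer tenant. Both values must come from a secret store such
# as Key Vault, never from a script literal. This snippet assumes the stored token
# response (or any object with a refresh_token property) has already been loaded
# into $refresh.
# Placeholders are quoted on purpose: an unquoted {...} in PowerShell is a script
# block, not a string, so the original form would not have produced a usable id.
$clientId = '{multi tenant app id}'
$secret = '{multi tenant app secret}'
$partnerTenant = '{partner tenant}'   # tenant id or verified domain of the partner (CSP) tenant
$partnerAccessTokenUri = "https://login.windows.net/$partnerTenant/oauth2/token"
$params = @{
    resource      = "https://api.partnercenter.microsoft.com"
    grant_type    = "refresh_token"
    client_secret = $secret
    client_id     = $clientId
    scope         = "openid"
    refresh_token = $refresh.refresh_token
}
# Exchange the refresh token for an access token scoped to the Partner Center API.
# NOTE(review): the token endpoint may return a rotated refresh_token in this
# response; if it does, write it back to the secret store so the stored token
# does not age out.
$cspAccess = Invoke-RestMethod -Uri $partnerAccessTokenUri -Method POST -Body $params
# Bearer token goes only in the Authorization header; avoid echoing $params or
# $cspAccess to logs or transcripts.
$customers = Invoke-RestMethod -Uri "https://api.partnercenter.microsoft.com/v1.0/customers" -Headers @{ Authorization = "Bearer " + $cspAccess.access_token }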
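# Redeem the same partner refresh token against a customer's tenant. The
# refresh_token grant sent to the customer tenant's token endpoint yields an
# ACCESS token for that customer (the comment in earlier revisions called this a
# refresh token; it is not).
# First example: request a token for Microsoft Graph and list the tenant's users.
$customerTenant = '{customer tenant}'   # tenant id (or domain) of one entry from the /customers response
$customerAccessTokenUri = "https://login.windows.net/$customerTenant/oauth2/token"
$params = @{
    resource      = "https://graph.microsoft.com"
    grant_type    = "refresh_token"
    client_secret = $secret
    client_id     = $clientId
    scope         = "openid"
    refresh_token = $refresh.refresh_token
}
# NOTE(review): this exchange only succeeds for tenants that have granted the
# partner delegated admin rights; an invalid_grant here usually means no such
# relationship exists rather than a bad token.
$graphAccess = Invoke-RestMethod -Uri $customerAccessTokenUri -Method POST -Body $params
$users = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers @{ Authorization = "Bearer " + $graphAccess.access_token }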
# Second example: read the customer's Azure subscriptions through the Azure
# Resource Manager API. Same customer-tenant token endpoint as above, different
# resource. Reuses $customerAccessTokenUri, $secret, $clientId and $refresh.
$params = @{
    resource      = "https://management.azure.com"
    grant_type    = "refresh_token"
    client_secret = $secret
    client_id     = $clientId
    scope         = "openid"
    refresh_token = $refresh.refresh_token
}
$azAccess = Invoke-RestMethod -Uri $customerAccessTokenUri -Method POST -Body $params
# Subscriptions visible to the partner's delegated identity in the customer tenant.
$subscriptions = Invoke-RestMethod -Uri "https://management.azure.com/subscriptions?api-version=2016-06-01" -Headers @{ Authorization = "Bearer " + $azAccess.access_token }
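# One-time bootstrap: exchange the authorization code from the partner's consent
# flow for a refresh token.
# The authorization code is single-use and short-lived. The refresh token it
# yields is the long-lived credential of the Secure Application Model: write it
# to Key Vault (or similar) immediately and never commit it. The client secret
# belongs in a secret store too; the literals below are placeholders only.
$code          = '{code from consent}'
$clientId      = '{multi tenant app id}'
$secret        = '{secret from multi tenant app}'
$partnerTenant = '{partner tenant}'   # tenant id or verified domain of the partner (CSP) tenant
# Build the token URL from $partnerTenant instead of a hard-coded domain so the
# two cannot drift apart.
$loginurl      = "https://login.windows.net/$partnerTenant/oauth2/token"
$params = @{
    resource      = "https://api.partnercenter.microsoft.com"
    grant_type    = "authorization_code"
    client_id     = $clientId
    client_secret = $secret
    redirect_uri  = 'https://localhost'   # must exactly match a redirect URI registered on the app
    code          = $code
}
# The token endpoint returns the whole token response (access_token,
# refresh_token, expires_in, ...). Keep only the refresh token: that is what the
# other snippets redeem and the only value that should be persisted.
$tokenResponse = Invoke-RestMethod -Uri $loginurl -Method POST -Body $params
$refreshToken  = $tokenResponse.refresh_token
if ([string]::IsNullOrEmpty($refreshToken)) { throw "Token endpoint did not return a refresh_token" }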
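# Get an access token for Key Vault with the single-tenant app's own credentials
# (client credentials grant on the v2.0 endpoint). This app is separate from the
# multi-tenant CSP app: its only job is to read/write the vault, so it can be
# given a narrow Key Vault access policy.
# NOTE(review): if this runs inside Azure, a managed identity would avoid holding
# a second client secret here.
$tenantId = '{single tenant id}'   # tenant that owns the single-tenant app (was read but never set)
$params = @{
    scope         = 'https://vault.azure.net/.default'
    grant_type    = 'client_credentials'
    client_id     = '{single tenant app id}'
    client_secret = '{single tenant app secret}'
}
$AADToken = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $params
# Generic Key Vault read. $keyVaultResourceUri is the resource path only
# (e.g. https://<vault>.vault.azure.net/secrets/<name>) with no query string; the
# api-version is appended exactly once here. The earlier variable name implied
# the version was already included, which would have doubled the query string.
$keyVaultResourceUri = '{key vault resource uri}'
Invoke-RestMethod -Method Get -Uri ($keyVaultResourceUri + "?api-version=7.0") -Headers @{ Authorization = "Bearer " + $AADToken.access_token }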
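# Store the refresh token in Key Vault. This part is plain Key Vault REST and has
# nothing to do with Partner Center.
$keyVaultUrl = '{https://<vault>.vault.azure.net}'   # was read but never set
$secretName  = "refreshtoken"
$KeyvaultFullUrl = $keyVaultUrl + "/secrets/" + $secretName + "?api-version=7.0"
# Get an access token for Key Vault with the single-tenant app (client credentials).
# The tenant id is interpolated from a variable; the literal "{tenantId}" in the
# URL would have been sent verbatim.
$tenantId = '{single tenant id}'
$params = @{
    scope         = 'https://vault.azure.net/.default'
    grant_type    = 'client_credentials'
    client_id     = '{single tenant app id}'
    client_secret = '{single tenant app secret}'
}
$AADToken = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $params
# Key Vault expects 'value' to be a string. Accept either the bare refresh-token
# string or the full token response object from the token endpoint, and store
# only the refresh token: serialising the whole response would also persist the
# short-lived access token and is not a valid secret value.
$refreshTokenValue = if ($refreshToken -is [string]) { $refreshToken } else { [string]$refreshToken.refresh_token }
if ([string]::IsNullOrEmpty($refreshTokenValue)) { throw "No refresh token to store" }
$secretBody = @{ value = $refreshTokenValue } | ConvertTo-Json
# PUT creates the secret or adds a new version to an existing one. The response
# is kept in $kvSecret so it does not clobber the app secret held in $secret.
$kvSecret = Invoke-RestMethod -Method Put -Uri $KeyvaultFullUrl -Body $secretBody -Headers @{ 'Authorization' = "Bearer " + $AADToken.access_token; 'Content-Type' = "Application/Json" }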