Saturday, 10 August 2019

Move SharePoint Online Sites using Powershell

You can now swap your SharePoint Online site with another site using the Invoke-SPOSiteSwap Powershell cmdlet. When the swap is initiated, the target site is moved to the archive location and the source site is moved to the target location.

To use this new cmdlet, you need to use SharePoint Online Powershell version 16.0.8812.1200 or later (Download Link: https://www.microsoft.com/en-us/download/details.aspx?id=35588). You can install the latest SPO Powershell by running below command.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -MinimumVersion "16.0.8812.1200"

Current Limitations :

  • The target site can only be the root site (https://tenant-name.sharepoint.com) or the search center (https://tenant-name.sharepoint.com/search.).
  • The source or target sites can't be associated with an Office 365 Group (team) or a hub site. If the site is a associated to a hub site, you can remove the association, perform the swap and then re enable the association.
  • If the target is the root site at https://tenant-name.sharepoint.com then the source site must be either a Team Site (STS#0), a Modern Team Site (STS#3), or a Communication Site (SITEPAGEPUBLISHING#0).
  • If the target is the search center site at https://tenant-name.sharepoint.com/search then the source site must be either a Search Center Site (SRCHCEN#0) or a Basic Search Center Site (SRCHCENTERLITE#0).
The below commands archives the existing root site and moves the CommunicationSite to root site.
Connect-SPOService -Url "https://<tenant-name>-admin.sharepoint.com"
$SourceSite = "https://<tenant-name>.sharepoint.com/sites/CommunicationSite"
$TargetSite = "https://<tenant-name>.sharepoint.com"
$AcrhiveSite = "https://<tenant-name>.sharepoint.com/sites/Archive"
Invoke-SPOSiteSwap -SourceUrl $SourceSite -TargetUrl $TargetSite -ArchiveUrl $AcrhiveSite
Note: Before proceed replace the parameter "<tenant-name>" with your tenant name in commands.

You can refer this post for more details.

Monday, 5 August 2019

Get Microsoft Graph API Access Token using ClientID and ClientSecret

In some cases, apps or users might want to acquire Microsoft Graph access token by using the ClientID (Azure AD Application ID) and ClientSecret instead of providing their own credentials. In many cases, these are background services or automation jobs which require to authenticate a script without user interaction (Unattended Authentication). I would also recommend you to read the post Get access without a user.

Note: Assume that you have already registered an App in Azure AD through App Registration and you have the Client ID, Client Secret, and your Tenant Domain Name (or Tenant ID).

Required Parameters :

  • ClientID - AppId of your Azure AD Application.
  • ClientSecret - A secret code that you get from the registered app.
  • Tenant - Provide your tenant id or tenant domain name (ex: xxxxx.onmicrosoft.com). Refer this post to find your tenant id.

Get Access Token :

In the OAuth 2.0 client credentials grant flow, you can acquire an access token by sending a POST request to the /token identity platform endpoint with required parameters :
Http Method : POST
Endpoint URL : https://login.microsoftonline.com/Tenant/oauth2/v2.0/token
Content-Type : application/x-www-form-urlencoded
Body : scope=https://graph.microsoft.com/.default&grant_type=client_credentials&client_id=535fb089-9ff3-47b6-9bfb-4f1264799865&client_secret=qWgdYAmab0YSkuL1qKv5bPX

Get Graph Access Token Using Powershell :

In Powershell, you can use the Invoke-RestMethod cmdlet to send the post request to the /token identity endpoint. Use the below commands after replacing your own values for ClientID, ClientSecret and TenantId.
#This is the ClientID (Application ID) of registered AzureAD App
$ClientID = "535fb089-9ff3-47b6-9bfb-4f1264799865"
#This is the key of the registered AzureAD app
$ClientSecret = "qWgdYAmab0YSkuL1qKv5bPX"
#This is your Office 365 Tenant Domain Name or Tenant Id
$TenantId = "m365xxxxx.onmicrosoft.com"
#$TenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$Body = @{client_id=$ClientID;client_secret=$ClientSecret;grant_type="client_credentials";scope="https://graph.microsoft.com/.default";}
$OAuthReq = Invoke-RestMethod -Method Post -Uri https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token -Body $Body
$TokenType = $OAuthReq.token_type
$AccessToken = $OAuthReq.access_token

Call Graph API Using Powershell :

The below command retrieves all the Azure AD user details by passing the acquired access token.
$apiUrl = "https://graph.microsoft.com/v1.0/users"
$users = Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $apiUrl -Method Get
Note : Before using the above end-point (https://graph.microsoft.com/v1.0/users), you should have added the Application permission User.Read.All (or User.ReadWrite.All) in your Azure AD app and you should have already provided Admin consent for your app.

Fix - AADSTS90002: Tenant 'xxxxxx' not found. This may happen if there are no active subscriptions for the tenant.

Problem :

Recieived the below error when I try to get Microsoft Graph access token with my Azure AD Application using OAuth 2.0 client credentials grant flow.
Token identity endpoint URL : https://login.microsoftonline.com/xxxxxx/oauth2/v2.0/token

"error":"invalid_request","error_description":"AADSTS90002: Tenant 'xxxxxx' not found. This
may happen if there are no active subscriptions for the tenant. Check with your subscription administrator

Fix/Solution :

We need to provide either TenantID (Guid) or Tenant DomainName (ex: xxxxx.onmicrosoft.com) in token identity endpoint URL to get access token. But in my case, I have just provided tenant name alone instead of tenant domain name/tenantId, the problem solved after providing complete tenant domain name.
#Token endpoint URL with tenant domain name
https://login.microsoftonline.com/xxxxxx.onmicrosoft.com/oauth2/v2.0/token

#Token endpoint URL with tenant id (guid)
Token identity endpoint URL : https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token
To find your tenant id, you can refer this post : How to find your Office 365 Tenant ID

How to find your Office 365 Tenant ID

Office 365 Tenant ID is a globally unique identifier (GUID) value for your Azure AD Tenant. You can find your Tenant ID in the following methods.

1. From Azure AD Portal

You can find your tenant ID in the Azure AD portal if you have Azure AD administrator privilege.
  • Log in to Azure AD Portal (https://portal.azure.com).
  • In the Azure portal, click Azure Active Directory in the left-side navigation box.
  • Under Manage, click Properties. You can retrieve the tenant id from the Directory ID box.
How to retrieve your Office 365 Tenant ID


2. Use Azure AD PowerShell

If you have already installed Azure AD Powershell V2 module, then you can get TenantId while running the Connect-AzureAD cmdlet.
PS C:\> Connect-AzureAD | FL

Account      : UserName@DomainName.onmicrosoft.com
Environment  : AzureCloud
Tenant       : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantDomain : DomainName.onmicrosoft.com

3. Use Azure CLI

If you have Azure CLI setup, you can run the command "azure account show" to get your tenant id.
$ azure account show

data:    Name                        : Subscription Name
data:    ID                          : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
data:    State                       : Enabled
data:    Tenant ID                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
data:    Is Default                  : true
data:    Environment                 : AzureCloud
data:    Has Certificate             : No
data:    Has Access Token            : Yes
data:    User name                   : kevin@xxxxxxx.onmicrosoft.com
You can fine tune the result by running below commands.
azure account show --json | jq -r '.[0].tenantId'

or 

az account show --subscription a... | jq -r '.tenantId'
az account list | jq -r '.[].tenantId'

Related Posts :