How Can We Help?
< Back
You are here:

Adding and AzureAD Application

To access your customer tenants and automate your license billing, we need to create an AzureAD Application in your Partner tenant.

This is compatible with Delegated Admin Permissions and Granular Delegated Admin Permissions for Partners.

The permissions we need access to are as follows:

  • Microsoft Graph
    • Directory.Read.All
    • MailboxSettings.Read
  • Microsoft Partner Center
    • user_impersonation
  • Office 365 Exchange Online
    • Exchange.ManageAsApp


  • You will need to log in as a Global Admin account of your Microsoft Tenant
    • Creating the app and granting consent
  • You will need the AzureAD Powershell module or run the script as administrator and the script will install the module

Optional – AzureAD Security Group

If you would like to use a custom AzureAD Security Group instead of the default AdminAgents, please ensure you create a group before running the below script.
If you leave the prompt blank, we will add the application to the default AdminAgents group in your tenant.

Creating the Application

We have created a simple powershell script to automatically create the application. This will add the application with the relevant permissions and give you the details required for the Sync 365 License Application.

  1. Copy the below script into either Powershell or notepad
  2. Save the file as s365lapp.ps1
  3. Either right click the saved file and run with powershell, or run it from a powershell window with ./s365lapp.ps1 (in the directory of the saved file).
  4. After the azuread app is created a web page will pop up requesting consent. This needs to be performed by a global admin of your tenant.
  5. In the Sync 365 License application. Select Companies > Delegated Admin > Add an AzureAD Application and enter in the
    1. ApplicationID
    2. Application Secret
    3. Tenant ID
$ErrorActionPreference = "Stop"

# Check if the Azure AD PowerShell module has already been loaded.
if ( ! ( Get-Module AzureAD ) ) {
    # Check if the Azure AD PowerShell module is installed.
    if ( Get-Module -ListAvailable -Name AzureAD ) {
        # The Azure AD PowerShell module is not load and it is installed. This module
        # must be loaded for other operations performed by this script.
        Write-Host -ForegroundColor Green "Loading the Azure AD PowerShell module..."
        Import-Module AzureAD
    } else {
        Install-Module AzureAD

$appname = $DisplayName}else{
$appname = "Sync 365 License"}

try {
    Write-Host -ForegroundColor Green "When prompted please log in as a global administrator..."
        Connect-AzureAD | Out-Null

} catch [Microsoft.Azure.Common.Authentication.AadAuthenticationCanceledException] {
    # The authentication attempt was canceled by the end-user. Execution of the script should be halted.
    Write-Host -ForegroundColor Yellow "The authentication attempt was canceled. Execution of the script will be halted..."
} catch {
    # An unexpected error has occurred. The end-user should be notified so that the appropriate action can be taken.
    Write-Error "An unexpected error has occurred. Please review the following error message and try again." `

$graphAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId = "00000003-0000-0000-c000-000000000000";
    ResourceAccess =
            Id = "40f97065-369a-49f4-947c-6a255697ae91";
            Type = "Role"},
            Id = "7ab1d382-f21e-4acd-a863-ba3e13f7da61";
            Type = "Role"}

$partnerCenterAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId = "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd";
    ResourceAccess =
            Id = "1cebfa2a-fb4d-419e-b5f9-839b4383e05a";
            Type = "Scope"}

$exchangeappaccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId = "00000002-0000-0ff1-ce00-000000000000";
    ResourceAccess =
            Id = "dc50a0fb-09a3-484d-be87-e023b12c6440";
            Type = "Role"}

$SessionInfo = Get-AzureADCurrentSessionInfo

Write-Host -ForegroundColor Green "Creating the Azure AD application and related resources..."

$app = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName $appname -IdentifierUris "https://$($SessionInfo.TenantDomain)/$((New-Guid).ToString())" -RequiredResourceAccess $exchangeappaccess, $graphAppAccess, $partnerCenterAppAccess -ReplyUrls @("urn:ietf:wg:oauth:2.0:oob","")
$startDate = Get-Date
$endDate = $startDate.AddYears(99)
$password = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "S365LApp" -StartDate $startDate -EndDate $endDate
$spn = New-AzureADServicePrincipal -AppId $app.AppId -DisplayName $DisplayName

###Add to group

$group = read-host "Enter the Security Group name to add the app to. Leave blank for the AdminAgents group"



    $adminAgentsGroup = Get-AzureADGroup -Filter "DisplayName eq  `'$($group)`'"

    $group = read-host "We could not retreive the group. Please enter the name again"
    $adminAgentsGroup = Get-AzureADGroup -Filter "DisplayName eq  `'$($group)`'"


    Add-AzureADGroupMember -ObjectId $adminAgentsGroup.ObjectId -RefObjectId $spn.ObjectId
Write-Host -ForegroundColor Green "Adding to the required group. Please wait."

sleep 10

write-host "Please grant consent to this app on the new browser window that has opened" -ForegroundColor yellow
Start-Process -FilePath  "$($app.appid)&response_type=code&redirect_uri="
write-host "Please enter these details into the Sync 365 License Application" -ForegroundColor Yellow
write-host "Tenant ID: $($sessioninfo.Tenantid)" -ForegroundColor green
Write-host "Application ID: $($app.AppId)" -ForegroundColor green
write-host "Client Secret: $($password.Value)" -ForegroundColor green
Table of Contents