blog.atwork.at

news and infos about microsoft, technology, cloud and more

Gain access as delegated partner to another Office365 tenant with PowerShell

The goal was administer an Office365 tenant as delegated partner. But, currently I had difficulties to access another Office365 tenant in the Microsoft Partner Portal. When selecting a partner and opening the Office 365 admin center, not the partner tenant was opened but instead my own tenant. I didn’t figure out why this no longer was working. Anyway, I tried to use PowerShell instead…

SNAGHTMLbafdb96

The red marked links opened the Microsoft Partner Portal, but not on behalf of the partner tenant, but only showing my own Office 365 tenant…

Calling Microsoft support is… well, you know. So, after some calls, the advice was to open a support case. Great.

After some thinking about the issue, I assume, it could be that my account is a global admins in my own tenant – and the redirect always ends in my own tenant, but that’s just…guessing.

Anyway. As quick workaround I decided to try to create a new user in that partner tenant. So here’s what I did:

There’s an article in TechNet describing how to accomplish such a scenario at
Manage Office 365 tenants with Windows PowerShell for Delegated Access Permissions (DAP) partners

So, after Connect-MsolService (logging in with my personal Office 365 login which is a delegated admin) and loading the Remote Exchange PowerShells here we go:

# Get all tenants with your delegated partner account:
Get-MsolPartnerContract –All

# Get the TenantID of one specific tenant by name (here: contoso):
Get-MsolPartnerContract -DomainName contoso.onmicrosoft.com | Select-Object –TenantId

# Now you get the TenantId as for example 77ac… we try to create a new user in that tenant:
New-MsolUser -UserPrincipalName admin.mycompany@contoso.onmicrosoft.com `
    -DisplayName 'admin.mycompany' -FirstName 'admin' -LastName 'mycompany' `
    -Password 'mysecretpwd' -UsageLocation 'US' `
    -ForceChangePassword:$false -PasswordNeverExpires:$true `
    -TenantId 77ac…

# Ok, now that user should be created. Now let’s see the users who are Global Admins:
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId 77ac…

# Ok, the last task would be to assign the Global Admin role to that new user as follows:
Add-MsolRoleMember -RoleName "Company Administrator" –RoleMemberEmailAddress admin.mycompany@contoso.onmicrosoft.com

In my opinion, this would have been the solution. Unfortunately, the result was this message:
Add-MsolRoleMember : Access Denied. You do not have permissions to call this cmdlet.

I did some research and found this blog post Office 365 Tech Tip: Create a User and Assign a Role in PowerShell, describing exactly what I tried.

Ok, to make it short. The commands above _would (or should)_ have been the solution. But for whatever reason, in that partner tenant it didn’t work. So, I called the customer and asked him to assign a Global Administrator role to my new created user in his tenant. This worked. Winking smile

A pity, that the PowerShell workaround did not work in my case. Anyway, maybe it works in other tenants or scenarios – or someone has a tip for me, why?

Loading