Using Microsoft Graph PowerShell authentication commands (2024)

Microsoft Graph PowerShell supports two types of authentication: delegated and app-only access. There are a number of cmdlets that can be used to manage the different parameters required during authentication, for example, environment, application ID, and certificate. In this article, we'll look at the different cmdlets that are associated with authentication.

Using Connect-MgGraph

You must invoke Connect-MgGraph before any commands that access Microsoft Graph. This cmdlet gets the access token using the Microsoft Authentication Library.

Delegated access

There are three ways to allow delegated access using Connect-MgGraph:

  • Using interactive authentication, where you provide the scopes that you require during your session:

    Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
  • Using device code flow:

    Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All" -UseDeviceAuthentication
  • Using your own access token:

    Connect-MgGraph -AccessToken $AccessToken

Use delegated access with a custom application for Microsoft Graph PowerShell

Follow the steps below to create custom applications that you can use to connect to Microsoft Graph PowerShell. Use this approach if you need to isolate and limit the consent permissions granted for Microsoft Graph PowerShell usage.

  1. Go to the Azure portal - App registrations > New Registration.
    1. Enter a Name for your application, for example Microsoft Graph PowerShell - High Privilege admin use only.
    2. For Supported account types, select Accounts in this organization directory.
    3. For Redirect URI:
      • Select Public client/native from the drop down
      • URI value: http://localhost
    4. Select Register.
    5. Go to Enterprise applications and select the application you just created.
    6. Under Manage, select Properties and set Assignment required? to Yes.
    7. Select Save.
    8. Under Manage, select Users and groups.
    9. Select Add user/group and add the users and groups permitted to use this application.
    10. Once you've added all the users and groups, select Assign.

You can now use this app instead of the default one by connecting with:

Connect-MgGraph -ClientId <YOUR_NEW_APP_ID> -TenantId <YOUR_TENANT_ID>

App-only access

Using client credential with a certificate

To use app-only access, you can load the certificate from either Cert:\CurrentUser\My\ or Cert:\LocalMachine\My\, when -CertificateThumbprint or -CertificateName is specified. Make sure that the certificate you're using is present in either certificate store before calling Connect-MgGraph. For more info, see Use app-only authentication with the Microsoft Graph PowerShell SDK.
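The store and certificate requirements above can be checked before sign-in. The following is an added example, not part of the original article: `Get-MgAppCertificate` is a hypothetical helper, the 30-day warning window is an assumed policy value, and the IDs and thumbprint are placeholders.

```powershell
# Added example: pre-flight check before certificate-based app-only sign-in.
# Get-MgAppCertificate is a hypothetical helper; the IDs below are placeholders.
function Get-MgAppCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int] $WarnDays = 30   # assumed rotation warning window
    )
    # Thumbprints pasted from the certificate UI often carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw 'Expected a 40-character hexadecimal thumbprint.' }

    # Look in the two stores Connect-MgGraph reads from.
    $cert = $null
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-Item -Path "$store\$clean" -ErrorAction SilentlyContinue
        if ($cert) { break }
    }
    if (-not $cert) { throw "Certificate $clean is in neither CurrentUser\My nor LocalMachine\My." }

    # Without the private key the client cannot prove possession of the certificate.
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key in this store." }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $clean is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }
    if ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        Write-Warning "Certificate $clean expires on $($cert.NotAfter); rotate it."
    }
    $cert
}

# Replace the placeholders with your own values before running.
$cert = Get-MgAppCertificate -Thumbprint '<YOUR_CERT_THUMBPRINT>'
Connect-MgGraph -ClientId '<YOUR_APP_ID>' -TenantId '<YOUR_TENANT_ID>' -CertificateThumbprint $cert.Thumbprint
try {
    (Get-MgContext).AuthType      # app-only sessions report AppOnly
}
finally {
    Disconnect-MgGraph | Out-Null
}
```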

Using client secret credentials

If you need background interactions without a user signing in, use this grant type. Client secret credentials are supported through the -ClientSecretCredential parameter of Connect-MgGraph. See Get-Credential on how to get or create credentials.

$ClientSecretCredential = Get-Credential -Credential "Client_Id"
# Enter client_secret in the password prompt.
Connect-MgGraph -TenantId "Tenant_Id" -ClientSecretCredential $ClientSecretCredential

Note

It's recommended to use PowerShell 7 and above when using client secret credentials.

Using managed identity

A common challenge when writing automation scripts is the management of secrets, credentials, certificates, and keys used to secure communication between services. Eliminate the need to manage credentials by allowing the module to obtain access tokens for Azure resources that are protected by Microsoft Entra ID. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.

  • System-assigned managed identity:

    Uses an automatically managed identity on a service instance. The identity is tied to the lifecycle of a service instance.

    Connect-MgGraph -Identity
  • User-assigned managed identity:

    Uses a user created managed identity as a standalone Azure resource.

    Connect-MgGraph -Identity -ClientId "User_Assigned_Managed_identity_Client_Id"

Connecting to an environment or cloud

By default, Connect-MgGraph targets the global public cloud. To target other clouds, see Using Get-MgEnvironment.

Connecting to an environment as a different identity

To connect as an identity other than CurrentUser, specify the -ContextScope parameter with the value Process.

Connect-MgGraph -ContextScope Process

Using passwordless authentication

Passwordless authentication is a method of verifying a user’s identity without the use of a password. Passwords are a primary attack vector and passwordless authentication is a strategy to mitigate attacks where bad actors use social engineering, phishing, and spray attacks to compromise passwords.

Microsoft Graph PowerShell supports the following passwordless authentication methods:

  • Windows Hello for Business
  • Fast ID Online v2.0 (FIDO2)
  • Microsoft Authenticator app
  • Certificate-based authentication (CBA)

Note

FIDO2 security keys option is only supported on PowerShell 7 and above.

For more information, see Passwordless authentication options for Microsoft Entra ID and Microsoft Entra certificate-based authentication.

Using Disconnect-MgGraph

Once you're signed in, you'll remain signed in until you invoke Disconnect-MgGraph. Microsoft Graph PowerShell automatically refreshes the access token for you and sign-in persists across PowerShell sessions because Microsoft Graph PowerShell securely caches the token.

Use Disconnect-MgGraph to sign out.

Disconnect-MgGraph

Using Get-MgEnvironment

When you use Connect-MgGraph, you can choose to target other environments. By default, Connect-MgGraph targets the global public cloud.

To get a list of all clouds that you can choose from, run:

Get-MgEnvironment
Name     AzureADEndpoint                   GraphEndpoint                           Type
----     ---------------                   -------------                           ----
China    https://login.chinacloudapi.cn    https://microsoftgraph.chinacloudapi.cn Built-in
Global   https://login.microsoftonline.com https://graph.microsoft.com             Built-in
USGov    https://login.microsoftonline.us  https://graph.microsoft.us              Built-in
USGovDoD https://login.microsoftonline.us  https://dod-graph.microsoft.us          Built-in

To explicitly target other clouds, for example, US Government and Azure China, use the -Environment parameter.

Connect-MgGraph -Environment USGov

Note

Globally registered apps don't replicate to Azure China. You'll need to register your own applications in Azure China and use them when connecting to Microsoft Graph.

Using Get-MgContext

Get-MgContext is used to retrieve the details about your current session, which include:

  • ClientID
  • TenantID
  • Certificate Thumbprint
  • Scopes consented to
  • AuthType: Delegated or app-only
  • AuthProviderType
  • CertificateName
  • Account
  • AppName
  • ContextScope
  • Certificate
  • PSHostVersion
  • ClientTimeout

To retrieve the session details, run:

Get-MgContext
ClientId              : 615e6e7c-aa11-4402-91a1-6234967405d5
TenantId              : 9f32a42e-6782-4b96-a4d3-e0828a292569
CertificateThumbprint :
Scopes                : {AppRoleAssignment.ReadWrite.All, Directory.AccessAsUser.All, Directory.ReadWrite.All, EntitlementManagement.ReadWrite.All...}
AuthType              : Delegated
AuthProviderType      : InteractiveAuthenticationProvider
CertificateName       :
Account               : admin@Contoso.com
AppName               : Microsoft Graph PowerShell
ContextScope          : CurrentUser
Certificate           :
PSHostVersion         : 5.1.17763.1
ClientTimeout         : 00:05:00

To retrieve all the scopes that you've consented to, expand the Scopes property using the -ExpandProperty parameter.

Get-MgContext | Select -ExpandProperty Scopes
AppRoleAssignment.ReadWrite.All
Directory.AccessAsUser.All
Directory.ReadWrite.All
EntitlementManagement.ReadWrite.All
Group.ReadWrite.All
openid
Organization.Read.All
profile
RoleManagement.ReadWrite.Directory
User.Read
User.ReadWrite.All
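The session details above can be turned into a least-privilege check that a script runs before doing any work. This is an added example, not part of the original article: `Test-MgSessionScope` is a hypothetical helper, the "broad" pattern is an assumed heuristic, and the sample context is constructed from the output shown above so the check runs without a live session.

```powershell
# Added example: compare a session's consented scopes with what a script needs.
# Test-MgSessionScope is a hypothetical helper, not an SDK cmdlet.
function Test-MgSessionScope {
    [CmdletBinding()]
    param(
        # Scopes the calling script actually needs (supplied by the caller).
        [Parameter(Mandatory)] [string[]] $RequiredScopes,
        # Session to inspect; defaults to the live session.
        [object] $Context = (Get-MgContext)
    )
    if (-not $Context) { throw 'No Microsoft Graph session. Run Connect-MgGraph first.' }

    # OpenID Connect scopes are part of sign-in itself, so they are not reported.
    $oidc    = 'openid', 'profile', 'email', 'offline_access'
    $granted = @($Context.Scopes)

    $missing = @($RequiredScopes | Where-Object { $_ -notin $granted })
    $excess  = @($granted | Where-Object { $_ -notin $RequiredScopes -and $_ -notin $oidc })
    # Assumed heuristic: write-capable or act-as-user scopes deserve a closer look.
    $broad   = @($excess | Where-Object { $_ -match '\.ReadWrite\.|AccessAsUser' })

    [pscustomobject]@{
        AuthType        = "$($Context.AuthType)"
        Missing         = $missing
        Excess          = $excess
        BroadExcess     = $broad
        # CurrentUser means the token cache outlives this PowerShell process.
        PersistsToCache = ("$($Context.ContextScope)" -eq 'CurrentUser')
    }
}

# Constructed sample mirroring the Get-MgContext output shown above.
$sample = [pscustomobject]@{
    AuthType     = 'Delegated'
    ContextScope = 'CurrentUser'
    Scopes       = 'AppRoleAssignment.ReadWrite.All', 'Directory.AccessAsUser.All',
                   'Directory.ReadWrite.All', 'EntitlementManagement.ReadWrite.All',
                   'Group.ReadWrite.All', 'openid', 'Organization.Read.All', 'profile',
                   'RoleManagement.ReadWrite.Directory', 'User.Read', 'User.ReadWrite.All'
}

$report = Test-MgSessionScope -RequiredScopes 'User.Read', 'Group.ReadWrite.All' -Context $sample
$report | Format-List
if ($report.BroadExcess) {
    Write-Warning "Session carries $($report.BroadExcess.Count) broad scopes this script does not need."
}
```

Omit `-Context` to inspect the live session. A non-empty `BroadExcess` is a signal to connect through a dedicated app registration with narrower consent, as described in the custom application section.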

Using Invoke-MgGraphRequest

Invoke-MgGraphRequest issues REST API requests to the Graph API. It works for any Graph API if you know the REST URI, method, and optional body parameter. This command is especially useful for accessing APIs for which there isn't an equivalent cmdlet yet.

To retrieve the details of the signed-in user, run:

Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/me
Name              Value
----              -----
userPrincipalName admin@Contoso.com
preferredLanguage en-US
mobilePhone       425-555-0101
displayName       MOD Administrator
givenName         MOD
mail              admin@contoso.com
@odata.context    https://graph.microsoft.com/v1.0/$metadata#users/$entity
id                694bab60-392a-4f64-9430-c1dea2951f50
jobTitle
officeLocation
businessPhones    {425-555-0100}
surname           Administrator

Next steps

For more information about navigating Microsoft Graph PowerShell, see:

  • Using Find-MgGraphCommand cmdlet
  • Using Find-MgGraphPermission cmdlet
Article information

Author: Kieth Sipes
