Now that you know you will have to use application permissions, the next logical step is to identify the required setup, which depends on how you will be authenticating.
If you’re using an Azure AD App Registration, head to the API Permissions blade of your Azure AD App Registration and select:

- Add Permission -> Microsoft Graph -> Application Permissions -> Device.Read.All

Note: You may need to be a Global Administrator to grant admin consent for certain permission scopes.
For application permission scenarios, see the table below to help guide you:

Authentication Experience | Method Used | Azure AD Requirements
---|---|---
Non-Interactive | Certificate | There are several ways to generate a certificate, one of which is New-SelfSignedCertificate. The certificate (with its private key) should then be installed in the personal certificate store of the account that will run the script. Back in your Azure AD App Registration:
Non-Interactive | Client Secret (App Registrations Only) | On your new Azure AD App Registration navigate to: Certificates & secrets -> Client Secrets tab -> New client secret. Enter a description and set the expiration date (2 year maximum). Click Add, then store the secret value in a secure location; it is shown only once and cannot be retrieved later.
Note: The Microsoft Graph PowerShell module will soon work with Managed Identities once it hits v2, this guide will be updated at a later date to include this information.
Update 12/24/2022: Preview 2 for the new module is available here: https://github.com/microsoftgraph/msgraph-sdk-powershell/releases/tag/2.0.0-preview2
Read on to see code examples for each authentication experience/method used…
Certificate Method – How To:
The certificate method for use with application permissions is straightforward from a code standpoint.

```powershell
#Specify Client and Tenant IDs
$ClientID = "(your client/application id here)"
$TenantID = "(your tenant id here)"
$CertName = "(certificate name)"

#Connect to Graph
#Note: Certificate, CertificateSubject, and CertificateThumbprint parameters are also available
Connect-MgGraph -ClientID $ClientID -TenantId $TenantID -CertificateName $CertName
```
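The following is an added example, not code from the original post. It shows the end-to-end certificate workflow the table above only sketches: create the self-signed certificate with a non-exportable private key, export just the public half for upload to the app registration, then connect by thumbprint and confirm the session is app-only before touching devices. The subject name, file path and placeholder IDs are hypothetical; it assumes the Microsoft.Graph module is installed and that the exported .cer has been uploaded under Certificates & secrets -> Certificates before `Connect-GraphWithCert` is run.

```powershell
# Added example (not from the original post). Subject name, file path and IDs are hypothetical.
$ClientID = "(your client/application id here)"
$TenantID = "(your tenant id here)"

# Run once: create the certificate and export the public key for the app registration.
function New-GraphAppCert {
    param(
        [string]$Subject = "CN=GraphDeviceReader",         # hypothetical subject
        [string]$CerPath = ".\GraphDeviceReader.cer",      # hypothetical output path
        [int]$ValidYears = 1
    )
    # NonExportable keeps the private key bound to this machine/user; only the .cer leaves it.
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyExportPolicy NonExportable `
        -KeySpec Signature `
        -KeyLength 2048 `
        -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears($ValidYears)

    # Export the public certificate only (DER-encoded .cer); this is what Azure AD needs.
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
    Write-Host "Upload $CerPath to the app registration (Certificates & secrets -> Certificates)."
    Write-Host "Thumbprint to use for Connect-MgGraph: $($cert.Thumbprint)"
    return $cert.Thumbprint
}

# Run after the upload: connect by thumbprint, verify app-only auth, query devices, disconnect.
function Connect-GraphWithCert {
    param([Parameter(Mandatory)][string]$Thumbprint)
    try {
        # Thumbprint is unambiguous where a subject name might match several certificates.
        Connect-MgGraph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $Thumbprint -ErrorAction Stop

        $ctx = Get-MgContext
        if ($ctx.AuthType -ne 'AppOnly') {
            throw "Expected an app-only context but got '$($ctx.AuthType)'."
        }

        # Device.Read.All is the permission granted in this guide; a 403 here means consent is missing.
        Get-MgDevice -Top 5 -ErrorAction Stop | Select-Object DisplayName, DeviceId, OperatingSystem
    }
    finally {
        Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage (two separate runs, with the .cer upload in between):
#   $tp = New-GraphAppCert
#   Connect-GraphWithCert -Thumbprint $tp
```

Keeping the private key non-exportable means a copy of the script, or a backup of the user profile, cannot carry the credential to another host; if the certificate is ever leaked, remove it from the app registration and the token requests fail immediately.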
Client Secret Method – How To:
The client secret method for use with application permissions is just one small extra step. Since the Microsoft.Graph PowerShell module doesn’t currently provide a way to use client secrets, we can use the MSAL.PS module instead, which exposes this method of authentication.

```powershell
#Specify Client and Tenant IDs with Client Secret
#Note: There are many ways to store/retrieve client secrets:
#encrypted key files, the PowerShell SecretManagement module, Azure Key Vault, etc.
$ClientID = "(your client id here)"
$TenantID = "(your tenant id here)"
$ClientSecret = "(your client secret here)"
$SecureSecret = $ClientSecret | ConvertTo-SecureString -AsPlainText -Force

#Retrieve a token using MSAL.PS
$AccessToken = Get-MsalToken -TenantId $TenantID -ClientId $ClientID -ClientSecret $SecureSecret

#Pass the token we just retrieved into the Microsoft.Graph module
Connect-MgGraph -AccessToken $AccessToken.AccessToken
```
That’s it! Once you’ve authenticated you can use any of the cmdlets in the Microsoft.Graph module, provided the application has been granted (and an administrator has consented to) the permissions those cmdlets require.
Once you’ve retrieved everything you need, you can run the following command to disconnect from Graph:
Disconnect-MgGraph
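The block below is an added example, not code from the original post. It builds on the client secret method: instead of a plaintext secret in the script it pulls the secret from the PowerShell SecretManagement module, decodes the access token’s payload to confirm the `roles` claim actually contains Device.Read.All before calling Graph, and always disconnects in a `finally`. It assumes MSAL.PS, Microsoft.Graph and Microsoft.PowerShell.SecretManagement (with a registered vault) are installed, that the secret was stored once with `Set-Secret -Name GraphClientSecret -Secret '<value>'`, and that the v1 Microsoft.Graph module is in use, where `-AccessToken` takes a plain string (v2 expects a SecureString). The secret name and placeholder IDs are hypothetical.

```powershell
# Added example (not from the original post). Secret name and IDs are hypothetical.
$ClientID = "(your client id here)"
$TenantID = "(your tenant id here)"

# Decode the JWT payload (second dot-separated segment, base64url) into an object.
# Used only to inspect the token's claims; signature verification is Graph's job, not ours.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $part = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) {
        2 { $part += '==' }
        3 { $part += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

# Get-Secret returns string secrets as a SecureString by default, so the value never
# appears as plain text in the script or in the transcript.
$SecureSecret = Get-Secret -Name GraphClientSecret

try {
    $MsalToken = Get-MsalToken -TenantId $TenantID -ClientId $ClientID -ClientSecret $SecureSecret -ErrorAction Stop

    # App-only tokens carry application permissions in the 'roles' claim.
    # Failing here gives a clearer error than a 403 from the first Graph call.
    $roles = @((Get-JwtPayload -Token $MsalToken.AccessToken).roles)
    if ($roles -notcontains 'Device.Read.All') {
        throw "Token lacks Device.Read.All (roles present: $($roles -join ', ')). Check API permissions and admin consent."
    }
    Write-Host "Token expires $($MsalToken.ExpiresOn.LocalDateTime); roles: $($roles -join ', ')"

    Connect-MgGraph -AccessToken $MsalToken.AccessToken -ErrorAction Stop
    Get-MgDevice -Top 5 -ErrorAction Stop | Select-Object DisplayName, DeviceId, OperatingSystem
}
finally {
    # Drop the cached context even if the query threw.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}
```

Checking the `roles` claim up front also catches a common misconfiguration: adding Device.Read.All under Delegated permissions instead of Application permissions, which yields a token with no `roles` at all.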