Now that you know you will have to use delegated permissions, the next logical step is to identify the required Azure AD setup based on how you will be authenticating. For delegated permission scenarios, use the table below as a guide:

Authentication Experience: Interactive
Method Used: Client Credentials
Azure AD Requirements: If you're using the Microsoft Graph PowerShell Enterprise Application you just need to connect with Connect-MgGraph and specify your required scope, and ensure your target user has access to the Microsoft Graph PowerShell Enterprise Application within Azure AD plus any applicable Azure AD roles (with delegated permissions, what the script can do is the intersection of the granted scope and what the signed-in user is allowed to do).

        Ex: Connect-MgGraph -Scopes "Device.Read.All"

Note: Scopes marked "Admin consent required" in the Graph permissions reference must be consented to by a Global Administrator (or another role allowed to grant tenant-wide admin consent) before a regular user can sign in with them.

If you're using an Azure AD App Registration instead, head to the API Permissions blade of your Azure AD App Registration and select:

        Add Permission -> Microsoft Graph -> Delegated Permissions -> Device.Read.All

Authentication Experience: Non-Interactive
Method Used: Integrated Windows Authentication
Azure AD Requirements: Identical to the App Registration variant of the Interactive / Client Credentials Azure AD setup, with 1 extra step:

Under the Authentication blade of your Azure AD App Registration, under Advanced Settings set Allow public client flows to Yes.

Caveat: MSAL's Integrated Windows Authentication only works for federated users (accounts from on-premises AD in an AD FS-federated domain) on a domain-joined machine; it does not work for cloud-only accounts and it cannot satisfy MFA.

Authentication Experience: Non-Interactive
Method Used: Client Credentials
Azure AD Requirements: Identical to the App Registration variant of the Interactive / Client Credentials Azure AD setup, with 1 extra step:

Under the Authentication blade of your Azure AD App Registration, under Advanced Settings set Allow public client flows to Yes.

Caveat: this method sends the user's password straight to Azure AD, so it cannot satisfy MFA, and a Conditional Access policy that requires MFA for the account will block the sign-in.

Terminology note: this post uses "Client Credentials" for any flow where the user's own credentials are supplied (browser sign-in, device code, or username and password). In OAuth 2.0 terms the non-interactive username/password variant is the Resource Owner Password Credentials (ROPC) grant, and "client credentials" normally means app-only authentication with a certificate or secret, which is not a delegated-permission scenario and is out of scope here.
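The same App Registration can be created with the Graph SDK instead of by clicking through the portal, which makes the permission set reviewable and repeatable. This is an added example and not code from the original post. The display name is a placeholder, the scope ID is looked up rather than hard-coded, and it assumes you are already connected as an administrator with Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All (both admin-consent scopes themselves).

```powershell
# Added example, not from the original post. Assumes an existing admin session
# from: Connect-MgGraph -Scopes 'Application.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All'

# Microsoft Graph's well-known application ID; resolve the scope ID from the
# service principal instead of pasting a GUID into the script.
$GraphAppId = '00000003-0000-0000-c000-000000000000'
$GraphSp    = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'" -ErrorAction Stop
$Scope      = $GraphSp.Oauth2PermissionScopes | Where-Object Value -eq 'Device.Read.All'
if (-not $Scope) { throw "Delegated scope Device.Read.All not found on the Graph service principal." }

$AppParams = @{
    DisplayName            = 'Device Inventory Script (example placeholder)'
    SignInAudience         = 'AzureADMyOrg'            # single tenant only
    # Same setting as Authentication blade > Advanced settings > Allow public client flows = Yes.
    # Only needed for the non-interactive (IWA / username+password) methods; leave $false otherwise.
    IsFallbackPublicClient = $true
    RequiredResourceAccess = @(@{
        ResourceAppId  = $GraphAppId
        # Type 'Scope' = delegated permission; 'Role' would be an application permission
        ResourceAccess = @(@{ Id = $Scope.Id; Type = 'Scope' })
    })
}
$App = New-MgApplication @AppParams -ErrorAction Stop

# Consent is recorded against a service principal, so create one for the new app.
$Sp = New-MgServicePrincipal -AppId $App.AppId -ErrorAction Stop

# Tenant-wide admin consent for exactly this one delegated scope (what the portal's
# "Grant admin consent" button does). Omit this block if users should consent individually.
$null = New-MgOauth2PermissionGrant -ClientId $Sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $GraphSp.Id -Scope 'Device.Read.All' -ErrorAction Stop

# The two values the connection examples later in this post need.
[pscustomobject]@{
    ClientId = $App.AppId
    TenantId = (Get-MgContext).TenantId
}
```

Review the RequiredResourceAccess list in the registration before granting consent: everything in it is granted tenant-wide by the permission grant, so keep it to the single scope the script needs.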

Read on to see code examples for each authentication experience/method used…

Interactive / Client Credentials – How To:

Using delegated permissions with client credentials interactively is the simplest from a code standpoint. Run one of the commands below and a browser window opens where you can authenticate (Option 2 prints a code and a URL instead of opening the browser for you).

Option 1:

#Microsoft Graph PowerShell Enterprise Application Method
Connect-MgGraph -Scopes "Device.Read.All"

Option 2:

#Microsoft Graph PowerShell Enterprise Application Method 2
#This will provide you with a unique code that you can use to login from a different device if necessary
#Note: Conditional Access may prevent this in some cases
#Note: Only enter codes you generated yourself; the device code flow is a known phishing vector because
#the code, not a password, is what authorizes the sign-in
Connect-MgGraph -Scopes "Device.Read.All" -UseDeviceAuthentication

Option 3:

#Azure AD App Registration Method
$ClientID = "(your client id here)"
$TenantID = "(your tenant id here)"
Connect-MgGraph -ClientId $ClientID -TenantId $TenantID -Scopes "Device.Read.All"

Note: Only the Microsoft Graph PowerShell module is required for this method.
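A Connect-MgGraph call that returns without error does not prove the requested scope was actually consented to; the session only carries what Azure AD granted. The following is an added example, not code from the original post, showing the interactive connection followed by a check of the resulting context before any Graph query runs. It assumes only the Microsoft.Graph module; the scope list and the Get-MgDevice query are illustrative.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module is installed.
$RequiredScopes = @('Device.Read.All')

# Browser sign-in to the Microsoft Graph PowerShell enterprise application.
Connect-MgGraph -Scopes $RequiredScopes -ErrorAction Stop

# Get-MgContext shows the session as Azure AD issued it: AuthType should be
# 'Delegated', and Scopes lists every scope consented to for this app (for this
# user or tenant-wide), which can be more or fewer than what was requested.
$Context = Get-MgContext
$Context | Select-Object Account, TenantId, ClientId, AuthType, Scopes

if ($Context.AuthType -ne 'Delegated') {
    throw "Expected a delegated session, got '$($Context.AuthType)'."
}

# Fail fast if a required scope is missing, typically because admin consent was
# never granted; the later Get-Mg* call would otherwise fail with 403 Forbidden.
$Missing = $RequiredScopes | Where-Object { $_ -notin $Context.Scopes }
if ($Missing) {
    Disconnect-MgGraph | Out-Null
    throw "Missing delegated scope(s): $($Missing -join ', '). Ask an admin to consent, then reconnect."
}

# The query the scope was requested for. With delegated permissions the result
# is also limited by what the signed-in user is allowed to see.
Get-MgDevice -Top 5 | Select-Object DisplayName, OperatingSystem, IsCompliant

Disconnect-MgGraph
```

Checking Scopes is also a useful habit in the other direction: if the context shows far more scopes than the script needs, the app has accumulated consents that should be trimmed.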

Non-Interactive / Integrated Windows Authentication – How To:

The Microsoft.Graph PowerShell module doesn't provide a way to authenticate with Integrated Windows Authentication; however, the Microsoft Authentication Library does, and this method is exposed through the MSAL.PS module. Therefore we can use that module first, then pass the retrieved access token into the Microsoft Graph PowerShell module. Keep in mind that MSAL's IWA only works for federated users on a domain-joined machine and cannot complete an MFA challenge, so an MFA-protected account will fail here.

#Specify Client and Tenant IDs
$ClientID = "(your client id here)"
$TenantID = "(your tenant id here)"

#Fetch a token silently using IWA with MSAL.PS
#Works for federated (on-premises AD backed) users on a domain-joined machine only; cannot satisfy MFA
$AccessToken = Get-MsalToken -ClientId $ClientID -TenantId $TenantID -IntegratedWindowsAuth -Scopes "Device.Read.All"

#Pass the token we just retrieved into the Microsoft.Graph module
#Microsoft.Graph 1.x takes -AccessToken as a plain string; 2.x expects a SecureString instead:
#  Connect-MgGraph -AccessToken (ConvertTo-SecureString $AccessToken.AccessToken -AsPlainText -Force)
Connect-MgGraph -AccessToken $AccessToken.AccessToken

Note: MSAL.PS and Microsoft Graph PowerShell are required for this method.

Non-Interactive / Client Credentials – How To:

The Microsoft.Graph PowerShell module doesn't provide a way to sign in non-interactively with a username and password (what this post calls Client Credentials; in OAuth 2.0 terms the Resource Owner Password Credentials grant); however, the Microsoft Authentication Library does, and this method is exposed through the MSAL.PS module. Therefore we can use that module first, then pass the retrieved access token into the Microsoft Graph PowerShell module. Because the password itself is sent to Azure AD, this flow cannot satisfy MFA and Microsoft recommends against it; prefer IWA, a certificate-based app-only identity, or a managed identity where the scenario allows it.

#Specify Client and Tenant IDs
$ClientID = "(your client id here)"
$TenantID = "(your tenant id here)"

#NOTE: There are many ways to obtain credentials:
#Encrypted key/pass files, PowerShell Secrets Management Module, Azure Key Vault, etc.
#For simplicity, this guide will list them here (This is NOT a best practice)
$Username = "myusername"
$UserPassword = "mypassword"
$SecureStringPassword = ConvertTo-SecureString $UserPassword -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ($Username, $SecureStringPassword)

#Fetch a token silently using the username/password (ROPC) grant with MSAL.PS
#Fails for accounts that require MFA; the password is sent directly to Azure AD
$AccessToken = Get-MsalToken -ClientId $ClientID -TenantId $TenantID -UserCredential $Cred -Scopes "Device.Read.All"

#Pass the token we just retrieved into the Microsoft.Graph module
#Microsoft.Graph 1.x takes -AccessToken as a plain string; 2.x expects a SecureString instead:
#  Connect-MgGraph -AccessToken (ConvertTo-SecureString $AccessToken.AccessToken -AsPlainText -Force)
Connect-MgGraph -AccessToken $AccessToken.AccessToken

Note: MSAL.PS and Microsoft Graph PowerShell are required for this method.
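The two non-interactive methods above differ only in the Get-MsalToken call, so one helper can serve both. The following is an added example and not code from the original post: it tries MSAL's token cache first (so a cached or refreshable token means no credential is sent on this run), falls back to IWA or to the username/password grant, pulls the credential from a SecretManagement vault rather than a script literal, refuses a token that is about to expire, and hands the token to Connect-MgGraph in the form the installed SDK version expects. It assumes MSAL.PS, Microsoft.Graph and Microsoft.PowerShell.SecretManagement are installed; the function name and the secret names GraphUser and GraphPassword are placeholders.

```powershell
# Added example, not from the original post. Function and secret names are placeholders.
function Connect-MgGraphWithMsalToken {
    param(
        [Parameter(Mandatory)] [string]   $ClientId,
        [Parameter(Mandatory)] [string]   $TenantId,
        [string[]]                        $Scopes = @('Device.Read.All'),
        [ValidateSet('IWA', 'Password')] [string] $Method = 'IWA',
        [pscredential]                    $Credential
    )

    $common = @{ ClientId = $ClientId; TenantId = $TenantId; Scopes = $Scopes; ErrorAction = 'Stop' }

    # 1. Token cache first: if MSAL can return or refresh a token silently, no
    #    credential leaves the machine at all on this run.
    try {
        $token = Get-MsalToken @common -Silent
    }
    catch {
        switch ($Method) {
            'IWA' {
                # Federated users on a domain-joined machine only; an MFA-protected
                # account fails here, so let the error surface rather than retrying.
                $token = Get-MsalToken @common -IntegratedWindowsAuth
            }
            'Password' {
                if (-not $Credential) {
                    # Placeholder secret names; Get-Secret returns the password as a SecureString.
                    $Credential = [pscredential]::new(
                        (Get-Secret -Name 'GraphUser' -AsPlainText),
                        (Get-Secret -Name 'GraphPassword'))
                }
                # ROPC: the raw password is sent to Azure AD; no MFA, no device state.
                $token = Get-MsalToken @common -UserCredential $Credential
            }
        }
    }

    # 2. Do not start a long run on a token that is about to expire.
    if ($token.ExpiresOn -le [DateTimeOffset]::UtcNow.AddMinutes(5)) {
        throw "Token expires at $($token.ExpiresOn); refusing to start a run with it."
    }

    # 3. Microsoft.Graph 1.x takes -AccessToken as a string, 2.x as a SecureString.
    $sdkVersion = (Get-Command Connect-MgGraph -ErrorAction Stop).Module.Version
    if ($sdkVersion.Major -ge 2) {
        Connect-MgGraph -AccessToken (ConvertTo-SecureString $token.AccessToken -AsPlainText -Force) -ErrorAction Stop
    }
    else {
        Connect-MgGraph -AccessToken $token.AccessToken -ErrorAction Stop
    }

    # Return the context so the caller can verify account and scopes before querying.
    Get-MgContext
}

# Usage: same placeholders as the examples above.
$ctx = Connect-MgGraphWithMsalToken -ClientId '(your client id here)' -TenantId '(your tenant id here)' -Method 'Password'
if ('Device.Read.All' -notin $ctx.Scopes) { throw 'Device.Read.All was not granted to this session.' }
Get-MgDevice -Top 5 | Select-Object DisplayName, OperatingSystem, IsCompliant
Disconnect-MgGraph
```

Run the function once interactively on the service account to seed the MSAL token cache; after that the -Silent path normally succeeds and the fallback, with its password handling, only executes when the refresh token has expired or been revoked.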

That’s it! Once you’ve authenticated you can use any of the available cmdlets within the Microsoft.Graph module provided you have access to it and the necessary permissions are in place.

Once you’ve retrieved everything you need, you can run the following command to disconnect from Graph:

Disconnect-MgGraph