
Connect to Microsoft Graph PowerShell using an App Registration

 2 years ago
source link: https://helloitsliam.com/2021/11/18/connect-to-microsoft-graph-powershell-using-an-app-registration/

Graph, Microsoft 365, PowerShell, Scripting



Photo by Mikhail Nilov on Pexels.com (https://www.pexels.com/photo/man-people-night-dark-6963098/)

Connecting to the Microsoft Graph using PowerShell is simple and easy. The most straightforward approach is to pass the required scopes to “Connect-MgGraph”; however, this means you may have to consent each time, and you almost certainly will whenever you adjust the scopes.

Initial Connection

# Request a small initial set of delegated scopes; the first run prompts for consent.
$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
)
Connect-MgGraph -Scopes $scopes
# Show which scopes the current session actually received.
Get-MgContext | Select-Object -ExpandProperty Scopes

Updated Connection

# Adding scopes changes the consent request, so expect another consent prompt.
$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes
# Confirm the enlarged scope list was granted to this session.
Get-MgContext | Select-Object -ExpandProperty Scopes

Though helpful, this approach may not be the best when you need to execute these types of commands more frequently. Instead, we can use a pre-created App Registration, with the correct permissions already assigned, to connect.

There are a few steps required for this to work.

  • Create the App Registration
  • Assign the required Graph Permissions
  • Upload a Certificate

Create the App Registration

Assign the required Graph Permissions

Now that we have the App Registration, click it to access the details. Within the Manage navigation, click “API Permissions.”

  • Click “Add a permission”
  • Click “Microsoft Graph”
  • Click “Application permissions”
  • Select the required permissions

For this example, we will use the following:

  • Chat.ReadWrite.All
  • Directory.Read.All
  • Group.Read.All
  • Mail.ReadWrite
  • People.Read.All
  • Sites.Manage.All
  • User.Read.All
  • User.ReadWrite.All

Click “Add permissions”

The selected permissions will display on the “API Permissions” page.

For those permissions that require “Admin Consent,” click the “Grant admin consent for {Domain}.”
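Because an app-only token only carries the application permissions that were actually consented, it is worth reading back what the tenant holds for the app registration rather than trusting the portal screenshot. The script below is an added example, not code from the original post: it lists the Microsoft Graph application permissions granted to the app's service principal (stored as app role assignments), separately lists any delegated grants (the common mistake of picking “Delegated permissions” instead of “Application permissions”), and compares the result with the list above. It assumes the Microsoft.Graph.Applications module is installed and a delegated session with Application.Read.All; the app id is a placeholder.

```powershell
# Added example (not from the original post): audit which Microsoft Graph application
# permissions the app registration actually holds after admin consent.
# Assumes the Microsoft.Graph.Applications module and a delegated session with
# Application.Read.All. The app id below is a placeholder; replace it with your App Registration ID.
$appId              = "00000000-0000-0000-0000-000000000000"   # placeholder
$graphResourceAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph appId

Connect-MgGraph -Scopes "Application.Read.All"

# The service principal is the tenant-local instance of the app registration; consented
# application permissions are recorded on it as app role assignments.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for appId $appId; has the app been consented in this tenant?" }

# Microsoft Graph's own service principal lists every app role (application permission) with its name.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '$graphResourceAppId'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Application permissions granted to our app: these become the scopes of an app-only token.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] } |
    Sort-Object

# Delegated grants are stored separately; if the permissions you expect show up here
# instead of above, they were added as delegated rather than application permissions.
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $_.Scope.Trim() -split ' ' }

# The set the post assigns; adjust to whatever your script really needs.
$expected = @("Chat.ReadWrite.All", "Directory.Read.All", "Group.Read.All", "Mail.ReadWrite",
              "People.Read.All", "Sites.Manage.All", "User.Read.All", "User.ReadWrite.All")

Write-Host "Application permissions granted: $($granted -join ', ')"
Write-Host "Delegated permissions granted  : $($delegated -join ', ')"

$missing = $expected | Where-Object { $granted  -notcontains $_ }
$extra   = $granted  | Where-Object { $expected -notcontains $_ }
if ($missing) { Write-Warning "Not yet granted (check admin consent): $($missing -join ', ')" }
if ($extra)   { Write-Warning "Granted but not in the expected list (review for least privilege): $($extra -join ', ')" }
```

Running this periodically against each automation app is a cheap control: the “extra” list flags permissions that crept in over time, and the “delegated” list explains the empty-scopes symptom described later in the post before you spend time debugging the certificate.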

Upload a Certificate

Within the Manage navigation, now click “Certificates & secrets.”

NOTE: You need a certificate for this. If you do not have a fully purchased certificate, you can generate a self-signed certificate. More details are here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate.

  • Click “Upload certificate”
  • Browse locally for your certificate
  • Click “Add”
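The certificate step above assumes you already have a certificate to upload. The following is an added example (not code from the original post) of producing one the way the linked Microsoft article describes: a self-signed certificate created in the current user's store, with only the public half exported for upload, and the thumbprint captured for Connect-MgGraph. It assumes Windows, where New-SelfSignedCertificate ships in the PKI module; the subject name, validity period and export path are illustrative choices.

```powershell
# Added example (not from the original post): generate a self-signed certificate for the
# app registration, export only the public half for upload, and capture the thumbprint.
# Assumes Windows (New-SelfSignedCertificate is in the PKI module); subject and paths are
# illustrative choices, not values from the post.
$subject   = "CN=GraphAppOnly-Automation"
$exportDir = Join-Path $env:USERPROFILE "graph-cert"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# The private key is generated in the current user's store and marked non-exportable, so the
# only file that ever leaves this machine is the public certificate. Keep the validity short
# and put the expiry in your rotation calendar.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# DER-encoded public certificate: this is the file to upload under "Certificates & secrets".
$cerPath = Join-Path $exportDir "GraphAppOnly.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# The thumbprint is what Connect-MgGraph -CertificateThumbprint expects. The portal shows the
# same value after upload, which is a quick way to confirm you uploaded the right file.
$thumbprint = $cert.Thumbprint
Write-Host "File to upload : $cerPath"
Write-Host "Thumbprint     : $thumbprint"
Write-Host "Expires        : $($cert.NotAfter)"
```

Because the key is non-exportable, this certificate can only be used from the user profile on the machine where it was created; for a dedicated automation host that is exactly what you want, and it means losing the host means re-issuing the certificate rather than wondering where a .pfx copy went.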

We now have all the pieces required to connect to the Microsoft Graph using the App Registration. You need to copy the following values to use:

  • App Registration ID
  • Azure Active Directory Tenant ID
  • Certificate Thumbprint or Name

Once you have these values, you can use the following PowerShell to connect:

Connect-MgGraph `
-ClientId "2f5ab44a-b61a-448e-a47e-ad5f3ad519ff" `
-TenantId "9c7659c3-acfa-42e7-b56a-ebc98f327ec6" `
-CertificateThumbprint "6E442BCB760DEE68D59746CE7D7457EF7EAB33C3"

If the connection succeeds, run the following to validate that the connection is “App Only” and that the “Scopes” are populated. If the scopes are empty, the Graph permissions were assigned as delegated rather than application permissions.

Get-MgContext

To view just the scopes, you can use this command.

Get-MgContext | Select-Object -ExpandProperty Scopes

In our “App registration,” we did not add the “SecurityEvents.ReadWrite.All” Graph permission, so any command requiring it should fail.

Get-MgSecurityAlert

We can reissue the command if we go back to the “App registration” and add the required permission.

If you execute the “Get-MgSecurityAlert” command straight away, it will still fail, because the existing connection's scopes do not reflect this change. You need to reconnect and then issue the command for it to work.

Disconnect-MgGraph
Connect-MgGraph `
-ClientId "2f5ab44a-b61a-448e-a47e-ad5f3ad519ff" `
-TenantId "9c7659c3-acfa-42e7-b56a-ebc98f327ec6" `
-CertificateThumbprint "6E442BCB760DEE68D59746CE7D7457EF7EAB33C3"
Get-MgSecurityAlert
Get-MgSecuritySecureScore
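The two checks the post walks through by hand (is the context App Only with scopes present, and does the token carry the permission the next command needs) can be folded into the connection itself, so a script fails with a clear message before it touches any data instead of failing on an arbitrary cmdlet later. The function below is an added example, not part of the Microsoft Graph PowerShell SDK or the original post: it verifies the certificate is usable, forces a fresh session so stale scopes cannot mask a portal change, connects app-only, and then validates the context against a required-scope list. The function and parameter names are this example's own, and the ids and thumbprint are placeholders.

```powershell
# Added example (not from the original post): connect app-only with a certificate and
# validate the session before running anything. Function and parameter names are this
# example's own; ids and thumbprint are placeholders.
function Connect-MgAppOnly {
    param(
        [Parameter(Mandatory)] [string]   $ClientId,
        [Parameter(Mandatory)] [string]   $TenantId,
        [Parameter(Mandatory)] [string]   $CertificateThumbprint,
        [string[]] $RequiredScopes = @()
    )

    # Fail early if the certificate (with its private key) is not in this user's store.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Certificate $CertificateThumbprint with a private key was not found in Cert:\CurrentUser\My"
    }

    # Scopes are captured when the token is issued, so always start from a clean session;
    # otherwise a lingering delegated or app-only session hides permission changes made in the portal.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null

    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an AppOnly context but got '$($ctx.AuthType)'"
    }
    if (-not $ctx.Scopes) {
        throw "Connected but no scopes were issued: the app registration has delegated rather than application permissions, or admin consent has not been granted"
    }
    $missing = $RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ }
    if ($missing) {
        throw "Connected, but these application permissions are not in the token: $($missing -join ', '). Grant them in the portal, then reconnect so a new token is issued."
    }
    return $ctx
}

# Usage; all three values are placeholders.
$ctx = Connect-MgAppOnly `
    -ClientId "00000000-0000-0000-0000-000000000000" `
    -TenantId "00000000-0000-0000-0000-000000000000" `
    -CertificateThumbprint "0000000000000000000000000000000000000000" `
    -RequiredScopes @("SecurityEvents.ReadWrite.All", "Directory.Read.All")

Write-Host "Connected as app $($ctx.ClientId) to tenant $($ctx.TenantId) with scopes: $($ctx.Scopes -join ', ')"
Get-MgSecurityAlert | Select-Object -First 5 -Property Title, Severity, CreatedDateTime
```

Declaring the required scopes at the top of each script also documents what the app is expected to hold, which makes it obvious during review when a script starts asking for more than the registration was designed to grant.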

This approach is a perfect way of securely connecting to the Graph, especially if you need to control the allowed scopes.


Published by helloitsliam

Liam began his career as a Trainer of all things computer related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes, and of course security controls and protection. He is also a Microsoft MVP and Microsoft Certified Trainer, focusing on Architecture but also crossing the boundary into Development. His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.

