Connect to Microsoft Graph PowerShell using an App Registration
source link: https://helloitsliam.com/2021/11/18/connect-to-microsoft-graph-powershell-using-an-app-registration/
Graph, Microsoft 365, PowerShell, Scripting
![man people night dark](https://i1.wp.com/helloitsliam.com/wp-content/uploads/2021/11/pexels-photo-6963098.jpeg?fit=816%2C544&ssl=1)
Photo by Mikhail Nilov on [Pexels.com](https://www.pexels.com/photo/man-people-night-dark-6963098/)
Connecting to the Microsoft Graph using PowerShell is simple. The most straightforward approach is to pass the required scopes to “Connect-MgGraph”; however, this means you may have to consent each time, and you will almost certainly be prompted to consent again whenever you adjust the scopes.
Initial Connection

```powershell
$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
)
Connect-MgGraph -Scopes $scopes
Get-MgContext | Select-Object -ExpandProperty Scopes
```
Updated Connection

```powershell
$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes
Get-MgContext | Select-Object -ExpandProperty Scopes
```
Though helpful, this approach is not ideal when you need to execute these types of commands frequently. Instead, we can use a pre-created App Registration with the correct permissions already assigned to connect.
There are a few steps required for this to work.
- Create the App Registration
- Assign the required Graph Permissions
- Upload a Certificate
Create the App Registration
- Navigate to the App Registrations page
- Click “New registration”
- Set the “Name” as required
- Choose “Accounts in this organizational directory only”
- Select “Public client/native” for the redirect URI
- Save the App Registration
Assign the required Graph Permissions
Now that we have the App Registration, click it to access the details. Within the Manage navigation, click “API Permissions.”
- Click “Add a permission”
- Click “Microsoft Graph”
- Click “Application permissions”
- Select the required permissions
For this example, we will use the following:
- Chat.ReadWrite.All
- Directory.Read.All
- Group.Read.All
- Mail.ReadWrite
- People.Read.All
- Sites.Manage.All
- User.Read.All
- User.ReadWrite.All
Click “Add permissions”
The selected permissions will display on the “API Permissions” page.
For those permissions that require “Admin Consent,” click the “Grant admin consent for {Domain}.”
Upload a Certificate
Within the Manage navigation, now click “Certificates & secrets.”
NOTE: You need a certificate for this. If you do not have a fully purchased certificate, you can generate a self-signed certificate. More details are here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate.
- Click “Upload certificates”
- Browse locally for your certificate
- Click “Add”
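If you need a certificate for this step, the following is an added example (not from the original post) of creating a self-signed one with a non-exportable private key and exporting only the public part for upload; the subject name and output path are placeholders you should replace.

```powershell
# Added example: create a self-signed certificate for app-only Graph authentication.
# Subject and file path below are placeholders, not values from the original post.
$cerPath = Join-Path $env:TEMP "GraphAppOnly-Example.cer"

$certParams = @{
    Subject           = "CN=GraphAppOnly-Example"   # placeholder subject
    CertStoreLocation = "Cert:\CurrentUser\My"       # store Connect-MgGraph searches by thumbprint
    KeyExportPolicy   = "NonExportable"              # private key never leaves this host
    KeySpec           = "Signature"
    KeyAlgorithm      = "RSA"
    KeyLength         = 2048
    HashAlgorithm     = "SHA256"
    NotAfter          = (Get-Date).AddYears(1)       # short lifetime; rotate before expiry
}
$cert = New-SelfSignedCertificate @certParams

# Export only the public certificate (.cer). This is the file uploaded under
# "Certificates & secrets"; the private key stays in the local store.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# The thumbprint is the value later passed to Connect-MgGraph -CertificateThumbprint.
Write-Output "Uploaded file : $cerPath"
Write-Output "Thumbprint    : $($cert.Thumbprint)"
```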
We now have all the pieces required to connect to the Microsoft Graph using the App Registration. You need to copy the following values to use:
- App Registration ID
- Azure Active Directory Tenant ID
- Certificate Thumbprint or Name
Once you have these values, you can use the following PowerShell to connect:
```powershell
Connect-MgGraph `
    -ClientId "2f5ab44a-b61a-448e-a47e-ad5f3ad519ff" `
    -TenantId "9c7659c3-acfa-42e7-b56a-ebc98f327ec6" `
    -CertificateThumbprint "6E442BCB760DEE68D59746CE7D7457EF7EAB33C3"
```
If the connection is successful, run the following to validate that this is an “App Only” connection and that “Scopes” is populated. If it is empty, you assigned the Graph permissions as delegated rather than as application permissions.
```powershell
Get-MgContext
```
To view just the scopes, you can use this command.

```powershell
Get-MgContext | Select-Object -ExpandProperty Scopes
```
In our “App registration,” we did not add the “SecurityEvents.ReadWrite.All” graph permission, so any command requiring that should fail.
```powershell
Get-MgSecurityAlert
```
We can reissue the command if we go back to the “App registration” and add the required permission.
If you execute the “Get-MgSecurityAlert” command, it will fail as the connection scopes do not reflect this change. You need to reconnect and then issue the command for it to work.
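The validation and reconnect logic described above, wrapped into a single helper as an added example (not from the original post): it tears down any old context, connects with the certificate, fails early if the context is not app-only or lacks a required application permission, and reuses the ClientId, TenantId and thumbprint shown in the post as placeholders.

```powershell
function Connect-GraphAppOnly {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [string[]]$RequiredScopes = @()
    )
    # A context from an earlier connection keeps its old scope list even after the
    # App Registration's permissions change, so always start from a clean session.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null

    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
        -CertificateThumbprint $CertificateThumbprint

    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an AppOnly context but got '$($ctx.AuthType)'."
    }
    if (-not $ctx.Scopes) {
        throw "Context has no scopes: permissions were probably added as Delegated " +
              "instead of Application, or admin consent was not granted."
    }
    # Application permissions granted to the app surface here as roles in the token.
    $missing = $RequiredScopes | Where-Object { $_ -notin $ctx.Scopes }
    if ($missing) {
        throw "Missing application permissions: $($missing -join ', '). " +
              "Add them to the App Registration, grant admin consent, then reconnect."
    }
    return $ctx
}

# Placeholder values taken from the post; replace with your own tenant's values.
$ctx = Connect-GraphAppOnly `
    -ClientId "2f5ab44a-b61a-448e-a47e-ad5f3ad519ff" `
    -TenantId "9c7659c3-acfa-42e7-b56a-ebc98f327ec6" `
    -CertificateThumbprint "6E442BCB760DEE68D59746CE7D7457EF7EAB33C3" `
    -RequiredScopes @("SecurityEvents.ReadWrite.All", "User.Read.All")

"Connected as $($ctx.ClientId) with scopes: $($ctx.Scopes -join ', ')"
Get-MgSecurityAlert
```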
```powershell
Disconnect-MgGraph
Connect-MgGraph `
    -ClientId "2f5ab44a-b61a-448e-a47e-ad5f3ad519ff" `
    -TenantId "9c7659c3-acfa-42e7-b56a-ebc98f327ec6" `
    -CertificateThumbprint "6E442BCB760DEE68D59746CE7D7457EF7EAB33C3"
Get-MgSecurityAlert
Get-MgSecuritySecureScore
```
This approach is a perfect way of securely connecting to the Graph, especially if you need to control the allowed scopes.
Published by helloitsliam