It has always been a challenge to connect to the Graph API and manage your token. One of my preferred benefits of the Graph SDK is the simplicity of connecting and enabling the required permissions.
Even though the task has been simplified, there are still some notions to understand in order to configure your application correctly and securely.
Authentication
The Graph API uses the built-in Microsoft Graph application in your tenant
appid: 14d82eec-204b-4c2f-b7e8-296a70dab67e
You can use this application in 2 modes:
Delegated Access
You are connecting to the Graph API using your own credentials. This scenario is best for interactive sessions: the application supports MFA, passwordless sign-in, integration with Conditional Access policies, and all the good stuff you should already have deployed in your environment.
As a general rule of thumb, always use the least privileges and segregate your admin account from your standard account.
To connect this way, use:
Connect-MgGraph
Application Access
Here you are connecting to the Graph API using a Service Principal. This is an application registered in Azure AD that is used to connect to other applications or APIs. It supports certificate-based authentication and client secrets. This scenario is best for non-interactive sessions and is perfect for scripts, scheduled tasks and DSC modules.
I always recommend certificate authentication, as you don't need to keep a secret or password in clear text.
To connect this way, use:
Connect-MgGraph -ClientId "MyServicePrincipalAppId" `
-CertificateThumbprint "MyCertificateThumbprint" `
-TenantId "MyTenantID"
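The two connection modes above, as an added example that is not part of the original post: a delegated connection that requests only the scopes the task needs, and an application connection that looks the certificate up in the store and warns when it is close to expiry. Both are followed by a check on Get-MgContext so a script fails fast when the session is not the kind it expected. The certificate subject, the application ID and the tenant ID are placeholders.

```powershell
# Added example (not from the original post). Placeholder values are marked <...>.
# Two connection patterns, each followed by a check that the session is the one intended.

function Assert-MgAuthType {
    # Inspect the active session and fail fast if it is not what the script expects.
    param(
        [Parameter(Mandatory)][ValidateSet('Delegated', 'AppOnly')][string]$Expected
    )
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'No Graph session; run Connect-MgGraph first.' }
    if ($ctx.AuthType -ne $Expected) {
        throw "Connected with AuthType '$($ctx.AuthType)', expected '$Expected'."
    }
    # Surface what this session can actually do so over-privileged sessions are visible in the log.
    Write-Host ("Tenant: {0}  Client: {1}  AuthType: {2}" -f $ctx.TenantId, $ctx.ClientId, $ctx.AuthType)
    Write-Host ("Scopes: {0}" -f ($ctx.Scopes -join ', '))
    return $ctx
}

# 1) Delegated access: ask only for the permissions the task needs (least privilege).
#    A consent prompt appears only for scopes not already granted to the user.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All'
Assert-MgAuthType -Expected 'Delegated'
Disconnect-MgGraph

# 2) Application access with a certificate: look the certificate up in the store
#    instead of hard-coding its thumbprint in many scripts, and verify it has not expired.
$certSubject = 'CN=<graph-automation-cert>'   # assumed subject of the certificate registered on the app
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $certSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$certSubject' and a private key was found." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); rotate it soon."
}

# -Certificate accepts the X509Certificate2 object directly (also works with -CertificateThumbprint)
Connect-MgGraph -ClientId '<MyServicePrincipalAppId>' -TenantId '<MyTenantID>' -Certificate $cert
Assert-MgAuthType -Expected 'AppOnly'
```

The AuthType check matters in practice: a script written for app-only permissions that silently reuses a cached delegated session will run with the signed-in admin's rights instead of the service principal's, which is exactly the privilege mix the segregation rule above is meant to avoid.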
You can also generate an access token yourself using the service principal and client secret, and connect this way for interactive sessions:
$tenantId = '' # Paste your tenant ID here
$appId = '' # Paste your Application ID here
$appSecret = '' # Paste your Application secret here (never commit this value)
# v2.0 token endpoint of the tenant; the request is an HTTP POST, so no "HTTP/1.1" suffix belongs in the URI
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$authBody = [Ordered] @{
    scope = 'https://graph.microsoft.com/.default' # Invoke-RestMethod URL-encodes hashtable values itself, so do not pre-encode
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod `
    -Method Post `
    -Uri $oAuthUri `
    -Body $authBody `
    -ErrorAction Stop
$token = $authResponse.access_token
# Graph SDK 1.x accepts the token as a string; SDK 2.x expects a SecureString:
# Connect-MgGraph -AccessToken (ConvertTo-SecureString $token -AsPlainText -Force)
Connect-MgGraph -AccessToken $token
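When you hand a self-obtained token to Connect-MgGraph, nothing checks that it is the token you meant to get until the first Graph call fails. The following is an added example, not code from the original post: it decodes the token payload and verifies the audience, the granted application permissions (the roles claim) and the remaining lifetime before the token is used. The role name in the usage line is an assumption. The payload is decoded for inspection only; Graph access tokens are meant to be opaque to the client and the signature is validated by the service, not here.

```powershell
# Added example (not from the original post). Inspects the access token obtained with the
# client_credentials request before it is passed to Connect-MgGraph.

function ConvertFrom-JwtPayload {
    # Decode the payload (second segment) of a JWT without validating the signature.
    # Inspection only: the resource server, not the client, validates Graph tokens.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected at least two dot-separated segments.' }
    # Base64url -> Base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphAppToken {
    # Returns $true only if the token targets Graph, was issued for app-only use,
    # carries the application permissions the script needs, and still has enough lifetime.
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredRoles = @(),
        [int]$MinimumSecondsLeft = 300
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $ok = $true
    # aud is the resource the token is valid for; Graph tokens carry either the URI or the Graph app ID
    if ($claims.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
        Write-Warning "Token audience is '$($claims.aud)', not Microsoft Graph."; $ok = $false
    }
    # client_credentials tokens carry application permissions in 'roles'; delegated tokens use 'scp'
    if (-not $claims.roles) {
        Write-Warning 'Token has no roles claim: no application permissions are granted.'; $ok = $false
    }
    foreach ($r in $RequiredRoles) {
        if ($r -notin $claims.roles) { Write-Warning "Missing application permission: $r"; $ok = $false }
    }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $left = ($expires - [DateTimeOffset]::UtcNow).TotalSeconds
    if ($left -lt $MinimumSecondsLeft) { Write-Warning "Token expires in $([int]$left)s."; $ok = $false }
    return $ok
}

# Usage, continuing from the $token obtained above ('User.Read.All' is an assumed requirement):
# if (-not (Test-GraphAppToken -Token $token -RequiredRoles 'User.Read.All')) {
#     throw 'Refusing to connect with an unsuitable token.'
# }
# Connect-MgGraph -AccessToken $token
```

A missing roles claim is the most common surprise with this flow: the application permission was added to the app registration but admin consent was never granted, so the token is valid yet useless, and the check above reports that before any Graph call is made.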
New authentication methods using the Graph SDK 2.0 (preview)
The Graph SDK 2.0 (currently in preview) introduces client secret credentials and Azure managed identities as authentication methods.
Using a System-Assigned managed identity
Connect-MgGraph -Identity
Using a User-assigned identity
Connect-MgGraph -Identity -ClientId "User_Assigned_Managed_identity_Client_Id"
Using a client secret
$ClientCredential = Get-Credential -UserName "Client_Id" -Message "Enter the client secret as the password"
# Or create a credential object that is identical to the object that Get-Credential returns without prompting the user. This method requires a plain text password, which might violate the security standards in some enterprises.
# $ApplicationId must hold the client ID and $SecuredPassword a SecureString containing the client secret:
# $ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecuredPassword
# Enter client_secret in the password prompt.
Connect-MgGraph -TenantId "Tenant_Id" -ClientSecretCredential $ClientCredential
Always use client secrets with extreme caution and never keep them in your code. Use them preferably for interactive sessions.
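When a client secret cannot be avoided in a non-interactive job, the secret should at least be injected at run time rather than stored in the script. The following added example (not from the original post) reads the secret from an environment variable supplied by the scheduler or pipeline, converts it to a SecureString immediately, builds the PSCredential that -ClientSecretCredential expects, and confirms the resulting session is app-only. The variable name, tenant ID and client ID are assumptions.

```powershell
# Added example (not from the original post). Builds the client secret credential from an
# environment variable so the secret never sits in the script file or the command history.

function Connect-MgWithSecretFromEnv {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [string]$EnvVarName = 'GRAPH_CLIENT_SECRET'   # assumed variable name set by the scheduler/CI
    )
    $raw = [Environment]::GetEnvironmentVariable($EnvVarName)
    if ([string]::IsNullOrWhiteSpace($raw)) { throw "Environment variable $EnvVarName is not set." }

    # Convert to SecureString right away and drop the plain-text copy from the session
    $secure = ConvertTo-SecureString -String $raw -AsPlainText -Force
    Remove-Variable -Name raw

    # Same object shape as Get-Credential returns: user name = client ID, password = secret
    $cred = [pscredential]::new($ClientId, $secure)
    Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -ErrorAction Stop

    # Confirm the session is app-only before the job does any work with it
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') { throw "Expected an app-only session, got '$($ctx.AuthType)'." }
    return $ctx
}

# Usage (placeholders):
# Connect-MgWithSecretFromEnv -TenantId '<Tenant_Id>' -ClientId '<Client_Id>'
```

The environment variable is still a secret at rest on the host that runs the job, so it should be scoped to the job's own account and rotated on the same schedule as the secret itself; a certificate or managed identity remains the better choice whenever the platform supports it.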
Bonus
If you are looking for a uniform experience to connect across different workloads, i.e. Graph, Exchange Online, Teams and more (see below), you should have a look at the MSCloudLoginAssistant developed by @NikCharlebois and @BrianLala. This helper is used by the Microsoft365DSC module and allows you to manage authentication using certificates, credentials and more with the same command:
Connect-M365Tenant `
-Workload $Workload `
-Credential $Credential `
-ProfileName $ProfileName
Where Workload is one of:
ExchangeOnline
Intune
SecurityComplianceCenter
PnP
PowerPlatforms
MicrosoftTeams
MicrosoftGraph
Choose your authentication type using one of:
Credential
Certificate (name, thumbprint, password)
Identity (Managed identity)
And ProfileName is one of:
v1.0
beta
That's a wrap for authentication. To keep this article short, I will cover permissions in the next blog post.
Reference:
Great article William. I would love to see an article documenting how you create your service principals with a certificate for authentication. Thanks again for a great post!