The Microsoft Graph PowerShell module supports two types of authentication:
- Delegated Access
- App-only Access
Delegated access uses a public client to get an access token and consume Microsoft Graph resources on behalf of the signed-in user.
Microsoft Graph PowerShell module supports the following delegated access scenarios:
Connect-MgGraph -Scopes "User.ReadBasic.All", "Calendars.Read.Shared"Connect-MgGraph -Scopes "User.ReadBasic.All", "Calendars.Read.Shared" -UseDeviceCodeApp-only access uses a confidential client to get an access token and consume Microsoft Graph resources without a user context (uses an app's context).
Microsoft Graph PowerShell module supports the following app-only access scenarios:
Load certificate from store using a certificate's thumbprint.
Connect-MgGraph -ClientId "Client_Id" -TenantId "Tenant_Id" -CertificateThumbprint "Cert_Thumbprint"Load certificate from store using a certificate's subject name.
Connect-MgGraph -ClientId "Client_Id" -TenantId "Tenant_Id" -CertificateSubjectName "Cert_Subject_Name"Load certificate from file.
$Cert = Get-ChildItem Cert:\LocalMachine\My\$CertThumbprint
Connect-MgGraph -ClientId "Client_Id" -TenantId "Tenant_Id" -Certificate $CertUsing environment variables.
# Add environment variables to be used by Connect-MgGraph.
$Env:AZURE_CLIENT_ID = "application id of the client app"
$Env:AZURE_TENANT_ID = "Id of your tenant"
$Env:AZURE_CLIENT_CERTIFICATE_PATH = "path to a PFX or PEM-encoded certificate file including private key"
# Tell Connect-MgGraph to use your environment variables.
Connect-MgGraph -EnvironmentVariableUsing PSCredential object.
$ClientSecretCredential = Get-Credential -Username "Client_Id"
# Enter client_secret in the password prompt.
Connect-MgGraph -TenantId "Tenant_Id" -ClientSecretCredential $ClientSecretCredentialUsing environment variables.
# Add environment variables to be used by Connect-MgGraph.
$Env:AZURE_CLIENT_ID = "application id of the client app"
$Env:AZURE_TENANT_ID = "Id of your tenant"
$Env:AZURE_CLIENT_SECRET = "secret of the client app"
# Tell Connect-MgGraph to use your environment variables.
Connect-MgGraph -EnvironmentVariableSystem-assigned managed identity
Connect-MgGraph -IdentityUser-assigned managed identity
Connect-MgGraph -Identity -ClientId "User_Assigned_Managed_identity_Client_Id"Customers can acquire an access token using their preferred auth library and pass the access token to the Microsoft Graph PowerShell module using -AccessToken parameter on Connect-MgGraph. The module will then use the provided access token to consume Microsoft Graph resources.
The following considerations should be made before using -AccessToken:
When using -AccessToken, we won't have access to the refresh token and the client id needed to refresh an access token when it has expired. Customers should ensure that the task they are running using the provided access token will finish within the access token's exp claim (expiry time). This is typically 60 minutes for most access tokens. The expiry time may vary depending on the CAE policy in place.
Before using the provided -AccessToken to get Microsoft Graph resources, customers should ensure that the access token has the necessary scopes/ permissions needed to access/modify a resource.
WAM is a Windows 10+ component that acts as an authentication broker allowing the users of an app benefit from integration with accounts known to Windows, such as the account already signed into an active Windows session.
Microsoft Graph PowerShell module supports WAM in the following scenario:
- To enable WAM on supported devices
Set-MgGraphOption -EnableLoginByWAM $true- To disable WAM on supported devices
Set-MgGraphOption -EnableLoginByWAM $false