Will Francillette
- Dec 22, 2022
- 2 min read

Graph SDK: Authentication

It's always been a challenge to connect to the Graph API and manage your token. One of my preferred benefits of the Graph SDK is the simplicity to connect and enable the required permissions.

Even though, the task has been simplified, there are still some notions to understand to configure your application correctly and securely.

Authentication

The Graph API uses the built-in Microsoft Graph application in your tenant

appid: 14d82eec-204b-4c2f-b7e8-296a70dab67e

You can use this application in 2 modes:

Delegated Access

You are connecting to the Graph API using your credentials. This scenario is best for interactive session and the application supports MFA, passwordless, integrate with Conditional Access policies and all the good stuff you should have deployed in your environment.

As a general rule of thumb, always use the least privileges and segregate your admin account from your standard account.

To connect this way, use:

Connect-MgGraph

Application Access

Here you are connecting to the Graph API using a Service Principal. It is a registered application in Azure AD used to connect to other applications or APIs. It supports certificate based authentication and client secret. This scenario is best for non-interactive session and perfect for script, scheduled tasks and DSC modules.

I always recommend to use certificate authentication as you don't need to keep your secret/password in clear text.

To connect this way, use:

Connect-MgGraph -ClientId "MyServicePrincipalAppId" `
                -CertificateThumbprint "MyCertificateThumbprint" `
                -TenantId "MyTenantID"

You can also use generate an access token using the ServicePrincipal and ClientSecret and connect this way for interactive sessions:

$tenantId = ''# Paste your tenant ID here
$appId = ''# Paste your Application ID here
$appSecret = ''# Paste your Application secret here
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token HTTP/1.1"
$authBody = [Ordered] @{
    scope = 'https%3A%2F%2Fgraph.microsoft.com%2F.default'
    client_id = "$appId"    
    client_secret = "$appSecret"    
    grant_type = 'client_credentials' 
 }
$authResponse = Invoke-RestMethod `
    -Method Post `
    -Uri $oAuthUri `
    -Body $authBody `
    -ErrorAction Stop
$token = $authResponse.access_token

Connect-MgGraph -AccessToken $token

New authentication methods using the Graph SDK 2.0 (preview)

The Graph SDK 2.0 (currently in preview) introduced the client secret and Azure managed identity for authentication

Using a System-Assigned managed identity

Connect-MgGraph -Identity

Using a User-assigned identity

Connect-MgGraph -Identity -ClientId "User_Assigned_Managed_identity_Client_Id"

Using a client secret

$ClientCredential = Get-Credential -Username "Client_Id"
# Or create a credential object that is identical to the object that Get-Credential returns without prompting the user. This method requires a plain text password, which might violate the security standards in some enterprises. l
# $ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecuredPassword
# Enter client_secret in the password prompt.
Connect-MgGraph -TenantId "Tenant_Id" -ClientSecretCredential $ClientCredential

Always use client secret with extreme caution and never keep them in your code. Use them preferably for interactive sessions.

Bonus

If you are looking at a uniform experience to connect across different workloads ie Graph, ExchangeOnline, Teams, and more (see below) you should have a look at the MSCloudLoginAssistant developed by @NikCharlebois and @BrianLala. This helper is used by the Microsoft365DSC module and allow you to managed authentication using certs, creds, and more with the same command:

Connect-M365Tenant `
	-Workload $Workload `
	-Credential $Credential `
	-ProfileName $ProfileName

With

Workload equal to:

ExchangeOnline
Intune
SecurityComplianceCenter
PnP
PowerPlatforms
MicrosoftTeams
MicrosoftGraph

Choose your authentication type using:

Credential
Certificate (name, thumbprint, password)
Identity (Managed identity)

And the ProfileName being

v1.0
beta

That's a wrap for the authentication - To keep this article short I will speak about permissions in the next blog

Reference:

Microsoft Graph PowerShell v2 is now in public preview, half the size, and will speed up your automations - Microsoft 365 Developer Blog

Using Microsoft Graph PowerShell authentication commands | Microsoft Learn

microsoft/MSCloudLoginAssistant: PowerShell Module Handling Authentication to Cloud Services (github.com)