top of page
Writer's pictureWill Francillette

Graph SDK: Authentication



It's always been a challenge to connect to the Graph API and manage your token. One of my preferred benefits of the Graph SDK is the simplicity to connect and enable the required permissions.


Even though, the task has been simplified, there are still some notions to understand to configure your application correctly and securely.


Authentication


The Graph API uses the built-in Microsoft Graph application in your tenant

appid: 14d82eec-204b-4c2f-b7e8-296a70dab67e

You can use this application in 2 modes:


Delegated Access

You are connecting to the Graph API using your credentials. This scenario is best for interactive session and the application supports MFA, passwordless, integrate with Conditional Access policies and all the good stuff you should have deployed in your environment.

As a general rule of thumb, always use the least privileges and segregate your admin account from your standard account.

To connect this way, use:

Connect-MgGraph 
Application Access

Here you are connecting to the Graph API using a Service Principal. It is a registered application in Azure AD used to connect to other applications or APIs. It supports certificate based authentication and client secret. This scenario is best for non-interactive session and perfect for script, scheduled tasks and DSC modules.

I always recommend to use certificate authentication as you don't need to keep your secret/password in clear text.


To connect this way, use:

Connect-MgGraph -ClientId "MyServicePrincipalAppId" `
                -CertificateThumbprint "MyCertificateThumbprint" `
                -TenantId "MyTenantID"

You can also use generate an access token using the ServicePrincipal and ClientSecret and connect this way for interactive sessions:

$tenantId = ''# Paste your tenant ID here
$appId = ''# Paste your Application ID here
$appSecret = ''# Paste your Application secret here
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token HTTP/1.1"
$authBody = [Ordered] @{
    scope = 'https%3A%2F%2Fgraph.microsoft.com%2F.default'
    client_id = "$appId"    
    client_secret = "$appSecret"    
    grant_type = 'client_credentials' 
 }
$authResponse = Invoke-RestMethod `
    -Method Post `
    -Uri $oAuthUri `
    -Body $authBody `
    -ErrorAction Stop
$token = $authResponse.access_token

Connect-MgGraph -AccessToken $token

New authentication methods using the Graph SDK 2.0 (preview)

The Graph SDK 2.0 (currently in preview) introduced the client secret and Azure managed identity for authentication

Connect-MgGraph -Identity
Connect-MgGraph -Identity -ClientId "User_Assigned_Managed_identity_Client_Id"

Using a client secret

$ClientCredential = Get-Credential -Username "Client_Id"
# Or create a credential object that is identical to the object that Get-Credential returns without prompting the user. This method requires a plain text password, which might violate the security standards in some enterprises. l
# $ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecuredPassword
# Enter client_secret in the password prompt.
Connect-MgGraph -TenantId "Tenant_Id" -ClientSecretCredential $ClientCredential

Always use client secret with extreme caution and never keep them in your code. Use them preferably for interactive sessions.


Bonus

If you are looking at a uniform experience to connect across different workloads ie Graph, ExchangeOnline, Teams, and more (see below) you should have a look at the MSCloudLoginAssistant developed by @NikCharlebois and @BrianLala. This helper is used by the Microsoft365DSC module and allow you to managed authentication using certs, creds, and more with the same command:

Connect-M365Tenant `
	-Workload $Workload `
	-Credential $Credential `
	-ProfileName $ProfileName

With

Workload equal to:

  • ExchangeOnline

  • Intune

  • SecurityComplianceCenter

  • PnP

  • PowerPlatforms

  • MicrosoftTeams

  • MicrosoftGraph

Choose your authentication type using:

  • Credential

  • Certificate (name, thumbprint, password)

  • Identity (Managed identity)

And the ProfileName being

  • v1.0

  • beta

That's a wrap for the authentication - To keep this article short I will speak about permissions in the next blog


Reference:

643 views1 comment

1 Comment


Nate Hutchinson
Nate Hutchinson
Dec 24, 2022

Great article William. I would love to see an article documenting how you create your service principals with a certificate for authentication. Thanks again for a great post!

Like
bottom of page