The AAD Graph PowerShell SDK allowed you to use a client secret for the application-only (service principal) login flow, also known as the client_credentials grant flow. The documentation for the new Microsoft Graph PowerShell SDK does not tell you how to use a client secret; instead it uses the more secure certificate method for this flow (see "Use app-only authentication with the Microsoft Graph PowerShell SDK" on Microsoft Docs). This post shows how you can still use a client secret if you want, by obtaining an access token yourself and then passing it to the -AccessToken parameter of the Connect-MgGraph command.

Assuming that you already have an app registration configured for this and it has the proper application permissions consented to for the request you want to make, we will use the PowerShell command “Invoke-RestMethod” to obtain an access token using the client_credentials grant flow.

# Tenant, app registration and secret for the app-only (client_credentials) flow
$tenantId = "{your_tenant_id}"
$clientId = "{your_app_id}"
$clientSecret = "{your_client_secret}"

# Form body for the v2.0 token endpoint; .default requests every consented application permission
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
}

$response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body
$accessToken = $response.access_token

$accessToken

This first part of the script will obtain an access token with any consented Microsoft Graph application permissions. Once the access token is obtained, we can then set the -AccessToken parameter on the Connect-MgGraph request and make our graph requests accordingly.

Connect-MgGraph -AccessToken $accessToken
$user = Get-MgUser -Filter "userPrincipalName eq 'ray@mytesttenant.com'"

$user

Disconnect-MgGraph

Don't forget to disconnect once you're done. If you're performing a long-running task (such as paging through records), you may need to renew your access token using the same method as in the first part.
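The renewal mentioned above, put together as one runnable script. This is an added example, not code from the original post: it wraps the client_credentials request in a function, records when the token will expire from the expires_in field of the token response, and re-acquires and reconnects inside a paging loop before the old token lapses. It assumes the Microsoft.Graph module is installed, that the app registration has the User.Read.All application permission consented, and that the tenant id, app id and secret placeholders are replaced with your own values. The SDK version check is there because Microsoft.Graph 2.x changed -AccessToken to take a SecureString, while 1.x takes a plain string.

```powershell
# Added example (not from the original post). Placeholders below are yours to fill in;
# in practice read the secret from a secret store rather than a literal in the script.
$tenantId     = "{your_tenant_id}"
$clientId     = "{your_app_id}"
$clientSecret = "{your_client_secret}"

function Get-GraphAppToken {
    # Same client_credentials request as the first part of the post, returned together
    # with the time at which the caller should renew it.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)

    $body = @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://graph.microsoft.com/.default"
    }
    $response = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body $body

    # expires_in is the token lifetime in seconds. Renew five minutes early so a request
    # issued right at the boundary does not fail with 401.
    [pscustomobject]@{
        Token     = $response.access_token
        ExpiresOn = (Get-Date).AddSeconds([int]$response.expires_in - 300)
    }
}

function Connect-GraphWithToken {
    # Microsoft.Graph 2.x expects -AccessToken as a SecureString; 1.x accepts a plain string.
    param([string]$Token)

    $authModule = Get-Module Microsoft.Graph.Authentication -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1
    if ($authModule.Version.Major -ge 2) {
        Connect-MgGraph -AccessToken (ConvertTo-SecureString $Token -AsPlainText -Force)
    } else {
        Connect-MgGraph -AccessToken $Token
    }
}

$auth = Get-GraphAppToken -TenantId $tenantId -ClientId $clientId -ClientSecret $clientSecret
Connect-GraphWithToken -Token $auth.Token

# Page through all users manually via @odata.nextLink so the token can be checked per page.
# Requires the User.Read.All application permission on the app registration.
$uri   = "https://graph.microsoft.com/v1.0/users?`$select=id,userPrincipalName&`$top=100"
$count = 0
while ($uri) {
    if ((Get-Date) -ge $auth.ExpiresOn) {
        # Fresh token; connecting again replaces the current session's credential.
        $auth = Get-GraphAppToken -TenantId $tenantId -ClientId $clientId -ClientSecret $clientSecret
        Connect-GraphWithToken -Token $auth.Token
    }

    $page   = Invoke-MgGraphRequest -Method GET -Uri $uri
    $count += $page.value.Count
    $uri    = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
}

"Enumerated $count users"
Disconnect-MgGraph
```

The check runs once per page rather than on a timer, which is enough because a single Graph request finishes well within the five-minute margin; if your loop body does more work between requests, shorten the margin or check more often.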

Note: You can also use the ROPC flow to get the access token the same way as the client credentials flow. We don't recommend the ROPC flow, and by default it is disabled for federated users unless you have allowed it with a home realm discovery policy.

$body = @{
    client_id     = "{your_client_id}"
    scope         = "{scopes}"
    client_secret = "{your_client_secret}"
    username      = "{user upn}"
    password      = "{user password}"
    grant_type    = "password"
}

$response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token" -Body $body
Zak
July 13, 2022 7:02 am

Hello.

You mentioned token renewal for long-running scripts/actions.

Can you make a blog post on how to deal with that in PowerShell? Let's say we run the script, obtain the token, then after some time the token expires. So how do we get a new refresh token without script interruption or the need to re-run the script?

Some loop command?

Zak