Connecting to Microsoft Graph using certificate to run scripts without a user present

Blog by: Dmitry Sotnikov

Find him on LinkedIn or Twitter.

Questions asked during our webinar, “Microsoft Graph Basics for PowerShell Admins”:

  • For automating with Microsoft Graph and using PowerShell. When working as a user, you needed to enter the code and then sign in as your user. How would an automation/service account work, do you make an app password or some other method?  –Question asked by: Korey
  • How can we connect without attending, and use the browser to authorize the device?  –Question asked by: Yazan

By default, when you use the Connect-Graph PowerShell command, it gives you a random nine-character code that you then submit in the browser, authenticating to your Azure AD organization as yourself, so that the command line connects to Microsoft Graph on your behalf.

In the automation / scheduled script scenario, this is obviously not an option. Instead, you can authenticate the script using a certificate, with the following syntax:

Connect-Graph [-ClientId] <string> [[-CertificateName] <string>] [[-CertificateThumbprint] <string>] [[-TenantId] <string>] [[-ForceRefresh]]  [<CommonParameters>]

Note that (as of SDK version 0.7):

  • The certificate can be self-signed
  • You need to register an application with that certificate in Azure AD portal and give it permissions as described at
  • The certificate needs to be in the user store of the account under which the task will be executed
  • The CertificateName parameter of the cmdlet needs to contain the Subject of the certificate that you want to use
  • For the cmdlet, you need to provide both the subject (CertificateName) and the thumbprint (CertificateThumbprint)
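The steps above, end to end, as an added PowerShell example (not code from the original post): the tenant ID, client ID and certificate subject are placeholders you replace with your own values; the cmdlets and the Connect-Graph parameters are the ones the post lists.

```powershell
# Added example, not from the original post. $tenantId, $clientId and $subject
# are placeholders; everything else uses built-in cmdlets.
$tenantId = '<your-tenant-id>'       # Directory (tenant) ID of the Azure AD org
$clientId = '<your-app-client-id>'   # Application (client) ID of the registered app
$subject  = 'CN=GraphAutomation'     # Reused later as the -CertificateName value

# 1. Create a self-signed certificate in the user store of the account that will
#    run the scheduled task (log on as that account first if it is not you).
#    The private key is marked non-exportable, so it cannot be copied out of
#    this profile and reused from another machine.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public part (.cer) for upload to the app registration in
#    the Azure AD portal. No private key leaves the machine. Grant the app only
#    the application permissions the script actually needs.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\GraphAutomation.cer" | Out-Null

# 3. Sanity check before scheduling: the certificate must be resolvable by its
#    Subject in CurrentUser\My, the thumbprint must match, and the private key
#    must be present, otherwise the unattended run will fail with no one watching.
$stored = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq $subject -and $_.Thumbprint -eq $cert.Thumbprint }
if (-not $stored)                { throw "Certificate $subject not found in CurrentUser\My" }
if (-not $stored.HasPrivateKey)  { throw "Certificate $subject has no usable private key" }

# 4. Non-interactive connection. SDK 0.7 needs both the subject and the
#    thumbprint; no device code is displayed and no browser is involved.
#    (Newer SDK versions name this cmdlet Connect-MgGraph.)
Connect-Graph -ClientId $clientId -TenantId $tenantId `
    -CertificateName $subject `
    -CertificateThumbprint $cert.Thumbprint
```

Because the script authenticates as the application rather than as a person, every call it makes shows up in the audit and sign-in logs under that app's identity, which is what you want for an unattended task.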

Watch the full on-demand webinar, “Microsoft Graph Basics for PowerShell Admins”.
