Connecting to Microsoft Graph using certificate to run scripts without a user present
Blog by: Dmitry Sotnikov
Questions asked during our webinar, “Microsoft Graph Basics for PowerShell Admins”:
- For automating with Microsoft Graph and using PowerShell. When working as a user, you needed to enter the code and then sign in as your user. How would an automation/service account work, do you make an app password or some other method? –Question asked by: Korey
- How can we connect without attending and using the browser to authorize the device? –Question asked by: Yazan
By default, when you run the Connect-Graph PowerShell cmdlet, it gives you a random nine-character code that you submit at https://microsoft.com/devicelogin; you then authenticate to your Azure AD organization in the browser, and the command line connects to Microsoft Graph on your behalf.
In an automation or scheduled-script scenario, this is obviously not an option. Instead, you can authenticate the script with a certificate, using the following syntax:
Connect-Graph [-ClientId] <string> [[-CertificateName] <string>] [[-CertificateThumbprint] <string>] [[-TenantId] <string>] [[-ForceRefresh]] [<CommonParameters>]
Note that (as of SDK version 0.7):
- The certificate can be self-signed
- You need to register an application with that certificate in Azure AD portal and give it permissions as described at https://docs.microsoft.com/en-us/graph/auth-v2-service
- The certificate needs to be in the user store of the account under which the task will be executed
- The CertificateName parameter of the cmdlet needs to contain the Subject of the certificate that you want to use
- For the cmdlet, you need to provide both the subject (CertificateName) and the thumbprint (CertificateThumbprint)
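Putting those notes together, here is an added example (not from the post or the SDK documentation) that provisions a self-signed certificate in the user store, exports the public part for the app registration, verifies the certificate is present, and signs in unattended. The subject name, the file path, and the `<app-registration-client-id>` / `<tenant-id>` values are placeholders you replace with your own.

```powershell
# Added example: provision a self-signed certificate for an unattended Connect-Graph
# sign-in and use it. Run this under the same account the scheduled task will use,
# so the certificate lands in that account's user store (Cert:\CurrentUser\My).

$subject  = 'CN=GraphAutomation'               # becomes the -CertificateName value
$clientId = '<app-registration-client-id>'     # placeholder: Application (client) ID from Azure AD
$tenantId = '<tenant-id>'                      # placeholder: Directory (tenant) ID

# 1. Create the certificate. The private key is marked non-exportable so it cannot
#    be copied out of this account's store; the one-year lifetime limits exposure.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public part. Upload this .cer to the application you registered
#    in Azure AD and grant it the application permissions the script needs.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\GraphAutomation.cer" -Type CERT | Out-Null

# 3. Check (from the scheduled task's account) that the certificate is present, and
#    pick the thumbprint of the newest unexpired certificate with that subject.
$match = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $match) { throw "No valid certificate with subject '$subject' in the user store" }

# 4. Unattended sign-in: both the subject and the thumbprint are required (SDK 0.7).
Connect-Graph -ClientId $clientId -TenantId $tenantId `
    -CertificateName $subject -CertificateThumbprint $match.Thumbprint
```

Steps 1 and 2 are a one-time setup; the scheduled script itself only needs steps 3 and 4.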
Watch the full on-demand webinar, “Microsoft Graph Basics for PowerShell Admins”.