Connect to Microsoft Graph PowerShell

After you install the Microsoft Graph module, you can connect to Microsoft Graph PowerShell. There are different methods to connect to Microsoft Graph PowerShell. In this article, we will show you how to connect to Microsoft Graph with interactive mode, self-signed certificate, and client secret.

Table of contents

Microsoft Graph

The Azure Active Directory Graph API has been deprecated since June 30, 2023, so now you must migrate your apps to Microsoft Graph. Once you connect to Microsoft Graph, you can access Azure AD services and Microsoft 365 services.

Microsoft Graph has all the capabilities available in Azure AD Graph and new APIs like identity protection and authentication methods.

Install Microsoft Graph PowerShell module

First, you need to install the Microsoft Graph PowerShell module. The Microsoft Graph PowerShell SDK comes in 2 modules that you will install separately:

  • Microsoft.Graph PowerShell module
  • Microsoft.Graph.Beta PowerShell module

We recommend you update to the latest version because some of the cmdlets will not work.

Note: You need to install Microsoft Graph PowerShell module v2.x to connect with Microsoft Graph to run automated scripts.

Check Microsoft Graph PowerShell module

You can verify you have installed the Microsoft Graph PowerShell SDK and see which version the modules are running.

Run the below PowerShell commands.

Get-InstalledModule Microsoft.Graph | ft -AutoSize
Get-InstalledModule Microsoft.Graph.Beta | ft -AutoSize

The output shows which version you installed.

PS C:\> Get-InstalledModule Microsoft.Graph | ft -AutoSize
Get-InstalledModule Microsoft.Graph.Beta | ft -AutoSize

Version Name            Repository Description                      
------- ----            ---------- -----------                      
2.7.0   Microsoft.Graph PSGallery  Microsoft Graph PowerShell module


Version Name                 Repository Description                      
------- ----                 ---------- -----------                      
2.7.0   Microsoft.Graph.Beta PSGallery  Microsoft Graph PowerShell module

Update Microsoft Graph PowerShell module

You can always keep your Microsoft Graph PowerShell SDK up to date.

Run the below commands to update the Microsoft Graph and Microsoft Graph Beta modules.

Update-Module Microsoft.Graph -Force
Update-Module Microsoft.Graph.Beta -Force

After you have installed the Microsoft Graph PowerShell modules to the latest version, you can start to connect.

Three methods to connect to Microsoft Graph PowerShell

We will show you three methods to connect to Microsoft Graph PowerShell:

  1. Interactive mode (delegated access)
  2. Certificate Based Authentication (CBA)
  3. Client secret (password)

The first method is the easiest as you only need to connect with PowerShell. The other two methods are similar because it requires creating a new application in Azure AD. The difference between method 2 and 3 is that there are two ways to authenticate your newly created application in Azure Active Directory.

We will show you both ways but recommend to add a certificate (CBA) rather than a client secret for your application because they are not as secure.

1. Connect MgGraph with interactive mode

The first method is the quickest and easiest way to connect to Microsoft Graph API with PowerShell.

  1. Open PowerShell as administrator and run the below command.
Connect-MgGraph
  1. Sign in with your admin credentials.
Connect to Microsoft Graph PowerShell
  1. If you have MFA enabled, you will get a verification code sent as a text message or to your Authentication app on your phone. If your MFA is disabled, you will not do anything here.
Connect to Microsoft Graph PowerShell

Now you must go back to the PowerShell windows, where you get this below output.

PS C:\> Connect-MgGraph
Welcome To Microsoft Graph!

Note: You can’t run automated scripts, but it is usable for testing or to run a script.

If you like to run an automated task, you should use the next method.

2. Connect MgGraph with Certificate Based Authentication

Before we can connect to Microsoft Graph with PowerShell, you need to register an application in Azure AD and assign API permissions. Then we will create a self-signed certificate to the application.

Register new application in Azure AD

First, you need to register an application, where you will get the Application (client) ID and Directory (tenant) ID.

Time needed: 10 minutes

How to register a new application in Microsoft Entra admin center:

  1. Sign into Microsoft Entra admin center.

    Sign in with your admin credentials

  2. Go to Azure Active Directory.

    Click on Applications > App registrations
    Click New registration

    Register new application

  3. Register an application.

    Name your application MSGraph bot
    Select Accounts in this organizational directory only (- Single tenant)
    Click Register

    Register application in Microsoft

  4. Successfully created application MSGraph bot.

    You will be redirected to the MSGraph bot overview page
    Copy the Application ID and Directory ID

    Copy Application ID and Directory ID

You need to copy the below values and paste them into Notepad because you need them later when connecting to Microsoft Graph:

  • Application (client) ID
  • Directory (tenant) ID

Assign API permissions

You must assign API permissions to the MSGraph bot application you created.

  1. Click API permission
  2. Click Add a permission
Add permission to new application
  1. Under the tab Microsoft APIs
  2. Click Microsoft Graph
Microsoft Graph API
  1. Click Application permissions
  2. Search for User.Read.All
  3. Select User > User.Read.All
  4. Click Add permissions
Request API permission
  1. Click Grant admin consent for m365info
  2. Click Yes
Grant admin consent confirmation

A green check mark appears that you granted admin consent successfully!

Granted admin consent

Create self-signed certificate

Once you created a new application, you can use a self-signed certificate to upload a .pfx file and .cer file to Azure AD.

First, you need to generate a self-signed certificate. It’s better to make the certificate on the same machine you want to run the unattended PowerShell script.

Log into any Windows Server or Desktop with Windows PowerShell as administrator.

Note: Self-signed certificate is valid for one year by default

In our example, we will add 5 years to the self-signed certificate to avoid yearly renewal.

Use the below PowerShell cmdlet to create a new self-signed certificate.

$mycert = New-SelfSignedCertificate -DnsName "m365info.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange -FriendlyName "MSGraph Bot"

The certificate is now stored, To view the thumbprint, use the below PowerShell cmdlet.

$mycert | Select-Object -Property Subject,Thumbprint,NotBefore,NotAfter

Copy the Thumbprint and paste it into Notepad. You will need it later when you connect to Microsoft Graph PowerShell with CBA.

PS C:\> $mycert | Select-Object -Property Subject,Thumbprint,NotBefore,NotAfter

Subject         Thumbprint                               NotBefore             NotAfter             
-------         ----------                               ---------             --------             
CN=m365info.com 03D55A7B5A29D571BDEB21F1079541F130F93B26 7/19/2023 11:49:38 AM 7/19/2028 11:59:38 AM

Export to .cer file with PowerShell

We want to create a .cer file to upload later in Azure AD application. With a .cer file you can only connect to Microsoft Graph from the machine where the self-signed certificate is generated.

Create a folder named temp to save it in the C:\temp.

Use the below PowerShell cmdlet to export the certificate to .cer file.

$mycert | Export-Certificate -FilePath "C:\temp\MSGraphBot.cer"

You will see the below output in PowerShell.

PS C:\> $mycert | Export-Certificate -FilePath "C:\temp\MSGraphBot.cer"


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/19/2023  12:00 PM            805 MSGraphBot.cer

You can find the .cer file on your computer in C:\temp.

Export to .pfx file

We will also create a .pfx file so that you can connect to Microsoft Graph from any machine. You can copy or send a .pfx file to a person so it can be installed on another machine, because the .pfx file will be retrieved during the authentication process.

$mycert | Export-PfxCertificate -FilePath "C:\temp\MSGraphBot.pfx" -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force)

See the below output.

PS C:\> $mycert | Export-PfxCertificate -FilePath "C:\temp\MSGraphBot.pfx" -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force)


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/19/2023  12:02 PM           2709 MSGraphBot.pfx

You can find the .pfx file on your computer in C:\temp.

Upload certificate to app

Now we need to upload the self-signed certificate you created earlier.

From the MSGraph bot overview:

  1. Click Certificates & secrets
  2. Select Certificates
  3. Click Upload certificate
  4. Click on the browse icon to search in C:\temp and select the MSGraphBot.cer file
  5. Add description MSGraph bot
  6. Click Add
Connect to Microsoft Graph PowerShell Upload certificate

The certificate appears in the list with the thumbprint.

Note: Always ensure it has the same certificate thumbprint as the one you created previously.

Connect to Microsoft Graph PowerShell Certificate thumbprint value

Connect to Microsoft Graph with CBA

Type the below information to connect to Microsoft Graph PowerShell with Certificate Based Authentication:

  • Fill in the App ID in line number 1
  • Fill in the Tenant ID in line number 2
  • Fill in the Certificate Thumbprint in line number 3

Run the below PowerShell script to connect to Microsoft Graph with CBA.

# Configuration
$ClientId = "9e2c8889-527c-4ce9-9da8-6b4ce9abe3b7"
$TenantId = "a2ff010e-0e03-4c56-8863-2ae7f07876dd"
$CertificateThumbprint = "03D55A7B5A29D571BDEB21F1079541F130F93B26"

# Connect to Microsoft Graph with CBA
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

You are connected to Microsoft Graph. An excellent way to verify is to run the below cmdlet.

Get-MgUser

3. Connect MgGraph with Client Secret app

In the last method, we will show you how to create a Client Secret to the newly created application.

Register new application in Azure AD

See the above steps to register a new application in Azure. In our example, we will use the same application we created earlier.

Assign API permissions

See the above steps to assign API permissions to the Azure application. In our example, we already assigned API permissions to the application we created earlier.

Create client secret

Go to the MSGraph bot application overview page in Azure AD.

To create a Client Secret for your application in Microsoft Entra portal, follow these steps:

  1. Click on Certificates & secrets
  2. Click Client secrets > New client secret
  3. Type the description
  4. Select an expiration date
  5. Click Add

Note: The Client Secret expiration date has a maximum of 24 months (2 years). You can Create unlimited Client Secret in Microsoft Entra ID with PowerShell.

Connect to Microsoft Graph PowerShell add client secret
  1. Copy the client secret Value and save it

Note: Client secret values cannot be viewed except immediately after creation. Remember to save the secret when created before leaving the page.

Connect MgGraph with client secret value

Connect to Microsoft Graph with Client Secret

You need to change the below parameters values to connect to MS Graph with Client Secret:

  • Type the Application Client ID in line number 2
  • Type the Directory Tenant ID in line number 3
  • Type the Client Secret Value in line number 4

Run the below PowerShell script.

# Configuration
$ClientId = "9e2c8889-527c-4ce9-9da8-6b4ce9abe3b7"
$TenantId = "a2ff010e-0e03-4c56-8863-2ae7f07876dd"
$ClientSecret = "ZZj8Q~pHUbxG1uX5bNmuM5XV-rQb20tiWHEEkbsO"

# Convert the client secret to a secure string
$ClientSecretPass = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force

# Create a credential object using the client ID and secure string
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ClientId, $ClientSecretPass

# Connect to Microsoft Graph with Client Secret
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential

You are connected to Microsoft Graph. An excellent way to verify is to run the below cmdlet.

Get-MgUser

That’s it! You successfully connected to Microsoft Graph PowerShell!

Read more: Configure Certificate-Based Authentication to run automated scripts »

Conclusion

You learned how to connect to Microsoft Graph PowerShell with a self-signed certificate, client secret, and interactive mode. Remember to update MS Graph module to the latest version, create an application and assign API permissions if you connect with client secret or CBA. With CBA, there is no more user interactions, usernames, passwords, or MFA involved to run automated scripts.

Did you enjoy this article? You may also like Assign Microsoft 365 licenses with group-based licensing. Don’t forget to follow us and share this article.

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

X Twitter

What Others Are Reading

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *