Connecting to Microsoft Graph using certificate to run scripts without a user present

Blog by: Dmitry Sotnikov

Find him on LinkedIn or Twitter.

Questions asked during our webinar, “Microsoft Graph Basics for PowerShell Admins”:

  • For automating with Microsoft Graph and using PowerShell. When working as a user, you needed to enter the code and then sign in as your user. How would an automation/service account work? Do you make an app password or use some other method?  –Question asked by: Korey
  • How can we connect without attending and using the browser to authorize the device?  –Question asked by: Yazan

By default, when you run the Connect-Graph PowerShell cmdlet, it gives you a random nine-character code that you submit at https://microsoft.com/devicelogin. You then authenticate to your Azure AD organization in the browser, and the command line connects to Microsoft Graph on your behalf.

In the automation / scheduled script scenario, where no user is present to complete the device login, this is obviously not an option. Instead, you can authenticate the script with a certificate, using the following syntax:

Connect-Graph [-ClientId] <string> [[-CertificateName] <string>] [[-CertificateThumbprint] <string>] [[-TenantId] <string>] [[-ForceRefresh]] [<CommonParameters>]

Note that (as of SDK version 0.7):

  • The certificate can be self-signed
  • You need to register an application with that certificate in the Azure AD portal and grant it the permissions it needs, as described at https://docs.microsoft.com/en-us/graph/auth-v2-service
  • The certificate (with its private key) needs to be in the user certificate store of the account under which the scheduled task will run
  • The CertificateName parameter of the cmdlet needs to contain the Subject of the certificate you want to use
  • The cmdlet needs both the subject (CertificateName) and the thumbprint (CertificateThumbprint); providing only one is not enough
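The following script walks through the steps above end to end. It is an added example written for this page, not code from the original post or from the Microsoft Graph SDK: it creates a self-signed certificate in the current user's personal store, exports the public half for upload to the app registration, checks that the certificate is present under the account that will run the task, and then calls Connect-Graph with both the subject and the thumbprint. The subject name "CN=GraphAutomation" is constructed for the example, and the ClientId and TenantId values are placeholders you replace with those of your own app registration.

```powershell
# Added example (not from the original post or the SDK): certificate-based,
# unattended Connect-Graph. Run this as the account that will execute the
# scheduled task, so the private key lands in that account's user store.

$CertSubject = "CN=GraphAutomation"        # constructed subject for this example
$ClientId    = "<application-client-id>"   # placeholder: app registration's Application (client) ID
$TenantId    = "<your-tenant-id>"          # placeholder: your Azure AD tenant ID

# 1. Create a self-signed certificate in the current user's personal store.
#    NonExportable keeps the private key from being copied off this host;
#    a short validity period limits the window if the key is ever exposed.
$cert = New-SelfSignedCertificate -Subject $CertSubject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public certificate (.cer, no private key). This is the
#    file you upload under the app registration's "Certificates & secrets"
#    blade in the Azure AD portal, then grant the app only the application
#    permissions the script actually needs.
Export-Certificate -Cert $cert -FilePath "$env:USERPROFILE\GraphAutomation.cer" | Out-Null

# 3. Confirm the certificate (with private key) is in the user store of the
#    account the task runs under, and pick the newest one if several share
#    the subject. This is the check that catches a task running as the
#    wrong account before it fails at the Connect-Graph call.
$stored = Get-ChildItem "Cert:\CurrentUser\My" |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $stored) {
    throw "Certificate '$CertSubject' with a private key was not found in Cert:\CurrentUser\My"
}
$Thumbprint = $stored.Thumbprint

# 4. Connect without a user present: the subject goes in -CertificateName and
#    the thumbprint in -CertificateThumbprint (the post notes both are required).
Connect-Graph -ClientId $ClientId -TenantId $TenantId `
    -CertificateName $CertSubject -CertificateThumbprint $Thumbprint
```

Steps 1 and 2 are a one-time setup; only steps 3 and 4 belong in the scheduled script itself. Because the private key never leaves the store and is marked non-exportable, rotating the certificate means repeating steps 1 and 2 and uploading the new public certificate before the old one expires.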

Watch the full on-demand webinar, “Microsoft Graph Basics for PowerShell Admins”.
