
Non-interactive authentication

Open Air-Git opened this issue 5 years ago • 6 comments

I can see there are two ways to use Connect-Graph. One creates an authentication prompt for an interactive user. The other takes a client ID and a certificate for a service principal. To create a Conditional Access policy with the Graph API, we need to use Delegated permissions. Application permissions are not supported. Is there any way to supply the credentials of a delegated user non-interactively? It seems to be possible to do this in the AzureAD module for Graph, so it must be conceptually possible. But I don't see how to do it for the Microsoft.Graph modules. AB#7434

Air-Git, Mar 09 '20 16:03

We don't support username/password auth, which to my knowledge is the only way of doing delegated non-interactive access. Username/password auth is highly discouraged by the Microsoft identity platform. I doubt that we would get approval to add that feature.

darrelmiller, Mar 11 '20 17:03

Thanks Darrel, that's actually extremely helpful. We are trying to automate some Microsoft 365 configurations, and running into the problem of how to authenticate the scripts. We are using the Key Vault to secure credentials. We can use a service principal to obtain the secret from the Key Vault, and supply it in the credentials. But there isn't any way in Conditional Access (that I know of) to limit the cases where the credentials can be used. Even if we could use a service principal, it just pushes out the problem of using a username and password, if the principal is given administrative privileges. What we really need is something where the executing platform (e.g. Azure Automation) is considered a trusted device.

Air-Git, Mar 11 '20 18:03

Our roadmap includes support for Managed Service Instance auth. Hopefully this will address your requirements.

darrelmiller, Mar 11 '20 20:03

@darrelmiller, I am currently using Azure Automation with PnP.PowerShell using App Only authentication successfully. However, I can't make similar authentication work for Graph. Specifically, I am using Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateName $subject.

The issue is that wherever that is stored doesn't allow you access to the private key. For PnP.PowerShell I am able to use a command like $connection = Connect-PnPOnline -Url https://$domain.sharepoint.com -ClientId $clientId -Tenant $tenant -CertificatePassword $certPass.Password -CertificateBase64Encoded $certString. In this case I am able to manually export the private key and directly pass it to the connection command.

Graph PowerShell libraries don't support a similar sign-on. In addition, I can get the raw Graph Access Token from PnP.PowerShell, but it seems that parameter was removed from the Graph PowerShell libraries. Are there any options for me to get this to work?

mdressel, Jun 29 '21 21:06

You can always get token using msal.ps for example, which supports all authentication options (including appId/appSecret), and then use the parameter set:

Connect-MgGraph [[-AccessToken] <string>] [-Environment <string>] [-ClientTimeout <double>] [-Break] [<CommonParameters>]

gogbg, Feb 21 '22 14:02

Our roadmap includes support for Managed Service Instance auth. Hopefully this will address your requirements.

Unless I'm just missing it, it seems like MSIs don't support adding Delegated permissions to the SP it creates? I've searched all around and only seem to find examples of adding Application permissions. (Which has to be done via PowerShell, the UI doesn't support it I don't think)

Still, MSIs are probably better than using certs for Application scenarios, but I don't know that it gets you any closer to non-interactive delegated flows.

Might need to enable either username/password or Integrated Windows Authentication methods. MSAL.PS already lets you do this but it would be nice to not have to use 2 modules.

nkasco, Sep 15 '22 00:09
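The two-module approach gogbg and nkasco describe (acquire a token with MSAL.PS, hand it to Connect-MgGraph -AccessToken) looks like this in practice, covering the three flows the thread discusses: app-only with a Key Vault secret, app-only with a base64 PFX rebuilt in memory (mdressel's case), and the delegated username/password (ROPC) flow the maintainers declined to add. This is an added example written for this page, not code from any participant or from the SDK project. Get-MsalToken, Connect-MgGraph, Get-MgContext, Get-AzKeyVaultSecret, Get-AutomationVariable and Get-AutomationPSCredential are real cmdlets; the tenant and client IDs, vault name, secret and asset names are placeholders, and the EphemeralKeySet storage flag assumes a .NET runtime recent enough to expose it.

```powershell
# Added example, not from the issue thread or the msgraph-sdk-powershell project.
# Requires: MSAL.PS, Microsoft.Graph.Authentication (v1.x), Az.KeyVault, and the
# Azure Automation runtime for the Get-Automation* cmdlets.
Import-Module MSAL.PS
Import-Module Microsoft.Graph.Authentication

$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$clientId = '11111111-1111-1111-1111-111111111111'   # placeholder app registration ID
$appScope = 'https://graph.microsoft.com/.default'   # app-only: all granted application permissions

# 1. App-only with a client secret read from Key Vault. SecretValue is a SecureString,
#    which is what Get-MsalToken -ClientSecret expects, so it never hits the pipeline as text.
$secret   = Get-AzKeyVaultSecret -VaultName 'contoso-kv' -Name 'graph-app-secret'   # placeholder names
$appToken = Get-MsalToken -ClientId $clientId -TenantId $tenantId `
    -ClientSecret $secret.SecretValue -Scopes $appScope

# 2. App-only with a certificate stored as a base64 PFX plus password (Automation variables).
#    Rebuilding the X509Certificate2 in memory keeps the private key usable without a store
#    import; EphemeralKeySet avoids writing the key to the machine key store at all.
$certBase64  = Get-AutomationVariable -Name 'graph-cert-pfx-base64'     # placeholder asset
$pfxPassword = Get-AutomationVariable -Name 'graph-cert-pfx-password'   # placeholder asset
$pfxBytes    = [Convert]::FromBase64String($certBase64)
$flags       = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert        = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, $pfxPassword, $flags)
if (-not $cert.HasPrivateKey) { throw 'PFX loaded without a private key; check the export.' }
$certToken   = Get-MsalToken -ClientId $clientId -TenantId $tenantId `
    -ClientCertificate $cert -Scopes $appScope

# 3. Delegated, non-interactive: ROPC (username/password). This is the flow the maintainers
#    would not add. It fails for MFA-protected or federated accounts and sidesteps device and
#    location Conditional Access checks, so scope the account to exactly the role it needs.
$cred      = Get-AutomationPSCredential -Name 'graph-ca-admin'   # placeholder credential asset
$userToken = Get-MsalToken -ClientId $clientId -TenantId $tenantId `
    -UserCredential $cred -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Hand the delegated token to the SDK (the v1.x parameter set quoted above takes a string)
# and confirm the SDK sees a delegated, not app-only, context before touching CA policy.
Connect-MgGraph -AccessToken $userToken.AccessToken
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'Delegated') { throw "Expected a delegated context, got '$($ctx.AuthType)'." }
```

Two caveats for anyone copying this later: in Microsoft Graph PowerShell SDK v2 the -AccessToken parameter takes a SecureString, so wrap the token with ConvertTo-SecureString -AsPlainText -Force before passing it; and a token acquired through -AccessToken is not refreshed by the SDK, so long-running runbooks need to call Get-MsalToken again when $userToken.ExpiresOn approaches.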

Hey folks. -Credential parameter will be added in the Microsoft Graph PowerShell SDK v2. We have plans to release v2 before the end of the year. I'm closing this one since -Credential is being tracked by https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1366.

maisarissi, Sep 29 '22 19:09