Does your company have a policy against using a ClientSecret or Certificate when connecting to the Graph application, because a ClientSecret or Certificate can be used by unauthorized persons? In a lot of posts online, I only read about using a ClientSecret or, if that wasn't possible, a Certificate. But I needed neither; I wanted to connect to the Graph application using my own credentials (and MFA).
In this post I will describe how I configured it.
Graph Application
In the Graph App Registration you configure the permissions the application is authorized for; for instance 'Group.Read.All' – Delegated.
Graph Enterprise Application
At my company we've configured the Graph Enterprise Application so that it only uses the permissions of the authenticated user (delegated permissions).
Connect to Graph Application
When you want to use the Graph REST API and cannot use a ClientSecret or Certificate, you must authenticate to the Graph application with your own Azure AD account and complete MFA.
PowerShell Script
First import the AzureAD module, which ships the ADAL assemblies needed for the interactive (MFA) sign-in.
# Import needed modules
# Resolve the module folder with Split-Path (the original .Trim("AzureAD.psd1") only strips a set of characters, not the file name)
$ModulePath = Split-Path -Parent ((Get-Module -Name AzureAD -ListAvailable | Select-Object -First 1).Path)
$AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
# Load ADAL and its desktop platform assembly; PlatformParameters is defined in the latter
Add-Type -Path "$ModulePath\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
Add-Type -Path "$ModulePath\Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
Create Authority Context Object
$authority = "https://login.microsoftonline.com/common"
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
Set the token request parameters.
# Resource (audience) of the token; the original had a missing slash in the scheme
$ResourceURI = "https://graph.microsoft.com"
$ClientId = "<clientId of your Graph application>"
# Redirect URI registered for the public client (no secret involved)
$RedirectURI = "https://login.microsoftonline.com/common/oauth2/nativeclient"
# PromptBehavior "Always" forces an interactive sign-in, so MFA is enforced every run
$PlatformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"
Create Token Response
Now you'll be prompted to sign in and complete MFA.
# AcquireTokenAsync returns a Task; reading .Result later blocks until the interactive sign-in finishes
$TokenResponse = $authContext.AcquireTokenAsync($ResourceURI, $ClientId, [Uri]$RedirectURI, $PlatformParameters)
Create Headers
$Headers = @{
    # Property is AccessToken (the original misspelled it AccesToken, which yields an empty bearer value)
    "Authorization" = "Bearer $($TokenResponse.Result.AccessToken)"
    "Content-Type"  = "application/json"
}
And now you have a header with an access token, so you can use it to call the Graph REST API to retrieve the M365 Groups in your tenant that are Teams-enabled.
# Escape $filter with a backtick, otherwise PowerShell expands it as an (empty) variable inside double quotes
$uri = "https://graph.microsoft.com/v1.0/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Teams')"
$result = (Invoke-RestMethod -Headers $Headers -Uri $uri -Method GET).Value
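As an added example (not part of the original post), the following helper checks that the token you received is actually a delegated one (an scp claim plus a signed-in user, rather than the roles claim an app-only ClientSecret or Certificate token carries) and follows @odata.nextLink so tenants with more than one page of groups are fully enumerated. It assumes the $TokenResponse and $Headers variables from the script above exist in the session; the function names are my own.

```powershell
# Added example, not part of the original script. Assumes $TokenResponse and
# $Headers from the steps above already exist in the session.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-DelegatedToken {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Delegated (user + MFA) tokens carry 'scp' and the signed-in user; app-only
    # tokens obtained with a ClientSecret/Certificate carry 'roles' and no user.
    $user = if ($claims.upn) { $claims.upn } else { $claims.preferred_username }
    [pscustomobject]@{
        IsDelegated  = ($null -ne $claims.scp) -and ($null -ne $user)
        Scopes       = $claims.scp
        User         = $user
        AppOnlyRoles = $claims.roles
        ExpiresUtc   = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    }
}

function Get-GraphCollection {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][hashtable]$Headers
    )
    # Graph returns one page per call; keep following @odata.nextLink until it is absent.
    $items = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Headers $Headers -Uri $Uri -Method GET
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$check = Test-DelegatedToken -Token $TokenResponse.Result.AccessToken
if (-not $check.IsDelegated) {
    throw "Expected a delegated token; got app-only roles: $($check.AppOnlyRoles -join ',')"
}
$check

$uri = "https://graph.microsoft.com/v1.0/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Teams')"
$teamsGroups = Get-GraphCollection -Uri $uri -Headers $Headers
"Retrieved $($teamsGroups.Count) Teams-enabled groups as $($check.User)"
```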