
Connect to Graph Application with your credentials

Does your company have a policy against using a ClientSecret or Certificate when connecting to the Graph Application, because a ClientSecret or Certificate can be used by unauthorized persons? In a lot of posts online, I only read about using a ClientSecret or, if that wasn’t possible, a Certificate. But I needed none of that; I wanted to connect to the Graph Application using my credentials (and MFA).

In this post I will describe how I configured it.

Graph Application

In the Graph App Registration you configure the permissions the application is authorized for; for instance ‘Group.Read.All’ – Delegated.

Graph Enterprise Application

At my company we’ve configured the Graph Enterprise Application to use only the permissions of the authenticated user.

Connect to Graph Application

When you want to use the Graph.Rest.API and cannot use a ClientSecret or Certificate, you must be authorized to the Graph Application with your Azure AD account and use MFA.

PowerShell Script

First import the AzureAD module, which ships the ADAL library (Microsoft.IdentityModel.Clients.ActiveDirectory.dll) needed for the MFA sign-in.

# Import needed modules
$AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
# ModuleBase is the folder of the module version that was actually loaded
$ModulePath = $AadModule.ModuleBase
# Load ADAL, which ships with the AzureAD module
Add-Type -Path (Join-Path $ModulePath "Microsoft.IdentityModel.Clients.ActiveDirectory.dll")

Create Authority Context Object

$authority = "https://login.microsoftonline.com/common"
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

Set Token Response parameters.

$ResourceURI = "https://graph.microsoft.com"
$ClientId = "<clientId of your Graph application>"
$RedirectURI = "https://login.microsoftonline.com/common/oauth2/nativeclient"
$PlatformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"

Create Token Response

Now you’ll be asked to enter MFA.

$TokenResponse = $authContext.AcquireTokenAsync($ResourceURI, $ClientID, $RedirectURI, $PlatformParameters)

Create Headers

$Headers = @{
    "Authorization" = "Bearer $($TokenResponse.Result.AccessToken)"
    "Content-Type" = "application/json"
}

And now you have a header with an access token, so you can use it to call the Graph.Rest.API to retrieve all M365 Groups in your tenant.

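# The backtick keeps PowerShell from expanding $filter as a variable inside the double-quoted string
$uri = "https://graph.microsoft.com/v1.0/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Teams')"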
$result = (Invoke-RestMethod -Headers $Headers -Uri $uri -Method GET).Value
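Before relying on the token, it helps to confirm that it really is a delegated, MFA-backed token carrying only the expected scope. The following is an added example, not part of the original post: it decodes the token's claims for inspection without validating the signature. The function names, the sample user and the sample token are constructed, and the claim names (`scp`, `roles`, `amr`, `upn`, `exp`) assume the Azure AD v1.0 JWT token format.

```powershell
# Added example: decode a JWT's payload and report on delegation, MFA and scopes.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-DelegatedMfaToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$ExpectedScopes = @('Group.Read.All')
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a three-part JWT' }
    $c = ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
    # Delegated tokens carry space-separated scopes in 'scp'; app-only tokens carry 'roles'
    $scopes  = @("$($c.scp)" -split '\s+' | Where-Object { $_ })
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    [pscustomobject]@{
        User          = $c.upn
        Audience      = $c.aud
        IsDelegated   = ($scopes.Count -gt 0) -and (-not $c.roles)
        MfaSatisfied  = @($c.amr) -contains 'mfa'
        MissingScopes = @($ExpectedScopes | Where-Object { $scopes -notcontains $_ })
        ExtraScopes   = @($scopes | Where-Object { $ExpectedScopes -notcontains $_ })
        ExpiresUtc    = $expires.UtcDateTime
        Expired       = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed, unsigned sample token (not issued by Azure AD) so this runs offline
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud = 'https://graph.microsoft.com'; upn = 'alice@contoso.example'
    scp = 'Group.Read.All User.Read';    amr = @('pwd', 'mfa')
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig'

Test-DelegatedMfaToken -Token $sample
# With the token from this post: Test-DelegatedMfaToken -Token $TokenResponse.Result.AccessToken
```

An entry in ExtraScopes means the app registration grants more delegated permissions than the script needs, which is worth trimming in the App Registration.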
