Use app-only authentication

Article
07/31/2024

In this article, you learn how to use app-only access for automation scenarios using the Microsoft Entra PowerShell to manage Microsoft Entra resources.

Important

App-only access grants permissions directly to an application, and requires an administrator to consent to the required permission scopes. For more information on app-only access, see Microsoft identity platform and the OAuth 2.0 client credentials flow.

Prerequisites

To use app-only access with the Microsoft Entra PowerShell module, you need:

A Microsoft Entra ID account. If you don't already have one, you can Create an account for free.
One of the following roles: Privileged Role Administrator, Cloud Application Administrator, or Application Administrator.
Microsoft Entra PowerShell module installed. Follow the Install the Microsoft Entra PowerShell module guide to install the module.
A certificate to use as a credential for the application. The certificate can be a self-signed certificate or a certificate from an authority. For more information on how to create a self-signed certificate, see Create a self-signed public certificate. Self-signed certificates aren't recommended for production scenarios. Obtain a certificate from a certificate authority for production scenarios.

Use certificate-based authentication

You should have this information to authenticate using a certificate.

Certificate subject or thumbprint of the certificate uploaded to your Microsoft Entra app registration.
Application ID for your app registration. To get the Application ID, see: Create a custom application.
Your tenant ID.

In this section, you learn how to use a certificate to authenticate with the Microsoft Entra PowerShell module. You can use the certificate thumbprint, certificate name, or the certificate itself to authenticate. To authenticate using the given examples, you need to sign in with at least a Privileged Role Administrator role.

Use Certificate Thumbprint

$params = @{
    ClientId = 'YOUR_APP_ID'
    TenantId = 'YOUR_TENANT_ID'
    CertificateThumbprint = 'YOUR_CERT_THUMBPRINT'
}

Connect-Entra @params

To find the certificate thumbprint in the Microsoft Entra admin center, navigate to Identity > App registrations > Certificates & secrets > Certificates. Select the certificate and copy its thumbprint.

Alternatively, you can use the following PowerShell command to get your self-signed certificate:

Get-ChildItem Cert:\CurrentUser\My

Use Certificate name

$params = @{
    ClientId = 'YOUR_APP_ID'
    TenantId = 'YOUR_TENANT_ID'
    CertificateName = 'YOUR_CERT_SUBJECT'
}

Connect-Entra @params

You can find the certificate subject by running the command:

Get-ChildItem Cert:\CurrentUser\My\$CertThumbprint | Select Subject

Use a certificate

$Cert = Get-ChildItem Cert:\CurrentUser\My\$CertThumbprint
Connect-Entra -ClientId 'YOUR_APP_ID' -TenantId 'YOUR_TENANT_ID' -Certificate $Cert

To use a certificate stored in your machine's certificate store or another location when connecting to Microsoft Entra PowerShell, specify the certificate's location.

If the authentication succeeds, you see the message Welcome To Microsoft Graph!. Run Get-EntraContext to verify that you're authenticated with app-only method. The output should look like the following.

ClientId              : YOUR_APP_ID
TenantId              : YOUR_TENANT_ID
CertificateThumbprint :
Scopes                : {Group.Read.All, User.Read.All}
AuthType              : AppOnly
CertificateName       : YOUR_CERT_SUBJECT
Account               :
AppName               : {Your Awesome Application Name Here}
ContextScope          : Process
Environment           : Global

Use client secret credentials

Client credentials grant is used to authenticate and authorize the app to access resources on its own behalf. Support for client secret credentials is added by adding -ClientSecretCredential parameter to Connect-Entra.

# Define the Application (Client) ID and Secret
$ApplicationClientId = '<application(client)ID>' # Application (Client) ID
$ApplicationClientSecret = '<secret.value>' # Application Secret Value
$TenantId = 'Tenant_Id' # Tenant ID

# Convert the Client Secret to a Secure String
$SecureClientSecret = ConvertTo-SecureString -String $ApplicationClientSecret -AsPlainText -Force

# Create a PSCredential Object Using the Client ID and Secure Client Secret
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationClientId, $SecureClientSecret

# Connect to Microsoft Graph Using the Tenant ID and Client Secret Credential
Connect-Entra -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential

To create or add a client secret, use the command New-EntraServicePrincipalPasswordCredential or see: Add a client secret in Microsoft Entra admin center.

Note

It's recommended to use PowerShell 7 or higher when using client secret credentials authentication method.

Use managed identity

A common challenge when writing automation scripts is the management of secrets, credentials, certificates, and keys used to secure communication between services. Eliminate the need to manage credentials by allowing the module to obtain access tokens for Azure resources that are protected by Microsoft Entra ID. The Azure platform manages the identity and doesn't require you to create or rotate any secrets.

System-assigned managed identity - Uses an automatically managed identity on a service instance. The identity is tied to the lifecycle of a service instance.
```
Connect-Entra -Identity
```
User-assigned managed identity - Uses a user created managed identity as a standalone Azure resource.
```
Connect-Entra -Identity -ClientId 'User_Assigned_Managed_identity_Client_Id'
```

Partager via