A Practical Guide to Connect-MgGraph and Microsoft Graph App Registration via PowerShell

The Connect-MgGraph command is the entry point for automating Microsoft Graph API access using PowerShell. Whether you’re writing scripts to manage Entra ID, Intune, or Microsoft 365 services, understanding how this command works and how it relates to app registrations is critical.

This post will walk through –

  • What Connect-MgGraph actually does
  • How app authentication works
  • When and how to register an app manually
  • Common pitfalls and troubleshooting

What Connect-MgGraph Does

Connect-MgGraph establishes an authenticated session with Microsoft Graph, which is ‘Microsoft’s gateway to data and intelligence for Microsoft Cloud services’ according to Microsoft’s own documentation. This allows scripted access to information and the ability to automate actions against the vast majority of the Microsoft tech stack.

This authentication can be based on one of two types of identity –

  • Interactive login (delegated permissions), which uses your own user identity to authenticate and make requests
  • Client credential flow (application permissions), which uses an Entra ID App Registration as the identity

A quick example of each is below. For a user identity you should pass the Scopes that control which data may be accessed (covered further down this post), whereas an App Registration has its permissions configured on the registration itself, so you don’t need to define them within the command.

# Delegated (user) access
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

# Application (service) access
Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $CertThumbprint

Authentication Modes

Delegated Permissions (User Login)

This mode will normally open a browser window or tab and allows you to log in as you normally would to Microsoft services. Depending on the Scopes listed and your own level of access, this may trigger a request to your system administrator for consent to the given scopes.

Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All"

Advantages

  • Simple and fast for ad-hoc or interactive scripts
  • Uses the user’s permissions, so you don’t need separate app registration
  • Supports conditional access and MFA (if required)

Disadvantages

  • Requires user interaction (opens browser, can’t run headless)
  • Token expires quickly (1 hour), session won’t persist
  • Not suitable for automation or scheduled jobs
  • Limited by user’s permissions – no elevation beyond assigned roles

Application Permissions (Client Credential Flow)

This method is suitable for automation and headless scripts.

Using this method requires the following –

  • Register an app in Azure AD
  • Assign API permissions to the app
  • Authenticate using a certificate or secret

Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint

Advantages

  • Fully headless, which is ideal for CI/CD, runbooks and automation
  • Centralized permission management via app registration
  • Elevated permissions possible (e.g., read all users, modify groups across tenant)
  • Token caching/refresh manageable in long-running scripts

Disadvantages

  • Requires app registration setup (plus certificate or secret management)
  • Overprivilege risk – app permissions apply tenant-wide, not per-user

Manual App Registration (for Automation)

If you’re running PowerShell in unattended scripts, you need an app registration.

Step-by-Step

  1. Register the App
    • Go to Azure Portal > Microsoft Entra ID > App registrations > New registration
    • Name the app (e.g. GraphAutomation)
    • Set the Supported account types (usually Single tenant unless you know otherwise)
    • Skip Redirect URI (not needed for client creds)
  2. Add API Permissions
    • Go to API permissions > Add a permission > Microsoft Graph
    • Choose Application permissions
    • Add what your script requires (e.g., User.Read.All, Group.ReadWrite.All)
    • Click Grant admin consent, which depending on the permissions requested may require an administrator account.
  3. Create a Certificate or Secret
    • Go to Certificates & secrets
    • Recommended – Upload a certificate
    • Alternative – Create a client secret (shorter lifespan, less secure)
  4. Connect Using PowerShell
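The steps above as one runnable script. This is an added example, not code from the original post: it splits the work into a one-off certificate setup (step 3, run by the person who uploads the public certificate to the app registration) and the connection routine the unattended job actually calls (step 4). The function names, the certificate subject and the $AppId/$TenantId values are placeholders of my own; replace the GUIDs with those of your app registration and tenant.

```powershell
# Added example: certificate-based, app-only connection for an unattended script.
# Assumes the app registration from steps 1 and 2 already exists.

function New-GraphAutomationCertificate {
    # Run once, interactively. Creates a self-signed certificate whose private key
    # stays in the local store (non-exportable); only the public .cer is exported
    # for upload under "Certificates & secrets" on the app registration.
    param(
        [string]$Subject    = 'CN=GraphAutomation',                 # placeholder subject
        [string]$ExportPath = "$env:TEMP\GraphAutomation.cer"
    )
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy NonExportable `
        -KeySpec Signature `
        -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears(1)          # short lifetime: rotate yearly
    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    Write-Host "Public certificate written to $ExportPath - upload it to the app registration."
    return $cert.Thumbprint                      # record this for the job's configuration
}

function Connect-GraphAutomation {
    # Called by the scheduled job. Fails fast with a clear message if the private
    # key is missing, and verifies the resulting session really is app-only.
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    if (-not (Test-Path "Cert:\CurrentUser\My\$Thumbprint")) {
        throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My on this machine."
    }
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId `
        -CertificateThumbprint $Thumbprint -NoWelcome -ErrorAction Stop
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        Disconnect-MgGraph | Out-Null
        throw "Expected an app-only session but got '$($ctx.AuthType)'."
    }
    return $ctx
}

# --- Usage ---------------------------------------------------------------
# One-time setup (interactive):
#   $thumb = New-GraphAutomationCertificate
# Scheduled job (placeholder GUIDs - replace with your own):
#   $AppId    = '00000000-0000-0000-0000-000000000000'
#   $TenantId = '00000000-0000-0000-0000-000000000000'
#   $ctx = Connect-GraphAutomation -AppId $AppId -TenantId $TenantId -Thumbprint $thumb
#   "Connected as app $($ctx.AppName) with scopes: $($ctx.Scopes -join ', ')"
#   # ... do the work ...
#   Disconnect-MgGraph
```

If the job runs under a service account or as SYSTEM, create and look up the certificate in Cert:\LocalMachine\My instead of Cert:\CurrentUser\My, since the CurrentUser store belongs to whoever ran the setup. Keeping the key non-exportable means a copied script or configuration file cannot be reused elsewhere without also compromising the host that holds the key.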

Inspecting the Current Session

If at any point you’re unsure what permissions the currently authenticated user or app registration is operating under, you can run the command below, which will list the current account, scopes and the token type. This can be useful for debugging or for error handling in a script.

Get-MgContext

(Screenshot: an example showing a Microsoft Graph context created using a user identity)
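A pre-flight check built on Get-MgContext, added here as an example and not part of the original post. Rather than letting a script fail part-way through on a 403, it verifies that the current session actually holds every scope the script needs, and warns when the session carries write scopes the script does not need (the over-privilege risk noted above). The function name Assert-MgScopes and the scope lists in the usage lines are my own choices.

```powershell
# Added example: verify the active Graph session before doing any work.
function Assert-MgScopes {
    param(
        [Parameter(Mandatory)][string[]]$Required   # scopes the script needs
    )
    $ctx = Get-MgContext
    if (-not $ctx) {
        throw 'No Microsoft Graph session. Run Connect-MgGraph first.'
    }
    # Identify the principal for error messages: user UPN for delegated sessions,
    # application display name for app-only sessions.
    if ($ctx.AuthType -eq 'Delegated') { $who = $ctx.Account } else { $who = $ctx.AppName }

    # Scopes are listed by name (e.g. "User.Read.All") for both session types.
    $missing = @($Required | Where-Object { $ctx.Scopes -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw ("Session for {0} ({1}) is missing required scopes: {2}" -f `
               $who, $ctx.AuthType, ($missing -join ', '))
    }

    # Least-privilege hint: write-capable scopes the script never asked for.
    $extraWrite = @($ctx.Scopes | Where-Object {
        $_ -match 'Write' -and $Required -notcontains $_
    })
    if ($extraWrite.Count -gt 0) {
        Write-Warning ("Session for {0} also holds write scopes not needed here: {1}" -f `
                       $who, ($extraWrite -join ', '))
    }
    return $ctx
}

# --- Usage ---------------------------------------------------------------
#   Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
#   Assert-MgScopes -Required 'User.Read.All'                       # passes
#   Assert-MgScopes -Required 'User.Read.All','Group.ReadWrite.All' # throws: Group.ReadWrite.All missing
#   Disconnect-MgGraph
```

Calling this at the top of a script turns a vague mid-run permission error into an immediate, specific message naming the principal and the missing scope, which is also the line you would want to see in a job's log when an app registration's consent has been changed underneath it.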

Useful Extras

Listing Available Scopes

Scopes change what data you may be able to access and what actions your current session will allow. For a full list of available scopes you may run the command below –

Find-MgGraphPermission -PermissionType Delegated

Replace “Delegated” with “Application” to see the equivalent App Registration scopes.

Disconnecting the Session

Once you’ve completed what you need to do, it’s best practice to disconnect the session. This can be easily accomplished with the command below.

Disconnect-MgGraph

Summary

Use Connect-MgGraph with a clear understanding of your authentication context –

  • Interactive work? Use delegated + scopes.
  • Automation? Register an app and use client credentials.
