How to use Connect-MgGraph with a Client Secret

The Connect-MgGraph cmdlet in Microsoft Graph PowerShell enables you to connect to the Microsoft Graph API, both in the delegated scenario and in the application-based scenario. If you want to connect to Microsoft Graph PowerShell in an automated fashion without a user, you will need to connect in the application-based scenario using an authentication method such as a client secret.

A client secret is essentially an application password, stored in Microsoft Entra, that enables you to create a quick and simple connection to Microsoft Graph in the application context.

In this article, I will show you how to connect to Microsoft Graph using the Connect-MgGraph cmdlet with a client secret.

Requirements

The -ClientSecretCredential parameter on the Connect-MgGraph cmdlet is what enables you to connect using a client secret. This parameter is only available in version 2 of the Microsoft Graph PowerShell module. You should first ensure you are running the latest version of the Microsoft Graph PowerShell modules.

Before upgrading, check what the latest version of the module is by running the following command:

Find-Module -Name Microsoft.Graph -AllVersions `
-AllowPrerelease | Select-Object -First 5

Your output will look like the below:

Find-Module Microsoft Graph

To upgrade to the latest version of Microsoft Graph PowerShell, you can run the following script:

# Newest published version (prereleases included) and the version installed locally
$latest = Find-Module -Name Microsoft.Graph -AllVersions -AllowPrerelease | Select-Object -First 1
$current = Get-InstalledModule | Where-Object {$_.Name -eq "Microsoft.Graph"}

If ($latest.version -gt $current.version) {
    # -ErrorAction Stop makes a failed update a terminating error, so the catch block runs
    try {Update-Module -Name Microsoft.Graph -RequiredVersion $latest.version -AllowPrerelease -ErrorAction Stop
         Write-Host "Microsoft Graph PowerShell module updated successfully to" $latest.Version -ForegroundColor Green}
    catch {Write-Host "Unable to update Microsoft Graph PowerShell module" -ForegroundColor Red}
} else {
    Write-Host "Latest version of Microsoft Graph is not newer than the current" -ForegroundColor Yellow
}

The script will automatically check which version of Microsoft Graph PowerShell you have installed and then determine whether the latest version is greater than the version you have installed and upgrade it if required.

Once the script is complete, use the following command to check you now have the latest version of the modules installed.

Get-Installed Module Microsoft Graph

Check the version column to confirm you are now running the latest version.

Register an application in Microsoft Entra

1. Start by logging into entra.microsoft.com

2. Select App registrations, then New registration.

App registrations, then New registration

3. Choose a meaningful name for your application and select Accounts in this organizational directory only. Leave all other settings as default and click Register.

Choose a name, choose this directory only and click register

4. Once created, the application page will automatically open. Copy the Application ID, as you will need this next, and then select Certificates & secrets.

Select Certificates and secrets

5. Select New client secret.

Select New client secret

6. Choose a description for your client secret and define the expiry duration. The duration should be set to meet your specific requirements.

Add a client secret

7. Copy the Value field as we will also need this next.

Copy the value

Apply permissions to your registered application

Now we have registered our application, we can apply the necessary permissions for the action we want to perform.

1. On the App registrations page select your app.
Select your app

2. Select API permissions.

Select API Permissions

3. Select Add a permission.

Select Add a permission

4. Select Microsoft Graph under the Microsoft APIs tab.

Select Microsoft Graph under Microsoft APIs

5. Select Application permissions.

Select Application permissions

6. Choose your permissions from the list and select Add permissions.

Choose permissions and click Add permissions

7. Select Grant admin consent for <tenant> and click Yes.

Select Grant admin consent

Connect to Microsoft Graph with a client secret

Now you have registered an application, you can use the -ClientSecretCredential parameter with Connect-MgGraph to connect to your tenant. 

First, you will need to write down the following information from the previous steps:

  • Tenant ID (found at Microsoft Entra > Overview)
  • Client ID (found at App registrations > your app > Overview > Application (client) ID).
  • Client Secret Value (found at App registrations > your app > Certificates and Secrets > Value).

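Now open PowerShell and run the following (be sure to substitute the values you wrote down above).

$ApplicationId = "<value>"
# Despite its name, $SecuredPassword holds the client secret as plain text at this point
$SecuredPassword = "<value>"
$tenantID = "<value>"

# PSCredential only accepts a SecureString as the password, so convert the secret first
$SecuredPasswordPassword = ConvertTo-SecureString `
-String $SecuredPassword -AsPlainText -Force

# User name = application (client) ID, password = client secret
$ClientSecretCredential = New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList $ApplicationId, $SecuredPasswordPassword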

If you don’t convert your Secured Password to a secure string, you may encounter the following error:

“New-Object Cannot find an overload for “PSCredential” and the argument count “2”.”

You can now run the following command to connect to Microsoft Graph without an interactive prompt.

Connect-MgGraph -TenantId $tenantID -ClientSecretCredential $ClientSecretCredential

You can test that this worked by running a cmdlet that matches the permissions you granted your application. (The information below has since been deleted.)

Testing Microsoft Graph PowerShell with a client secret
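
The connection steps above, wrapped for unattended use so the client secret is never typed into the script. This is an added example, not part of the original article. It assumes the Microsoft.PowerShell.SecretManagement module with a vault already registered, a hypothetical vault entry named GraphAppSecret, and hypothetical environment variables GRAPH_TENANT_ID and GRAPH_CLIENT_ID.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.PowerShell.SecretManagement
# Added example. 'GraphAppSecret' and the GRAPH_* environment variables are
# hypothetical names; replace them with your own.

function Connect-GraphAppOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [string]$SecretName = 'GraphAppSecret'   # hypothetical vault entry name
    )

    # Pre-flight: version 1 of the SDK has no -ClientSecretCredential parameter.
    $cmd = Get-Command -Name Connect-MgGraph -ErrorAction Stop
    if (-not $cmd.Parameters.ContainsKey('ClientSecretCredential')) {
        throw "Microsoft.Graph.Authentication $($cmd.Version) lacks -ClientSecretCredential; version 2 is required."
    }

    # Get-Secret returns a SecureString for string secrets, so the value does not
    # appear as plain text in the script, the console history or a transcript.
    $secret = Get-Secret -Name $SecretName -ErrorAction Stop
    if ($secret -isnot [securestring]) {
        throw "Secret '$SecretName' is not stored as a string secret."
    }

    $credential = [System.Management.Automation.PSCredential]::new($ClientId, $secret)
    Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $credential -ErrorAction Stop | Out-Null

    # Confirm the session is app-only and bound to the expected application.
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly' -or $ctx.ClientId -ne $ClientId) {
        Disconnect-MgGraph | Out-Null
        throw "Unexpected Graph context: AuthType=$($ctx.AuthType), ClientId=$($ctx.ClientId)"
    }
    $ctx | Select-Object ClientId, TenantId, AuthType, Scopes
}

try {
    $session = Connect-GraphAppOnly -TenantId $env:GRAPH_TENANT_ID -ClientId $env:GRAPH_CLIENT_ID
    # Lists the application permissions in the token; remove any the job does not need.
    $session.Scopes | Sort-Object
}
finally {
    # Drop the cached token when the job ends.
    if (Get-MgContext) { Disconnect-MgGraph | Out-Null }
}
```

The Scopes list printed at the end reflects the application permissions granted in the portal, which makes it a quick check that the app registration carries no more access than the task requires.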

This Post Has 4 Comments

  1. Ted H.

    This does not seem to work using RC1 of MgGraph
    Connect-MgGraph A parameter cannot be found that matches parameter name ‘ClientSecretCredential’.

  2. Kyle

    I am also getting the error message “Connect-MgGraph A parameter cannot be found that matches parameter name ‘ClientSecretCredential’.” When I run Get-Command.Params on MgGraph, I get no response for ClientSecretCredential. For testing, I ran the same command on ClientId and received details about said parameter.

    1. Daniel

      Hi Kyle, you will get that error if you do not have version 2 of the Microsoft Graph PowerShell SDK installed!

    2. Kyle

      UPDATE I was able to get it to work. The solution I found was to update Microsoft.Graph.Authentication to RC3, you’ll then have to include the TenantID as a parameter as well, but all other steps are the same!
