There is no hiding the added complexities of working with permissions in Microsoft Graph PowerShell, compared to working with legacy modules such as Azure AD and MSOnline.
Historically, if you wanted to manage resources in Azure AD, you connected with the Azure AD module in PowerShell and were immediately given a session that ran fully within the context of your user permissions. This is still true of Microsoft Graph PowerShell in one sense, since delegated calls can never exceed the rights of the signed-in user, but you must also explicitly request the Microsoft Graph API permissions (scopes) your session needs, and many of those scopes require admin consent. In practice this pushes people towards a Global Admin account, with far higher privileges than the task at hand requires.
One option is to have an administrator grant all the necessary permissions to your Microsoft Entra application in advance; however, with constantly changing requirements, this is often not feasible.
In this post, I am going to deploy an alternative solution which uses the Directory.AccessAsUser.All permission together with Privileged Identity Management (PIM).
Understanding the solution
The goal is to create a simpler process for using Microsoft Graph PowerShell, replicating the experience of the legacy modules, but with the added security of PIM. The idea behind the solution is quite simple: an Enterprise Application exists in Microsoft Entra with the Directory.AccessAsUser.All permission granted to it. Users are assigned to this application, which lets them connect to it using Microsoft Graph PowerShell. Users are also made eligible for privileged roles in PIM, so when they need to use PowerShell they can elevate their own rights, but must complete an MFA challenge to do so.
How the Directory.AccessAsUser.All permission works
The Directory.AccessAsUser.All permission differs in nature from other permissions such as Directory.ReadWrite.All. Rather than granting the application a fixed set of rights over directory resources, it grants the application the same access to the directory as the signed-in user has, no more and no less.
For example, if the user has the User Administrator role active when they connect to this app, they will only be able to do what that role allows, such as managing user objects in Microsoft Entra. This limits the risk of overprivilege, since users can only manage resources at the level they have previously been approved for.
There is another difference with the Directory.AccessAsUser.All permission: with it you can delete users and groups and reset user passwords. None of these tasks can be done with the Directory.ReadWrite.All permission, even if the signed-in user has the necessary Entra role assigned.
Creating a new Microsoft Entra application
The first step in the process is to create a new app registration in Microsoft Entra. Ideally, you shouldn't use the built-in Microsoft Graph Command Line Tools application. Although it is feasible to use it, I only recommend it for smaller organisations which may have only a single administrator: by default any user in the tenant can sign in to that application, and the permissions consented to it accumulate over time. If you are a larger organisation, for better control and governance, use a unique application instead. Follow the below steps to register a new application:
- Log in to Microsoft Entra.
- Expand Identity > Applications then select App Registrations.
- Click New registration.
- Define a name for the application, then under Redirect URI, select Public client/native (mobile & desktop) from the dropdown list and enter the value http://localhost in the text box.
- Click Register.
Next you need to assign the Directory.AccessAsUser.All permission to your application. To do this, follow the below steps:
- From within your new application, under the Manage menu heading, select API permissions.
- Click Add a permission.
- Select Microsoft Graph then Delegated permissions.
- Select Directory.AccessAsUser.All and click Add permission.
- On the Configured permissions page, select Grant admin consent for %your organisation%.
Lastly, you need to assign the users who will use the application to it, from the Enterprise applications page in Microsoft Entra. Follow the below steps to assign your users:
- From Microsoft Entra, expand Applications and select Enterprise applications.
- Select your new application from the list.
- Under Manage, select Properties and set Assignment required? to Yes, then save. Without this, assigning users does not restrict who can sign in to the application.
- Under Manage, select Users and groups.
- Click Add user/group, then search for and add your users.
You have now successfully prepared your new Microsoft Entra application. From the application overview tab, copy the Application (client) ID and Directory (tenant) ID, as you will use these to connect to it through PowerShell.
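The same registration, consent and assignment steps can be scripted. The following is an added example, not code from the original post: it bootstraps the application described above with Microsoft Graph PowerShell, resolves the Directory.AccessAsUser.All scope by name instead of hard-coding its GUID, turns on "Assignment required" and assigns a user. It assumes the Microsoft.Graph.Applications, Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed, that $AppName and $UserUpn are placeholders you replace, and that the one-off bootstrap itself is run by an administrator who can create applications and grant admin consent (that first Connect-MgGraph still uses the built-in Microsoft Graph Command Line Tools app, once).

```powershell
# Added example (not from the original post): create the Entra application for
# Graph PowerShell + PIM with Microsoft Graph PowerShell instead of the portal.
# Assumptions: Microsoft.Graph.Applications, Microsoft.Graph.Users and
# Microsoft.Graph.Identity.SignIns are installed; $AppName and $UserUpn are placeholders.
param(
    [string]$AppName = "Graph PowerShell (PIM)",
    [string[]]$UserUpn = @("alice@contoso.example")   # placeholder users to assign
)

# Scopes needed only for this one-off bootstrap; the resulting app itself is
# granted nothing but Directory.AccessAsUser.All.
Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All",
                        "User.Read.All" -NoWelcome

# Resolve the Microsoft Graph service principal and the permission scope by
# name rather than hard-coding the scope GUID.
$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app id
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq "Directory.AccessAsUser.All" }
if (-not $scope) { throw "Directory.AccessAsUser.All was not found on the Microsoft Graph service principal" }

# 1. App registration: single tenant, public client with the http://localhost
#    redirect, requesting the delegated Directory.AccessAsUser.All scope.
$app = New-MgApplication -DisplayName $AppName `
    -SignInAudience "AzureADMyOrg" `
    -IsFallbackPublicClient:$true `
    -PublicClient @{ RedirectUris = @("http://localhost") } `
    -RequiredResourceAccess @(
        @{
            ResourceAppId  = $graphAppId
            ResourceAccess = @(@{ Id = $scope.Id; Type = "Scope" })
        }
    )

# The registration can take a moment to replicate before a service principal
# can be created for it.
Start-Sleep -Seconds 10

# 2. Enterprise application (service principal) with "Assignment required" on,
#    so only explicitly assigned users can sign in to it.
$sp = New-MgServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired:$true

# 3. Tenant-wide admin consent for the delegated scope; this is what the
#    portal's "Grant admin consent" button records.
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
    -ResourceId $graphSp.Id -Scope "Directory.AccessAsUser.All" | Out-Null

# 4. Assign users. The all-zero AppRoleId is the default access role for
#    applications that define no app roles of their own.
foreach ($upn in $UserUpn) {
    $user = Get-MgUser -UserId $upn
    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
        -ResourceId $sp.Id -AppRoleId "00000000-0000-0000-0000-000000000000" | Out-Null
}

# Emit the two values users need for Connect-MgGraph.
[pscustomobject]@{
    ClientId = $app.AppId              # use as -ClientId when connecting
    TenantId = (Get-MgContext).TenantId # use as -TenantId when connecting
}
```

Resolving the scope from the Graph service principal's Oauth2PermissionScopes is deliberate: it fails loudly if the permission name is mistyped, and it avoids copying a GUID from a reference page. Because the service principal is created with AppRoleAssignmentRequired set, step 4 is not optional; an unassigned user will be refused at sign-in.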
Permissions and PIM
Privileged Identity Management (PIM) in Microsoft Entra ID enables you to govern access to important resources in your directory by using approval and time-based assignment to privileged roles. As showing you how to configure PIM isn't the goal of this post, I will detail some recommendations I have around configuring PIM for this solution:
- From within PIM, under the Manage heading, use the settings option to modify the Activation, Assignment and Notification settings for the necessary roles that will be assigned, do not leave them as default.
- Use Conditional Access (an authentication context applied to the role's activation settings) with PIM so that an additional MFA challenge is required before a role can be activated. This raises the bar for account takeover, including token theft, because activation requires satisfying the policy rather than merely holding an existing session.
- As an administrator, select Manage > Assignments > Eligible assignments and ensure that all users are only eligible for roles pertinent to their job and the tasks they need to complete.
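The last recommendation is easier to act on with a report than by clicking through the portal. The following is an added example, not code from the original post: it lists every eligible Entra role assignment in the tenant with the principal, role, scope and end date, and warns about two patterns worth reviewing, eligibility granted through a group (which hides who can actually activate) and permanent eligibility for the highest-impact roles. It assumes the Microsoft.Graph.Identity.Governance module is installed and that the reviewer holds a role permitted to read PIM data; the RoleEligibilitySchedule.Read.Directory scope is requested for the review session.

```powershell
# Added example (not from the original post): report PIM-eligible Entra role
# assignments so eligibility can be checked against each user's actual duties.
# Assumes Microsoft.Graph.Identity.Governance is installed and the reviewer can
# read PIM data (for example Global Reader or Privileged Role Administrator).
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory" -NoWelcome

function Get-PimEligibilityReport {
    # Expand the role definition and principal in the same call so no
    # per-row lookups are needed.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -ExpandProperty "roleDefinition", "principal"

    foreach ($e in $eligible) {
        # The expanded principal is a directoryObject; user/group specific
        # properties land in AdditionalProperties.
        $p = $e.Principal.AdditionalProperties
        $name = if ($p["userPrincipalName"]) { $p["userPrincipalName"] } else { $p["displayName"] }

        [pscustomobject]@{
            Principal     = $name
            PrincipalType = ($p["@odata.type"] -replace "#microsoft.graph.", "")
            Role          = $e.RoleDefinition.DisplayName
            Scope         = $e.DirectoryScopeId   # "/" means the whole tenant
            EndDateTime   = $e.EndDateTime        # $null means permanent eligibility
        }
    }
}

$report = Get-PimEligibilityReport
$report | Sort-Object Principal, Role | Format-Table -AutoSize

# Eligibility via a group means the group's membership, not this list, decides
# who can activate; review those groups separately.
$report | Where-Object { $_.PrincipalType -eq "group" } | ForEach-Object {
    Write-Warning "Eligibility for '$($_.Role)' is granted via group '$($_.Principal)'; review its members"
}

# Permanent eligibility for the most powerful roles should be a deliberate exception.
$highImpact = "Global Administrator", "Privileged Role Administrator"
$report | Where-Object { -not $_.EndDateTime -and $_.Role -in $highImpact } | ForEach-Object {
    Write-Warning "Permanent eligibility for '$($_.Role)': $($_.Principal)"
}
```

Run the report periodically and compare it against the previous run; a newly appearing row for Global Administrator or Privileged Role Administrator is worth a conversation even when the person is an administrator.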
Elevating access and connecting to Microsoft Graph
Now you have PIM and your Entra application configured, users can simply elevate their rights through the PIM portal and then connect to Microsoft Graph PowerShell. Activate the role before you connect: a token issued before activation does not reflect the new role, so if you already have a Graph PowerShell session open, run Disconnect-MgGraph and connect again after activating. Follow these steps to complete this task:
- Log in to PIM through Microsoft Entra, adpim.cmd.ms
- Select My Roles then click on the Eligible assignments tab.
- Click Activate then Activate again on the desired role.
Now your access rights are elevated, connect to Microsoft Graph PowerShell using the tenant ID and client ID that we copied in the prior steps, held here in the $tenantid and $clientid variables:

```powershell
Connect-MgGraph -TenantId $tenantid -ClientId $clientid
```

No -Scopes parameter is required, because admin consent for Directory.AccessAsUser.All was already granted to the application.
Below I am validating that I can connect to Microsoft Graph PowerShell with my PIM-activated account and perform privileged tasks within the Microsoft Entra directory.
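The following is an added example of that kind of validation, not code or a screenshot from the original post. It wraps the connection in a function that starts a fresh session (so a role activated after an earlier sign-in is picked up), connects to the custom application, checks that Directory.AccessAsUser.All is actually present in the session's scopes, and lists the directory roles that are currently active for the signed-in user so you can confirm the PIM activation took effect before running any privileged command. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed, that the client and tenant IDs shown are placeholders for the values copied from the application overview, and that reading the signed-in user's own memberOf is permitted under Directory.AccessAsUser.All (it is listed for that call in the Graph permissions reference, but verify against your tenant).

```powershell
# Added example (not from the original post): connect to the custom app after a
# PIM activation and verify what the session really carries.
# Assumptions: Microsoft.Graph.Authentication and Microsoft.Graph.Users are
# installed; the IDs passed in are placeholders for your own app and tenant.
function Connect-GraphWithPim {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [string[]]$ExpectedRole = @()     # e.g. "User Administrator"
    )

    # A token issued before the PIM activation does not carry the new role,
    # so always start from a clean session.
    if (Get-MgContext) { Disconnect-MgGraph | Out-Null }

    # Requesting the scope explicitly is harmless: admin consent already exists,
    # so no consent prompt appears, and it makes a misconfigured app fail early.
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
        -Scopes "Directory.AccessAsUser.All" -NoWelcome
    $ctx = Get-MgContext

    if ($ctx.Scopes -notcontains "Directory.AccessAsUser.All") {
        throw "Session scopes are '$($ctx.Scopes -join ', ')'; admin consent for Directory.AccessAsUser.All is missing"
    }

    # Active directory roles appear in the user's memberOf as directoryRole
    # objects; a PIM-activated role shows up here and disappears when it expires.
    $roles = Get-MgUserMemberOf -UserId $ctx.Account -All |
        Where-Object { $_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.directoryRole" } |
        ForEach-Object { $_.AdditionalProperties["displayName"] }

    foreach ($r in $ExpectedRole) {
        if ($roles -notcontains $r) {
            Write-Warning "'$r' is not active for $($ctx.Account). Activate it in PIM and reconnect; activation can take a few minutes to propagate."
        }
    }

    [pscustomobject]@{
        Account     = $ctx.Account
        AppName     = $ctx.AppName
        Scopes      = $ctx.Scopes
        ActiveRoles = $roles
    }
}

# Usage with placeholder identifiers (replace with the values from the app overview).
Connect-GraphWithPim -ClientId "<application-client-id>" `
                     -TenantId "<directory-tenant-id>" `
                     -ExpectedRole "User Administrator"
```

If ActiveRoles comes back empty while Scopes contains Directory.AccessAsUser.All, the application is fine and the problem is the activation: either it has not propagated yet or the role was activated in a different account than the one you signed in with.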
Thanks for sharing this, very useful with the deprecation of the AzureAD modules