Microsoft Graph PowerShell SDK without Admin Rights

If you have used or are still using Azure AD PowerShell for interacting with Azure AD, you should probably already have taken note that Azure AD PowerShell will be deprecated on June 30, 2023.

The alternative, the Microsoft Graph PowerShell SDK, is built on Microsoft Graph and all of its underlying APIs, so it lets you do much more than Azure AD tasks. It supports PowerShell 7 (and therefore runs cross-platform), uses modern authentication, and offers the other things you would expect from a modern solution. See the link to learn more:

https://learn.microsoft.com/en-us/powershell/microsoftgraph/overview?view=graph-powershell-1.0

The SDK supports two types of authentication: delegated access and app-only access.

If you follow the tutorial in the documentation, you will be using the delegated permission model. This is effective for ensuring least privilege.

However, there is one important thing when dealing with delegated permissions which is mentioned in another part of the documentation: You need to run "Microsoft Graph PowerShell using a user with privileges to create applications in the tenant and the appropriate permissions."

This can be a deterrent: a lot of the time we are trying to automate tasks for which our user accounts already have the right permissions, but not necessarily the rights to create or modify app registrations. The principle of least privilege keeps coming back.

In these scenarios, if you try to run a command as follows:


You will run into error as below:




This is because you need rights on the following Enterprise Application to be able to register the delegated permissions for the SDK.


While this is workable, most administrators would rather not grant those rights.

So, what next? I ran into a similar situation where getting into a lengthy discussion with Tenant Admins was not an option and I had to still automate my stuff.

The solution is actually quite easy. A little-known feature of the MS Graph PS SDK authentication cmdlets is that they accept an access token you have already obtained. So, simply change your previous script to the following:


And just like that, you're in. No admin help needed.


Now you can freely use your existing permissions to build scripts using the power of Microsoft Graph in PowerShell.
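As an added example (not code from the original post), the flow below takes a Graph token from an existing Azure PowerShell session and hands it to the SDK, then checks what the session actually carries. It assumes the Az.Accounts and Microsoft.Graph modules are installed, that Connect-AzAccount has already been run, and that your Az.Accounts version supports -AsSecureString (Az.Accounts 4.x and later); the user-lookup at the end is an assumed use of Get-MgUser for illustration.

```powershell
# Added example, not from the original post. Assumes Az.Accounts and
# Microsoft.Graph are installed and Connect-AzAccount has already succeeded.
# Azure PowerShell's own first-party app already has tenant consent, so no
# new app registration or admin consent is needed to get a Graph token.

# 1. Obtain a delegated Microsoft Graph access token from the Az session.
#    The token carries only the permissions your own account already has.
#    -AsSecureString is assumed to be available (Az.Accounts 4.x+; the
#    default in 5.x); older versions return a plain string in .Token.
$graphToken = Get-AzAccessToken -ResourceTypeName MSGraph -AsSecureString

# 2. Pass the token to the SDK instead of letting it run its own sign-in.
#    Microsoft.Graph.Authentication 2.x expects a SecureString here
#    (1.x expected a plain string).
Connect-MgGraph -AccessToken $graphToken.Token -NoWelcome

# 3. Verify what you actually got. The scopes are the ones issued with the
#    token, not the ones the SDK would have requested, and AuthType shows
#    that the token was supplied rather than acquired by the SDK.
$ctx = Get-MgContext
$ctx.AuthType
$ctx.Scopes

# 4. Use the session with your existing delegated permissions.
#    (Get-AzContext).Account.Id is the signed-in user's UPN.
Get-MgUser -UserId (Get-AzContext).Account.Id -Property DisplayName, UserPrincipalName

# Caveat: the SDK cannot refresh a token it did not acquire. A long-running
# script must fetch a fresh token (step 1) and reconnect before expiry,
# which is typically about an hour.
```

If a later Graph call fails with a permission error, compare `(Get-MgContext).Scopes` with the permission listed for that API in the Graph documentation; a supplied token only ever carries what the issuing app was granted.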


