
Avoiding Consent to MS Graph PowerShell with Azure CLI: A Step Towards Simpler Operations and Adversary Simulation

When working with Microsoft Graph PowerShell, it’s often necessary to consent to specific scopes, which requires administrative approval. However, with the Azure CLI, we can bypass this step and greatly simplify the process. This approach also removes the need to register new applications in the tenant, further reducing administrative overhead.

Why Azure CLI?

Azure CLI is a pre-consented application, which means it doesn’t require explicit administrative consent to obtain certain scopes. This greatly simplifies the process of setting up and initiating operations.

The key advantage is that the delegated permissions are already granted, so operations can start immediately. This matters most for a scope like "Directory.AccessAsUser.All", which is compatible with most Graph operations. Because that scope inherits everything the signed-in user can do, including write operations, it is quite powerful; in adversary simulations, limit the user to a read-only role so that no unwanted write operations are possible.

Adversary Simulation

This approach is also beneficial for adversary simulation. By using Azure CLI to obtain tokens and interact with Microsoft Graph, red teams can simulate the actions of adversaries in a controlled and secure manner.

Code Example

Here is an example of how you can obtain a token from Azure CLI and use it with the Microsoft Graph PowerShell SDK:


# Only needed when no refresh token is cached. This avoids the need to consent to the Microsoft Graph PowerShell application, because Azure CLI is a pre-consented (first-party) application
az login --allow-no-subscriptions

# Get the scope that works with most Graph operations. The scope also allows write operations, so make sure the logged-in user holds only a read-only Entra ID (AAD) role if no writes should be possible
$graphAccessUserAsAll = az account get-access-token --scope="https://graph.microsoft.com/Directory.AccessAsUser.All" | ConvertFrom-Json

# Connect to MS Graph using the token.
# Note: Microsoft Graph PowerShell SDK 2.x expects -AccessToken as a SecureString
# (wrap the value with ConvertTo-SecureString -AsPlainText -Force); SDK 1.x takes the plain string shown here
Connect-MgGraph -AccessToken $graphAccessUserAsAll.accessToken

# Run a command to verify the connection
Get-MgApplication

# Get Conditional Access policies
Get-MgIdentityConditionalAccessPolicy

# Example of a write operation (only succeeds if the signed-in user has a role that allows it)
New-MgApplication -DisplayName "CreatedByGraphSDK with Azure CLI ClientID"
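As an added check (example code, not part of the original post), the following decodes the token that Azure CLI returned and reports which client application, scopes and directory roles it carries before the token is handed to Connect-MgGraph. The two GUIDs are the well-known Azure CLI client id and the Global Administrator role template id; neither appears in the post, and the function names are mine.

```powershell
# Added example: inspect the Azure CLI token before using it with the Graph SDK.
# Assumes $graphAccessUserAsAll was populated by the 'az account get-access-token' call above.

function ConvertFrom-JwtPayload {
    # Decode the payload (second segment) of a JWT. The signature is not checked here;
    # we only read claims locally, the resource server validates the token.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Value is not a JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')      # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphTokenContext {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$RequiredScope = 'Directory.AccessAsUser.All'
    )
    $azureCliAppId   = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'  # well-known Azure CLI client id (not from the post)
    $globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator role template id (not from the post)

    $claims = ConvertFrom-JwtPayload -Token $Token
    $scopes = @($claims.scp -split ' ')                         # delegated scopes granted to this token

    $result = [pscustomobject]@{
        User          = $claims.upn
        ClientAppId   = $claims.appid
        IsAzureCli    = ($claims.appid -eq $azureCliAppId)
        Audience      = $claims.aud
        HasScope      = ($scopes -contains $RequiredScope)
        IsGlobalAdmin = (@($claims.wids) -contains $globalAdminRole)   # wids = directory role template ids
        ExpiresUtc    = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }

    if ($result.IsGlobalAdmin) {
        Write-Warning 'Token belongs to a Global Administrator; Directory.AccessAsUser.All will permit writes. Use a read-only role (e.g. Global Reader) for simulations.'
    }
    $result
}

Test-GraphTokenContext -Token $graphAccessUserAsAll.accessToken
```

Run it right after the `az account get-access-token` call: `IsAzureCli` confirms the token was issued to the Azure CLI client rather than to Microsoft Graph PowerShell, `HasScope` confirms the requested scope was actually granted, and the warning fires when the signed-in user holds Global Administrator, which is the situation the read-only-role advice above is meant to prevent.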


Limitations

While the "Directory.AccessAsUser.All" scope covers most Graph operations, some operations require scopes that it does not cover. In such cases, you would still need to consent to the Microsoft Graph PowerShell service principal. This is something to be mindful of when planning your operations.

Not strictly a limitation, but a possible source of confusion: do not expect to see Microsoft Graph PowerShell in the sign-in logs. Because the token was obtained through Azure CLI, the sign-in is recorded under Azure CLI's client ID, not the Graph PowerShell application's.
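For defenders, the point above means that hunting for Graph PowerShell activity by its app id will miss this pattern; the sign-ins are attributed to Azure CLI with Microsoft Graph as the resource. The following added example (not from the original post) queries the Entra ID sign-in logs for exactly that combination using the real `Get-MgAuditLogSignIn` cmdlet from the Microsoft.Graph.Reports module. It assumes an existing Connect-MgGraph session with the AuditLog.Read.All and Directory.Read.All permissions; the Azure CLI client id is the well-known value and is not on the page, and the function name is mine.

```powershell
# Added example: list Azure CLI sign-ins that obtained a Microsoft Graph token in the last N days.
# Assumes an existing Connect-MgGraph session with AuditLog.Read.All and Directory.Read.All.

function Get-AzureCliGraphSignIn {
    param([int]$Days = 7)

    $azureCliAppId = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'   # well-known Azure CLI client id (not from the post)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')

    # Filter server-side on the client app id and time window (both supported by the signIns API);
    # the resource name is matched locally so the query stays simple.
    $filter = "appId eq '$azureCliAppId' and createdDateTime ge $since"

    Get-MgAuditLogSignIn -Filter $filter -All |
        Where-Object { $_.ResourceDisplayName -eq 'Microsoft Graph' } |
        Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName, ResourceDisplayName,
            @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($_.Status.ErrorCode))" } } }
}

Get-AzureCliGraphSignIn -Days 7 | Format-Table -AutoSize
```

The output shows who used Azure CLI to reach Microsoft Graph, from which address, and whether the sign-in succeeded. Interactive Azure CLI logins by accounts that never use Graph otherwise, or from unexpected locations, are the rows worth following up with the Graph activity logs for the same time window.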

By using Azure CLI in conjunction with the Microsoft Graph PowerShell SDK, we can simplify Graph operations, improve security, and reduce administrative overhead. This is a powerful technique for developers, system administrators, and red teams alike.

References

  • App details
        "appDisplayName": "Microsoft Graph Command Line Tools",
        "appDescription": null,
        "appId": "14d82eec-204b-4c2f-b7e8-296a70dab67e",
        "applicationTemplateId": null,
        "appOwnerOrganizationId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "appRoleAssignmentRequired": false,
        "description": null,
        "disabledByMicrosoftStatus": null,
        "displayName": "Microsoft Graph PowerShell",

2 comments on “Avoiding Consent to MS Graph PowerShell with Azure CLI: A Step Towards Simpler Operations and Adversary Simulation”

  1. #Convert the access token to a secure string
    $clientSecret = ConvertTo-SecureString -String $graphAccessUserAsAll.accessToken -AsPlainText -Force
    # Connect to MS Graph using the token
    Connect-MgGraph -AccessToken $clientSecret

    The msgraph access token function now requires a secure string (https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2123)
