Get GraphToken
Get-GraphToken.ps1 acquires an OAuth2 access token for Microsoft Graph using the MSAL.PS module. It serves as the authentication foundation for all Graph API scripts in this repository, supporting both unattended (client secret) and interactive authentication flows.
- Client Credentials Flow - App-only auth using client ID and secret (for automation/pipelines)
- Interactive Flow - Delegated auth with browser prompt (for user-context scripts)
- Auto-Install MSAL.PS - Detects and installs MSAL.PS module if not present
- Custom Scope Support - Request specific Graph permission scopes
- Default Client ID - Falls back to Microsoft Graph PowerShell client if no client ID provided
- PowerShell 5.1 or later
- MSAL.PS (auto-installed if missing)
Permissions depend on the scopes requested. Common examples:
- User.Read.All - Read all users
- Directory.Read.All - Read directory data
- AuditLog.Read.All - Read audit logs
- https://graph.microsoft.com/.default - All permissions granted to the app registration
- Register an App in Azure AD
- Create a client secret
- Grant the app the required API permissions
- Grant admin consent
-TenantId
Type: String
Required: Yes
Description: The Azure AD / Entra ID tenant ID to authenticate against.

-ClientId
Type: String
Required: No
Default: 14d82eec-204b-4c2f-b7e8-296a70dab67e (Microsoft Graph PowerShell)
Description: The application (client) ID of the app registration.

-ClientSecret
Type: String
Required: No
Description: The client secret for app-only authentication. If omitted, interactive browser authentication is used.

-Scope
Type: Array
Required: No
Default: @("https://graph.microsoft.com/.default")
Description: OAuth2 scopes to request. Use .default for app-only flows; specify explicit scopes for delegated flows.
Client credentials flow (app-only):

```powershell
$token = Get-GraphToken `
    -TenantId "12345678-1234-1234-1234-123456789012" `
    -ClientId "abcdefab-1234-1234-1234-abcdefabcdef" `
    -ClientSecret "your-client-secret-here"
```

Interactive flow (delegated, browser prompt):

```powershell
$token = Get-GraphToken `
    -TenantId "12345678-1234-1234-1234-123456789012"
```

Custom scopes:

```powershell
$token = Get-GraphToken `
    -TenantId "12345678-1234-1234-1234-123456789012" `
    -Scope @("User.Read.All", "Directory.Read.All", "AuditLog.Read.All")
```

Full workflow with the other Graph scripts:

```powershell
# 1. Get token
$token = Get-GraphToken -TenantId "<tenant-id>" -ClientId "<client-id>" -ClientSecret "<secret>"

# 2. Build headers
$headers = Get-GraphHeaders -accessToken $token

# 3. Call Graph API
$users = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers $headers -Method Get
```

Returns an access token string ($accessToken) ready for use in Authorization headers. Sample output:

```
Access token retrieved successfully.
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIm...
```
Issue: MSAL.PS module is missing or fails to install

Solution: The script will auto-install. If it fails, install manually:

```powershell
Install-Module MSAL.PS -Scope CurrentUser -Force
```

Issue: Authentication fails

Causes:
- Incorrect TenantId, ClientId, or ClientSecret
- Client secret expired
- App registration doesn't have required permissions
Solutions:
- Verify app registration details in Azure Portal
- Check that client secret hasn't expired
- Confirm admin consent has been granted for required permissions
Issue: Interactive browser prompt does not appear

Solution: Ensure the PowerShell window is interactive (not a background job/service). Use -ClientSecret for non-interactive scenarios.

Issue: Token expired during a long-running script

Solution: Tokens are typically valid for 1 hour. For long-running scripts, re-acquire the token periodically.
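An added example, written for this page and not taken from Get-GraphToken.ps1, of the two flows the script wraps and of the two troubleshooting points above: it calls MSAL.PS's Get-MsalToken with either a client secret or an interactive prompt, re-acquires the token before the one-hour expiry, and decodes the token's claims so you can confirm the roles that admin consent actually granted. The function names Get-GraphTokenCached and Get-GraphTokenClaims and the $script:GraphAuth cache variable are assumptions of this example.

```powershell
# Added example (not the repository's Get-GraphToken.ps1). Assumes MSAL.PS is installed;
# $script:GraphAuth is a hypothetical cache variable for the last AuthenticationResult.
Import-Module MSAL.PS -ErrorAction Stop

function Get-GraphTokenCached {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [string] $ClientId = "14d82eec-204b-4c2f-b7e8-296a70dab67e",   # Microsoft Graph PowerShell
        [securestring] $ClientSecret,                                   # omit for the interactive flow
        [string[]] $Scopes = @("https://graph.microsoft.com/.default"),
        [int] $RenewBeforeMinutes = 5
    )
    # Reuse the cached token unless it expires inside the renewal window (tokens last about 1 hour).
    $cached = $script:GraphAuth
    if ($cached -and $cached.ExpiresOn -gt [DateTimeOffset]::UtcNow.AddMinutes($RenewBeforeMinutes)) {
        return $cached.AccessToken
    }
    $common = @{ ClientId = $ClientId; TenantId = $TenantId; Scopes = $Scopes }
    if ($ClientSecret) {
        # App-only (client credentials) flow; the secret stays a SecureString, never a plain-text literal.
        $result = Get-MsalToken @common -ClientSecret $ClientSecret
    } else {
        # Delegated flow: browser prompt the first time, MSAL's own cache handles later calls.
        $result = Get-MsalToken @common -Interactive
    }
    $script:GraphAuth = $result
    return $result.AccessToken
}

function Get-GraphTokenClaims {
    # Decode the JWT payload only (no signature check; Graph validates the signature server-side)
    # so the roles/scp claims can be compared with the permissions granted to the app registration.
    param([Parameter(Mandatory)] [string] $AccessToken)
    $payload = $AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Usage: app-only token, then show which application permissions it actually carries.
$secret = Read-Host -Prompt "Client secret" -AsSecureString
$token  = Get-GraphTokenCached -TenantId "<tenant-id>" -ClientId "<client-id>" -ClientSecret $secret
$claims = Get-GraphTokenClaims -AccessToken $token
"App roles: $($claims.roles -join ', ')  Expires (UTC): $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp))"
```

If the roles claim is empty or lacks the permission you expect, the app registration is missing that permission or admin consent has not been granted, which matches the "Authentication fails" causes above.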
- Get-GraphHeaders - Build authorization headers using this token
- Get-AzureResourcePaging - Use with headers for paginated API calls
- v1.0 (2025-06-25) - Initial public release