{"id":53483,"date":"2021-09-23T14:11:30","date_gmt":"2021-09-23T13:11:30","guid":{"rendered":"https:\/\/practical365.com\/?p=53483"},"modified":"2025-04-30T15:56:12","modified_gmt":"2025-04-30T19:56:12","slug":"connect-microsoft-graph-powershell-sdk","status":"publish","type":"post","link":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/","title":{"rendered":"Connecting to the Microsoft Graph Using the PowerShell SDK"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"Connect_to_the_Graph_in_a_Secure_and_Powerful_Way\"><\/span>Connect to the Graph in a Secure and Powerful Way<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><em>Updated: 1 August 2023<\/em><\/p>\n\n\n\n<p>In a <a href=\"https:\/\/practical365.com\/microsoft-forces-move-from-azure-ad-cmdlets-for-license-management\/\" target=\"_blank\" rel=\"noreferrer noopener\">previous article<\/a>, I discuss using cmdlets from the Microsoft Graph SDK for PowerShell to replace license management cmdlets from the Azure AD module in advance of their retirement on June 30, 2022 (<em>update: Microsoft has moved this date out to March 2024<\/em>). As it turns out, converting a couple of Azure AD cmdlets by replacing them with cmdlets like <em>Get-MgUser<\/em> and <em>Set-MgUserLicense<\/em> isn\u2019t particularly difficult (if it was, I wouldn\u2019t be able to do it). However, introducing a new module into the mix of PowerShell used in production environments always creates some questions and concerns, not least of which is security.<\/p>\n\n\n\n<p>There\u2019s a right and a wrong way to use the Graph SDK cmdlets in testing and production environments. In a nutshell, running the cmdlets interactively is straightforward, but could lead to a problem with an over-permissioned service principal (app). It\u2019s all to do with the way the Graph SDK connects and the permissions it uses. 
Let\u2019s examine why.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-connecting-to-the-graph-sdk\"><span class=\"ez-toc-section\" id=\"Connecting_to_the_Graph_SDK\"><\/span>Connecting to the Graph SDK<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The first step in any use of the Graph SDK is to connect to the Graph using the <em>Connect-MgGraph<\/em> cmdlet. 
When you run <em>Connect-MgGraph<\/em> to connect to the Graph, it\u2019s wise to specify the identifier of the tenant to which you want to connect.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Connect-MgGraph -TenantId \"828e1143-88e3-492b-bf82-24c4a47ada63\"<\/pre>\n\n\n\n<p>If you don\u2019t specify a tenant, <em>Connect-MgGraph<\/em> will choose the last tenant you signed into during a session (which might not be the one you want to connect to). I discovered this when I connected to the Graph and discovered that the data used belonged to my development tenant. I noticed then, but it\u2019s possible that someone might miss this elsewhere, so make it a habit to connect with the tenant identifier.<\/p>\n\n\n\n<p>A session lasts until you run <em>Disconnect-MgGraph<\/em> (see below) and can be reinitiated multiple times over days by running <em>Connect-MgGraph<\/em>. Behind the scenes, the Graph SDK keeps an encrypted token cache and will refresh the token as needed to allow you to work with Graph commands.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-permissions\"><span class=\"ez-toc-section\" id=\"Permissions\"><\/span>Permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>After making a successful connection, the session signs in as your account. The permission scope for the connection comes from the service principal for the enterprise app registered in Entra ID for the SDK. If you\u2019ve never signed in with the Graph SDK before, the SDK creates an enterprise app called <em>Microsoft Graph Command Line Tools<\/em> with an AppId of <em>14d82eec-204b-4c2f-b7e8-296a70dab67e <\/em>and requests a limited set of permissions (Figure 1). 
If you\u2019re an administrator, you can grant consent for these permissions on behalf of the organization. To ease the reasonable suspicions of vigilant administrators, it would be nice if the service principal showed up as verified, but that\u2019s not currently the case.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"540\" src=\"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/Graph-SDK-Consent.jpg\" alt=\"Granting initial consent for the Graph PowerShell SDK\" class=\"wp-image-53484\" srcset=\"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/Graph-SDK-Consent.jpg 566w, https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/Graph-SDK-Consent-300x286.jpg 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><figcaption class=\"wp-element-caption\">Figure 1: Granting initial consent for the Graph PowerShell SDK<\/figcaption><\/figure>\n<\/div>\n\n\n<p>The permissions consented for the Microsoft Graph PowerShell SDK are held by the enterprise app&#8217;s service principal. Importantly, the permissions are delegated permissions (they allow access to data that the signed-in user can access) rather than application permissions. If you want to use application permissions, which allow access to all data in the tenant, run <em>Connect-Graph <\/em>in app-only mode. This means that you specify the tenant, app, and credential to connect. In app-only mode, the SDK uses the application permissions consented to for the app. See the discussion below for more details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-gathering-new-permissions\"><span class=\"ez-toc-section\" id=\"Gathering_New_Permissions\"><\/span>Gathering New Permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>As people begin executing Graph SDK commands using the interactive client, they will need consent for the permissions needed to run the commands. 
For example, to use the <em>Get-MgUser<\/em> cmdlet to retrieve a set of Entra ID accounts, a user needs permission to read directory information, so they might request the permissions using the <em>Scopes<\/em> parameter when making the connection as follows:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$RequiredScopes = @(\"Directory.AccessAsUser.All\", \"Directory.ReadWrite.All\")\nConnect-MgGraph -Scopes $RequiredScopes<\/pre>\n\n\n\n<p>Connecting with a scope which includes permissions not held by the enterprise app causes Entra ID to prompt for consent for the permissions not inherited from the service principal (Figure 2).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"533\" src=\"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/Graph-SDK-Consent-More-permissions.jpg\" alt=\"Azure AD prompts to grant consent for more permissions for the Graph SDK service principal\" class=\"wp-image-53485\" srcset=\"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/Graph-SDK-Consent-More-permissions.jpg 566w, https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/Graph-SDK-Consent-More-permissions-300x283.jpg 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><figcaption class=\"wp-element-caption\">Figure 2: Entra ID prompts to grant consent for more permissions for the Graph SDK service principal<\/figcaption><\/figure>\n<\/div>\n\n\n<p>As with other apps which use the Graph APIs, an administrator can consent to the requested permissions on behalf of the organization. This adds the extra permissions to the set held by the service principal. 
If an administrator does not grant consent, the requested permissions are available (subject to the administrative roles held by the signed-in account) for the session, but don\u2019t join the set held by the service principal.<\/p>\n\n\n\n<p>Over time, the set of delegated permissions held by the SDK&#8217;s service principal will be those granted at the initial time of consent plus any other permissions granted subsequently as people work with the interactive client. In other words, the service principal collects aggregated permissions over time. For this reason, it\u2019s not recommended to use the Graph SDK cmdlets interactively because if you do, over time a distinct possibility exists that the service principal will become very over-permissioned and therefore become a security risk. This is the kind of issue highlighted by <a href=\"https:\/\/office365itpros.com\/2021\/07\/21\/microsoft-launches-preview-app-governance\/\" target=\"_blank\" rel=\"noreferrer noopener\">App Governance for Cloud App Security<\/a> (or in the <a href=\"https:\/\/office365itpros.com\/2021\/04\/28\/cleanup-azuread-integrated-apps\/\" target=\"_blank\" rel=\"noreferrer noopener\">home-grown solution explained in this article<\/a>). In addition, you should pay attention to <a href=\"https:\/\/practical365.com\/azure-ad-apps-review-permissions\/\" target=\"_blank\" rel=\"noreferrer noopener\">apps assigned high-priority permissions<\/a> because they&#8217;re the ones that might be either planted or exploited by attackers.<\/p>\n\n\n\n<p>The only resolution for an over-permissioned service principal is its removal and recreation, at which time an administrator can grant consent for limited permissions to the new service principal. 
Here\u2019s how to remove the service principal using Graph SDK cmdlets (naturally):<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$Sp = Get-MgServicePrincipal -Filter \"AppId eq '14d82eec-204b-4c2f-b7e8-296a70dab67e'\"\nRemove-MgServicePrincipal -ServicePrincipalId $Sp.Id<\/pre>\n\n\n\n<p><em><a href=\"https:\/\/office365itpros.com\/2023\/07\/10\/graph-powershell-sdk-v2\/\" target=\"_blank\" rel=\"noreferrer noopener\">V2.0 of the Microsoft Graph PowerShell SDK <\/a>removes the need to switch profiles to use beta cmdlets. Instead, the beta cmdlets are in a separate module.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-reporting-your-connection\"><span class=\"ez-toc-section\" id=\"Reporting_Your_Connection\"><\/span>Reporting Your Connection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To check that you\u2019re connected to the right tenant with the right profile and permissions, we can extract information about the tenant with the <em>Get-MgOrganization<\/em> cmdlet, the 
current connection with the <em>Get-MgContext<\/em> cmdlet, and the profile used with the <em>Get-MgProfile<\/em> cmdlet and display some useful information:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Get the current connection context (tenant, account, and scopes)\n$Details = Get-MgContext\n$Scopes = $Details | Select-Object -ExpandProperty Scopes\n$Scopes = $Scopes -Join \", \"\n# Resolve the display name of the connected tenant\n$OrgName = (Get-MgOrganization).DisplayName\nClear-Host\nWrite-Host \"Microsoft Graph Connection Information\"\nWrite-Host \"--------------------------------------\"\nWrite-Host \" \"\nWrite-Host (\"Connected to Tenant {0} ({1}) as account {2}\" -f $Details.TenantId, $OrgName, $Details.Account)\nWrite-Host \"+-------------------------------------------------------------------------------------------------------------------+\"\nWrite-Host (\"The following permission scope is defined: {0}\" -f $Scopes)\nWrite-Host \"\"<\/pre>\n\n\n\n<p>Example output:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Microsoft Graph Connection Information\n--------------------------------------\n\nConnected to Tenant a662313f-14fc-43a2-9a7a-d2e27f4f3475 (Office 365 for IT Pros) as account Global.Administrator@office365itpros.com\n+-------------------------------------------------------------------------------------------------+\nThe following scopes are defined: Directory.AccessAsUser.All, Directory.ReadWrite.All, openid, profile, User.Read, email, Group.Read.All, Group.ReadWrite.All \n<\/pre>\n\n\n\n<p>The permissions listed above include those inherited from the service principal and any others requested by the user for the session.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-disconnect-when-you-re-done\"><span class=\"ez-toc-section\" id=\"Disconnect_When_Youre_Done\"><\/span>Disconnect When You\u2019re Done<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>When you\u2019re finished interacting with the Graph, remember to close off 
the session by running <em>Disconnect-MgGraph<\/em> to sign the session out from the Graph. Disconnecting the session removes the encrypted token cache and prevents a session from being reinitialized.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Disconnect-MgGraph<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-app-only-access-for-production-use\"><span class=\"ez-toc-section\" id=\"App-Only_Access_for_Production_Use\"><\/span>App-Only Access for Production Use<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The description above covers an interactive session. This is a good way to get to know the Graph SDK cmdlets and debug scripts in preparation for operational use. However, when you run SDK cmdlets interactively, you&#8217;re limited to delegated permissions. In other words, you can access items that you can interact with through Microsoft 365 apps, but you can&#8217;t access items owned by other users. For instance, you can read items in your mailbox but not in another mailbox. If you want to run the SDK with application permissions, you can do so with an app or in Azure Automation (using an Automation account or <a href=\"https:\/\/practical365.com\/managed-identity-powershell\/\" target=\"_blank\" rel=\"noreferrer noopener\">managed identity<\/a>).<\/p>\n\n\n\n<p>Because of the issues with consent and the service principal, Microsoft recommends that operational scripts use registered Entra ID apps with certificate-based authentication (<a href=\"https:\/\/docs.microsoft.com\/en-us\/graph\/powershell\/app-only?tabs=azure-portal\" target=\"_blank\" rel=\"noreferrer noopener\">app-only access<\/a>) or a managed identity. 
You can certainly write and test scripts using the interactive client, but once the code is complete, it\u2019s time to run it using its own app with a tightly scoped permission set. This approach means that you can restrict the permissions assigned to apps to only the set needed by the processing done by the script and restrict those who can use the app to a selected set of accounts. The downside of using separate apps with scoped permissions is that over time you might accumulate many registered apps in Entra ID which must be managed.<\/p>\n\n\n\n<p>The alternative is to use Azure Automation with managed identities to run scripts that use SDK cmdlets. See <a href=\"https:\/\/practical365.com\/microsoft-graph-sdk-powershell-azure-automation\/\" target=\"_blank\" rel=\"noreferrer noopener\">this article<\/a> for more information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-some-issues-for-microsoft-to-solve\"><span class=\"ez-toc-section\" id=\"Some_Issues_for_Microsoft_to_Solve\"><\/span>Some Issues for Microsoft to Solve<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Having a service principal which diligently gathers permissions on an ongoing basis doesn\u2019t seem to be a good idea. In fact, it\u2019s a lousy idea. Microsoft needs to come up with a better way of allowing administrators to run Graph SDK cmdlets interactively without creating a security problem. Deleting the security principal when <em>Disconnect-MgGraph<\/em> is run is one way to zeroize permissions, but it\u2019s a poor solution. Allowing people to hard-code usernames and passwords or use app secrets in scripts to authenticate access to the Graph is also not a direction to take given the current threat landscape.<\/p>\n\n\n\n<p>The fact of the matter is that tenant administrators will forget about the permission accumulation issue unless they check service principals. It\u2019s sad but true, and due to the demands of other work. 
People won\u2019t run <em>Disconnect-MgGraph<\/em> either for the same reason as cmdlets like <em>Disconnect-MicrosoftTeams<\/em> and <em>Disconnect-ExchangeOnline<\/em> are ignored.<\/p>\n\n\n\n<p>The Graph SDK is an excellent idea because it isolates PowerShell users from many of the complexities involved in using Graph APIs. It\u2019s still a work in progress, but if Microsoft wants to make the Graph SDK a go-to tool for tenant administrators, they need to solve the permissions issue. And soon (before that deprecation deadline!)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Microsoft Graph SDK for PowerShell exists to help developers use Graph API calls from PowerShell. It works, but like anything in life, there&#8217;s a right way to connect and use the SDK and a wrong way. In this article we explore topics like how to connect to the right tenant, how permissions are managed (or not), and why running Graph SDK cmdlets interactively isn&#8217;t something you should do in production. Good as the SDK is, Microsoft has some big issues to solve to address some obvious security issues. 
<\/p>\n","protected":false},"author":84,"featured_media":53559,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[6,10900,9890,9055],"tags":[10122,9833,10138,10141,10140,10142,10118,9835,10119,10139],"class_list":["post-53483","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-entra-id","category-microsoft-graph","category-powershell","tag-connect-mggraph","tag-consent","tag-disconnect-mggraph","tag-get-mgcontext","tag-get-mgorganization","tag-get-mgprofile","tag-get-mguser","tag-microsoft-graph-api","tag-microsoft-graph-powershell-sdk","tag-select-mgprofile","entry","has-media"],"acf":[],"yoast_head_json":{"title":"Connecting to the Microsoft Graph Using the PowerShell SDK | Practical365","description":"The Microsoft Graph SDK for PowerShell exists to help developers use Graph API calls from PowerShell. 
It works, but like anything in life, there's a right way to connect and use the SDK and a wrong way.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/","og_locale":"en_US","og_type":"article","og_title":"Connecting to the Microsoft Graph Using the PowerShell SDK","og_description":"The Microsoft Graph SDK for PowerShell exists to help developers use Graph API calls from PowerShell. It works, but like anything in life, there's a right way to connect and use the SDK and a wrong way.","og_url":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/","og_site_name":"Practical 365","article_publisher":"https:\/\/www.facebook.com\/Practical365","article_published_time":"2021-09-23T13:11:30+00:00","article_modified_time":"2025-04-30T19:56:12+00:00","og_image":[{"width":2560,"height":1383,"url":"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/248-09_1-scaled.jpg","type":"image\/jpeg"}],"author":"Tony Redmond","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/12Knocksinna","twitter_site":"@Practical365","twitter_misc":{"Written by":"Tony Redmond","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#article","isPartOf":{"@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/"},"author":{"name":"Tony Redmond","@id":"https:\/\/practical365.com\/#\/schema\/person\/19d7b2f404dd1da1d87586fb07015a19"},"headline":"Connecting to the Microsoft Graph Using the PowerShell SDK","datePublished":"2021-09-23T13:11:30+00:00","dateModified":"2025-04-30T19:56:12+00:00","mainEntityOfPage":{"@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/"},"wordCount":1569,"commentCount":51,"publisher":{"@id":"https:\/\/practical365.com\/#organization"},"image":{"@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#primaryimage"},"thumbnailUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/248-09_1-scaled.jpg","keywords":["Connect-MgGraph","Consent","Disconnect-MgGraph","Get-MgContext","Get-MgOrganization","Get-MgProfile","Get-MgUser","Microsoft Graph API","Microsoft Graph PowerShell SDK","Select-MgProfile"],"articleSection":["Blog","Entra ID","Microsoft Graph","PowerShell"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/","url":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/","name":"Connecting to the Microsoft Graph Using the PowerShell SDK | 
Practical365","isPartOf":{"@id":"https:\/\/practical365.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#primaryimage"},"image":{"@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#primaryimage"},"thumbnailUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/248-09_1-scaled.jpg","datePublished":"2021-09-23T13:11:30+00:00","dateModified":"2025-04-30T19:56:12+00:00","description":"The Microsoft Graph SDK for PowerShell exists to help developers use Graph API calls from PowerShell. It works, but like anything in life, there's a right way to connect and use the SDK and a wrong way.","breadcrumb":{"@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#primaryimage","url":"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/248-09_1-scaled.jpg","contentUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2021\/09\/248-09_1-scaled.jpg","width":2560,"height":1383,"caption":"Microsoft Graph"},{"@type":"BreadcrumbList","@id":"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/practical365.com\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/practical365.com\/blog\/"},{"@type":"ListItem","position":3,"name":"Connecting to the Microsoft Graph Using the PowerShell SDK"}]},{"@type":"WebSite","@id":"https:\/\/practical365.com\/#website","url":"https:\/\/practical365.com\/","name":"Practical 365","description":"Practical Office 365 News, Tips, and 
Tutorials","publisher":{"@id":"https:\/\/practical365.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/practical365.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/practical365.com\/#organization","name":"Practical 365","url":"https:\/\/practical365.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/practical365.com\/#\/schema\/logo\/image\/","url":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/Logo-P365-stacked.jpg","contentUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/Logo-P365-stacked.jpg","width":1176,"height":696,"caption":"Practical 365"},"image":{"@id":"https:\/\/practical365.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Practical365","https:\/\/x.com\/Practical365","https:\/\/www.linkedin.com\/company\/practical365-com"]},{"@type":"Person","@id":"https:\/\/practical365.com\/#\/schema\/person\/19d7b2f404dd1da1d87586fb07015a19","name":"Tony Redmond","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg","url":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg","contentUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg","caption":"Tony Redmond"},"description":"Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. 
He has been a Microsoft MVP since 2004.","sameAs":["https:\/\/office365itpros.com","https:\/\/x.com\/https:\/\/twitter.com\/12Knocksinna"],"url":"https:\/\/practical365.com\/author\/tony-redmondredmondassociates-org\/"}]}},"_links":{"self":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/posts\/53483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/users\/84"}],"replies":[{"embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/comments?post=53483"}],"version-history":[{"count":0,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/posts\/53483\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/media\/53559"}],"wp:attachment":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/media?parent=53483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/categories?post=53483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/tags?post=53483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}