Norrin Rad

Reputation: 991

Programmatic Authentication to Graph API

Morning All, I'm having trouble connecting to Graph API using an Azure Automation account. I’m running the script below through an automation account, but it fails to use the stored creds; instead it tries to launch a prompt for credentials, and that’s where the automation account fails. The script is:

The account username and password have been stored in the Azure Automation account.

```powershell
param( $UserPrincipalName )

try {
    Import-Module -Name MSGraphIntuneManagement -ErrorAction Stop
} catch {
    throw 'Prerequisites not installed (AzureAD or MSGraphIntuneManagement PowerShell module not installed)'
}

# Credential and variable assets stored in the Automation account
$IntuneCredential = Get-AutomationPSCredential -Name UserName
$IntuneClientId   = Get-AutomationVariable -Name SecretValue

$Token = Get-MSGraphAuthenticationToken -Credential $IntuneCredential -ClientId $IntuneClientId

Write-Output "Authenticating to Microsoft Graph API"
$AzureADUser = Get-MSGraphAzureADUser -UserPrincipalName $UserPrincipalName -AuthenticationToken $Token

Write-Output "Found user $($AzureADUser.displayName) in Azure AD"
```

This is the line that authenticates against Intune:

```powershell
$Token = Get-MSGraphAuthenticationToken -Credential $IntuneCredential -ClientId $IntuneClientId
```

Do `$IntuneCredential` and `$IntuneClientId` need to be a registered app or a user with Intune Admin in Azure AD?

Thanks in advance :)

Upvotes: 0

Views: 572

Answers (1)

Joy Wang

Reputation: 42063

I suppose you used an MFA-enabled user account in `$IntuneCredential`. If so, it will not work; as you know, a runbook in Automation does not support entering credentials interactively.

In such a scenario, your first option is to use a service principal, but if you want to use the MSGraphIntuneManagement module, that is not an option: if you look into the source file of the Get-MSGraphAuthenticationToken command, you will find it uses ADAL to get the token and the code needs the user's credential, so the way is to use a user account without MFA.

Please follow the steps below.

1. If you do not have a user account without MFA, you can follow this doc to create a new user.

2. Navigate to Azure Active Directory in the portal -> App registrations -> New registration to create a new AD App; for details, see here.

After creating the app, click the app and follow the screenshot to set it as a public client.


3. Grant the Microsoft Graph API permissions to the AD App.


4. Navigate to the automation account in the portal -> Modules -> make sure you have installed the MSGraphIntuneManagement and AzureAD modules; if not, go to Browse gallery, then search for and install them.

5. Go to Credentials and store the username and password. Then go to Variables and store the ClientId of the AD App; you can find it in App registrations -> your AD App.


6. Then run your script in your runbook; it will work.

Note:

The solution above is just for your original requirement: get the token via Get-MSGraphAuthenticationToken to get the user via Get-MSGraphAzureADUser. If you need to use other commands in the MSGraphIntuneManagement module, e.g. Get-MSGraphIntuneUserDevice, you need to grant the corresponding API permissions (Delegated permissions) to the AD App, as in step 3. The way is to look into the source file, find the API the function uses, then find it in the Microsoft Graph doc and see what permissions it needs.


After doing some research on the API in the screenshot above, you will find this doc, Get managedDevice, and get the permissions (please note the `$graphApiVersion = "beta"` it used; it is a beta version, which I don't recommend you use in a production environment).


Upvotes: 1
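As an added example that is not part of the question or the answer: the service-principal option the answer mentions first, done with the OAuth 2.0 client-credentials grant over plain REST calls instead of the MSGraphIntuneManagement module (which, as the answer notes, needs a user credential), so no MFA-exempt user account has to exist. The Automation asset names, the `User.Read.All` application permission (admin consent granted) and the `$select` fields are assumptions.

```powershell
# Added example (not from the question or answer): non-interactive Graph call from an
# Azure Automation runbook using a service principal (client credentials grant).
# Assumptions: an app registration with the *application* permission User.Read.All
# (admin consent granted) and these Automation assets (names are placeholders):
#   Variable 'GraphTenantId'             - tenant GUID
#   Variable 'GraphClientId'             - application (client) ID
#   Encrypted variable 'GraphClientSecret' - client secret
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

$TenantId     = Get-AutomationVariable -Name 'GraphTenantId'
$ClientId     = Get-AutomationVariable -Name 'GraphClientId'
$ClientSecret = Get-AutomationVariable -Name 'GraphClientSecret'   # stored as an encrypted variable

# Client-credentials grant against the v2.0 token endpoint: no user identity is
# involved, so no interactive credential or MFA prompt can occur.
$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }

# Use the v1.0 endpoint rather than beta for production; URL-escape the UPN and
# request only the attributes needed (least data returned to the runbook).
$Upn = [uri]::EscapeDataString($UserPrincipalName)
$Uri = "https://graph.microsoft.com/v1.0/users/${Upn}?`$select=id,displayName,userPrincipalName"
$User = Invoke-RestMethod -Method Get -Headers $Headers -Uri $Uri

Write-Output "Found user $($User.displayName) in Azure AD"
```

The secret should live in an encrypted Automation variable (or Key Vault), and the app should carry only the application permissions the runbook's Graph calls actually need.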
