Forum Discussion

aammirmirza
Copper Contributor
Oct 14, 2020

Connect-MsolService -AdGraphAccessToken $token

I am planning an automation that needs to frequently fetch deleted users using the command line below. With the collected data I perform cleanup in AzDO.

$deletedUsersfromAAD = Get-MsolUser -ReturnDeletedUser -EnabledFilter EnabledOnly -MaxResults 500 |
    Where-Object { $_.SoftDeletionTimestamp -gt $limit } | Sort-Object -Property SoftDeletionTimestamp   # $limit must be a [datetime]; compare dates, not "MM-dd-yyyy" strings, and name the sort property rather than $_

But when I run the pipeline it gets stuck at Connect-MsolService because every time a login window pops up for authentication. How can I bypass the pop-up authentication while using Connect-MsolService?

Or it would be great if there were an alternative to fetch only the deleted (soft-deleted) AAD users list, instead of indexing the entire AAD.
  • Last time I toyed with this, you needed to use both -AdGraphAccessToken and -MsGraphAccessToken to make it work.

      nExoR
      Copper Contributor

      ...how do I generate these tokens? Any link to documentation or something that helps to understand the process?

      thx

        nExoR
        Copper Contributor

        VasilMichev, after reviewing numerous articles I was able to write some code. I have no problem with the MSGraph token, but it fails on the ADGraph token; I'm not sure if I create it correctly. If you managed to somehow use this method, I'd appreciate it if you shared the code.

        I also found this: https://github.com/Azure/azure-docs-powershell-azuread/issues/246 but I don't understand whether you can log on using both tokens or it is not working any more...

        What I was able to do:

        $TenantId = '********'
        $ClientId = '*********'
        $ClientSecret = '**********'

        # A v2.0 client_credentials request must name the target resource in 'scope';
        # Microsoft Graph and Azure AD Graph are different resources, so each needs its own token.
        $MSGraphBody = @{
            'tenant' = $TenantId
            'client_id' = $ClientId
            'client_secret' = $ClientSecret
            'grant_type' = 'client_credentials'
            'scope' = 'https://graph.microsoft.com/.default'   # Microsoft Graph
        }

        $MSParams = @{
            'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
            'Method' = 'Post'
            'Body' = $MSGraphBody
            'ContentType' = 'application/x-www-form-urlencoded'
        }

        $ADGraphBody = @{
            'tenant' = $TenantId
            'client_id' = $ClientId
            'client_secret' = $ClientSecret
            'grant_type' = 'client_credentials'
            'scope' = 'https://graph.windows.net/.default'   # Azure AD Graph, the resource behind -AdGraphAccessToken
        }

        $ADParams = @{
            'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
            'Method' = 'Post'
            'Body' = $ADGraphBody
            'ContentType' = 'application/x-www-form-urlencoded'
        }

        $ADAuthResponse = Invoke-RestMethod @ADParams
        $MSAuthResponse = Invoke-RestMethod @MSParams
        Connect-MsolService -AdGraphAccessToken $ADAuthResponse.access_token -MsGraphAccessToken $MSAuthResponse.access_token
        + Connect-MsolService -AdGraphAccessToken $ADAuthResponse.access_token ...
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
        + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidHeaderException,Microsoft.Online.Administration.Automation.ConnectMsolService
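As an added example (not code posted in this thread), here is the non-interactive route for the second half of the original question: a client-credentials token for Microsoft Graph, then a query against the directory's deleted-items container, which returns only soft-deleted users and needs neither the MSOnline module nor an AD Graph token. It assumes an app registration with an admin-consented application permission such as Directory.Read.All, and pipeline secret variables named TENANT_ID, CLIENT_ID and CLIENT_SECRET; those names are placeholders.

```powershell
# Added example: list soft-deleted Azure AD users through Microsoft Graph with a
# client-credentials token, so nothing interactive runs inside the pipeline.
# Assumptions: app registration with Directory.Read.All (application) consented;
# TENANT_ID / CLIENT_ID / CLIENT_SECRET injected as pipeline secret variables.

$TenantId     = $env:TENANT_ID
$ClientId     = $env:CLIENT_ID
$ClientSecret = $env:CLIENT_SECRET
$limit        = (Get-Date).ToUniversalTime().AddDays(-30)   # only users deleted in the last 30 days

# 1. Client-credentials token. The v2.0 endpoint requires 'scope' to name the
#    resource; '/.default' requests the application permissions already consented.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Walk the deleted-items container, restricted to user objects. This returns
#    only soft-deleted users (the 30-day recycle bin), not the whole directory.
#    Single quotes keep $select/$top from being expanded as PowerShell variables.
$uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user' +
       '?$select=id,userPrincipalName,displayName,deletedDateTime&$top=999'
$deleted = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $deleted += $page.value
    $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
}

# 3. Filter and sort on [datetime] values (normalised to UTC), not formatted strings.
$recentlyDeleted = $deleted |
    Where-Object { ([datetime]$_.deletedDateTime).ToUniversalTime() -gt $limit } |
    Sort-Object { ([datetime]$_.deletedDateTime).ToUniversalTime() }

$recentlyDeleted | Select-Object userPrincipalName, displayName, deletedDateTime
```

The client secret should come from a secret variable or Key Vault reference, never from the YAML itself, and a certificate credential or workload identity federation is preferable to a long-lived secret. Grant the app only the read permission the query needs; the token it obtains is short-lived and scoped to Graph, which is all the cleanup step requires.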
