Forum Discussion

aammirmirza's avatar
aammirmirza
Copper Contributor
Oct 14, 2020

Connect-MsolService -AdGraphAccessToken $token

I am planning for automation that requires to frequently fetch DELETED users using the below command line. With the collected data I perform cleanup in AzDO.   $deletedUsersfromAAD = (Get-MsolUser...
admin
developer
exchange
Microsoft 365 Groups
office 365
VasilMichev's avatar
VasilMichev
MVP
Oct 15, 2020

Last time I toyed with this, you needed to use both -AdGraphAccessToken and -MsGraphAccessToken to make it work.

  • nExoR's avatar
    nExoR
    Copper Contributor
    Jan 06, 2021

    ...how to generate these tokens? any link for document or something that help to understand the process?

    thx

    • nExoR's avatar
      nExoR
      Copper Contributor
      Jan 06, 2021

      VasilMichev after reviewing numerous articles i was able to write some code, i have no problem with MSGraphToken but it fails on ADGraphToken. i'm not sure if i create it correctly. if you managed to somehow use this method i'd appreciate if you share code.

       

      i as well found that: https://github.com/Azure/azure-docs-powershell-azuread/issues/246 but i don't understand if you can logon using both tokens or it is not working any more...

       

      what i was able to do:

      $TenantId = '********'
      $ClientId = '*********'
      $ClientSecret = '**********'

      $MSGraphBody = @{
          'tenant' = $TenantId
          'client_id' = $ClientId
          'client_secret' = $ClientSecret
          'grant_type' = 'client_credentials'
      }

      $MSParams = @{
          'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
          'Method' = 'Post'
          'Body' = $MSGraphBody
          'ContentType' = 'application/x-www-form-urlencoded'
      }

      $ADGraphBody = @{
          'tenant' = $TenantId
          'client_id' = $ClientId
          'client_secret' = $ClientSecret
          'grant_type' = 'client_credentials'
      }

      $ADParams = @{
          'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
          'Method' = 'Post'
          'Body' = $ADGraphBody
          'ContentType' = 'application/x-www-form-urlencoded'
      }

      $ADAuthResponse = Invoke-RestMethod @ADParams
      $MSAuthResponse = Invoke-RestMethod @MSParams
      Connect-MsolService -AdGraphAccessToken $ADAuthResponse.access_token -MsGraphAccessToken $MSAuthResponse.access_token
       
      + Connect-MsolService -AdGraphAccessToken $ADAuthResponse.access_token ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
      + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidHeaderException,Microsoft.Online.Administration.Automation.ConnectMsolService
      • Sgbjrn's avatar
        Sgbjrn
        Copper Contributor
        Jan 14, 2022

        nExoR 

         

        Did you (or anyone else) find a solution to this issue?

        I'm trying to run a few msol commands in a script to collect information, and need to use a spn/access token to authenticate.

Resources