Forum Discussion
How can I use a System Managed Identity with Connect-MsolService
Thank you so much for responding to this. Your information was very well written and easy to understand.
I have in fact tried all of the above approaches prior to writing this post. It appears that calling for an API access token from MSGraph does not in fact work for MSOnline. I get an error regarding "the key was not found in the dictionary", which means that an expected array of access tokens did not contain my specified token. I searched this up and found that it's purely because it expects an Az Graph access token. The APIs and these modules that organisations rely on are clearly a shambles.
As far as you're aware, the only way to get this kind of information is with your Get-MgUser method? I am currently accessing the UserRegistrationDetails environment, but no such StrongAuthenticationRequirements parameter can be found, which IS found in the MSOnline module (which is what I really need).
Can you please just confirm to your best knowledge that it is currently not possible to get that level of information until MS migrates that data over to the MSGraph? I want to iterate that I can do it with my own access credentials (with any method including using MSOnline module) but I need to be able to automate it in a weekly report.
Hi, Jack.
First, here's how you can procure an Azure AD Graph token for use with the MSOnline module.
I should add a disclaimer that I have not used the MSOnline module for many years now and only ran a quick Get-MsolUser commandlet post sign-in as confirmation the sign-in was valid.
The version of MSOnline I used for this authentication test is 1.1.183.57.
$Token = Get-AzAccessToken -ResourceUrl "https://graph.windows.net";
Connect-MsolService -AdGraphAccessToken ($Token).Token;
Output
So, if I'd signed into Az first with the servicePrincipal, then the above steps show how to procure a token that's usable in MSOnline - or it should (I'll double-check with a servicePrincipal and CBA later when time permits).
Next, when it comes to replicating the functionality of MSOnline, I can't answer that as I don't use MSOnline and therefore have no point of comparison.
I'd imagine that most if not all of it could be emulated using Graph, whether that's with the Microsoft.Graph.* commandlets or if they have gaps, the native REST calls. It may just be the case that there's no single Microsoft.Graph commandlet that behaves precisely as the MSOnline commandlet, meaning some extra effort may be required in joining things together.
Cheers,
Lain
- Jonesy6123, Feb 21, 2024 (Copper Contributor)
Hey Lain,
The below error is thrown when I use the system managed identity to connect to Az like so:
Connect-AzAccount -Identity
Error thrown:
Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.
The system managed identity has all of the necessary permissions. Could I instead use an app registration?
- LainRobertson, Feb 21, 2024 (Silver Contributor)
Hi, Jack.
I haven't yet had a reason to use managed service identities, however, it seems it should be possible.
I'll have a proper look when time permits.
Cheers,
Lain
- Jonesy6123, Feb 21, 2024 (Copper Contributor)
Appreciate it mate.
It's worth noting I only need MSOnline in order to get MFA Status using the StrongAuthentication property for a weekly report. I have got working scripts that use MSGraph, I just can't find the same level of information.
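Putting the two halves of the thread together as an added example (this is not Lain's or Jack's code): sign in to Az with the system-assigned managed identity, request a token for the Azure AD Graph resource rather than Microsoft Graph, connect MSOnline with it, and pull the StrongAuthenticationRequirements state into the weekly MFA report. It assumes Az.Accounts and MSOnline are installed in the runbook or VM environment and that the identity has already been granted the directory permissions it needs.

```powershell
# Added example, not from the thread. Assumes a system-assigned managed identity
# with the required directory permissions, plus Az.Accounts and MSOnline installed.

# 1. Sign in to Az with the managed identity.
Connect-AzAccount -Identity | Out-Null

# 2. Request a token for the *Azure AD Graph* resource. MSOnline rejects a
#    Microsoft Graph (graph.microsoft.com) token with "the key was not found
#    in the dictionary", which is the error described in the thread.
$Token = Get-AzAccessToken -ResourceUrl "https://graph.windows.net"
$Plain = $Token.Token
if ($Plain -is [System.Security.SecureString]) {
    # Newer Az.Accounts releases return the token as a SecureString;
    # -AdGraphAccessToken expects the plain string.
    $Plain = [System.Net.NetworkCredential]::new('', $Plain).Password
}

# 3. Connect MSOnline with that token. The bare MicrosoftOnlineException message
#    says very little, so surface the inner exception before re-throwing.
try {
    Connect-MsolService -AdGraphAccessToken $Plain -ErrorAction Stop
}
catch {
    $Inner = $_.Exception.InnerException
    Write-Error ("Connect-MsolService failed: {0} / {1}" -f $_.Exception.Message,
        $(if ($Inner) { $Inner.Message } else { 'no inner exception' }))
    throw
}

# 4. Build the weekly MFA status report. StrongAuthenticationRequirements holds a
#    State of Enabled or Enforced when per-user MFA is set; an empty collection
#    means the user is not configured for per-user MFA.
$Report = Get-MsolUser -All | ForEach-Object {
    $Req = $_.StrongAuthenticationRequirements | Select-Object -First 1
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        DisplayName       = $_.DisplayName
        MfaState          = if ($Req) { $Req.State } else { 'Disabled' }
        MethodCount       = @($_.StrongAuthenticationMethods).Count
        DefaultMethod     = ($_.StrongAuthenticationMethods |
                             Where-Object IsDefault |
                             Select-Object -ExpandProperty MethodType)
    }
}

$Report | Export-Csv -Path "MfaStatus-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Users with MfaState of Disabled but a non-zero MethodCount have registered methods without per-user MFA being enforced, which is the gap a weekly review of this report is meant to catch.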