Forum Discussion
How can I use a System Managed Identity with Connect-MsolService
Hi, Jack.
First, here's how you can procure an Azure AD Graph token for use with the MSOnline module.
I should add a disclaimer that I have not used the MSOnline module for many years now and only ran a quick Get-MsolUser commandlet post sign-in as confirmation the sign-in was valid.
The version of MSOnline I used for this authentication test is 1.1.183.57.
$Token = Get-AzAccessToken -ResourceUrl "https://graph.windows.net";
Connect-MsolService -AdGraphAccessToken ($Token).Token;
So, if I'd signed into Az first with the servicePrincipal, then the above steps show how to procure a token that's usable in MSOnline - or it should (I'll double-check with a servicePrincipal and CBA later when time permits).
Next, when it comes to replicating the functionality of MSOnline, I can't answer that as I don't use MSOnline and therefore have no point of comparison.
I'd imagine that most if not all of it could be emulated using Graph, whether that's with the Microsoft.Graph.* commandlets or if they have gaps, the native REST calls. It may just be the case that there's no single Microsoft.Graph commandlet that behaves precisely as the MSOnline commandlet, meaning some extra effort may be required in joining things together.
Cheers,
Lain
The below error is thrown when I use the system managed identity to connect to Az like so:
Connect-AzAccount -Identity
Error thrown:
Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.
The system managed identity has all of the necessary permissions. Could I instead use an app registration?
- LainRobertson, Feb 21, 2024 (Silver Contributor)
Hi, Jack.
I haven't yet had a reason to use managed service identities, however, it seems it should be possible.
I'll have a proper look when time permits.
Cheers,
Lain
- Jonesy6123, Feb 21, 2024 (Copper Contributor)
Appreciate it mate.
It's worth noting I only need MSOnline in order to get MFA Status using the StrongAuthentication property for a weekly report. I have got working scripts that use MSGraph, I just can't find the same level of information.
- LainRobertson, Feb 21, 2024 (Silver Contributor)
I need to form the habit of checking the REST APIs first, not after I've posted based on the modules.
That entire script above could easily enough be replaced with a one-liner that calls an endpoint that I can't easily see represented in the Graph modules.
Not only does this trivialise the code, it's significantly faster and comes with a much wider array of status flags - which I imagine might even be more than MSOnline provides.
(Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails" -OutputType PSObject).value;
Edited: I didn't have my thinking cap on when I wrote "one-liner", since of course, the result size could readily be larger than the page size.
Here's a "proper" implementation of the REST approach:
$uri = "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails";
while ($null -ne ($Response = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject)) {
    $Response.value;    # emit this page's records
    if (-not $Response.'@odata.nextLink') { break; }    # no further pages
    $uri = $Response.'@odata.nextLink';
}
Cheers,
Lain
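Pulling the pieces of this thread together as an added example (not code posted by Lain or Jack): sign in to Graph directly as the system-assigned managed identity, page through userRegistrationDetails the way the reply above does, and shape the rows into the MFA-registration report Jack wanted from StrongAuthentication. It assumes Microsoft.Graph.Authentication 2.x (for Connect-MgGraph -Identity), and that the managed identity's service principal has been granted the AuditLog.Read.All application role, which is the permission documented for this report endpoint; the function and variable names are mine.

```powershell
# Added example, not from the thread. Assumes Microsoft.Graph.Authentication 2.x and that
# the system-assigned managed identity holds the AuditLog.Read.All application role
# (assigned to the identity's service principal; adjust if your tenant requires more).
# Run from the Azure resource (VM, Automation runbook, Function) that owns the identity.
Connect-MgGraph -Identity -NoWelcome

function Get-MgUserRegistrationDetail {
    # Walks every page of the report by following @odata.nextLink until it is absent.
    [CmdletBinding()]
    param (
        [string] $Uri = "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails"
    )
    while ($Uri) {
        $Response = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $Response.value
        $Uri = $Response.'@odata.nextLink'    # $null on the last page, which ends the loop
    }
}

# Reshape each record into roughly what MSOnline's StrongAuthentication property exposed.
$Report = Get-MgUserRegistrationDetail | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.userPrincipalName
        IsAdmin           = $_.isAdmin
        IsMfaRegistered   = $_.isMfaRegistered
        IsMfaCapable      = $_.isMfaCapable
        DefaultMfaMethod  = $_.defaultMfaMethod
        MethodsRegistered = ($_.methodsRegistered -join ';')
        LastUpdated       = $_.lastUpdatedDateTime
    }
}

# The cut a security team cares about most: privileged accounts with nothing registered.
$UnregisteredAdmins = @($Report | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered })

$Report | Export-Csv -Path ".\MfaRegistration-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

"{0} users, {1} without MFA registered, {2} of those are admins." -f `
    $Report.Count,
    @($Report | Where-Object { -not $_.IsMfaRegistered }).Count,
    $UnregisteredAdmins.Count
```

Because the sign-in is Connect-MgGraph -Identity rather than Connect-AzAccount followed by a token swap, no Azure AD Graph (graph.windows.net) token and no MSOnline module are involved at all, which sidesteps the MicrosoftOnlineException Jack hit. Wrapping the results in @() keeps .Count correct when a filter returns zero or one object.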